False Authentication

To gain access to a network, a user must be authenticated. While authentication
is typically done at a higher network level, 802.11b and Bluetooth technologies
also support device authentication.
In 802.11b, authentication is performed by a challenge-response procedure using
a shared secret. After requesting authentication, the authenticator sends the
initiator a 128-octet random-number challenge. The initiator encrypts the
challenge using the shared secret and transmits it back to the authenticator.
Encryption is performed by XORing the challenge with a pseudo-random string
formed by the shared secret and a public IV. Note that the only thing that
changes from authentication to authentication with a specific user is the plaintext

A simple and powerful attack on this authentication mechanism is presented by
Arbaugh et al. [4]. First the intruder determines the pseudorandom string by
recording the challenge (plaintext) and the response (ciphertext) and XORing
them. He then impersonates the victim by using the pseudorandom string to
compute the response to subsequent challenges. Notice that the attacker never
needs to determine the shared secret; knowledge of the pseudorandom string is
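The following model of the two paragraphs above is an added teaching example, not code from the post or from the Arbaugh paper it cites. It assumes a stand-in keystream generator (SHA-256 in counter mode) in place of WEP's real stream cipher; the only property it relies on is the one the post states, that the pseudo-random string is a deterministic function of the shared secret and a public IV. The example shows why one observed exchange reveals the keystream, why a reused IV then lets a response be computed without the secret, and why a keyed MAC over the challenge (the hardened alternative, assumed here) does not have that defect.

```python
"""Model of 802.11 WEP-style shared-key authentication and its defect.

Constructed teaching example: the keystream generator is a SHA-256 counter
stand-in for WEP's stream cipher, and secrets/challenges are random.
"""
import hashlib
import hmac
import os

CHALLENGE_LEN = 128  # 128-octet random challenge, as described in the text


def keystream(shared_secret: bytes, iv: bytes, length: int) -> bytes:
    """Pseudo-random string formed from the shared secret and a public IV.

    Assumption: a SHA-256 counter generator stands in for the real cipher. The
    property that matters is that (secret, IV) fully determines the string,
    so reusing an IV reuses the string.
    """
    out = b""
    counter = 0
    while len(out) < length:
        block = shared_secret + iv + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_response(shared_secret: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Initiator's response: challenge XOR keystream(secret, IV)."""
    return xor_bytes(challenge, keystream(shared_secret, iv, len(challenge)))


def wep_verify(shared_secret: bytes, iv: bytes, challenge: bytes,
               response: bytes) -> bool:
    """Authenticator's check: recompute the expected response and compare."""
    expected = wep_response(shared_secret, iv, challenge)
    return hmac.compare_digest(expected, response)


def recover_keystream(challenge: bytes, response: bytes) -> bytes:
    """The defect: plaintext XOR ciphertext is the keystream. A passive
    observer of one exchange gets it without ever learning the secret."""
    return xor_bytes(challenge, response)


def mac_response(shared_secret: bytes, challenge: bytes) -> bytes:
    """Hardened alternative (assumed, not from the post): a keyed MAC over the
    challenge. Observing HMAC(k, c1) reveals nothing usable for a fresh c2."""
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()


def mac_verify(shared_secret: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(mac_response(shared_secret, challenge), response)


def demo() -> tuple:
    """Returns (keystream_leaked, xor_forgery_accepted, mac_forgery_accepted)."""
    secret = os.urandom(13)   # constructed: WEP-104 style 13-byte key
    iv = b"\x01\x02\x03"      # constructed: public 3-byte IV, reused below

    # Exchange 1, observed passively: the keystream falls out of c1 XOR r1.
    c1 = os.urandom(CHALLENGE_LEN)
    r1 = wep_response(secret, iv, c1)
    ks = recover_keystream(c1, r1)
    keystream_leaked = ks == keystream(secret, iv, CHALLENGE_LEN)

    # Exchange 2 with the same IV: the recovered string answers a new
    # challenge correctly, so the authenticator accepts it without the secret.
    c2 = os.urandom(CHALLENGE_LEN)
    xor_forgery_accepted = wep_verify(secret, iv, c2, xor_bytes(c2, ks))

    # Same observation against the MAC design: c1 XOR m1 is not a keystream,
    # and applying it to c2 does not produce HMAC(k, c2).
    m1 = mac_response(secret, c1)
    guess = xor_bytes(c1, m1)
    mac_forgery_accepted = mac_verify(secret, c2, xor_bytes(c2, guess))

    return keystream_leaked, xor_forgery_accepted, mac_forgery_accepted


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False)
```

The keystream reuse is the whole problem: a stream cipher under a fixed (secret, IV) produces one string, and a challenge-response that exposes both the input and output of that XOR hands the string to any listener. The keyed-MAC variant binds each response to its own challenge, which is the shape later 802.11 authentication (the 802.11i handshakes) took instead of WEP shared-key authentication.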

