WLAN Security Megaprimer Part 18: Korek's Chopchop Attack
In this video, we will look at Korek's infamous ChopChop attack! This attack unbelievably allows you to decrypt an entire WEP packet without knowing the WEP key. Though almost magical sounding, this attack has a firm foundation in polynomial math dealing with CRCs. I will not get into the math, instead will try to make you understand how this works using some interesting illustrations :)
The attack works by chopping off the last byte of the packet, making a guess for the plain text value of the byte, and then correcting the ICV. This uses the same approach as the Caffe Latte attack, leveraging the message modification vulnerability in WEP. The idea is that if the guess for the chopped byte is correct, the packet will be a valid WEP packet. It will thus be accepted by the access point. If it is invalid, it will be silently discarded. The tools uses this approach to find one byte at a time of the packet, till it manages to reconstruct the entire packet.
Have any Questions? or would like to add a point?
Visit the video page on SecurityTube to post your questions and comments : http://www.securitytube.net/video/1836