I'm reading a book named 802.11 Wireless Networks: The Definitive Guide (second edition) recently. I find myself unable to understand the algorithm of WEP shared-key authentication.

In the book, chapter 8.3, section "The legacy of shared-key authentication", it says

The third frame is the mobile station's response to the challenge. To prove that it is allowed on the network, the mobile station constructs a management frame with three information elements: the Authentication Algorithm Identifier, a Sequence Number of 3, and the Challenge Text. Before transmitting the frame, the mobile station processes the frame with WEP

(BUT HOW???). The header identifying the frame as an authentication frame is preserved, but the information elements are hidden by WEP.

So, I'd like to ask the kind community here.

Here is my example WEP auth session, packets captured with TamoSoft CommView for WiFi 6.3.

- AP MAC: 000E.2E7C.52A9 (Edimax)
- Wifi client: 0020.4A96.23C7 (Lantronix WiPort)
- WEP key is 437B7A57F6762CC7271EBB16FC

You can find my packet capture here: http://down.nlscan.com/misc/WEP128-shared-key-success-1.ncf

Packets #55, #57, #59 and #61 are the WEP authentication packets. #59 is "the third frame".

```
============================================================================
Packet #55, Direction: Pass-through, Time:16:11:42.634285, Size: 30
Wireless Packet Info
Signal level: 100%
Rate: 2.0 Mbps
Band: 802.11g
Channel: 11 - 2462 MHz
802.11
Frame Control: 0x00B0 (176)
Protocol version: 0
To DS: 0
From DS: 0
More Fragments: 0
Retry: 0
Power Management: 0
More Data: 0
Protected Frame: 0
Order: 0
Type: 0 - Management
Subtype: 11 - Authentication
Duration: 0x0102 (258)
Destination Address: 00:0E:2E:7C:52:A9
Source Address: 00:20:4A:96:23:C7
BSS ID: 00:0E:2E:7C:52:A9
Fragment Number: 0x0000 (0)
Sequence Number: 0x000E (14)
Authentication
Algorithm Number: 0x0001 (1) - Shared Key
Transaction Sequence Number: 0x0001 (1)
Status Code: 0x0000 (0) - Successful
Raw Data:
0x0000 B0 00 02 01 00 0E 2E 7C-52 A9 00 20 4A 96 23 C7 °......|R©. J–#Ç
0x0010 00 0E 2E 7C 52 A9 E0 00-01 00 01 00 00 00 ...|R©à.......
============================================================================
Packet #57, Direction: Pass-through, Time:16:11:42.638429, Size: 160
Wireless Packet Info
Signal level: 100%
Rate: 1.0 Mbps
Band: 802.11g
Channel: 11 - 2462 MHz
802.11
Frame Control: 0x00B0 (176)
Protocol version: 0
To DS: 0
From DS: 0
More Fragments: 0
Retry: 0
Power Management: 0
More Data: 0
Protected Frame: 0
Order: 0
Type: 0 - Management
Subtype: 11 - Authentication
Duration: 0x013A (314)
Destination Address: 00:20:4A:96:23:C7
Source Address: 00:0E:2E:7C:52:A9
BSS ID: 00:0E:2E:7C:52:A9
Fragment Number: 0x0000 (0)
Sequence Number: 0x0343 (835)
Authentication
Algorithm Number: 0x0001 (1) - Shared Key
Transaction Sequence Number: 0x0002 (2)
Status Code: 0x0000 (0) - Successful
Challenge text: 28 B8 9B EC 79 C1 AC B6 24 AD 54 A5 5A 96 EE 24 3E 25 F2 D5 B8 11 1C 2F E9 8D 2B A2 63 EA 3D 1F 40 6E 8C 3D 2C 7E 37 E9 5C 9C F4 0E F2 9C 50 88 21 DA 35 09 97 AE E3 BA 4E 56 77 9A B4 B1 F2 34 E9 AD
Raw Data:
0x0000 B0 00 3A 01 00 20 4A 96-23 C7 00 0E 2E 7C 52 A9 °.:.. J–#Ç...|R©
0x0010 00 0E 2E 7C 52 A9 30 34-01 00 02 00 00 00 10 80 ...|R©04.......€
0x0020 28 B8 9B EC 79 C1 AC B6-24 AD 54 A5 5A 96 EE 24 (¸›ìyÁ¬¶$T¥Z–î$
0x0030 3E 25 F2 D5 B8 11 1C 2F-E9 8D 2B A2 63 EA 3D 1F >%òÕ¸../é+¢cê=.
0x0040 40 6E 8C 3D 2C 7E 37 E9-5C 9C F4 0E F2 9C 50 88 @nŒ=,~7é\œô.òœPˆ
0x0050 21 DA 35 09 97 AE E3 BA-4E 56 77 9A B4 B1 F2 34 !Ú5.—®ãºNVwš´±ò4
0x0060 E9 AD 8D 98 05 28 A1 AD-3F DA 66 05 60 66 EA 24 é˜.(¡?Úf.`fê$
0x0070 02 DA 14 AC 66 CD DC E6-93 A8 79 23 70 87 39 44 .Ú.¬fÍÜæ“¨y#p‡9D
0x0080 17 4E 0F AC A2 CA 9F 84-5F 94 66 3C 04 AB 86 8E .N.¬¢ÊŸ„_”f<.«†Ž
0x0090 99 78 AB C9 E9 C0 91 95-9E 52 B1 7C 6B 22 63 C0 ™x«ÉéÀ‘•žR±|k"cÀ
============================================================================
Packet #59, Direction: Pass-through, Time:16:11:42.639825, Size: 168
Wireless Packet Info
Signal level: 100%
Rate: 2.0 Mbps
Band: 802.11g
Channel: 11 - 2462 MHz
802.11
Frame Control: 0x40B0 (16560)
Protocol version: 0
To DS: 0
From DS: 0
More Fragments: 0
Retry: 0
Power Management: 0
More Data: 0
Protected Frame: 1
Order: 0
Type: 0 - Management
Subtype: 11 - Authentication
Duration: 0x0102 (258)
Destination Address: 00:0E:2E:7C:52:A9
Source Address: 00:20:4A:96:23:C7
BSS ID: 00:0E:2E:7C:52:A9
Fragment Number: 0x0000 (0)
Sequence Number: 0x000F (15)
Authentication
Algorithm Number: 0x1300 (4864) - Reserved
Transaction Sequence Number: 0x00F6 (246)
Status Code: 0xB4BA (46266) - Reserved
Raw Data:
0x0000 B0 40 02 01 00 0E 2E 7C-52 A9 00 20 4A 96 23 C7 °@.....|R©. J–#Ç
0x0010 00 0E 2E 7C 52 A9 F0 00-00 13 F6 00 BA B4 A9 F5 ...|R©ð...ö.º´©õ
0x0020 77 E9 5D 1F A2 B2 CE 3A-AD 1E FD 31 EA 55 90 B8 wé].¢²Î:.ý1êU¸
0x0030 56 F6 EF 81 CE C5 95 B6-9B 2F C4 77 BD E0 DD 73 VöïÎÅ•¶›/Äw½àÝs
0x0040 C6 C8 CE F6 0B 3F 0E 8D-08 15 93 5C 26 6E DA 17 ÆÈÎö.?...“\&nÚ.
0x0050 83 34 A2 53 51 65 3C AE-7A 5C A5 EA 04 97 6E F0 ƒ4¢SQe<®z\¥ê.—nð
0x0060 53 02 02 91 08 51 87 8E-83 38 CD 23 35 E7 56 1B S..‘.Q‡Žƒ8Í#5çV.
0x0070 1D A8 52 8F E1 D4 21 FD-46 41 65 AD 26 AB 74 3D .¨RáÔ!ýFAe&«t=
0x0080 E0 13 12 66 F5 C1 67 B3-71 7F 83 77 A0 34 16 55 à..fõÁg³qƒw 4.U
0x0090 25 96 31 01 A0 9C D9 13-1E 7C E6 8F 15 8D 8A 7B %–1. œÙ..|æ.Š{
0x00A0 8E 6B 65 97 74 0B 23 71- Žke—t.#q
============================================================================
Packet #61, Direction: Pass-through, Time:16:11:42.640916, Size: 30
Wireless Packet Info
Signal level: 100%
Rate: 1.0 Mbps
Band: 802.11g
Channel: 11 - 2462 MHz
802.11
Frame Control: 0x00B0 (176)
Protocol version: 0
To DS: 0
From DS: 0
More Fragments: 0
Retry: 0
Power Management: 0
More Data: 0
Protected Frame: 0
Order: 0
Type: 0 - Management
Subtype: 11 - Authentication
Duration: 0x013A (314)
Destination Address: 00:20:4A:96:23:C7
Source Address: 00:0E:2E:7C:52:A9
BSS ID: 00:0E:2E:7C:52:A9
Fragment Number: 0x0000 (0)
Sequence Number: 0x0344 (836)
Authentication
Algorithm Number: 0x0001 (1) - Shared Key
Transaction Sequence Number: 0x0004 (4)
Status Code: 0x0000 (0) - Successful
Raw Data:
0x0000 B0 00 3A 01 00 20 4A 96-23 C7 00 0E 2E 7C 52 A9 °.:.. J–#Ç...|R©
0x0010 00 0E 2E 7C 52 A9 40 34-01 00 04 00 00 00 ...|R©@4......
============================================================================
```

I know, from the book, how RC4 works and I have written a Python program to verify how WEP encrypts an 802.11 packet.

The remaining issue is I just cannot figure out how the WEP authentication algorithm works (how #59 is calculated).

Waiting for your generous help.

This is a good question, but specifications and books written about them are often incomplete in the place where you need them the most.

Working source code is your best bet in this case and the linux/net/mac80211/wep.c code is out there for the reading.

My speculation says that when the challenge is sent in cleartext, the mobile station picks a random IV and, using the pre-shared WEP key, encrypts the challenge using RC4 with the IV used as the first 3 bytes of the key. These 3 bytes are sent in clear over the channel. Then the problem starts here, as mentioned later in the book. Anyone who is listening to the communication can eavesdrop and find out the challenge and the ciphertext; XORing these two, the attacker gets the keystream, asks for a new challenge and encrypts it with the same IV as the legitimate user and the same keystream. He can then simply authenticate, though he still does not know the WEP key :)
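Added example (my own code, not the book's or mac80211's): it builds the plaintext body of the third frame from the challenge in #57, then applies WEP with the key from the question and the IV that sits right after the 24-byte header of #59 (`00 13 F6`, which CommView misreads as "Algorithm Number: 0x1300" because the fixed fields are encrypted). It assumes the standard WEP layout: 3-byte IV, key-ID byte, RC4 keyed with IV||key over the body plus a little-endian CRC-32 ICV.

```python
import zlib

# Values copied from the capture in the question.
WEP_KEY = bytes.fromhex("437B7A57F6762CC7271EBB16FC")  # 13-byte (104-bit) WEP-128 key
IV = bytes.fromhex("0013F6")   # IV sent in clear in frame #59, right after the header
CHALLENGE = bytes.fromhex(     # 128-byte challenge from frame #57 (offsets 0x20-0x9F)
    "28B89BEC79C1ACB6 24AD54A55A96EE24" "3E25F2D5B8111C2F E98D2BA263EA3D1F"
    "406E8C3D2C7E37E9 5C9CF40EF29C5088" "21DA350997AEE3BA 4E56779AB4B1F234"
    "E9AD8D980528A1AD 3FDA66056066EA24" "02DA14AC66CDDCE6 93A8792370873944"
    "174E0FACA2CA9F84 5F94663C04AB868E" "9978ABC9E9C09195 9E52B17C6B2263C0"
)

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR data with the keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def auth_frame3_body(challenge: bytes) -> bytes:
    """Plaintext body of the third frame: fixed fields (little-endian) + challenge IE."""
    fixed = (1).to_bytes(2, "little")    # Algorithm Number 1 = Shared Key
    fixed += (3).to_bytes(2, "little")   # Transaction Sequence Number 3
    fixed += (0).to_bytes(2, "little")   # Status Code 0
    return fixed + bytes([0x10, len(challenge)]) + challenge  # IE 16 = Challenge Text

def wep_encrypt(plain: bytes, iv: bytes, key: bytes, key_id: int = 0) -> bytes:
    """WEP encapsulation: IV(3) | KeyID byte | RC4_{IV||key}(plain | CRC-32 ICV)."""
    icv = zlib.crc32(plain).to_bytes(4, "little")
    return iv + bytes([key_id << 6]) + rc4(iv + key, plain + icv)

def wep_decrypt(body: bytes, key: bytes):
    """Reverse of wep_encrypt; returns the plaintext, or None if the ICV does not match."""
    iv, payload = body[:3], body[4:]
    data = rc4(iv + key, payload)
    plain, icv = data[:-4], data[-4:]
    return plain if zlib.crc32(plain).to_bytes(4, "little") == icv else None

if __name__ == "__main__":
    body = wep_encrypt(auth_frame3_body(CHALLENGE), IV, WEP_KEY)
    print(len(body), body[:4].hex())   # 144 bytes, matching frame #59 (168 - 24-byte header)
```

Feeding the 144 bytes that follow the header of frame #59 to `wep_decrypt` with `WEP_KEY` should recover the same plaintext body; the ICV check is how the AP rejects a response encrypted with the wrong key before it even compares the challenge text.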
