|
|
IV Replay Attack
A known plain-text message is sent to an wireless client (an email message, ICMP request, ..)
The attacker will sniff the wireless looking for the predicted cipher-text
The attacker will find the known frame and compute the key stream
-
The attacker can grow the key stream to any size required
The attacker builds a frame one byte larger than the known key stream size (ICMP frame should be ideal for obtaining the response)
The attacker augments the key stream by one byte - he tries all possible values (i.e. he sends 256 ICMP requests)
When the attacker guesses the correct value, the expected response (e.g. the ICMP reply message) is received
The attacker can repeat this process until the desired key stream length is obtained
|