Authors
TERAMURA Ryoichi, ASAKURA Yasuo, OHIGASHI Toshihiro, KUWAKADO Hidenori, MORII Masakatu
Publisher
The Institute of Electronics, Information and Communication Engineers
Journal
IEICE transactions on fundamentals of electronics, communications and computer sciences (ISSN:09168508)
Volume, issue, pages / publication date
vol.93, no.1, pp.164-171, 2010-01-01
Number of citations
11 9

Conventional efficient key recovery attacks against Wired Equivalent Privacy (WEP) require specific initialization vectors or specific packets. Since it takes much time to collect the packets sufficiently, any active attack should be performed. An Intrusion Detection System (IDS), however, will be able to prevent the attack. Since the attack logs are stored at the servers, it is possible to prevent such an attack. This paper proposes an algorithm for recovering a 104-bit WEP key from any IP packets in a realistic environment. This attack needs about 36,500 packets with a success probability of 0.5, and the complexity of our attack is equivalent to about 2^20 computations of the RC4 key setups. Since our attack is passive, it is difficult for both WEP users and administrators to detect our attack.
Authors
HIROSE Shoichi, KUWAKADO Hidenori
Publisher
Springer-Verlag
Journal
Lecture Notes in Computer Science (ISSN:03029743)
Volume, issue, pages / publication date
pp.262-275, 2009-10
Number of citations
1

This article discusses the provable security of an iterated hash function using a block cipher. It assumes the construction using the Matyas-Meyer-Oseas (MMO) scheme for the compression function and the Merkle-Damgård with a permutation (MDP) for the domain extension transform. It is shown that this kind of hash function, MDP-MMO, is indifferentiable from the variable-input-length random oracle in the ideal cipher model. It is also shown that HMAC using MDP-MMO is a pseudorandom function if the underlying block cipher is a pseudorandom permutation under the related-key attack with respect to the permutation used in MDP. Actually, the latter result also assumes that the following function is a pseudorandom bit generator: (E_IV(K ⊕ opad) ⊕ K ⊕ opad) || (E_IV(K ⊕ ipad) ⊕ K ⊕ ipad), where E is the underlying block cipher, IV is the fixed initial value of MDP-MMO, and opad and ipad are the binary strings used in HMAC. This assumption still seems reasonable for actual block ciphers, though it cannot be implied by the pseudorandomness of E as a block cipher. The results of this article imply that the security of a hash function may be reduced to the security of the underlying block cipher to a greater extent with the MMO compression function than with the Davies-Meyer (DM) compression function, though the DM scheme is implicitly used by the widely used hash functions such as SHA-1 and MD5.