Decrypting wireless (802.11) packets when you know the cleartext
From: samson (samson3141_at_comcast.net)
Date: 03/18/05
- Next message: Casper H.S. ***: "Re: Decrypting wireless (802.11) packets when you know the cleartext"
- Previous message: Temprock_at_hotmail.com: "Don't Know How to Unravel...."
- Next in thread: Casper H.S. ***: "Re: Decrypting wireless (802.11) packets when you know the cleartext"
- Reply: Casper H.S. ***: "Re: Decrypting wireless (802.11) packets when you know the cleartext"
- Reply: Kevin: "Re: Decrypting wireless (802.11) packets when you know the cleartext"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 17 Mar 2005 19:39:55 -0500
We’ve seen that WEP for wireless was terrible. The 802.11 (wi-fi)
wireless data networking folks have addressed the shortcomings with WEP
by applying newer methods such as WPA (Wi-Fi Protected Access) versions
1 and 2. The newer techniques are accepted as secure because the
algorithms are secure. I don't question the algorithms, but I do
question the application. Specifically, in Wi-Fi, each data packet is
encrypted. However, even though I cannot break the encryption, I can
determine some of the clear text of the packets just by looking at them.
For instance, almost every packet will be an IP packet. In every IP
packet, certain bits are always the same. In addition, if I have
captured a stream of packets, I can infer what certain packet types are
by when they occur in the stream, and their length. So, for example, I
can identify a DHCP packet and subsequent response. Or, I can identify a
TCP 3-way handshake. And, every IP packet has a two byte length field,
which I can determine simply by the length of the packet in the sniffer
trace. All of this allows me to know what parts of the packets are in
clear text, even if I cannot decrypt them. A typical packet stream
consists of hundreds or thousands of packets (samples), each encrypted
using the same algorithm. And in all of them, a number of the bits and
bit sequences are predictable. My questions are, "Does knowing portions
of the clear text provide an opportunity in decryption?" and "Is there
any relevant research in this area?"
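An added example (not code from the original post or from its replies) that makes the question above concrete. It takes the known-plaintext step the poster describes, using constructed frames, a WEP-style RC4 keystream keyed with IV || secret (the ICV is omitted), and the predictable LLC/SNAP + IPv4 prefix whose 2-byte total-length field follows from the sniffed frame length. It shows what is recoverable, namely the keystream bytes under the known prefix, and that those bytes decrypt a second frame only when that frame was encrypted under the same per-packet keystream (same IV and key, which WEP's 24-bit IV space guarantees will happen). The secret key, IVs, addresses and payloads are all constructed for the demonstration.

```python
"""Known-plaintext against per-packet stream encryption: what the guessed
prefix yields, and when the recovered keystream transfers to another frame.
Constructed example; not code from the original thread."""
import struct

# LLC/SNAP header that precedes an IPv4 packet in an 802.11 data frame.
SNAP_IP = bytes.fromhex("aaaa030000000800")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns `length` keystream bytes for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_frame_body(ip_payload: bytes) -> bytes:
    """Constructed cleartext: SNAP header + minimal IPv4 header (no options) + payload."""
    total_len = 20 + len(ip_payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, total_len, 0x1234, 0x4000,
                         64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return SNAP_IP + ip_hdr + ip_payload


def encrypt_wep_style(secret: bytes, iv: bytes, body: bytes) -> bytes:
    """WEP-style: 3-byte IV sent in clear, RC4 keyed with IV || secret (ICV omitted)."""
    return iv + xor(body, rc4_keystream(iv + secret, len(body)))


def guess_prefix(frame: bytes) -> bytes:
    """Cleartext an observer can predict from the sniffed frame alone:
    SNAP header, IPv4 version/IHL 0x45, TOS 0x00, and the 2-byte total
    length (= encrypted body length minus the 8-byte SNAP header)."""
    body_len = len(frame) - 3
    return SNAP_IP + bytes([0x45, 0x00]) + struct.pack("!H", body_len - len(SNAP_IP))


def recover_keystream(frame: bytes):
    """Known-plaintext step: keystream = ciphertext XOR known plaintext, over the guessed prefix."""
    iv, ct = frame[:3], frame[3:]
    known = guess_prefix(frame)
    return iv, xor(ct[:len(known)], known)


def apply_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Strip the IV and XOR the recovered keystream over the start of another frame."""
    return xor(frame[3:3 + len(keystream)], keystream)


def demo():
    secret = b"constructed-secret-key"   # assumption: one fixed shared key, as in WEP
    iv_repeat = b"\x01\x02\x03"
    iv_fresh = b"\x07\x08\x09"
    frame_a = encrypt_wep_style(secret, iv_repeat, build_frame_body(b"A" * 40))
    frame_b = encrypt_wep_style(secret, iv_repeat, build_frame_body(b"dns query bytes here"))
    frame_c = encrypt_wep_style(secret, iv_fresh, build_frame_body(b"dns query bytes here"))

    iv, ks = recover_keystream(frame_a)
    ks_is_true_keystream = ks == rc4_keystream(iv + secret, len(ks))
    b_prefix = apply_keystream(frame_b, ks)   # same IV: same keystream, B's prefix decrypts
    c_prefix = apply_keystream(frame_c, ks)   # different IV: different keystream, garbage
    return ks_is_true_keystream, b_prefix, c_prefix


if __name__ == "__main__":
    ok, b_prefix, c_prefix = demo()
    print("recovered keystream correct:", ok)
    print("same-IV frame prefix:", b_prefix.hex())
    print("fresh-IV frame prefix:", c_prefix.hex())
```

The twelve recovered keystream bytes are exact, but they belong to one (IV, key) pair; the attack only becomes a decryption of other traffic when that pair recurs, which is the WEP property (a 24-bit IV over a fixed key) the poster refers to. WPA's per-packet keying, TKIP's key mixing with a 48-bit sequence counter and CCMP's 48-bit packet number in the AES-CCM nonce, is designed so that a keystream is never reused under one key, which is the part of the question the algorithm choice alone does not settle.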