iXsecurity-Cryptanalysis Lucent Orinoco CM

From: ingebornat_private
Date: Mon Nov 12 2001 - 05:49:14 PST

  • Next message: William Salusky: "Re: NT Password Recovery Bootable CD"

    iXsecurity November 9th 2001
    
    -[ SUMMARY ]-
    
    Lucent Orinoco Client Manager stores SSID and WEP secret for all known profiles
    in the Windows registry. The WEP secret is encrypted and the algorithm is not,
    as far as we know and up until today, publicly documented.
    
    During an assignment, a client asked about the risks of losing a configured
    laptop :-) There are at least two (bad) things an attacker can do to obtain
    access to the WaveLan:
    
    1. It is possible to copy the values right off from one laptop into another
       and then connect to the WaveLan. Thus, the result of the encryption is
       not salted nor unique to the installation.
    2. It is possible to reverse the encryption to get the plain text WEP secret
       and then use it to configure another card.
    
    -[ ALGORITHM ]-
    
    The algorithm is short and we give an overview here.
    
    It runs in blocks of three plain text characters. They are expanded into a
    block of 5 cipher text characters. Every plain text character, affects two
    characters in a cipher text block (but cipher text character 2 is only
    affected by plain text character 1). The last plain text character in one
    block also affects the first cipher text character of the next block.
    
    Thus the blocks are chained together, i.e. they cannot be decrypted
    independently of each other. The start value for the very first plain text
    block may be seen as an IV. For each of the three plain text characters in
    a plain text block there is a separate permutation, mask and addition.
    
    -[ PROGRAM ]-
    
    We have written a program that can be used to encrypt WEP secrets into
    registry values or to decrypt registry values into plain text WEP secrets.
    To test this, we use ORiNOCO Client Manager ver. 1.18 and Windows 2000.
    The program is available at http://www.cqure.net/lrc/
    
    Anders Ingeborn, ingebornat_private
    Patrik Karlsson, patrik.karlssonat_private
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 09:49:13 PST