On 6/12/05, Michal Jaegermann <michal@xxxxxxxxxxxx> wrote:
> It does not help you very much with that. I was talking about
> retrieving keys from ethernet packets _sniffed_ over a radio so how
> they are stored is hardly relevant. AFAIK you need big samples for
> those key breaking programs but the point is that with WEP you can
> collect long enough and a target has no way to check that this is
> happening.

Eh, it's even worse than that: the attacker can grab a packet, make a guess at the addresses in use and flip some bits until he turns it into a broadcast packet.... then the access point will retransmit it with a new IV every time the attacker replays the packet on the wire...

This means that an attacker can generate the 100k packets needed for a solid statistical attack on the key in a couple of minutes tops.

I've even toyed with the idea of making a modified network manager to auto-crack WEP protected networks... but the traffic generated by performing a replay attack is somewhat disruptive. :)