Description: Welcome to Part 18 of the WLAN Security Megaprimer! Please start this series by watching Part 1 http://www.securitytube.net/video/1756, if you have not done so already.
In this video, we will look at Korek's infamous ChopChop attack! This attack, unbelievably, allows you to decrypt an entire WEP packet without knowing the WEP key. Though it sounds almost magical, the attack has a firm foundation in the polynomial math behind CRCs. I will not get into the math; instead, I will try to make you understand how it works using some interesting illustrations :)
The attack works by chopping off the last byte of the packet, making a guess for the plaintext value of that byte, and then correcting the ICV. This uses the same approach as the Caffe Latte attack, leveraging the message modification vulnerability in WEP. The idea is that if the guess for the chopped byte is correct, the packet will be a valid WEP packet and will thus be accepted by the access point; if it is invalid, it will be silently discarded. The tool uses this approach to find one byte of the packet at a time, until it manages to reconstruct the entire packet.
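The "message modification vulnerability" that ChopChop and Caffe Latte rely on is the fact that WEP's ICV is a CRC-32, which is affine over XOR, so the ICV of a modified frame can be corrected without the key or the keystream. The following Python model (added here as an illustration, not code from the video or from any tool) shows that property on a constructed frame with a random keystream standing in for RC4 output, and then shows that the same fix-up fails when the integrity check is a keyed HMAC, which is the reason later protocols replaced the CRC with a MAC.

```python
import hashlib
import hmac
import os
import zlib

def crc32(data: bytes) -> bytes:
    # WEP's ICV is a plain CRC-32 appended to the plaintext before RC4.
    return zlib.crc32(data).to_bytes(4, "little")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    # Model of WEP: (plaintext || ICV) XOR RC4 keystream; the keystream is the secret.
    return xor(plaintext + crc32(plaintext), keystream)

def wep_accepts(ciphertext: bytes, keystream: bytes):
    # Receiver check: strip the keystream and verify the ICV. Returns (ok, plaintext).
    body = xor(ciphertext, keystream)
    data, icv = body[:-4], body[-4:]
    return crc32(data) == icv, data

def icv_corrected_mask(flip_mask: bytes) -> bytes:
    # CRC-32 is affine over XOR: crc(P ^ D) == crc(P) ^ crc(D) ^ crc(0...0).
    # The ICV fix-up for mask D therefore depends only on D, not on P or the key.
    icv_delta = xor(crc32(flip_mask), crc32(bytes(len(flip_mask))))
    return flip_mask + icv_delta

def flip_without_key(ciphertext: bytes, flip_mask: bytes) -> bytes:
    # The modification is applied straight to the ciphertext, ICV bytes included.
    return xor(ciphertext, icv_corrected_mask(flip_mask))

def hmac_accepts(ciphertext: bytes, keystream: bytes, mac_key: bytes) -> bool:
    # Same stream-cipher scheme with a keyed MAC instead of CRC-32: no fix-up is possible.
    body = xor(ciphertext, keystream)
    data, tag = body[:-32], body[-32:]
    return hmac.compare_digest(hmac.new(mac_key, data, hashlib.sha256).digest(), tag)

def demo():
    plaintext = b"user=admin"  # constructed sample payload
    mask = bytes(5) + xor(b"admin", b"guest")  # flips the last five plaintext bytes
    keystream = os.urandom(len(plaintext) + 4)  # stands in for the RC4 keystream
    forged = flip_without_key(wep_encrypt(plaintext, keystream), mask)
    crc_ok, recovered = wep_accepts(forged, keystream)
    mac_key, mac_ks = os.urandom(16), os.urandom(len(plaintext) + 32)
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    mac_forged = xor(xor(plaintext + tag, mac_ks), mask + bytes(32))
    return crc_ok, recovered, hmac_accepts(mac_forged, mac_ks, mac_key)
```

`demo()` returns `(True, b"user=guest", False)`: the CRC-protected frame is accepted with altered content, the HMAC-protected one is rejected.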