Description: This is the solution video to Challenge 3: http://www.securitytube.net/video/1884
3a can be solved in 2 ways - rewriting the authentication packet as a data packet and use existing tools on it or create an RC4 encryption / decryption engine and work from either direction. We have the ICV in the packet to verify if the key guess is correct.
3b is more interesting - you can never be sure you have the right solution, but you could make educated guesses. The size of the packet and the destination MAC address suggests that it is most probably an ARP Request packet. Which means we can know the first couple of bytes - LLC header + Part of ARP Header. Now, we can take different keys from the dictionary, take the IV from the truncated data packet and generate short keystreams. We can compare this with the decrypted keystream from the packet (as we know part of the plain text).
The important thing to note that there could always be keystream collisions - in the sense that the same IV with different WEP keys could produce the same keystream unto the Nth byte (N typically small). The larger the N, the lesser the probability that 2 keys with the same IV have the same keystream output till the Nth byte. Anyways, end conclusion - we can never fully be sure which is the key, for the dictionary at our disposal and the first few decrypted bytes, we could make some guesses, but they could be proven wrong if the size of the keystream sample increases.