An FPGA architecture for the recovery of WPA/WPA2 keys

Abstract

<p>Wi-Fi protected access (WPA) has provided serious improvements over the now deprecated wired equivalent privacy protocol (WEP). WPA, however, still has some flaws that allow an attacker to obtain the passphrase. One of these flaws is exposed when the access point (AP) is operating in the WPA personal mode. This is the most common mode as it is the quickest and easiest to configure. It requires the attacker to capture the traffic from four-way handshake between the AP and client, and then provide enough compute time to reverse the passphrase. Attackers quickly noticed that by investing the compute time in advance, and storing their work, they could decrease the time-to-crack for an AP. This caused attackers to start compiling large lookup tables based on dictionaries of common passwords and common SSIDs. The attackers are required to compile a separate lookup table for each SSID, making this style of attack most feasible against APs with a common SSID and password.</p> <p>The work in this thesis will focus on creating an FPGA based architecture to accelerate the generation of the lookup table, given a dictionary of possible Pre-shared Keys and an SSID. The application of this work would be most useful for attacking one-off SSID's. This is because most common SSID's already have a generated lookup table that can be downloaded much faster than it could be generated, so this regeneration would be wasteful. The application will also provide a manner to check for a valid Pairwise Master Key during the table generation phase.</p>