WEP cracking - Why does many IVs allow to actually get the cipher key

Question

I've been reading a lot about WEP cracking on online resources very recently, however there is one question that no website gives answer to I believe.
I would like to first understand the theory very well.

I understand how RC4 stream cipher works:

The IV being very short, with an high enough number of packets (ARP replay attack would be one way to get a lot of packets quickly), it should be possible to get 2 packets with the same IVs. Consequently, the two packets (P1 and P20 would have the same cipher Key (K).
Once you have these 2 packets, you just need to XOR them to obtain such result:

P1 XOR P2 = K XOR M1 XOR K XOR M2 = M1 XOR M2

So, you end up having a XOR of the two clear messages. That makes perfect sense.
However, how can you from there obtain the actual encryption Key ?
I did not find any resource online that would answer this question. They all assume that at that point, when you got a repetition of the IV, you got the key.

Thank you in advance for your help

Answer 1

I actually got my answer.
Once you get M1 XOR M2, you can derivate the actual keystream. Moreover, as the IV is sent in clear with every packet, you can now associate this IV with the KeyStream you found.

Using this technique on enough packet, you can construct a IV - Keystream dictionary.After a certain number of packets captured (not that many considering the "Birthday paradox"), you'll be able to construct a pretty exchaustive KeyStream dictionary which then allow to decrypt incoming messages.

This is how it would work:

1. You intercept a packet
2. You look at the IV coming with this packet in clear
3. You check in your dictionary to see if you have the corresponding Keystream for this IV
4. If yes, you use the keystream to decrypt the message. If not, you keep the IV and wait for another encrypted packet with the same IV, which would allow to get Keystream for this IV (by XORing the two packets) and add it to your dictionary