WEP Wireless Encryption Protocol

1
WEP Wireless Encryption Protocol

• A. Gabriel W. Daleson
• CS 610 Advanced Security
• Portland State University

2
WEP Wired Equivalent Privacy

• A. Gabriel W. Daleson
• CS 610 Advanced Security
• Portland State University

3
WEP Weak Encryption Protocol

• A. Gabriel W. Daleson
• CS 610 Advanced Security
• Portland State University

4
It seemed like a good idea at the time

• Lets make it at least as difficult to eavesdrop
  on wireless traffic as wired traffic
• which, by the way, is not that hard to eavesdrop
  on to begin with.
• So, instead, lets just add some neat encryption
  to 802.11 a/b/g.

5
Ideas, Good and Bad

• WEP is based on RC4
• RC4 is a stream cipher
• We use an initialization vector (IV)

6
In the Beginning, there was the Plan (for WEP-PSK)

• Alice and Bob share a private shared key (PSK)
  K, and Alice wants to send Bob the message m.
• Alice calculates m1, the message m followed by
  its CRC.
• Alice takes an IV v and uses the stream RC4(v,K)
  to generate a session key k of the same length as
  m1.

7
In the Beginning, there was the Plan (for
WEP-PSK) cont.

• Alice sends Bob the ciphertext (v,k XOR m1).
• Alice picks a new IV for each packet.

8
RC4

• RC4 is old. (1987)
• There are known attacks, including a weak key
  being generated with probability 1 in 256
• RC4 is a stream cipher were probably much
  better off with a block cipher for this sort of
  application

9
Initialization Vectors

• The only requirement of the IV is that it be 24
  bits long.
• Some Wi-Fi cards start with an IV of 0x000000
  when theyre plugged in and just increment the IV
  with each packet sent.
• Its perfectly legal WEP to never change the IV
  at all!

10
More Initialization Vectors

• Even if the IVs are chosen randomly, the Birthday
  Paradox tells us that the chance of finding two
  packets with the same IV is 1 in 212.

11
THE 11TH COMMANDMENT

• Thou shalt not encrypt two plaintexts with the
  same key, lest Eve and her Evil Empire crack your
  code and make a fool of ye. (Shamir 1729)

12
Why?

• Suppose frinstance Alice used WEP with the
  same IV on two messages, m and n, and sent Bob
  (and thus Eve) the ciphertexts M and N.

13
Why? cont. 1

• Eve thanks to the fact that the IVs are
  included as plaintext along with the ciphertexts
  will detect this awful mistake, and note that M
  m XOR k and N n XOR k.
• Eve will then calculate M XOR N, and the two ks
  will cancel out this is just m XOR n.

14
Why? cont. 2

• If Eve was able to mount a known plaintext
  attack, she now has the other plaintext.
• Even if she wasnt, the plaintexts will be
  patterned enough that simple frequency analysis
  can get both.

15
The IV Dictionary Attack

• Eve thus sits and sniffs traffic, building a
  dictionary of ciphertexts, IVs, and keys (once
  she gets them).
• Every collision of IVs makes her job easier.
• She gets matches in virtually every other set of
  4096 packets.

16
Other issues

• If the AP requires WEP use, Eve can use the keys
  she finds to encrypt her own messages and thus
  inject traffic.
• The PSK is no defense even if its perfectly
  random and 4096 bits long, there will still only
  be 224 streams in use.

17
Defenses

• The problem is that there arent enough streams,
  right?
• So make some more!
• Only problem is, now its no longer WEP as far as
  the standard is concerned.

18
Easy Defense 1

• Instead of using a static PSK and only 224 IVs,
  make more of the key vary from packet to packet.
• This is basically how SSL does it. (There, the
  whole 128-bit key can be random.)

19
Easy Defense 2

• Get rid of RC4. (Use AES instead.)
• At least, no stream ciphers.
• Big benefit! No longer stuck using ECB mode
  feedback modes like CBCs are possible.

20
One Last Note

• Where is encryption (or security, for that
  matter) in the OSI stack?
• To use feedback modes, we need the guarantee of
  linearity which TCP promises.
• So why are we doing this down in the link layer?

21
The OSI Stack

• 802.11 a/b/g WEP, TCP, and IPSec
• Which layer(s) of the stack should we include
  confidentiality? integrity? linearity? Should
  these be restricted to certain layers?