Wired Equivalent Privacy (WEP)

1
Wired Equivalent Privacy (WEP)

• Chris Overcash

2
Contents

• What is WEP?
• How is it implemented?
• Why is it insecure?
• Conclusion

3
What is WEP?

• WEP is defined in the IEEE 802.11 standard as a
  wired LAN equivalent data confidentiality
  algorithm. Wired equivalent privacy is defined as
  protecting authorized users of a wireless LAN
  from casual eavesdropping. This service is
  intended to provide functionality for the
  wireless LAN equivalent to that provided by the
  physical security attributes inherent to a wired
  medium.
• IEEE Std 802.11-1997 page 62

4
How is it implemented?

• The WEP algorithm is a form of electronic code
  book in which a block of plaintext is bitwise
  XORed with a pseudorandom key sequence of equal
  length. The key sequence is generated by the WEP
  algorithm. Encipherment begins with a secret key
  that has been distributed to cooperating STAs by
  an external key management service. WEP is a
  symmetric algorithm in which the same key is used
  for encipherment and decipherment.
• WEP uses the RC4 PRNG algorithm from RSA Data
  Security, Inc.

5
How is it implemented?
The secret key is combined with an initialization
vector (IV) and the resulting seed is input to a
pseudorandom number generator (PRNG). The PRNG
outputs a pseudorandom key sequence k equal in
length to the data that is to be transmitted.
6
How is it implemented?
To protect against unauthorized data
modification, an integrity algorithm operates on
P to produce an ICV. Encipherment is then
accomplished by mathematically combining, or
XOR-ing, the key sequence with the plaintext
combined with the ICV. The output of the process
is a message containing the IV and ciphertext.
7
How is it implemented?

• The WEP PRNG is the critical component of this
  process, since it transforms a relatively short
  secret key into an arbitrarily long key sequence.
  This greatly simplifies the task of key
  distribution, as only the secret key needs to be
  communicated between stations. The IV extends the
  useful lifetime of the secret key and provides
  the self-synchronous property of the algorithm.
  The IV is transmitted in the clear since it does
  not provide an attacker with any information
  about the secret key, and since its value must be
  known by the recipient in order to perform the
  decryption.

8
How is it implemented?
The IV of the incoming message shall be used to
generate the key sequence necessary to decipher
the incoming message. Combining the ciphertext
with the proper key sequence yields the original
plaintext and ICV. Correct decipherment shall be
verified by performing the integrity check
algorithm on the recovered plaintext and
comparing the output ICV to the ICV transmitted
with the message.
9
Why is it insecure?

• Stream Cipher
• WEP uses RC4 encryption algorithm, which is a
  stream cipher. It operates by expanding a short
  key into an infinite pseudo-random key stream.
  The sender XORs the key stream with the plaintext
  to produce ciphertext. The receiver has a copy of
  the same key, and uses it to generate identical
  key stream. XORing the key stream with the
  ciphertext yields the original plaintext.

10
Why is it insecure?

• Stream Cipher
• This makes it vulnerable to several attacks. If
  an attacker flips a bit in the ciphertext, then
  upon decryption, the corresponding bit in the
  plaintext will be flipped. Also, if an
  eavesdropper intercepts two ciphertexts encrypted
  with the same key stream, it is possible to
  obtain the XOR of the two plaintexts. Knowledge
  of this XOR can enable statistical attacks to
  recover the plaintexts. The statistical attacks
  become increasingly practical as more ciphertexts
  that use the same key stream are known. Once one
  of the plaintexts becomes known, it is trivial to
  recover all of the others.

11
Why is it insecure?

• Integrity Check
• The integrity check field is a CRC-32 checksum,
  which is part of the encrypted payload of the
  packet. However, CRC-32 is linear, which means
  that it is possible to compute the bit difference
  of two CRCs based on the bit difference of the
  messages over which they are taken. In other
  words, flipping bit n in the message results in a
  deterministic set of bits in the CRC that must be
  flipped to produce a correct checksum on the
  modified message. Because flipping bits carries
  through after an RC4 decryption, this allows the
  attacker to flip arbitrary bits in an encrypted
  message and correctly adjust the checksum so that
  the resulting message appears valid.

12
Why is it insecure?

• IV reuse
• The initialization vector in WEP is a 24-bit
  field, which is sent in the cleartext part of a
  message. Such a small space of initialization
  vectors guarantees the reuse of the same key
  stream. A busy access point, which constantly
  sends 1500 byte packets at 11Mbps, will exhaust
  the space of IVs after 15008/(11106)224
  18000 seconds, or 5 hours. (The amount of time
  may be even smaller, since many packets are
  smaller than 1500 bytes.)

13
Why is it insecure?

• IV reuse
• This allows an attacker to collect two
  ciphertexts that are encrypted with the same key
  stream and perform statistical attacks to recover
  the plaintext. Worse, when the same key is used
  by all mobile stations, there are even more
  chances of IV collision. For example, a common
  wireless card from Lucent resets the IV to 0 each
  time a card is initialized, and increments the IV
  by 1 with each packet. This means that two cards
  inserted at roughly the same time will provide an
  abundance of IV collisions for an attacker.
  (Worse still, the 802.11 standard specifies that
  changing the IV with each packet is optional!)

14
Conclusion

• WEP is not capable of keeping a wireless network
  secure.
• Other methods of encryption should be used.
• Examples VPNs, end-to-end encryption