Wired Equivalent Privacy (WEP) - PowerPoint PPT Presentation

1 / 14
About This Presentation
Title:

Wired Equivalent Privacy (WEP)

Description:

In other words, flipping bit n in the message results in a deterministic set of ... Because flipping bits carries through after an RC4 decryption, this allows the ... – PowerPoint PPT presentation

Number of Views:821
Avg rating:3.0/5.0
Slides: 15
Provided by: chrisov
Category:

less

Transcript and Presenter's Notes

Title: Wired Equivalent Privacy (WEP)


1
Wired Equivalent Privacy (WEP)
  • Chris Overcash

2
Contents
  • What is WEP?
  • How is it implemented?
  • Why is it insecure?
  • Conclusion

3
What is WEP?
  • WEP is defined in the IEEE 802.11 standard as a
    wired LAN equivalent data confidentiality
    algorithm. Wired equivalent privacy is defined as
    protecting authorized users of a wireless LAN
    from casual eavesdropping. This service is
    intended to provide functionality for the
    wireless LAN equivalent to that provided by the
    physical security attributes inherent to a wired
    medium.
  • IEEE Std 802.11-1997 page 62

4
How is it implemented?
  • The WEP algorithm is a form of electronic code
    book in which a block of plaintext is bitwise
    XORed with a pseudorandom key sequence of equal
    length. The key sequence is generated by the WEP
    algorithm. Encipherment begins with a secret key
    that has been distributed to cooperating STAs by
    an external key management service. WEP is a
    symmetric algorithm in which the same key is used
    for encipherment and decipherment.
  • WEP uses the RC4 PRNG algorithm from RSA Data
    Security, Inc.

5
How is it implemented?
The secret key is combined with an initialization
vector (IV) and the resulting seed is input to a
pseudorandom number generator (PRNG). The PRNG
outputs a pseudorandom key sequence k equal in
length to the data that is to be transmitted.
6
How is it implemented?
To protect against unauthorized data
modification, an integrity algorithm operates on
P to produce an ICV. Encipherment is then
accomplished by mathematically combining, or
XOR-ing, the key sequence with the plaintext
combined with the ICV. The output of the process
is a message containing the IV and ciphertext.
7
How is it implemented?
  • The WEP PRNG is the critical component of this
    process, since it transforms a relatively short
    secret key into an arbitrarily long key sequence.
    This greatly simplifies the task of key
    distribution, as only the secret key needs to be
    communicated between stations. The IV extends the
    useful lifetime of the secret key and provides
    the self-synchronous property of the algorithm.
    The IV is transmitted in the clear since it does
    not provide an attacker with any information
    about the secret key, and since its value must be
    known by the recipient in order to perform the
    decryption.

8
How is it implemented?
The IV of the incoming message shall be used to
generate the key sequence necessary to decipher
the incoming message. Combining the ciphertext
with the proper key sequence yields the original
plaintext and ICV. Correct decipherment shall be
verified by performing the integrity check
algorithm on the recovered plaintext and
comparing the output ICV to the ICV transmitted
with the message.
9
Why is it insecure?
  • Stream Cipher
  • WEP uses RC4 encryption algorithm, which is a
    stream cipher. It operates by expanding a short
    key into an infinite pseudo-random key stream.
    The sender XORs the key stream with the plaintext
    to produce ciphertext. The receiver has a copy of
    the same key, and uses it to generate identical
    key stream. XORing the key stream with the
    ciphertext yields the original plaintext.

10
Why is it insecure?
  • Stream Cipher
  • This makes it vulnerable to several attacks. If
    an attacker flips a bit in the ciphertext, then
    upon decryption, the corresponding bit in the
    plaintext will be flipped. Also, if an
    eavesdropper intercepts two ciphertexts encrypted
    with the same key stream, it is possible to
    obtain the XOR of the two plaintexts. Knowledge
    of this XOR can enable statistical attacks to
    recover the plaintexts. The statistical attacks
    become increasingly practical as more ciphertexts
    that use the same key stream are known. Once one
    of the plaintexts becomes known, it is trivial to
    recover all of the others.

11
Why is it insecure?
  • Integrity Check
  • The integrity check field is a CRC-32 checksum,
    which is part of the encrypted payload of the
    packet. However, CRC-32 is linear, which means
    that it is possible to compute the bit difference
    of two CRCs based on the bit difference of the
    messages over which they are taken. In other
    words, flipping bit n in the message results in a
    deterministic set of bits in the CRC that must be
    flipped to produce a correct checksum on the
    modified message. Because flipping bits carries
    through after an RC4 decryption, this allows the
    attacker to flip arbitrary bits in an encrypted
    message and correctly adjust the checksum so that
    the resulting message appears valid.

12
Why is it insecure?
  • IV reuse
  • The initialization vector in WEP is a 24-bit
    field, which is sent in the cleartext part of a
    message. Such a small space of initialization
    vectors guarantees the reuse of the same key
    stream. A busy access point, which constantly
    sends 1500 byte packets at 11Mbps, will exhaust
    the space of IVs after 15008/(11106)224
    18000 seconds, or 5 hours. (The amount of time
    may be even smaller, since many packets are
    smaller than 1500 bytes.)

13
Why is it insecure?
  • IV reuse
  • This allows an attacker to collect two
    ciphertexts that are encrypted with the same key
    stream and perform statistical attacks to recover
    the plaintext. Worse, when the same key is used
    by all mobile stations, there are even more
    chances of IV collision. For example, a common
    wireless card from Lucent resets the IV to 0 each
    time a card is initialized, and increments the IV
    by 1 with each packet. This means that two cards
    inserted at roughly the same time will provide an
    abundance of IV collisions for an attacker.
    (Worse still, the 802.11 standard specifies that
    changing the IV with each packet is optional!)

14
Conclusion
  • WEP is not capable of keeping a wireless network
    secure.
  • Other methods of encryption should be used.
  • Examples VPNs, end-to-end encryption
Write a Comment
User Comments (0)
About PowerShow.com