Title: Wired Equivalent Privacy (WEP)
1Wired Equivalent Privacy (WEP)
2Contents
- What is WEP?
- How is it implemented?
- Why is it insecure?
- Conclusion
3What is WEP?
- WEP is defined in the IEEE 802.11 standard as a
wired LAN equivalent data confidentiality
algorithm. Wired equivalent privacy is defined as
protecting authorized users of a wireless LAN
from casual eavesdropping. This service is
intended to provide functionality for the
wireless LAN equivalent to that provided by the
physical security attributes inherent to a wired
medium. - IEEE Std 802.11-1997 page 62
4How is it implemented?
- The WEP algorithm is a form of electronic code
book in which a block of plaintext is bitwise
XORed with a pseudorandom key sequence of equal
length. The key sequence is generated by the WEP
algorithm. Encipherment begins with a secret key
that has been distributed to cooperating STAs by
an external key management service. WEP is a
symmetric algorithm in which the same key is used
for encipherment and decipherment. - WEP uses the RC4 PRNG algorithm from RSA Data
Security, Inc.
5How is it implemented?
The secret key is combined with an initialization
vector (IV) and the resulting seed is input to a
pseudorandom number generator (PRNG). The PRNG
outputs a pseudorandom key sequence k equal in
length to the data that is to be transmitted.
6How is it implemented?
To protect against unauthorized data
modification, an integrity algorithm operates on
P to produce an ICV. Encipherment is then
accomplished by mathematically combining, or
XOR-ing, the key sequence with the plaintext
combined with the ICV. The output of the process
is a message containing the IV and ciphertext.
7How is it implemented?
- The WEP PRNG is the critical component of this
process, since it transforms a relatively short
secret key into an arbitrarily long key sequence.
This greatly simplifies the task of key
distribution, as only the secret key needs to be
communicated between stations. The IV extends the
useful lifetime of the secret key and provides
the self-synchronous property of the algorithm.
The IV is transmitted in the clear since it does
not provide an attacker with any information
about the secret key, and since its value must be
known by the recipient in order to perform the
decryption.
8How is it implemented?
The IV of the incoming message shall be used to
generate the key sequence necessary to decipher
the incoming message. Combining the ciphertext
with the proper key sequence yields the original
plaintext and ICV. Correct decipherment shall be
verified by performing the integrity check
algorithm on the recovered plaintext and
comparing the output ICV to the ICV transmitted
with the message.
9Why is it insecure?
- Stream Cipher
- WEP uses RC4 encryption algorithm, which is a
stream cipher. It operates by expanding a short
key into an infinite pseudo-random key stream.
The sender XORs the key stream with the plaintext
to produce ciphertext. The receiver has a copy of
the same key, and uses it to generate identical
key stream. XORing the key stream with the
ciphertext yields the original plaintext.
10Why is it insecure?
- Stream Cipher
- This makes it vulnerable to several attacks. If
an attacker flips a bit in the ciphertext, then
upon decryption, the corresponding bit in the
plaintext will be flipped. Also, if an
eavesdropper intercepts two ciphertexts encrypted
with the same key stream, it is possible to
obtain the XOR of the two plaintexts. Knowledge
of this XOR can enable statistical attacks to
recover the plaintexts. The statistical attacks
become increasingly practical as more ciphertexts
that use the same key stream are known. Once one
of the plaintexts becomes known, it is trivial to
recover all of the others.
11Why is it insecure?
- Integrity Check
- The integrity check field is a CRC-32 checksum,
which is part of the encrypted payload of the
packet. However, CRC-32 is linear, which means
that it is possible to compute the bit difference
of two CRCs based on the bit difference of the
messages over which they are taken. In other
words, flipping bit n in the message results in a
deterministic set of bits in the CRC that must be
flipped to produce a correct checksum on the
modified message. Because flipping bits carries
through after an RC4 decryption, this allows the
attacker to flip arbitrary bits in an encrypted
message and correctly adjust the checksum so that
the resulting message appears valid.
12Why is it insecure?
- IV reuse
- The initialization vector in WEP is a 24-bit
field, which is sent in the cleartext part of a
message. Such a small space of initialization
vectors guarantees the reuse of the same key
stream. A busy access point, which constantly
sends 1500 byte packets at 11Mbps, will exhaust
the space of IVs after 15008/(11106)224
18000 seconds, or 5 hours. (The amount of time
may be even smaller, since many packets are
smaller than 1500 bytes.)
13Why is it insecure?
- IV reuse
- This allows an attacker to collect two
ciphertexts that are encrypted with the same key
stream and perform statistical attacks to recover
the plaintext. Worse, when the same key is used
by all mobile stations, there are even more
chances of IV collision. For example, a common
wireless card from Lucent resets the IV to 0 each
time a card is initialized, and increments the IV
by 1 with each packet. This means that two cards
inserted at roughly the same time will provide an
abundance of IV collisions for an attacker.
(Worse still, the 802.11 standard specifies that
changing the IV with each packet is optional!)
14Conclusion
- WEP is not capable of keeping a wireless network
secure. - Other methods of encryption should be used.
- Examples VPNs, end-to-end encryption