
MOBILE AD HOC NETWORKS SECURITY AND KEY MANAGEMENT

2.4 Wireless Protocols

2.5.2 Standards Based Security Solutions

2.5.2.1 Wired Equivalent Privacy (WEP)

When the IEEE was developing the 802.11 ‘a’ and ‘b’ standards, it was decided that a security protocol should be developed and written into the standard. The security protocol is called Wired Equivalent Privacy (WEP) and is so called to describe the fact that it is designed to provide the same level of security for a wireless network as that of a wired network. It uses a well known and accepted symmetric stream cipher called RSA. A symmetric stream cipher means that encryption of the data is done at the transmitting end with the same key as that used to decrypt the data at the receiving end. This has advantages for networks where guests may wish to join the network as a one-off situation, in that the pre-shared key (PSK) can be entered into the guest computer

network side. As ease of use for both users and network administrators was identified as an important factor in wireless network adoption, this seemed like an ideal encryption scheme.

One problem identified with the IEEE 802.11 standards is that they do not specify how key management should be done. Consequently, different vendors implement it in different ways. If WEP is used on a wireless network, the sending and receiving stations use the same pre-shared secret key to encrypt data. This key is specified in the standard as 40 bits in length, with an additional 24 bits used as an Initialisation Vector (IV). Longer keys are optional, and many vendors allow the use of 104 bit keys, plus the 24 bit IV making a total key length of 128 bits. One flaw in the way the IV is used is that it is contained in the header of the packet, and only the data portion of the packet is sent encrypted. This means that anybody with a packet sniffer can read the unencrypted header of the packets and see the IV being used for that packet. Additionally, the way the IV is incremented is also vendor specific. Most wireless cards will set the IV to zero when they are initialised, and increment the IV by one for each packet. Some cards, however, switch between two different IVs with every packet sent, and some use random IVs.

A wireless network can be configured to use WEP or not as the administrator chooses. If WEP is chosen, then a secret key k is chosen, and shared between the Access Point (AP) and the client station (STA). To compute the encrypted WEP frame, the plaintext frame data M is first concatenated with its non-cryptographic checksum c(M), to produce M.c(M) where ‘.’ denotes concatenation. Then, a per-packet IV is prepended to

using this packet key, and the output bytes of the cipher are XORed with the check summed plaintext to generate the ciphertext.

C = (M.c(M)) XOR RC4(IV.k)

The actual WEP data is the per-packet IV prepended to this ciphertext, C. Figure 2.8 shows the WEP data unit.

802.11 Header, 4 bytes | IV field, 4 bytes | Data (MPDU), >= 1 byte | ICV, 4 bytes
IV field: IV, 3 bytes | KeyID, 1 byte

Figure 2.8: WEP data unit.

In 2001, a paper was published describing a theoretical attack on a WEP key (Fluhrer, Mantin and Shamir 2001), which identified ‘weak’ keys that were produced during the encryption process. These ‘weak’ keys could lead to the discovery of the WEP key if enough data could be captured that used the same key to encrypt it. The following year a successful attack on WEP encipherment was described (Stubblefield, Ioannidis and Rubin 2002). Figure 2.9 shows how the WEP encipherment works and how the IV forms part of the key.

Figure 2.9: WEP encipherment (Vibhuti 2005).

The IV has a length of 24 bits, and is concatenated to the secret key (40 or 104 bits). This results in the seed for the WEP Pseudo Random Number Generator (PRNG) of 64 bits. The WEP PRNG is based on the RC4 algorithm. The output of the WEP PRNG is a key sequence of the same length as the text to be encrypted, given by the length of the plaintext and an Integrity Check Value (ICV) corresponding to a Cyclic Redundancy Check (CRC-32) of the plaintext. The key sequence and the plaintext are then Exclusive-Ored (XOR), and the resulting encrypted text is sent over the air, concatenated with the IV which is sent in the clear.

The IEEE 802.11 standard defines two different authentication schemes, Open System Authentication and Pre-shared Key Authentication. The Open System Authentication method is actually a NULL authentication, in that anyone wishing to join the network can do so. The Pre-Shared Key Authentication is a challenge-response type authentication scheme. Station A sends an authentication request and its station identifier to station B. B replies with an authentication message containing a random challenge of 128 bits. Station A encrypts the message and sends it in encrypted form back to B. Station B, who has encrypted a copy of the message and is waiting for A’s response, checks that the response from A matches the message that B encrypted. As the same key is used for encryption and decryption by the two communicating stations, if the messages match, then B must have the correct key. If so, B is then authenticated and permitted access to the network. Figure 2.10 shows station A requesting to communicate with station B.
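The following is an added example, not part of the original text, that carries out the encapsulation C = (M.c(M)) XOR RC4(IV.k) and the challenge-response check described above. The key, the IV values and all function names are constructed for illustration, and placing the KeyID in the top two bits of the fourth IV-field byte follows IEEE 802.11 rather than this page.

```python
import hmac
import os
import struct
import zlib

KEY = bytes.fromhex("0102030405")   # constructed 40-bit key k, not a real one

def rc4(seed, n):
    """Return n bytes of RC4 keystream for seed (key schedule, then output loop)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encapsulate(k, iv, key_id, m):
    """Return IV (3 bytes) | KeyID byte | C, where C = (M.c(M)) XOR RC4(IV.k)."""
    plain = m + struct.pack("<I", zlib.crc32(m))      # M.c(M), c = CRC-32
    ks = rc4(iv + k, len(plain))                      # RC4(IV.k)
    c = bytes(p ^ x for p, x in zip(plain, ks))
    return iv + bytes([key_id << 6]) + c              # KeyID sits in the top 2 bits

def wep_decapsulate(k, body):
    """Recover M; raise ValueError when the decrypted ICV does not match CRC-32(M)."""
    iv, c = body[:3], body[4:]                        # IV is read in the clear
    plain = bytes(x ^ y for x, y in zip(c, rc4(iv + k, len(c))))
    m, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(m)) != icv:
        raise ValueError("ICV mismatch")
    return m

def shared_key_auth(k_a, k_b, iv=b"\x00\x00\x01"):
    """B sends a random challenge, A returns it WEP-encrypted, B checks the reply."""
    challenge = os.urandom(16)                        # 128 bits, as the text states
    response = wep_encapsulate(k_a, iv, 0, challenge) # computed by station A
    expected = wep_encapsulate(k_b, response[:3], 0, challenge)  # B's own copy
    return hmac.compare_digest(expected, response)
```

The first four bytes of the value returned by `wep_encapsulate` are the cleartext IV field from Figure 2.8; everything after them, including the ICV, is encrypted.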

The standard defines the use of up to four different pre-shared keys, shared by all the stations within a BSS. To allow for stations to move between different access points easily, many implementations use the same WEP key on all access points. This bad practice means that if the WEP key is compromised, the attacker has access to all stations and access points. The standard does consider the possibility of having per-user WEP keys, or better still per-MAC address WEP keys. However, only a very limited number of vendors have implemented this in their products, partly because of the management difficulties in administering this type of key distribution.

[Figure 2.10: messages between Station A and Station B, in order: Authentication Request, Challenge, Response, Result.]