Wired Equivalent Privacy -WEP

Nada Ibiary, Nesreen Bakr,Farah Thakeb May 10, 2013

Introduction

Wired equivalent privacy (WEP) is a security protocol for wireless local area networks.It was dened in 802.11b Ethernet standard,and developed to introduce the same level of secrecy of wired LAN in the wireless world,by encrypting the data transmitted over the radio waves.When it comes to security both wireless and wired systems are faced with the same problems which is the need of authentication ,privacy and attacks resistance. Furthermore, compared with wired systems, wireless systems are more vulnerable having limited physical security to prevent unauthorised access, which makes securing the communication a bit of a challenge. WEP works over the physical and the data link layer of the OSI model,thus it doesnt provide end to end security ,It represents one element of the networks security strategy model,without employing WEP hackers can easily obtain data sent over the network as data is sent in clear text.Although its been widley used,several aws were detected in the WEP algorithm.In 2004 IEEE announced that WEP failed to meet its security goals , So improvments were made in WPA and WPA-2later on to overcome WEPs vulnerabilities .

The Algorithm

WEP covers authentication and data privacy,In authentication a challenge text is sent in order to avoid unauthorised access.to reach privacy data is encrypted to prevent eavesdropping.

2.1

Encryption and Decryption

The encryption in WEP takes place depending on the RC4 algorithm. The initialization vector (IV) and the secret key entered by the user are concatenated. The concatenated binary stream is the input of the RC4 algorithm. RC4 is symmetric stream cipher widely used to generate a pseudo random stream of bits using the key entered by user. It consists of two stages, the Key Scheduling Algorithm (KSA) and the Pseudo Random Generation Algorithm (PRGA). First, a 256 bytes array called S is initialized and we run the KSA algorithm on it. The KSA is used to turn the key entered by user into an initial permutation of S. S is mixed with bytes of key entered by user and permuted 256 times. Second, using the output of the KSA two counters i and j are initialized, swap the values of S[i] and Zd values of S[i] & S[j]. The output key is then S[j] and the key would be in the position of their xorA xorAZd with the plain text message that we need to encrypt. Finally, the encrypted binary stream is concatenated with the IV and sent. Decryption in WEP is very similar to the encryption procedures

Figure 1: [Fig 1 Encryption and decryption Block diagram

because of the xor operation. The IV is extracted from the frame received and concatenated with the secret key, the binary concatenated stream of bits is then entered as an input to the RC4 algorithm Zd with received encrypted text resulting into the encrypted key. The encrypted key is then xorA resulting into the plain text. 2.1.1 Pseudo code of RC4

KSA Stage for i from 0 to 255 S[i] := i endfor j := 0 for i from 0 to 255 j := (j + S[i] + key[i mod keylength]) mod 256 swap values of S[i] and S[j] endfor PRSA Stage i := 0 j := 0 while GeneratingOutput: i := (i + 1) mod 256 j := (j + S[i]) mod 256 swap values of S[i] and S[j] K := S[(S[i] + S[j]) mod 256] output K endwhile In the gure below the PRSA stage 2.1.2 WEP algorithm simulator

We use a simple simulator to show how WEP works. The simulator is capable of generating the initialization vector (IV) randomly or the user can enter it. It uses IV of 24 bits in binary. These 24 bits are then concatenated with a 40 bit key that we enter. The simulator allows for maximum of 5 characters key entered by user. Both the IV and the WEP key are then concatenated and encrypted using the RC4 Zd with the RC4 algorithm. The message that is meant to be sent is converted to binary too and XORA key. The frame sent contains the result of the XOR (Encrypted payload), the initialization vector and the MAC source and destination. The MAC addresses are only used to check whether the frame received

Figure 2: [Fig2] 2PRSA

is sent for this device or not. In decryption, the IV in the frame is retrieved and the user is asked to enter the key where both of them will be concatenated in the same manner as in the encryption. The Zd with the concatenated stream will then be used to evaluate the RC4 key. The RC4 key will be XORA received encrypted payload found in the frame, and will give us back the plain text message that was sent in the rst place.

2.2

Authentication

Authentication in the wep is acheived by knowing of the pre-shared secret key ,that is in some case transmitted through a secure channel between the communicating devices , or sometimes congured manually on the devices , authentcation is described as follows; the station send a request to the Access point to be authenticated , the access point sends back a challenge text for the station to encrypt using its key,when receiving the encrypted text the access point decrypt it using its key, if the decrypted text is the same then the station is an authorised user,and an acknowldgment is sent to the station for successful authentication.

Figure 3: [Fig3] Authentication in WEP

Flaws

As mentioned though WEP is widley used , its security features can easily be defeated by numerous attacks some of these attacks are represented in this section.

3.1

Key sequence reuse

Problems with using RC4 in WEP As previously mentioned the Initialization Vector IV is 24 bits, making it possible to have 224 different IV combination that might be reused if all the combinations are consumed resulting in a repeated keystream. In order to have unique keystreams, the secret share key must be changed which is very difcult to accomplish. Keystream Attack When two different plaintext are encrypted with the same keystream and one of the plaintext is known, it is possible to derive the second plaintext. EX: 1. C1 = P1 xor K 2. C2 = P2 xor K 3. C1 xor C2 = P1 xor P2 4. P2 = C1 xor C2 xor P1

3.2

Key Management

-802.11 does not specify how the secret key is distributed among the stations in a network. This task is left to an external system to accomplish it. -It is nearly impossible to change a key, as it will require that all stations to update their secret keys as well. -Leaving the secret key as it is will increase the probability of using the same IV and accordingly the same key sequence will be used that subject the system to more attacks.

3.3
IV1 IV2 ... IV224

Decryption Dictionary
Keysequence 1 Keysequence 2 .................... Keysequence 224

When the plain text is known, it is easy to derive the key sequence, which in turn can decrypt any encrypted message with the same IV.A decryption table can be built to map the IV with its corresponding sequence key. Ex: if the intruder knows the IV used in encryption, the key sequence can be mapped using the Decryption Dictionary and the plaintext can be obtained: P1 = C1 xor Keysequence1

3.4

Message Injection

An intruder may inject a number of encrypted text into the system,this is due to the keysquence attacks and the possibility of using the same IV for an unlimited number. 4

Ex: P xor C = RC4 (IV, K) This RC4(IV,4) can be used to forge new cipher text into the system, the AP will not be able to differentiate whether the source is an authenticated station or not without knowing the secret key.

3.5

Authentication Spoong

In order for a station to be authenticated by an AP, the station should encrypt the challenge text sent by the AP using WEP. The authentication is successful when the decryption of the response matches the challenge sent at the AP. During this process, an intruder could learn both the challenge sent by the AP and its encrypted version sent by the station, and would derive the keystream and use it as a response for a new challenge (Message Injection).

3.6

webLap

WebLap tries to break the WEP keys using different attacks: -Brute Force: use an exhaustive search for nding the WEP key. Also WebLap can limit the search by restricting the it into a sub set that can be customized. -Dictionary: use words or phrases and try them out in plain keys or MD5 form. WebLap takes advantage of implementing John the Ripper in producing the words used. -Statistical attacks: Trying all IV to test whether they are weak or not, and attacking the rst and second Zs attacks that can crack 64 bit key from 100000 packet and 128 bit byte. Lately, Weblap uses KorekA from 300000.

References
1. Yang Xiao,Chaitanya Bandela,Xiaojiang (James) Du,Yi Pan,Edilbert Kamal Dass Security mechanisms, attacks and security enhancements for the IEEE 802.11 WLANs , 2006. 2. Nikita Borisov, Ian Goldberg, and David WagnerSecurity of the WEP algorithm .