The current 802



ANALYSIS OF WIRED EQUIVALENT PRIVACY

Xunyan Yang

San Jose State University

CS265, Spring 2003

ABSTRACT

This paper presents an overview of the Wired Equivalent Privacy (WEP) protocol. An analysis is given to a number of flaws in the WEP algorithm.

1. INTRODUCTION

The current IEEE 802.11 standard defines two security protocols: Shared Key authentication and WEP encryption. Shared Key authentication was designed to provide secure access control, and WEP encryption was designed to provide confidentiality. Due to the lack of security, the implementation of wireless networking is still limited to these companies where the security is not a critical issue. This situation is due in large part to the inadequacy of Shared Key and WEP. These two protocols have been shown to have significant cryptographic errors, which allow cryptographic attack on both the confidentiality and access control functions. In this paper we will focus on WEP protocol and analyze a number of flaws in the WEP algorithm. A couple of types of attacks against WEP are also discussed in this paper.

2. WORKING MECHANISM

As we know, wireless networking has its market half opened largely due to the availability of the 802.11 standard, which describes the communication that occurs in wireless local area networks (LANs). As the first wireless security standard, WEP was introduced several years ago and defined by 802.11 standard. WEP is a string cipher which uses the RC4 encryption algorithm. RC4 consists of a key scheduling algorithm and an output generator. In WEP, the key scheduling algorithm has two options, a 64-bit packet key (40-bit secret key plus 24-bit IV) or a 128-bit key (104-bit secret key plus 24-bit IV). With the packet key, a state array is set up and the output generator will use it to create a pseudorandom sequence, which is the key string. In WEP a secret key (a short key) is shared by an access point (e.g. a laptop with a wireless Ethernet card) and a mobile station (e.g. a base station). Like other stream ciphers, the secret key is used to expand into a specified-length pseudo-random key stream. Before transmitting a package, the sender basically needs to XOR the plaintext with the key stream to produce a ciphertext. Since WEP is a symmetric-key cryptal algorithm, the receiver can use the same private key to generate the same key stream and XOR this key stream with the ciphertext to recover the plaintext.

WEP has two main functions. One is to protect wireless communication from eavesdropper and the second is to ensure that a packet has not been modified in transit (information integrity). Apparently the mode described above won’t achieve these two functions; it makes ciphertexts vulnerable to attacks. Simply XORing the plaintext with the key string is impossible to ensure the integrity of the data and keep eavesdroppers out of the door. To damage the integrity, an attacker only needs to flip a bit in the ciphertext. To recover a plaintext, an eavesdropper can test their luck by intercepting ciphertexts. As long as he got two ciphertexts which the same key is used to encrypt, the eavesdropper can get the XOR of the two plaintexts. With this information, statistical attacks are allowed. The more ciphertexts, encrypted using the same key string, an eavesdropper can obtain, the more possibility he holds to recover plaintexts. Once the one plaintext is disclosed, it is easy to get the key string by XORing this plaintext with its ciphertext. Recovering all other plaintexts is as easy as XORing the ciphertext with the key string.

WEP has defenses against both of these attacks by using an Integrity Check (IC) field and an Initialization Vector (IV). The IC field, a 32-bit value, is a non-cryptographic checksum which is used to make sure that a packet has not been modified during the transit. To produce an encrypted packet, two extra steps are added into the mode that we have described in the previous section. In the first step, the code of plaintext is concatenated with checksum. In the second step, a package key, a binding of the secret key and an IV, is used to initialize the RC4 stream cipher, which in turn generates a key string. This key string has the same length of the plaintext plus a 32-bit integrity check value. An IV is a random-generated 24-bit value which is used to lengthen the life of the secret key. For each frame transmission, a different IV is applied by the sending station. Usually, the IV is sent in the cleartext part of a message.

3. ATTACKABLE ENTRIES

The IV and IC do help WEP prevent from some kind of attacks, but there are many underlined flaws in current WEP which make attacks practically possible. The first flaw results from the integrity check field which is implemented as a CRC-32 (32-bit Cyclic Redundancy Check) checksum. CRC-32 checksum algorithm itself is not cryptographically secure, but sometimes it is used as a component of cryptographic systems. The checksum is usually on the front of the message. When receiver gets a message, he pops the checksum from the front and then compares this checksum with the checksum which is computed from the rest of the message.

However, CRC-32 is a linear algorithm, so it is possible to compute the bit difference of two CRCs based on the bit difference of the messages which carry these CRCs. If we flip bit n in the message, we must flip a set of bits in the CRC to produce a corresponding checksum on the modified message. Because flipping bits carries through after an RC4 decryption, this allows the attacker to flip arbitrary bits in an encrypted message and correctly adjust the checksum so that the resulting message appears valid.

The second flaw of WEP is due to the IV. As we know the IV in WEP is a 24-bit field and appended to the cleartext part of a message. According to a statistic, a busy access point usually sends out a 1500-byte packet at the speed of 11Mbps. Based on this number, we can estimate that a 24-bit IV will be exhausted after about five hours. The calculating formula is 1500 * 8 / (11 * 10^6) / 60^2 * 2^24. If packets are smaller than 1500 bytes, less hours are needed. This means that the more possibility to get ciphertexts which are encrypted using the same key string. The reuse of the key string violates the rules of secure string encryption. This violation allows attackers perform statistical attacks based on the same-key-string ciphertexts. The situation gets worse if all mobile stations use the same secret key. Attackers have more chances to catch IV collisions. Usually, a common wireless card resets the IV to 0 each time a card is initialized, and increments the IV by 1 with each packet. This means that two cards inserted at roughly the same time will provide an abundance of IV collisions for an attacker. In the 802.11 standard, WEP is optional and changing the IV with each packet is also optional. We can imagine how worse the situation could be.

4. IMPROVEMENT IN WEP IMPLEMENTATION

In 2002, Wavelink Corp. came up with a new feature, called automatic WEP rotation, which helps fortify WEP’s effectiveness by providing a sophisticated key management technique. More Supplying access points with new keys after a regular time interval makes hackers do not have enough time to break the key encryption.

Automatic WEP rotation modifies WEP implementation to dramatically increase the security of wireless transmissions by providing a dynamic key rotation. Automatic WEP rotation carries on in several levels. First, it employs four secret keys rather than a single, static WEP key. These four keys are rotated at some time interval. Now it’s getting harder for a attacker because he must determine currently which key is in use. Second, automatic WEP rotation continually rotates old WEP keys out of the approved list of keys, replacing them with new ones. This means at each appropriate rotation interval, automatic WEP rotation not only changes the WEP key transmitted by a wireless device; it also changes one of the WEP keys in the WEP key list. This provides a complete protection to wireless transmissions. The last level of automatic WEP rotation security is ensured by only using unique keys. A specific algorithm is applied to generate new keys. The combination of constant automatic WEP rotation, continual key replacement, and unique key generation efficiently increase the security of WEP implementation.

5. CONCLUSION and RECOMMENDATION

According above analysis, we can make a conclusion that the 802.11 networks which implements WEP are insecure. People using such wireless networks cannot rely only on WEP for security. Other security measures should be employed. Followings are some recommendations for such wireless networks users.

• Assume that the link layer offers no security.

• Use higher-level security mechanisms such as IPsec [6] and SSH [11] for security, instead of relying on WEP.

• Treat all systems that are connected via 802.11 as external. Place all access points outside the firewall. Since in many case, the wireless network is connected directly to a corporate intranet, this gives the hackers direct access to the intranet, bypassing any internet boundary firewalls.

• Assume that anyone within physical range can communicate on the network as a valid user. The 802.11 signal can travel surprisingly large distances from the access point, often a thousand feet or more. Attackers may utilize a sophisticated antenna with much longer range.

• Always turn on WEP in your access point. WEP and Shared Key are optional and by default turned off in access points.  Failing to turn on these protocols will make attacks much easier. Hackers can use standard wireless cards and drivers to mount attacks. 

References

"Security of the WEP algorithm"

, "Automatic WEP rotation "

,"802.11: WEP concepts and vulnerability.html"

," gearing up for wireless security"

, "Using the Fluhrer, Mantin, and Shamir attack to break WEP"

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download