What is WEP?

• WEP : Wired Equivalent Privacy
• Provided by the 802.11b specification
• Defines how a wireless network is secured
• Operates on the Media Access Control (MAC) layer
• Is flawed in the very way the encryption is implemented

WEP's "Security"

WEP implements two types of security:

• A secret key

  • A 5 or 13 characters long password
  • Shared by all users of the access point

• An encryption

  • Makes use of the secret key
  • ..to scramble each packet with a unique password
  • Key is a randomly generated number (Initialization Vector : IV) + secret key
  • Ensures that if a packet is cracked, not all packets can be read

WEP Flavours

• Original specification

  • 40-bit user-specified key
  • Combined with 24-bit IV gives 64 bits of "key"
• 104-bit key + IV = 128 bits

• Proprietary extensions to WEP

  • E.g dynamic key management
  • No guarantee of compatibility between different hardware (as non-standard)

Encrytion used in WEP

RC4 is the encryption algorithm used to cipher the data sent. It consists of :

• Key Scheduling Algorithm
• Pseudo Random Generation Algorithm

Key Scheduling Algorithm (KSA)

First part of the encryption process.

1. Assume N = 256//Determines how strong the encryption is.
2. K[] = Secrete Key array//Is unscrambled.


3. Initialization://Used to fill the empty State (S[]) array with values 0 to 255.
4. For i = 0 to N - 1
5.     S[i] = i


6. j = 0//Is used to hold a value during the scrambling process.
7. Scrambling://Starts the scrambling process that transforms S into a pseudo random array
8. For i = 0 to N - 1
9.     j = j + S[i] + K[i]//Merge the properties of the secret key with the state array (S[]) to create a pseudo random number
10.     Swap(S[i], S[j])

Pseudo Random Generation Algorithm (PRGA)

Outputs a streaming key based on the KSA's pseudo random state array. This streaming key is then merged with the plaintext data to create a stream of data that is encrypted.

1. Initialization
2. i = 0
3. j = 0


4. Generation Loop: //Starts the stream-generation process : will continue until there is no more data
5.     i = i + 1
6.     j = j + S[i]
7.     Swap(S[i], S[j])
8.     Output z = S[S[i] + S[j]]//
9.     Output XORed with data//

XOR

A	B	A XOR B
0	0	0
0	1	1
1	0	1
1	1	0

Encryption process overview

Decryption process overview

WEP Cracked : First Steps

Recap :

• The IV is sent as plaintext with the encrypted packet
• Both the KSA and PRGA leak information during the first few iterations of their algorithm
• XOR is a simple process that can be easily used to deduce any unknown value if the other two values are known

Furthermore :

• There is a 5% probability that the values held in S[0] to S[3] will NOT change after the first three iterations of the KSA
• The first value of the encrypted data is always the SNAP header : "AA" in hex or "170" in decimal form
• In the WEP encryption process, it has been determined that a certain format of an IV indicates that it is a weak IV and subject to cracking. It is (B + 3, 255, x)

WEP Cracked : Down and dirty through KSA

The captured weak IV is 3, 255, 7. The pre-shared password is 22222.

• Initial state

  The key array:  K[0]=3   K[1]=255   K[2]=7   K[3]=?   K[4]=?   K[5]=?   K[6]=?   K[7]=?

• KSA loop 1

  • i=0 j=0 S[0]=0 S[1]=1 S[2]=2 S[3]=3
  • j=j + S[i] + K[i mod l] = 0 + S[0] + K[0] = 0 + 0 + 3 = 3 : j = 3
  • Swap (S[i], S[j]) = Swap (S[0] , S[3]) : finally S[0] = 3 , S[3] = 0

• KSA loop 2 (nothing new)

  • i=1 j=3 S[0]=3 S[1]=1 S[2]=2 S[3]=0
  • j=j + S[i] + K[i mod l] = 3 + S[1] + K[1 mod 8] = 3 + 1 + 255 = 259 mod 256 = 3 j = 3
  • Swap(S[i], S[j]) = Swap (S[1] , S[3]) : finally S[1]=0 , S[3]=1

• KSA loop 3 (still nothing new)

  • i=2 j=3 S[0]=3 S[1]=0 S[2]=2 S[3]=1
  • j=j + S[i] + K[i mod l] = 3 + S[2] + K[2] = 3 + 2 + 7 = 12 j = 12
  • Swap(S[i], S[j]) = Swap (S[2] , S[12]) : finally S[2]=12 , S[12]=2

• KSA loop 4 (things get complicated)

  • i=3 j=12 S[0]=3 S[1]=0 S[2]=12 S[3]=1 S[12]=2
  • j=j + S[i] + K[i mod l] = 12 + S[3] + K[3] = 12 + 1 + ? = ? j = ??

  We can deduce the first byte of the PRGA if we XOR the first byte of the encrypted data with the first byte of plaintext. We know in advance that it will be the SNAP header (170 in decimal).

  In the example, the captured encrypted byte value is 165 in decimal.

• z = 0xAA(SNAP) XOR Ciphertext byte1 = 170 (Dec) XOR 165 (Dec) = 15 : z = 15
• [IN PRGA] Swap (S[i], S[j]) = Swap (S[1] , S[0]) finally S[1]=3 , S[0]=0
• [IN PRGA] z = S[S[i] + S[j]] = S[S[1] + S[0]] = S[3 + 0] = S[3] = ?
• S[3]=15 , S[15]=S[3]t-1 : S[3]=15 , S[15]=1
• j=j + S[i] + K[i mod 256] = 12 + S[3] + K[3] = 12 + 1 + K[3] = 15
• K[3] = 15 - 12 - 1 = 2

• We found the first character of the secret key.

Accelerating the cracking

• Previous exploit requires an order of millions of messages
• Some bruteforce might increase the process
• Must increase traffic : send packets
• BUT packets with wrong key are dropped
• Solution : exploit another WEP weakness, packet replaying
• WEP doesn't implement any timestamp or message authentification code
• Packet injection (must be a broadcast packet)

Tools commonly used to crack WEP

These are dedicated to cracking WEP keys:

• WEPCrack
• AirSnort
• Aircrack

But you might also need:

• Airodump - for grabbing IVs
• Airdecap - for decoding captured packets
• Airreplay - to inject packets to attack APs
• Kismet - for network sniffing, can grab IVs as well.

WEP killer : Klein's attack

• Analysis of RC4 stream cipher showing more correlations between RC4 keystream and key
• Was used in aircrack-ptw : cracks 104-bit RC4 used in 128-bit WEP in under a minute
• Breaks 104-bit keys in 40K frames with 50% probability, or in 85K frames with 95% probability

Why keep using WEP?

• Better than nothing
• Discourages casual "wardrivers"
• ...but will not stop a determined hacker
• So, if you must secure your network, whenever possible switch to WPA (Wi-Fi Protected Access)

Conclusion

• Wired Equivalent Privacy
• Not intended to be any more secure than Ethernet (which has no encryption)