Wired Equivalent Privacy (WEP)
Luke Cole <cole@lc.homedns.org> http://cole.homedns.org 17th of April, 2003


Contents

1 Key length
  1.1 Explain clearly what a key length is?
  1.2 What standard key lengths are used in WEP?
2 WEP Packet sizes
  2.1 Explain how WEP affects the size of packets on the wireless network?
3 The Initialization Vector (IV)
  3.1 Explain what the Initialization Vector is?
  3.2 How does it make WEP weak?
4 Breaking WEP keys
  4.1 Name and describe the operation of at least one commonly available package for "breaking" WEP keys
5 Extensible Authentication Protocol
  5.1 Explain how some vendors are using vendor-specific extensions to mechanisms like Extensible Authentication Protocol (EAP) to regain some degree of privacy in their wireless network solutions
6 Reliability of a Wireless Network
  6.1 Explain why an 802.11 wireless network can never be relied upon like a wired network, regardless of which encryption technology it uses


1 Key length

1.1 Explain clearly what a key length is?

For a wireless network to be secure, the data being sent and received must be encrypted and decrypted. When describing the strength of encryption, the key length is the number of bits that make up the key used to encrypt or decrypt the data. The best way to think about it is like the key to your house: if the notches are not aligned correctly the door will not open, and in this case the data cannot be decrypted. Furthermore, the more notches the key has, the harder the lock is to pick. The same is true for encryption: the longer the key, that is, the more bits (notches) it has, the harder it is to break the code (pick the lock). So key length can be thought of as encryption strength.

1.2 What standard key lengths are used in WEP?

The encryption key is made up of a randomly generated 24-bit initialization vector (IV) and either a 40-bit or 104-bit WEP key, which is usually set on the product (the wireless device). Originally only 40-bit WEP keys were used; however, some vendors now also include the 104-bit WEP key (known as WEP2) in their products. These are sometimes referred to as 64-bit and 128-bit WEP keys, as that is their combined length. See [3].

2 WEP Packet sizes

2.1 Explain how WEP affects the size of packets on the wireless network?

The IEEE 802.11 [1] frame format is quite different from the IEEE 802.3 frame format. Instead of the 'preamble', 802.11 has a 'frame control' field and a 'duration ID'. Also, instead of the 'type/length' and 'options' fields, 802.11 has an 'RX node address', a 'TX node address' and a 'sequence control' field, and the 'data' field is increased to 2312 bytes, giving a total 802.11 frame size of 2346 bytes. So an 802.11 frame is 828 bytes larger than an 802.3 frame.

3 The Initialization Vector (IV)

3.1 Explain what the Initialization Vector is?

A sequence of random bytes (a binary vector) used, together with the secret key, to transform plaintext into ciphertext (the encrypted message) via a mathematical function known as the cryptographic algorithm.

3.2 How does it make WEP weak?

The first problem is that every packet sent includes the IV in plaintext, so any hacker can immediately see part of the key. Another problem is that the IV is relatively short, only 24 bits, so eventually the same IV will be used in different packets; on a busy network IVs recur every hour or so. If a hacker collects enough frames encrypted under the same IV, the hacker can determine the shared secret key and thereby decrypt any of the packets. This exposes the other weakness of WEP: the use of a static shared secret key. Since 802.11 does not support the exchange of keys among stations, system administrators and users use the same key for a long time, giving hackers plenty of time to attack WEP networks. Dynamic keys would improve the security of WEP networks, and some vendors are deploying dynamic key solutions based on 802.1X; however, this has only become part of the 802.11 standard very recently.
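Added example, not code from the paper: a small Python model of WEP framing that ties together three points from the text. It shows that the RC4 seed is IV || secret key (section 1.2), that WEP adds a fixed 8 bytes to every frame, the 4-byte IV/key-ID header plus the 4-byte ICV (section 2.1), and that two frames carrying the same IV were encrypted with the same keystream, so XORing their ciphertexts cancels the keystream and reveals the XOR of the two plaintexts (section 3.2). The key, IV and payloads are constructed sample values, and the ICV byte order is an implementation choice made here for illustration.

```python
import zlib
from typing import Optional

IV_LEN = 3        # 24-bit IV, transmitted in the clear ahead of the ciphertext
KEY_ID_LEN = 1    # pad bits plus a 2-bit key index, also in the clear
ICV_LEN = 4       # CRC-32 integrity check value, encrypted with the payload
WEP_OVERHEAD = IV_LEN + KEY_ID_LEN + ICV_LEN   # 8 bytes added to every frame


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 key scheduling plus keystream generation (WEP seeds it with IV || key)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    # CRC-32 over the plaintext; little-endian here (an illustration choice).
    return zlib.crc32(payload).to_bytes(ICV_LEN, "little")


def wep_protect(key: bytes, iv: bytes, key_id: int, payload: bytes) -> bytes:
    """Return the WEP frame body: IV || key-ID byte || RC4(IV||key)(payload || ICV)."""
    if len(iv) != IV_LEN or len(key) not in (5, 13):
        raise ValueError("WEP uses a 3-byte IV and a 40-bit or 104-bit key")
    clear = payload + icv(payload)
    keystream = rc4_keystream(iv + key, len(clear))     # seed is IV || secret key
    key_id_byte = bytes([(key_id & 0x3) << 6])          # key index in the top two bits
    return iv + key_id_byte + xor_bytes(clear, keystream)


def wep_unprotect(key: bytes, body: bytes) -> Optional[bytes]:
    """Decrypt a frame body; None if the ICV does not match (wrong key or tampering)."""
    iv = body[:IV_LEN]
    enc = body[IV_LEN + KEY_ID_LEN:]
    clear = xor_bytes(enc, rc4_keystream(iv + key, len(enc)))
    payload, tag = clear[:-ICV_LEN], clear[-ICV_LEN:]
    return payload if icv(payload) == tag else None


def keystream_reuse_leak(body1: bytes, body2: bytes) -> Optional[bytes]:
    """If two frames carry the same IV they share a keystream, so XORing the
    ciphertexts yields plaintext1 XOR plaintext2 without knowing the key."""
    if body1[:IV_LEN] != body2[:IV_LEN]:
        return None
    return xor_bytes(body1[IV_LEN + KEY_ID_LEN:], body2[IV_LEN + KEY_ID_LEN:])


def hours_until_iv_space_exhausted(frames_per_second: float) -> float:
    """One IV per frame: the 2^24 distinct values run out after this many hours."""
    return (2 ** 24) / frames_per_second / 3600


if __name__ == "__main__":
    KEY = bytes.fromhex("0102030405")          # constructed 40-bit sample key
    IV = bytes.fromhex("00002a")               # constructed IV
    p1, p2 = b"payload number one", b"payload number two"
    b1 = wep_protect(KEY, IV, 0, p1)
    b2 = wep_protect(KEY, IV, 0, p2)           # same IV reused: the weakness
    print("frame grows by", len(b1) - len(p1), "bytes")
    print("decrypts with the right key:", wep_unprotect(KEY, b1) == p1)
    leak = keystream_reuse_leak(b1, b2)
    print("leak equals p1 XOR p2:", leak[:len(p1)] == xor_bytes(p1, p2))
    print("hours to exhaust IVs at 1000 frames/s:",
          round(hours_until_iv_space_exhausted(1000), 2))
```

At 1000 frames per second the 24-bit IV space is used up in under five hours, which matches the paper's observation that IVs recur "every hour or so" on a busy network; rotating the secret key (section 5) is what limits how much traffic any one keystream reuse can expose.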

4 Breaking WEP keys

4.1 Name and describe the operation of at least one commonly available package for "breaking" WEP keys

AirSnort [5] is a tool for recovering WEP encryption keys. It uses the technique described in section 3.2: it passively monitors traffic and collects enough frames encrypted under the same IV, after which the program can calculate the key and decrypt all traffic on the wireless network. After collecting approximately 5-10 million packets, AirSnort can calculate the key in under a second.

5 Extensible Authentication Protocol

5.1 Explain how some vendors are using vendor-specific extensions to mechanisms like Extensible Authentication Protocol (EAP) to regain some degree of privacy in their wireless network solutions

Extensible Authentication Protocol (EAP) defines an authentication process between a client, known as the "supplicant" (an Ethernet or wireless NIC), and an "authenticator" (an Ethernet switch or a wireless access point), via an authentication server. The "authenticator" acts as a boundary between the protected and unprotected parts of the network, and the authentication server approves or denies access to the protected parts. 802.1X products use the EAP process but still use WEP for encryption, so they still have the problem of weak keys. However, 802.1X allows administrators to set up systems to change the keys every hour, every minute or whenever they like, which adds some degree of privacy to the wireless network. IEEE 802.11i, which is near completion, uses 802.1X as its basic building block but is intended to solve the two primary security problems with WEP: weak encryption and static keys. It will also leave the choice of EAP authentication type to the implementer.
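Added example, not from the paper or from any vendor's product: two access-point configuration fragments in the style of hostapd's hostapd.conf, contrasting the static shared key the paper criticises with 802.1X-driven dynamic WEP keys that the access point rotates on a timer. The option names are taken from hostapd's configuration file and should be checked against the installed version; the key, SSID, RADIUS address and shared secret are constructed placeholders.

```ini
# Fragment A (weak): one static 104-bit WEP key shared by every station.
# The key never changes, so the IV-reuse problem of section 3.2 applies
# to all traffic for as long as the key is in use.
interface=wlan0
ssid=example-net
wep_default_key=0
# constructed sample key, 13 bytes as 26 hex digits
wep_key0=0102030405060708090a0b0c0d

# Fragment B (better): 802.1X/EAP authentication against a RADIUS server,
# with per-station and broadcast WEP keys generated by the AP and rotated
# every 300 seconds, so any one key covers a bounded amount of traffic.
# (Use either fragment A or fragment B, not both, in a real file.)
interface=wlan0
ssid=example-net
ieee8021x=1
# EAP is handled by an external authentication server (placeholder address)
eap_server=0
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-PLACEHOLDER
# 13-byte (104-bit) dynamic keys for broadcast and unicast traffic
wep_key_len_broadcast=13
wep_key_len_unicast=13
# rekey interval in seconds
wep_rekey_period=300
```

Fragment B still encrypts with WEP, so it does not fix the weak cipher the paper describes; it only shortens the window in which collected frames under one key are useful, which is the "some degree of privacy" the question refers to.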

6 Reliability of a Wireless Network

6.1 Explain why an 802.11 wireless network can never be relied upon like a wired network, regardless of which encryption technology it uses

The first security boundary of a wired network is the building the network is contained in (unless all IPs on the network are reachable from the Internet). If a hacker wished to mount an attack they would first need to gain access to the building and plug themselves into the network. A wireless network is simply that, wireless, so a hacker could simply take their laptop near a wireless network and perform an attack. Most common wired networks have a physical connection, usually to a switch. With a good switch, each datagram is a point-to-point connection (except broadcast datagrams); this is the nature of a star topology network. However, a wireless network is like a bus topology network, and therefore every host can watch the datagrams passing its NIC. So a hacker would have access to all datagrams passing their NIC, and this would never be as secure as a wired network, where a host only sees datagrams addressed to its own NIC.

References

[1] Phil Belanger, Aironet Wireless Communications, IEEE. http://grouper.ieee.org/groups/802/11/Tutorial/MAC.pdf
[2] Zytrax. http://www.zytrax.com/tech/wireless/802_mac.htm
[3] Jim Geier, 802.11 Planet. http://www.80211-planet.com/tutorials/article.php/1368661
[4] Steven J. Vaughan-Nichols, 802.11 Planet. http://www.80211planet.com/tutorials/article.php/2106281
[5] AirSnort. http://airsnort.shmoo.com/
[6] ZDNET. http://techupdate.zdnet.co.uk/story/0,,t481-s2133239,00.html
