Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

14.3 WEP

As wireless technology started to replace direct connections in the 1990s, the WEP (Wired Equivalent Privacy) Algorithm was introduced and was the standard method used from 1997 to 2004 for users to access the Internet via wireless devices via routers. The intent was to make wireless communication as secure as that of a wired connection. However, as we’ll see, there were several design flaws, and starting in 2004 it was replaced by the more secure WPA (Wi-Fi Protected Access), WPA2, and WPA3.

The basic arrangement has a central access point, usually a router, and several laptop computers that want to access the Internet through the router. The idea is to make the communications between the laptops and the router secure. Each laptop has the same WEP key as the other users for this router.

A laptop initiates communication with the router. Here is the protocol.

The laptop sends an initial greeting to the router.
Upon receiving the greeting, the router generates a random 24-bit IV (= initial value) and sends it to the laptop.
The laptop produces a key for RC4 (a stream cipher described in Section 5.3) by concatenating the WEP key for this router with the IV received from the router:

$RC4Key = WEPKey || IV .$ $RC4Key = WEPKey || IV .$

and uses it to produce the bitstream RC4.
The laptop also computes the checksum $c h = C R C 32 (M e s s a g e)$ $c h = C R C 32 (M e s s a g e)$ . (See the description of CRC-32 at the end of this section.)
The laptop forms the ciphertext

$C = RC4 \oplus (Message, ch),$ $C = RC4 \oplus (Message, ch),$

which it sends to the router along with the IV (so the router does not need to remember what IV it sent).
The router uses the WEPKey and the IV to form

$R C 4 K e y = W E P K e y ∥ I V,$ $R C 4 K e y = W E P K e y ∥ I V,$

and then uses this to produce the bitstream $R C 4$ $R C 4$ .
The router computes $C \oplus RC4 = (message, ch)$ $C \oplus RC4 = (message, ch)$ .
If $c h = C R C 32 (M e s s a g e)$ $c h = C R C 32 (M e s s a g e)$ , the message is regarded as authentic and is sent to the Internet. If not, it is rejected.

Notice that, except for the authentication step, this is essentially a one-time pad, with RC4 supplying the pseudorandom bitstream.

Usually, the WEP key length was 40 bits. Why so short? This meant there were $2^{40} \approx 10^{12}$ $2^{40} \approx 10^{12}$ possible keys, so a brute force attack could find the key. But back when the algorithm was developed, U.S. export regulations prohibited the export of more secure cryptography, so the purpose of 40 bits was to allow international use of WEP. Later, many applications changed to 104 bits. However, it should be emphasized that WEP is considered insecure for any key size because of the full collection of design flaws in the protocol, which is why the Wi-Fi Alliance subsequently developed new security protocols to protect wireless communications.

The designers of WEP knew that reusing a one-time pad is insecure, which is why they included the 24-bit IV. Since the IV is concatenated with the 40-bit WEP key to form the 64-bit RC4Key (or $24 + 104 = 128$ $24 + 104 = 128$ bits in more recent versions), there should be around $2^{24} \approx 1.7 \times 10^{7}$ $2^{24} \approx 1.7 \times 10^{7}$ keys used to generate RC4 bitstreams. This might seem secure, but a highly used router might be expected to use almost every possible key in a short time span.

But the situation is even worse! The Birthday Paradox (see Section 12.1) enters again. There are $N = 2^{24}$ $N = 2^{24}$ possible IV values, and $\sqrt{N} = 2^{12} = 4096$ $\sqrt{N} = 2^{12} = 4096$ . Therefore, after, for example, 10000 communications, it is very likely that some IV will have been used twice. Since the IV is sent unencrypted from the router to the laptop, this is easy for Eve to notice. There are now two messages encrypted with the same pseudorandom one-time pad. This allows Eve to recover these two messages (see Section 4.3). But Eve also obtains the RC4 bitstream used for encryption. The IV and this bitstream are all that Eve needs in Step (e) of the protocol to do the encryption. The WEP key is not required once the bitstream corresponding to the IV is known. Therefore, Eve has gained access to the router and can send messages as desired.

There is even more damage that Eve can do. She intercepts a ciphertext $C = RC4 \oplus (Message, ch)$ $C = RC4 \oplus (Message, ch)$ , and we are not assuming this RC4 was obtained from a repeated IV value. So the $C$ $C$ is rather securely protecting the message. But suppose Eve guesses correctly that the message says

S e n d t o I P a d d r e s s 69.72.169.241 . H e r e i s m y c r e d i t c a r d n u m b e r, e t c .

$S e n d t o I P a d d r e s s 69.72.169.241 . H e r e i s m y c r e d i t c a r d n u m b e r, e t c .$

Eve’s IP address is 172.16.254.1. Let $M_{1}$ $M_{1}$ be the message consisting of all 0s except for the XOR of the two IP addresses in the appropriate locations. Then

\begin{aligned} M_{2} = M \oplus M_{1} \\ = S e n d t o I P a d d r e s s 172.16.254.1 . H e r e i s m y c r e d i t c a r d n u m b e r, e t c . \end{aligned}

$\begin{aligned} M_{2} = M \oplus M_{1} \\ = S e n d t o I P a d d r e s s 172.16.254.1 . H e r e i s m y c r e d i t c a r d n u m b e r, e t c . \end{aligned}$

Moreover, because of the nature of CRC-32,

c h (M_{2}) = c h (M) \oplus c h (M_{1}) .

$c h (M_{2}) = c h (M) \oplus c h (M_{1}) .$

Eve doesn’t know $M$ $M$ , and therefore, doesn’t know $M_{2}$ $M_{2}$ . But she does know $c h (M_{1})$ $c h (M_{1})$ . Therefore, she takes the original $C = R C 4 \oplus (M, c h (M))$ $C = R C 4 \oplus (M, c h (M))$ and forms

C \oplus (M_{1}, c h (M_{1})) = R C 4 \oplus (M, c h (M)) \oplus (M_{1}, c h (M_{1})) .

$C \oplus (M_{1}, c h (M_{1})) = R C 4 \oplus (M, c h (M)) \oplus (M_{1}, c h (M_{1})) .$

Since $M \oplus M_{1} = M_{2}$ $M \oplus M_{1} = M_{2}$ and

c h (M) \oplus c h (M_{1}) = c h (M \oplus M_{1}) = c h (M_{2}),

$c h (M) \oplus c h (M_{1}) = c h (M \oplus M_{1}) = c h (M_{2}),$

she has formed

R C 4 \oplus (M_{2}, c h (M_{2})) .

$R C 4 \oplus (M_{2}, c h (M_{2})) .$

This will be accepted by the router as an authentic message. The router forwards it to the Internet and it is delivered to Eve’s IP address. Eve reads the message and obtains the credit card number.

This last flaw easily could have been avoided if a cryptographic hash function had been used in place of CRC-32. Such functions are highly non-linear (so it is unlikely that $c h (M \oplus M_{1}) = c h (M) \oplus c h (M_{1}))$ $c h (M \oplus M_{1}) = c h (M) \oplus c h (M_{1}))$ , and it would be very hard to figure out how to modify the checksum so that the message is deemed authentic.

The original version of WEP used what is known as Shared Key Authentication to control access. In this version, after the laptop initiates the communication with a greeting, the router sends a random challenge bitstring to the laptop. The laptop encrypts this using the WEP key as the key for RC4 and then XORing the challenge with the RC4 bitstring:

RC4(WEPKey) \oplus C h a l l e n g e .

$RC4(WEPKey) \oplus C h a l l e n g e .$

This is sent to the router, which can do the same computation and compare results. If they agree, access is granted. If not, the laptop is rejected.

But Eve sees the Challenge and also RC4(WEPKey) $\oplus$ $\oplus$ Challenge. A quick XOR of these two strings yields RC4(WEPKey). Now Eve can respond to any challenge, even if she does not know the WEP key, and thereby gain access to the router.

This access method was soon dropped and replaced with the open access system described above, where anyone can try to send a message to the system, but only the ones that decrypt and yield a valid checksum are accepted.

14.3.1 CRC-32

CRC-32 ( $=$ $=$ 32-bit Cyclic Redundancy Check) was developed as a way to detect bit errors in data. The message $M$ $M$ is written in binary and these bits are regarded as the coefficients of a polynomial mod 2. For example, the message 10010101 becomes the polynomial $x^{7} + x^{4} + x^{2} + 1$ $x^{7} + x^{4} + x^{2} + 1$ . Divide this polynomial by the polynomial

\begin{matrix} p (x) = x^{32} + x^{26} + x^{23} + x^{22} + x^{16} + x^{12} + x^{11} + x^{10} + \\ x^{8} + x^{7} + x^{5} + x^{4} + x^{2} + x + 1. \end{matrix}

$\begin{matrix} p (x) = x^{32} + x^{26} + x^{23} + x^{22} + x^{16} + x^{12} + x^{11} + x^{10} + \\ x^{8} + x^{7} + x^{5} + x^{4} + x^{2} + x + 1. \end{matrix}$

Let $r (x)$ $r (x)$ be the remainder, which is a polynomial of degree at most 31. Reduce the coefficients of $r (x)$ $r (x)$ mod 2 to obtain a binary string of length 32 (if the degree is less than 31, the binary string will start with some 0s corresponding to the 0-coefficients for the high degree terms). For an example of such polynomial division, see Section 3.11. This binary string is the checksum $c h (M)$ $c h (M)$ .

Adding two polynomials mod 2 corresponds to computing the XOR of the corresponding bitstrings formed from their coefficients. For example, the polynomial $x^{7} + x^{4} + x^{2} + 1$ $x^{7} + x^{4} + x^{2} + 1$ corresponds to 10010101 and $x^{4} + x + 1$ $x^{4} + x + 1$ corresponds to 00010011, with a few 0s added to match the first string. The sum of the two polynomials mod 2 is $x^{7} + x^{2} + x$ $x^{7} + x^{2} + x$ , which corresponds to 10000110 = 10010101⊕00010011. Since dividing the sum of two polynomials by $p (x)$ $p (x)$ yields a remainder that is the sum of the remainders that would be obtained by dividing each polynomial individually, it can be deduced that

c h (M_{1} \oplus M_{2}) = c h (M_{1}) \oplus c h (M_{2})

$c h (M_{1} \oplus M_{2}) = c h (M_{1}) \oplus c h (M_{2})$

for any messages $M_{1}, M_{2}$ $M_{1}, M_{2}$ .

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for 14.3 WEP

Create new playlist

Sign In

Sign Up

Table of Contents for
14.3 WEP