14.3 WEP

As wireless technology started to replace direct connections in the 1990s, the WEP (Wired Equivalent Privacy) Algorithm was introduced and was the standard method used from 1997 to 2004 for users to access the Internet via wireless devices via routers. The intent was to make wireless communication as secure as that of a wired connection. However, as we’ll see, there were several design flaws, and starting in 2004 it was replaced by the more secure WPA (Wi-Fi Protected Access), WPA2, and WPA3.

The basic arrangement has a central access point, usually a router, and several laptop computers that want to access the Internet through the router. The idea is to make the communications between the laptops and the router secure. Each laptop has the same WEP key as the other users for this router.

A laptop initiates communication with the router. Here is the protocol.

  1. The laptop sends an initial greeting to the router.

  2. Upon receiving the greeting, the router generates a random 24-bit IV (= initial value) and sends it to the laptop.

  3. The laptop produces a key for RC4 (a stream cipher described in Section 5.3) by concatenating the WEP key for this router with the IV received from the router:

    RC4Key = WEPKey||IV.

    and uses it to produce the bitstream RC4.

  4. The laptop also computes the checksum ch=CRC32(Message). (See the description of CRC-32 at the end of this section.)

  5. The laptop forms the ciphertext

    C= RC4  (Message, ch), 

    which it sends to the router along with the IV (so the router does not need to remember what IV it sent).

  6. The router uses the WEPKey and the IV to form

    RC4Key=WEPKeyIV, 

    and then uses this to produce the bitstream RC4.

  7. The router computes C RC4 =(message, ch).

  8. If ch=CRC32(Message), the message is regarded as authentic and is sent to the Internet. If not, it is rejected.

Notice that, except for the authentication step, this is essentially a one-time pad, with RC4 supplying the pseudorandom bitstream.

Usually, the WEP key length was 40 bits. Why so short? This meant there were 2401012 possible keys, so a brute force attack could find the key. But back when the algorithm was developed, U.S. export regulations prohibited the export of more secure cryptography, so the purpose of 40 bits was to allow international use of WEP. Later, many applications changed to 104 bits. However, it should be emphasized that WEP is considered insecure for any key size because of the full collection of design flaws in the protocol, which is why the Wi-Fi Alliance subsequently developed new security protocols to protect wireless communications.

The designers of WEP knew that reusing a one-time pad is insecure, which is why they included the 24-bit IV. Since the IV is concatenated with the 40-bit WEP key to form the 64-bit RC4Key (or 24+104=128 bits in more recent versions), there should be around 2241.7×107 keys used to generate RC4 bitstreams. This might seem secure, but a highly used router might be expected to use almost every possible key in a short time span.

But the situation is even worse! The Birthday Paradox (see Section 12.1) enters again. There are N=224 possible IV values, and N=212=4096. Therefore, after, for example, 10000 communications, it is very likely that some IV will have been used twice. Since the IV is sent unencrypted from the router to the laptop, this is easy for Eve to notice. There are now two messages encrypted with the same pseudorandom one-time pad. This allows Eve to recover these two messages (see Section 4.3). But Eve also obtains the RC4 bitstream used for encryption. The IV and this bitstream are all that Eve needs in Step (e) of the protocol to do the encryption. The WEP key is not required once the bitstream corresponding to the IV is known. Therefore, Eve has gained access to the router and can send messages as desired.

There is even more damage that Eve can do. She intercepts a ciphertext C= RC4  (Message, ch), and we are not assuming this RC4 was obtained from a repeated IV value. So the C is rather securely protecting the message. But suppose Eve guesses correctly that the message says

SendtoIPaddress69.72.169.241.Hereismycreditcardnumber, etc.

Eve’s IP address is 172.16.254.1. Let M1 be the message consisting of all 0s except for the XOR of the two IP addresses in the appropriate locations. Then

M2=MM1=SendtoIPaddress172.16.254.1.Hereismycreditcardnumber, etc.

Moreover, because of the nature of CRC-32,

ch(M2)=ch(M)ch(M1).

Eve doesn’t know M, and therefore, doesn’t know M2. But she does know ch(M1). Therefore, she takes the original C=RC4(M, ch(M)) and forms

C(M1, ch(M1))=RC4(M, ch(M))(M1, ch(M1)).

Since MM1=M2 and

ch(M)ch(M1)=ch(MM1)=ch(M2), 

she has formed

RC4(M2, ch(M2)).

This will be accepted by the router as an authentic message. The router forwards it to the Internet and it is delivered to Eve’s IP address. Eve reads the message and obtains the credit card number.

This last flaw easily could have been avoided if a cryptographic hash function had been used in place of CRC-32. Such functions are highly non-linear (so it is unlikely that ch(MM1)=ch(M)ch(M1)), and it would be very hard to figure out how to modify the checksum so that the message is deemed authentic.

The original version of WEP used what is known as Shared Key Authentication to control access. In this version, after the laptop initiates the communication with a greeting, the router sends a random challenge bitstring to the laptop. The laptop encrypts this using the WEP key as the key for RC4 and then XORing the challenge with the RC4 bitstring:

RC4(WEPKey)Challenge.

This is sent to the router, which can do the same computation and compare results. If they agree, access is granted. If not, the laptop is rejected.

But Eve sees the Challenge and also RC4(WEPKey) Challenge. A quick XOR of these two strings yields RC4(WEPKey). Now Eve can respond to any challenge, even if she does not know the WEP key, and thereby gain access to the router.

This access method was soon dropped and replaced with the open access system described above, where anyone can try to send a message to the system, but only the ones that decrypt and yield a valid checksum are accepted.

14.3.1 CRC-32

CRC-32 (= 32-bit Cyclic Redundancy Check) was developed as a way to detect bit errors in data. The message M is written in binary and these bits are regarded as the coefficients of a polynomial mod 2. For example, the message 10010101 becomes the polynomial x7+x4+x2+1. Divide this polynomial by the polynomial

p(x)=x32+x26+x23+x22+x16+x12+x11+x10+x8+x7+x5+x4+x2+x+1.

Let r(x) be the remainder, which is a polynomial of degree at most 31. Reduce the coefficients of r(x) mod 2 to obtain a binary string of length 32 (if the degree is less than 31, the binary string will start with some 0s corresponding to the 0-coefficients for the high degree terms). For an example of such polynomial division, see Section 3.11. This binary string is the checksum ch(M).

Adding two polynomials mod 2 corresponds to computing the XOR of the corresponding bitstrings formed from their coefficients. For example, the polynomial x7+x4+x2+1 corresponds to 10010101 and x4+x+1 corresponds to 00010011, with a few 0s added to match the first string. The sum of the two polynomials mod 2 is x7+x2+x, which corresponds to 10000110 = 10010101⊕00010011. Since dividing the sum of two polynomials by p(x) yields a remainder that is the sum of the remainders that would be obtained by dividing each polynomial individually, it can be deduced that

ch(M1M2)=ch(M1)ch(M2)

for any messages M1, M2.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.14.145.128