Wired Equivalent Privacy

Wired Equivalent Privacy ( WEP , English. " Wired (systems) appropriate privacy ") is the former standard encryption protocol for wireless . It should regulate access to the network as well as ensure the confidentiality and integrity of the data . The procedure is considered unsafe due to various weak points. Calculating the key from a few minutes of recorded data normally only takes a few seconds. For this reason, WLAN installations should not provide network access with WEP at all and instead use at least the more secure WPA and (if always available) even better the WPA2 encryption.

functionality

Generally, it is a simple XOR of the bit stream of user data with one of the RC4 - algorithm -generated pseudo-random bit stream.

A ciphertext is transmitted

The WEP protocol uses RC4 - algorithm as the pseudo random number generator (PRNG) in generating a keystream having a key and an initialization vector as an input. For each message M to be protected, a new 24-bit long initialization vector IV is formed and linked to a key K, which is known to all stations in the Basic Service Set . The result is used as input for the RC4 algorithm, which generates a keystream from it. In addition, a supposedly secure "Integrity Check Value" (ICV) is calculated by means of a cyclic redundancy check (ZRP, CRC) and appended to the message M (||). The resulting message (M || ICV) is XORed with the keystream (RC4 (IV || K)) of the RC4 algorithm and the initialization vector IV is placed in front of the resulting ciphertext. The figures below illustrate encryption and decryption.

WEP decryption

There are two methods of authentication:

Open System Authentication

The Open System Authentication is the standard authentication.

If the access point is not configured for encryption, there is practically no authentication and every client can connect to the WLAN.
If the access point is configured for encryption (in this case WEP):
- logical: The WEP key is also used for authentication: every client with the correct WEP key has access to the network.
- technical: There is an exchange of authentication messages and the client is authenticated. Communication is possible if the WEP key on the access point and client match. If these do not match, the client is authenticated but cannot exchange data with the network.

The implementation of the authentication using a key is a manufacturer feature and is not described in the standard.

Shared key authentication

The Shared Key Authentication is the supposedly safe variant. The authentication takes place via challenge-response authentication with a secret key.

Authentication method

However, the challenge-response method is also based on WEP and has the same weakness. Using Shared-Key Authentication exposes the secret key, as shown in the next section. It is therefore highly advisable to forego shared key authentication and to use open authentication . However, encryption should never be done without. Even with Open Authentication , a connected network participant can only establish communication with the access point if they know the WEP key .

The four messages of the WEP authentication ensure the access authorization of the client.

Attack on authentication

As already mentioned, shared key authentication does not contribute to protection; on the contrary, it unintentionally reveals information. Since we are dealing here with a challenge-response authentication , the whole thing happens as follows:

The server sends the client Challenge1 , for example a random number.
The client encrypts this number as stated above and sends the WEP packet ( IV1 + Ciphertext1 ) back to the server
Trudy, the attacker (from English intruder ), can thus eavesdrop on the three pieces of information ( Challenge1 , IV1 and Ciphertext1 ). It now calculates using XOR Challenge1 Ciphertext1 = Challenge1 (Challenge1 Keystream1) = Keystream1 ${\ displaystyle \ oplus}$ ${\ displaystyle \ oplus}$ ${\ displaystyle \ oplus}$

Trudy now has Keystream1 and IV1 , which turns out to be a valid combination. She can now try to be authenticated herself. She now simply answers a Challenge2 from the server with the WEP packet, consisting of IV1 + Ciphertext2 , the latter resulting from Challenge2 Keystream1 . This sends them to the server and is successfully authenticated. ${\ displaystyle \ oplus}$

The WEP data packet

WEP data package

A WEP data package consists of:

the actual user data,
a 32-bit checksum of this user data (Integrity Check Value, ICV, using cyclic redundancy check ) and
an unencrypted 24-bit initialization vector (IV), which turns the WEP key into an overall key with 64 bits, 128 bits or 256 bits.

Complete WEP package

The actual WEP data packet consists of the data and the 32-bit long test bit sequence. This is encrypted with the IV-WEP key combination, and the initialization vector is placed in front of the whole.

From the IV, the recipient can then use the RC4 key to calculate the plain text of the message.

Weak points

There are many well-functioning attacks on WEP-secured networks. However, if a WEP-secured WLAN has no participants, that is, if no one has ever logged into this network, then the probability of calculating the key quickly or calculating it at all is very low. Most attacks exploit the weak point of the very short initialization vector IV with 24 bits in RC4 encryption. This attack method is also known in general terms as a related key attack .

Many active attacks require modified drivers on the part of the attacker, since these must be able to handle reinjection . Initially, many drivers do not even support passive listening on one or even several channels, which can be achieved using monitor mode . However, passive listening is only a basic requirement. Assuming an AP has many clients that produce a lot of data, one could simply record everything and try to calculate the WEP key with the data obtained. If the amount of data is not yet sufficient, this data stream can often be used to extract ARP requests that are needed for reinjection . Flooding on the part of the attacker using ARP requests leads - if carried out correctly - to many ARP replies , which can then be used to break the WEP key. Reinjection is the driver side quite complex because the frames are brought into the WLAN must be sent at the correct timing. It should also be noted that an access point requires renewed authentication by the client after a certain period of time. If the client does not log on to the network again, all data sent at the access point are discarded and in Kismet , for example, suspicious client can be read.

CRC32 as Message Authentication Code (MAC)

The CRC32 function is strictly linear because CRC32 (A XOR B) = CRC32 (A) XOR CRC32 (B) . This function is therefore unsuitable as a message authentication code , because it is possible to calculate the bits that have to change in the checksum if you want to change the ciphertext without the secret key actually required for it . Due to this weakness, you can modify the payload of the packet as you like, since after the modification you only have to calculate the MAC, i.e. the new CRC32 value.

The modification step above looks something like this:

Verschlüsselte Nachricht m                        c=CRC32(m)
00100101001110010100101010101010100101...         10101010 10111101 10101101 10100000

Modifikationsvektor m'                            c'=CRC32(m')
00000000000000000000000000000000001000...         00000001 10101010 10100000 10100100

In the last step, the new message m_new and the associated MAC c_new are calculated:

m_neu = m XOR m'
c_neu = CRC32(m) XOR CRC32(m')

In order to create a forged message and then to send it, the data fields m and CRC32 (m) in the original data packet ( frame ) must now be replaced by the newly calculated values m_new and c_new. After the replacement, the modified package can then be sent again.

In this way you can change all packages. However, if you want to know whether the modification was successful, you should choose a package that will then lead to an answer at the remote station.

If the source package z. B. was a ping request, you could e.g. B. test which modifications in the package you get an answer to. Interesting stateless packets would be: ARP request and ping.

Breaking the key

It is possible to break a used WEP key and thus the entire WEP encryption. There are accessories for various systems that can calculate the WEP key used by listening to a sufficient amount of data traffic, for example Aircrack or Airsnort . This attack is based on having as many packets as possible with the same, weak initialization vector. It is already possible today to crack WEP encryption in less than a minute.

In recent years, the attack options have been continuously improved and expanded. For example, if only one of the transmitted messages is known in plain text , any content (correctly encrypted) can be fed into the WLAN . There is also a technique for decrypting individual overheard data packets by re-entering them into the WLAN several times, slightly modified. This so-called KoreK attack does not use data packets with the same initialization vector as before , but with different ones , which makes the attack much more effective.

In addition to passive attacks, active attacks are also used. In this way, responses from the access point can be forced in order to collect sufficient data for a successful passive attack within a very short time (~ 1 min). For this purpose, ARP packets are specifically intercepted using specific signatures and - without knowing their decrypted content - fed back into the WLAN in encrypted form.

Safety measures

First and foremost, you should renounce WEP in favor of WPA2 (or at least WPA , if WPA2 is not available). In many cases, this goal can be achieved with a driver or firmware update. If the use of WEP cannot be avoided, at least the basic security measures should be taken, which can be found in the section Basic Security Measures of the main article Wireless Local Area Network .

However, none of these security measures should obscure the fact that they ultimately do not provide any real protection when using WEP. In spite of all these precautions, an attack on the WEP encryption with the right technical requirements will be successful within about a minute with great certainty.

Effective - but associated with additional work and possibly additional costs - is the use of VPN technology such as B. IPsec , PPTP or OpenVPN to bridge the unsecured or weakly secured WLAN connection with WEP (WEP64 or WEP128). A relatively small additional effort arises for the configuration of a target computer with which one would like to communicate securely so that it accepts a VPN connection. Greater effort and possible additional costs arise when setting up a VPN gateway and integrating and managing the network participants that are supposed to communicate securely.

commitment

Because of the weak points, network technicians recommend protecting the traffic via the access point with additional encryption. In practice, this is often solved by a VPN . The successor to the insecure WEP is WPA or its improvement WPA2 as the IEEE 802.11i standard.

When using a VPN, either only the user data or the entire data packet is encrypted. Since WEP then no longer brings any additional security gain , it can be switched off according to the KISS principle in order to minimize possible sources of error. Another opinion is that WEP should be used to secure OSI layer 2 at least minimally.

Web links

Individual evidence

↑ Seminar Net Security - Security in WLAN by Jörg Hedrich ( page no longer available , search in web archives ) Info: The link was automatically marked as defective. Please check the link according to the instructions and then remove this notice. ( PDF ; 831 kB)@1@ 2

↑ Scott Fluhrer, Itsik Mantin, Adi Shamir : Weaknesses in the Key Scheduling Algorithm of RC4 ( Memento from March 17, 2003 in the Internet Archive ) ( PDF ; 297 kB)

^ Flaws in WEP ( Memento from March 18, 2007 in the Internet Archive )

↑ heise Online WEP encryption of WLANs cracked in less than a minute

↑ Rafik Chaabouni: Break WEP Faster with Statistical Analysis . June 2006, Chapter 4 ( epfl.ch [PDF] semester paper at EPFL ).

↑ WLAN security - Schnatterente.net, August 24, 2015

[1] Seminar Net Security - Security in WLAN by Jörg Hedrich ( page no longer available , search in web archives ) Info: The link was automatically marked as defective. Please check the link according to the instructions and then remove this notice. ( PDF ; 831 kB)@1@ 2

[2] Scott Fluhrer, Itsik Mantin, Adi Shamir : Weaknesses in the Key Scheduling Algorithm of RC4 ( Memento from March 17, 2003 in the Internet Archive ) ( PDF ; 297 kB)

[3] Flaws in WEP ( Memento from March 18, 2007 in the Internet Archive )

[4] se Online WEP encryption of WLANs cracked in less than a minute

[5] Rafik Chaabouni: Break WEP Faster with Statistical Analysis . June 2006, Chapter 4 ( epfl.ch [PDF] semester paper at EPFL ).

[6] WLAN security - Schnatterente.net, August 24, 2015