List of WEP (Wired Equivalent Privacy) Problems


The 802.11b standard introduced the concept of Wired Equivalent Privacy (WEP), which tried to ensure confidentiality, integrity and authenticity in wireless communication. At the beginning, implementing WEP required hardware resources and modifications to existing wireless cards. With low-cost security in mind, vendors decided to introduce so-called MAC-address filtering instead of 802.11b WEP.

It prevented connections from unknown users to the wireless system. This authentication technique could be practical for a home network, but maintaining a good address list quickly became a nightmare for IT departments. Moreover, an attacker could use spoofing techniques, since the authentication referred to MAC addresses, not to the user himself.
Address filtering was never part of the standard, and vendors finally implemented the 802.11b WEP specification in hardware. It used the RC4 stream cipher and the Cyclic Redundancy Check (CRC) integrity algorithm as described in figure

A basic challenge-response protocol is used for authentication. WEP can use up to four default keys, and it can create pairwise keys related to the MAC address. It specified a 40-bit secret key, combined with a 24-bit Initialization Vector (IV). The 802.11 Working Group focused on the early stage of the wireless protocol and did not implement real security measures.

Here is a list of WEP problems:

  • No specification for the construction of the Initialization Vector. An IV collision can occur and compromise the key.
  • Key distribution remains a problem when a key is compromised or when a user must be deleted from the authorization list.
  • Message injection attack, which allows authentication spoofing.
  • Brute-force attack: the 40-bit secret key is too small for encryption.
  • All network users use the same authentication keys.
  • No replay protection.
  • Pairwise keys are not user dependent but tied to the MAC address.
  • The CRC integrity check algorithm detects single-bit alterations but is not cryptographically secure: as it does not use a hash function, an attacker can easily forge messages.

The final break was made in “Weaknesses in the Key Scheduling Algorithm of RC4” and was specifically adapted to WEP in another paper. The 802.11 Working Group adopted the 802.1X standard to address the shortcomings of the WEP authentication scheme. It is based on the IETF Extensible Authentication Protocol (EAP). EAP was designed with flexibility in mind and has been used in many network authentication schemes.

Interim Solution: Wi-Fi Protected Access (WPA)

WPA is a subset of the IEEE 802.11i security specification currently under development. It took some ready parts of the 802.11i draft to enhance the security structure of wireless networks, and it only required a software upgrade of existing wireless devices.

WPA supported a mixed environment of client devices using either WPA or WEP. It used 802.1X EAP-TLS to authenticate users and addressed WEP vulnerabilities by using a new Temporal Key Integrity Protocol (TKIP) and a 128-bit RC4 key. TKIP is a suite of four algorithms with minimal computing cost:

  1. The cryptographic Message Integrity Code (MIC), called Michael, to defeat forgeries. It replaces CRC by providing a true cryptographic hash function.
  2. A new Initialization Vector sequencing discipline, to prevent replay attacks.
  3. A key mixing function, to have a per-packet key.
  4. A re-keying mechanism, to provide fresh keys to the key mixing function.

The Michael algorithm used a tagging function and a 64-bit secret key shared only between sender and receiver. It ensured message integrity but did not prevent replay attacks. To compensate for the MIC's lack of replay protection, the sender appended a sequence number to the packet.

The Initialization Vector (IV) took the role of this TKIP Sequence Number (TSC). It is based on an extended 48-bit WEP IV field. WPA associated the TSC with the encryption key, as it is initialized to zero whenever a new TKIP key is set.

The sender incremented the TSC after each packet sent. TKIP prevented replay attacks by discarding packets that arrived out of order. The key mixing function enabled TKIP to use a different key for each packet.
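The TSC discipline described above, as an added sketch that is not part of the original page or of any real driver: the sender counts up from zero per key and never wraps, and the receiver discards anything not above the last accepted value. The class names, the `mic_ok` flag and the trace are constructed for illustration, and leaving the counter unchanged for frames that fail the MIC is a choice made in this sketch.

```python
TSC_MAX = (1 << 48) - 1        # TSC lives in the extended 48-bit IV field

class TkipSender:
    """Per-key packet counter on the transmitting side."""
    def __init__(self):
        self.tsc = 0               # zero whenever a new TKIP key is set

    def rekey(self):
        self.tsc = 0

    def next_tsc(self) -> int:
        if self.tsc > TSC_MAX:     # never wrap: reuse would repeat a per-packet key
            raise OverflowError("TSC exhausted, a new temporal key is required")
        tsc, self.tsc = self.tsc, self.tsc + 1
        return tsc

class TkipReceiver:
    """Discards any frame whose TSC is not above the last accepted one."""
    def __init__(self):
        self.last = -1             # nothing accepted yet under this key

    def rekey(self):
        self.last = -1

    def accept(self, tsc: int, mic_ok: bool = True) -> str:
        if not 0 <= tsc <= TSC_MAX:
            return "drop: malformed TSC"
        if tsc <= self.last:
            return "drop: replayed or out of order"
        if not mic_ok:             # sketch's choice: a frame that fails the MIC
            return "drop: bad MIC" # must not move the counter forward
        self.last = tsc
        return "accept"

def run_trace(events):
    """events: list of ('data', tsc, mic_ok) or ('rekey',) tuples."""
    rx, verdicts = TkipReceiver(), []
    for ev in events:
        if ev[0] == "rekey":
            rx.rekey()
            verdicts.append("rekey")
        else:
            verdicts.append(rx.accept(ev[1], ev[2]))
    return verdicts

# Constructed trace: a replay of TSC 1, a frame with a bad MIC, then a rekey.
TRACE = [("data", 0, True), ("data", 1, True), ("data", 1, True),
         ("data", 5, False), ("data", 2, True), ("rekey",), ("data", 0, True)]
```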

WPA associated the temporal key (user dependent) and the MAC address (computer dependent) to prevent packet forgery.

In most cases, WPA used the 802.1X infrastructure to authenticate and to obtain two fresh master keys for global and per-user communication. By derivation, the client and the authenticator agreed on a temporal key, which was regularly refreshed.

In home environments and small networks, TKIP used a shared secret passphrase to generate per-station encryption keys, or mutually entered keys, without the need for an authentication server. This WPA mode suffered from dictionary attacks if the user did not use a strong passphrase (more than 20 characters). WPA is an intermediate solution. It defeats all known attacks on the WEP architecture but preserves the RC4 algorithm to ensure compatibility and a simple update of existing hardware. Even though the WPA structure consolidates WEP, the 802.11 Working Group decided to change it, as it could be the only Achilles’ heel for the future.

Today, the future seems to lie in the 802.11i standard. This new vision of wireless transactions extends 802.11b into the security area. The only remaining problem seems to be roaming efficiency. For real-time protocols, like Voice over IP, the pre-authentication system does not provide sufficiently fast authenticator switching. A key-passing architecture will perhaps be the next major evolution of RSN.