WEP Security Architecture Analysis

Source: Internet
Author: User

Author: OrphousV Tianyang Forum

1. Background
WEP stands for Wired Equivalent Protocol. As the name suggests, WEP aims to make the wireless environment consistent with the wired environment and to ensure the security of the wireless environment. As a link layer protocol, WEP is not required by the 802.11 standard; it is an optional security solution. However, because of the complexity of the wireless environment, WEP has not achieved its original goal. On the contrary, its defects have gradually been exposed as wireless technology has developed.
Communication security is divided into three main aspects: confidentiality, integrity, and authenticity. Confidentiality prevents data from being intercepted by unauthorized third parties; for example, encryption is used to prevent eavesdropping. This is especially important for wireless environments, which use broadcast. Integrity prevents data from being modified, which can be achieved through some effective means. Authenticity ensures the legitimacy of the data source. Authenticity is the basis of any security policy: authorization and access control are both built on it. To achieve these three goals, the IEEE (Institute of Electrical and Electronics Engineers) did a lot of work in the initial design of WEP. However, because of its unreliable algorithm, WEP leaves a great risk in the security architecture.
2. WEP Security Architecture, defects and attack methods
2.1 basic encryption process
In the initial 802.11 standard, the key seed is 64 bits long, of which 40 bits are the password shared between two workstations when they exchange data. Since WEP uses the RC4 algorithm for encryption, WEP has no special requirements on the key length. To improve data security, some manufacturers support 128-bit WEP seeds (called WEP-104 or 104-bit keys in some places), in which 104 of the 128 bits are not public. However, because of the defects of the symmetric algorithm RC4, it is still questionable whether increasing the key length in this way improves security. In addition, since the highest bit of each ASCII character used in the password is 0, the value range of a key is limited, which makes decryption difficult to a certain extent. The appearance of the rainbow table greatly reduced the difficulty of password cracking.
To achieve integrity, WEP uses the CRC (Cyclic Redundancy Check) mechanism. However, CRC is not cryptographically secure, because it is computed through direct mathematical operations rather than a hash function. This allows attackers to modify data without changing the CRC value of the data, which poses a great security risk to WEP.
Figure 1 shows the general process of WEP encryption.




Figure 1 General WEP encryption process
First, a 24-bit IV (Initialization Vector) is combined with a 40-bit or 104-bit key, so that each data packet has a different RC4 key. The resulting initial key is fed into the RC4 PRNG (Pseudo-Random Number Generator), which expands it into a keystream: a pseudo-random sequence of the required length. This process can be expressed by the formula Keystream = RC4 (IV • Secret Key) (see Figure 2). To restore the data, both parties must hold the same key and use the same algorithm to expand it into the same pseudo-random sequence. Next, the keystream is XORed with the combination of the data and the CRC check value of the data. Finally, the encrypted data is produced and the 24-bit IV is attached to it for transmission.
Figure 2 WEP encryption Flowchart
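
Why the CRC check described above gives no protection once it sits under a stream cipher, shown as an added example (not code from the original article). The keystream, MAC key and messages are constructed sample values, and HMAC-SHA-256 is chosen here only as a contrasting keyed check; the article does not propose it.

```python
import hashlib
import hmac
import struct
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP-style integrity check value: CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data))


def icv_delta(delta: bytes) -> bytes:
    """ICV change caused by XORing delta into any message of that length.

    CRC-32 is affine over XOR: crc(m ^ d) = crc(m) ^ crc(d) ^ crc(00..00).
    """
    return xor(icv(delta), icv(bytes(len(delta))))


# Constructed sample values. KEYSTREAM stands in for RC4 output and is used
# only to build and open the frame, never by the modification step.
KEYSTREAM = hashlib.sha256(b"constructed keystream").digest()
MAC_KEY = b"constructed mac key"
MSG = b"SET LEVEL=1"
DELTA = xor(MSG, b"SET LEVEL=9")   # non-zero in the last byte only


def crc_check_passes_after_change() -> bool:
    """Change the ciphertext without the key; does the CRC check still pass?"""
    cipher = xor(MSG + icv(MSG), KEYSTREAM)
    changed = xor(cipher, DELTA + icv_delta(DELTA))
    plain = xor(changed, KEYSTREAM)
    return plain[:-4] == b"SET LEVEL=9" and icv(plain[:-4]) == plain[-4:]


def hmac_check_passes_after_change() -> bool:
    """Same change against a keyed MAC; does the tag still verify?"""
    tag = hmac.new(MAC_KEY, MSG, hashlib.sha256).digest()
    recomputed = hmac.new(MAC_KEY, xor(MSG, DELTA), hashlib.sha256).digest()
    return hmac.compare_digest(tag, recomputed)
```

The CRC variant accepts the altered frame, while the keyed MAC rejects it because the tag cannot be adjusted without the MAC key.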

2.2 IV Collision Attacks
2.2.1 decryption
Because the 24-bit IV in the shared key is sent in plaintext, a 64-bit WEP key is equivalent to only 40 bits (see Figure 3). From the length of the IV we can calculate the number of all possible IV values: 2^24 = 16777216. Obviously, the value range of the IV is small, which means that the IV space will be used up within a few hours. As a result, different data packets may reuse an IV, which means they use the same keystream. If we know the first plaintext, and we have the ciphertexts of both the first and the second plaintext encrypted with the same keystream, we can calculate the second plaintext (see Figure 4).

Figure 3 shared key structure




Figure 4 IV reuse defect Utilization


Because the encrypted data is obtained by XORing the keystream with the original data, and the XOR operation is reversible, we can calculate the keystream as long as we have both the original data and the encrypted data. If we have enough data packets encrypted with the same keystream, then once the same IV has been repeated often enough we may be able to crack the key. Even if we fail to crack the key, we can deduce a lot of useful information from the encrypted data.

The algebra behind this is as follows:

C1 = P1 XOR RC4(IV, Key)

C2 = P2 XOR RC4(IV, Key)

C1 XOR C2 = (P1 XOR RC4(IV, Key)) XOR (P2 XOR RC4(IV, Key)) = P1 XOR P2

Here, C1 (Ciphertext1) is the XOR of P1 (Plaintext1) with the keystream RC4(IV, Key), and C2 (Ciphertext2) is the XOR of P2 (Plaintext2) with the same keystream RC4(IV, Key). Therefore, the XOR of C1 and C2 is the XOR of P1 and P2.
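
The encryption process of section 2.1 and the IV reuse algebra above, combined in one added example (not code from the original article). The secret, IV and payloads are constructed sample values, and the frame layout is simplified to IV followed by ciphertext, without the key ID byte of a real 802.11 frame.

```python
import struct
import zlib


def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (KSA, then PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for _ in range(n):                        # output generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, secret: bytes, data: bytes) -> bytes:
    """Return IV || ((data || CRC-32 ICV) XOR RC4(IV || secret))."""
    body = data + struct.pack("<I", zlib.crc32(data))
    return iv + xor(body, rc4(iv + secret, len(body)))


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + secret, len(body)))
    if struct.pack("<I", zlib.crc32(plain[:-4])) != plain[-4:]:
        raise ValueError("ICV mismatch")
    return plain[:-4]


# Constructed sample values: 40-bit secret, one IV reused for two frames.
SECRET = bytes.fromhex("0badc0de42")
IV = bytes([0x12, 0x34, 0x56])
P1 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00 known frame!"
P2 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00 secret frame"
F1, F2 = wep_encrypt(IV, SECRET, P1), wep_encrypt(IV, SECRET, P2)


def recover_p2_without_key() -> bytes:
    """Known P1 yields the keystream for this IV, which decrypts F2."""
    keystream = xor(F1[3:], P1)   # zip() stops at len(P1)
    return xor(F2[3:], keystream)
```

The recovery function never touches SECRET, which is why a repeated IV is enough to expose the second frame.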

2.2.2 Message Injection

If we obtain a keystream, we can perform Message Injection. We encrypt the combination of the data to be sent and its ICV (Integrity Check Value) with the obtained keystream, and then attach the IV that corresponds to that keystream to construct a data packet. Because an IV may be used repeatedly and the 802.11 standard requires lost data to be retransmitted, the receiving end will treat the packet we sent as a valid data packet.

2.2.3 Authentication Spoofing

Once we have a keystream, we have more than one option. In addition to Message Injection, we can also perform Authentication Spoofing. WEP uses the Challenge-Response method for identity authentication. A standard authentication process is as follows:
Step 1
Client --------- verification request -------------> AP

Step 2
Client <----- 128-byte challenge text -------- AP

Step 3
Client --- challenge text encrypted with the shared key ---> AP

Step 4
Client <----- verification result (success or failure) --- AP

This process can also be abstracted as Figure 5.

Figure 5 basic verification process
We can successfully pass the verification as long as the keystream is obtained. In addition, we can see that this authentication method is limited to verifying that a user is legitimate; it cannot verify the individual identities of multiple users.

2.2.4 Human Factors
IV Collision exists mainly because the IV is so short, but there are other causes as well. Out of inertia, users are often reluctant to change their keys frequently. (The key would need to be changed every few hours, when the IV space is exhausted.) This is a human factor. Some vendors cannot escape responsibility either. For example, when a wireless NIC is initialized, the IV value is reset to 0, and the IV value of each packet sent increases sequentially. This is very bad: it makes IV reuse more frequent and makes it easier for attackers to guess the IV.


2.2.5 WEP encryption algorithm RC4
2.2.5.1 RC4 errors
First, it should be clear that RC4 is a stream cipher. The encryption and decryption process is as follows:
Encryption: Plaintext XOR Keystream = Ciphertext.
Decryption: Ciphertext XOR Keystream = Plaintext.
As a stream cipher, RC4 is only as secure as its keystream. The keystream is not highly random, so there is a certain security risk. A completely random keystream, that is, a one-time pad, is very secure, but using it is extremely demanding: 1. the keystream must be completely random; 2. the keystream must be the same length as the data to be encrypted; 3. the keystream cannot be reused. Therefore, using a one-time pad puts a lot of pressure on bandwidth, and for these reasons it is used only in rare cases. WEP, although its security is low, is still used in some less demanding places. The 802.11 R&D team thought RC4 was safe when they chose it as the WEP encryption engine, but the facts have proved them wrong.

2.2.5.2 FMS attack
Any discussion of RC4 in WEP has to mention the FMS attack. This attack was first proposed by Scott Fluhrer, Itsik Mantin, and Adi Shamir in their paper Weaknesses in the Key Scheduling Algorithm of RC4, and is therefore called the FMS attack, that is, the Fluhrer-Mantin-Shamir attack. An 802.11 frame starts with the SNAP header, and the first byte of SNAP is 0xAA, so we only need to XOR 0xAA with the first encrypted byte to get the first byte of the keystream. Because WEP uses RC4 as its encryption engine, each character in the key influences the encrypted output differently, which directly leads to the existence of weak IVs. A weak IV has a potential relationship with a specific byte of the key, and each weak IV discloses information about that byte. The basic format of a weak IV is N + 3 : 255 : X, where the first byte of the key is designated as byte 0. N is the index of the key byte whose information the weak IV leaks; 255 is fixed, and is the length of the KSA (Key Scheduling Algorithm) array minus 1; X is any integer in [0, 255]. For example, if N in a weak IV is 0, the weak IV leaks information about the 1st byte of the key, which is very helpful for cracking. In addition, a longer key does not help much, because with the FMS attack the effort of cracking the key grows only linearly with the number of key bytes. This is terrible. From the above we can also see that, for a 64-bit key, the number of basic weak IVs is 5 * 1 * 256 = 1280. (In this case the first byte of a weak IV is an integer in the range [3, 7].) So far, more than 9000 weak IVs have been discovered. Currently, AirSnort can exploit this vulnerability.
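
A small auditing aid for the two IV problems described in sections 2.2.4 and 2.2.5.2, given as an added example (not code from the original article): it classifies IVs of the basic weak form N + 3 : 255 : X and reports IV reuse from one transmitter. The function names and the sample capture are constructed for illustration.

```python
from collections import Counter
from typing import Iterable, Optional, Tuple

IV = Tuple[int, int, int]


def leaked_key_byte(iv: IV, key_len: int = 5) -> Optional[int]:
    """Return N if iv has the basic weak form (N+3, 255, X), else None.

    key_len is the secret key length in bytes (5 for a 64-bit WEP seed).
    """
    first, second, _x = iv
    n = first - 3
    if second == 255 and 0 <= n < key_len:
        return n
    return None


def count_basic_weak_ivs(key_len: int = 5) -> int:
    """Enumerate the first byte and X; the second byte is fixed at 255."""
    return sum(
        1
        for first in range(256)
        for x in range(256)
        if leaked_key_byte((first, 255, x), key_len) is not None
    )


def audit_ivs(ivs: Iterable[IV], key_len: int = 5) -> dict:
    """Summarise IV reuse and basic weak IVs seen from one transmitter."""
    seen: Counter = Counter()
    weak: Counter = Counter()
    for iv in ivs:
        seen[iv] += 1
        n = leaked_key_byte(iv, key_len)
        if n is not None:
            weak[n] += 1
    reused = sorted(iv for iv, c in seen.items() if c > 1)
    return {"frames": sum(seen.values()), "reused": reused,
            "weak_per_key_byte": dict(weak)}


# Constructed capture: a card that restarts its IV counter at 0 after a
# reset (three frames, reset, three frames), followed by three more IVs.
SAMPLE = [(0, 0, 0), (0, 0, 1), (0, 0, 2), (0, 0, 0), (0, 0, 1), (0, 0, 2),
          (3, 255, 7), (7, 255, 200), (8, 255, 1)]
```

With the default 5-byte key the enumeration reproduces the 1280 figure above, and (8, 255, 1) only counts as weak when a 13-byte (104-bit) key is assumed.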

3. Improvement
In order to overcome these WEP defects, we have made some improvements based on WEP. For example, we have introduced WEP2, which is weak in terms of IV.
