WEP – (Wired Equivalent Privacy), a security protocol for wireless local area networks (WLANs) defined in the 802.11 standard. WEP is so called because it was designed to provide the same level of security as that of a wired LAN. But LANs are actually more secure than WLANs because LANs are restricted by physical access that secures them from unauthorized access. But WLANs use radio waves that do not enjoy the same privacy and are prone to unauthorized access. But before researching further into this lets go through WEP in detail.
WEP security an Overview
WEP was one of the first attempts to fix this insecurity issue in wireless LANs. The Wired Equivalent Privacy (WEP) algorithm was designed to be used to protect wireless communication from unauthorized eavesdropping and restricting access to a wireless network.
According to section 8.2.2 of the 1999 IEEE 802.11 standard states the following, as the objectives for WEP (quoted verbatim):
It is reasonably strong: The security afforded by the algorithm relies on the difficulty of discovering the secret key through a brute-force attack. This in turn is related to the length of the secret key and the frequency of changing keys. WEP allows for the changing of the key (K) and frequent changing of the Initialization Vector(IV).
- It is self-synchronizing: WEP is self-synchronizing for each message. This property is critical for a data-link-level encryption algorithm, where “best effort” delivery is assumed and packet loss rates may be high.
- It is efficient: The WEP algorithm is efficient and may be implemented in either hardware or software.
- It may be exportable: Every effort has been made to design the WEP system operation so as to maximize the chances of approval, by the U.S. Department of Commerce, of export from the U.S. of products containing a WEP implementation. However, due to the legal and political climate toward cryptography at the time of publication, no guarantee can be made that any specific IEEE 802.11 implementations that use WEP will be exportable from the USA.
- It is optional: The implementation and use of WEP is an IEEE 802.11 option.
WEP Operation and Implementation
WEP is used at the two lowest layers of the OSI model – the data link and physical layers. Let’s study this a little further and see how WEP works.
WEP uses the RC4 algorithm to encrypt the packets of information as they are sent out from the access point or wireless network interface card. As soon as the other access point receives the packets sent by the user’s network interface card it decrypts them.
Fig. Wireless Network
WEP relies on a 40 or 64-bit secret key that is shared between a mobile station and an access point to encrypt and decrypt the data. This secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit.
Let’s see this concept in detail, each byte of data is encrypted using a unique packet key. This ensures that if a hacker tries and suceeds to crack this packet key the only information that is leaked is that which is contained in that particular packet. The actual encryption logic used in RC4 algorithm is that the plain text is XOR-ed with an infinitely long keystream. The security of RC4 comes from the secrecy of the packet key that is derived from the keystream. It should be noted that WEP only encrypts data between 802.11 stations that is wireless stations. Once the frame enters the wired network side, such as between access points, WEP no longer applies.
Fig. WEP encryption protocol (Reference url: http://en.hakin9.org/ )
Authentication Methods in WEP
WEP uses two types of authentication methods Open System authentication and Shared Key authentication.
Let’s take the first case, in the Open System authentication any WLAN client, regardless of its WEP keys, can authenticate itself with the Access Point and then attempt to associate. After the authentication and association, WEP is used for encrypting the data frames. But at this point, the client needs to have the right keys.
Shared Key authentication is a little bit complex, here WEP is used for authentication by using a four way handshake that works as follows
- The client station sends an authentication request to the Access Point.
- On receiving the request the Access Point sends back a clear text challenge.
- The client has to then encrypt the challenge text using the configured WEP key, and send it back in another authentication request.
- On reception the Access Point decrypts the material, and compares it with the clear-text it had sent earlier. Depending on the success of this comparison, the Access Point sends back a positive or negative response. After this authentication and association, WEP is used for encrypting the data frames.
Shortcomings of WEP and its Impact Security
Eventhough WEP was one of the primary protocols used for wireless security with advent of time WEP experienced many limitations and which undermined the security claims of the system. The main reason was the cryptographic protocol design. So where did the WEP actually went wrong, WEP is actually vulnerable because of a relatively short IVs and keys that remain static.
IV is known as Initialization Vector and can be defined as 3-byte random number generated by the computer. It’s either prepended or appended to the cipher text and sent to the receiver who strips the IV off before decrypting the cipher text.
With only 24 bits, WEP eventually uses the same IV for different data packets. For a large busy network, this reoccurrence of IVs can happen within a short periods. This results in the transmission of frames having keystreams that are too similar. If enough frames are collected based on the same IV, anyone can determine the shared values among them, that is the keystream or the shared secret key. And eventually lead to the decryption of any of the 802.11 frames. A security breach as we say.
The static nature of the shared secret keys emphasizes this problem because 802.11 doesn’t provide any function that supports the exchange of keys among stations. Hence users generally use the same keys for a very longer period of time without changing. This gives a hacker plenty of time to monitor and hack into WEP enabled networks. Hence WEP can only be implemented as a low level Security in Wireless networks.
These flaws gave way for the following attacks which made WEP further unsuitable:
- Passive attacks to decrypt traffic based on statistical analysis.
- Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.
- Active attacks to decrypt the traffic, based on tricking the access point.
- Dictionary-building attack that, after analysis of about a day’s worth of traffic, allows real-time automated decryption of all traffic.
- Key recovery programs became common that utilizes the existing vulnerability of the WEP system to gain the keys. One of such program for wireless attack is AirSnort. Key recovery with AirSnort takes only a few seconds once enough encrypted frames are gathered.
- It is possible to derive the static WEP key by capturing the four handshake frames in Shared Key authentication.
Wired Equivalent Privacy (WEP) limitations and flaws were mainly due to the cryptographic protocol design and their combination.In order to make WEP effective a deeper analysis into its protocol design is necessary. But still WEP can be used to an extent with other security functions like MAC based filtering.
The IEEE group, which sets the standards for wireless networking, had been working to fix WEP with a new standard called 802.11i , a standard for wireless local area networks that provides improved encryption by using encryption key protocols, known as Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES).Further study and research is going on 802.11 to make the protocol and security standards more advanced and secured.