Why WEP Encryption Protocol Failed in WiFi Security ?

WEP encryption or Wired Equivalent Privacy encryption was part of the original IEEE 802.11 standard ratified in 1997. WEP encryption was widely used to safeguard wireless communications between access points and client stations during the early days of WiFi. But when WiFi usage exploded beyond anybody’s imagination around the turn of the century, the security standard fell way short of meeting security requirements. It was found to lack the robustness required to keep WiFi safe for the growing number of users and use cases in a world that was quickly getting saturated with personal computing power.

In this article, we examine the WEP encryption protocol and explain why it failed when security demands grew. Though the technology itself is dated, this article would be useful for anyone interested in understanding the basics of WiFi security. It can also help any general IT security enthusiast to appreciate the growth and evolution of wireless security as a field.

Further, knowing WEP and its flaws will serve as a foundation to better understand the subsequent security standards that replaced it, leading upto WPA 3, which is the latest ratified standard in 2020. WiFi itself has come a long way from the basic 802.11a launched in the 1990s to 802.11ax standard (WiFi 6) and the 6 GHz WiFi 6E, which is widely considered as a paradigm shift in WiFi communications.

What is WEP encryption?

Cryptography is broadly divided into Symmetric key cryptography and Asymmetric key cryptography. Symmetric key is where the same “secret” key is used for encrypting and decrypting traffic. Asymmetric key or public key cryptography is where different keys are used for encrypting and decrypting traffic.

Symmetric key cryptography is further divided into many subtypes. “Stream Cipher” is one of the subtypes under which the RC4 (Rivest Cipher 4) algorithm used by WEP falls. RC4 algorithm was invented by Ronald Rivest in 1987, a Professor at MIT, USA and a co-founder of RSA security. RC4 is a trademark and its working was a secret until it was leaked out in 1994. To avoid trademark troubles, RC4 was also referred to as ARC4 or ARCFOUR by many.

WEP encryption process 

RC4 algorithm used in WEP produces an infinite pseudo-random “keystream” for encrypting data. This keystream is produced using a ‘secret’ key (WiFi password) as one of the inputs. Once the keystream is produced, it is XOR’d with data, byte by byte, to produce encrypted ciphertexts that are ready for transmission.

On the receiving side, the process is reversed to retrieve the data. The received ciphertext is simply XOR’d with the receiver side keystream that was produced using the same secret key (Symmetric), to get the original data.

We can look at this process in a bit more detail.

WEP keystream production process

The WEP encryption keystream production process follows through the below steps.

Checksum

RC4 algorithm can only ensure secrecy of a message and not its integrity. To maintain the integrity of transmitted messages, a checksum process is separately followed. Cyclic Redundancy Check (CRC) is used for this purpose by WEP to generate an Integrity check value (V). This checksum V is then concatenated with the message (M) to obtain a value (A) that is fed into the next step of the keystream production process.

A=M+V

Seed production

The secret key (generated from WiFi password) and an initialization vector (IV) is combined to create a seed (S) that is fed into the keystream production process using the RC4 algorithm. This seed is 64 bits in length. The first 24 bits correspond to the IV and the last 40 bits correspond to the secret key. ( A five character ASCII WiFi password will become a 40 bit key as each ASCII character is 8 bit length in binary)

S=IV+Secret Key

Initialization vector is a value generated in the WEP process to add variability to the seed value as WiFi passwords may not be changed frequently by organizations using the WLAN.

Keystream production

As shown in Fig. 1 above, the seed, which is a combination of IV and secret key is fed into the RC4 algorithm for keystream production. RC4 is a stream cipher that produces a keystream (K).

S==>RC4 ==> K

This keystream is then XOR’d byte by byte with the message (A) to produce the final encrypted cipher text (C) that is ready for transmission.

K⨁A=C

When the cipher text is transmitted, the IV is also transmitted along with it in clear text to the receiver as a combination (D). This transmission arrangement is for enabling the receiving party to obtain each cipher text and decrypt it using the corresponding IV and the secret key that is already known to it.

The MPDU for transmission will hence consist of 4 octets (32 bits) of IV at the beginning of the MPDU + Data + 4 octets (32 bits) of checksum. Except IV, the other bits are in encrypted state. The WEP security process thereby increased the MPDU size by a total of 8 octets.

WEP Decryption Process

In the decryption process, the received IV is combined with the known secret key to produce the same seed (S’) that was produced in the Encryption process. This seed S’ is then fed into the RC4 algorithm to produce the same keystream (K’) that was produced in the encryption process.

As shown in Fig.2 above, keystream K’ is now XOR’d with the received ciphertext C’ to produce a value A’ which is the concatenation of the original message M’ and its checksum V’. Now this message M’ is extracted and fed into the same Integrity algorithm that was used in the Encryption process to get the checksum value V”. This value is then compared with the checksum value V’.

If V”=V’ then it means the message was not corrupted in the transmission and it can be taken further for processing. If these checksum values don’t match, it means there was an error in transmission of data and the packet is discarded.

WEP encryption security issues

IEEE, in its 802.11(1999) standards text said “Wired equivalent privacy is defined as protecting authorized users of a wireless LAN from casual eavesdropping.”

But as demonstrated by many in the later days, the WEP encryption standard fell short of this stated data confidentiality goal and other related goals of data integrity and access control.

In fact attacks on WEP enabled WLANs from nearby parked cars became so notorious that it got referred to with the moniker “Wardriving”. Wardriving rigs and guides were made and sold to hackers who wanted to sneak up on such WEP enabled WLANs.

Brute Force attacks were always possible for an attacker with computational power and means to crack a 40 bit secret key. But there were other general vulnerabilities with the WEP encryption process that opened it to attacks.

Privacy is broken when the secret key is directly found out. But in the case of WEP, privacy was vulnerable even without direct knowledge of the key.

The major issues in WEP were caused by the below two shortcomings:

1. Keystream re-use
2. Weak message authentication process

We will take a look at these issues and the attacks that became possible due to these issues.

I) Keystream Re-use

Keystream re-use is a condition where same keystreams are used to encrypt data. This compulsion arises due to the short IV of just 24 bits. 224equals to about 16 million odd IV values that can produce 16 million odd keystreams, which sounds like a lot. But in a very busy environment with heavy WLAN usage, such an amount of IVs can be quickly used up in a few hours, after which the IV has to be repeated.

When an IV gets repeated, it means the same keystream is being repeated to encrypt data, as the secret key usually remains unchanged over this time. Company-wide WiFi passwords are not changed that often.

When there are 2 cipher texts that have been encrypted by XORing the same keystreams with 2 messages, the XOR of 2 ciphertexts will reveal the XOR’d value of two messages.

Example

Let:

Keystream K = 1101

Message M1 = 1001

Message M2 = 1110

Then,

Ciphertext C1 = K⊕M1 = 1101⊕1001 = 0100

Ciphertext C2 = K⊕M2 = 1101⊕1110 =  0011

Now,         C1⊕C2 = 0100⊕0011 = 0111

And also,     M1⊕M2 = 1001⊕1110 = 0111

As we can see in the example above, the XOR value of 2 messages can be retrieved from 2 ciphertexts encrypted with the same keystream.

Now, when one of the messages can be found out by some means, the other message can be found out using the same XOR function.

The whole idea of using the IV in WEP was to prevent keystream reuse issues. But due to weak implementation of IV, the keystream reuse and its related attacks became possible.

Keystream re-use opportunities in WEP

• No implementation guidelines

  • As the 802.11 standard did not clearly specify IV implementation best practices, many manufacturers of WiFi cards used very basic methodologies and became compliant. The IV was usually initiated from zero everytime the WiFi card was restarted and counted sequentially thereafter. This made the key streams highly repetitive, with the initial keystreams used many times over the life of a WiFi card. One just had to find few of the messages, which in many cases can also be repetitive or can be guessed. For example, IP communication protocols have many standard fields which can be guessed. It is also possible to use other strategies like sending emails to targets and waiting for them to open it over the wireless network. The target user can also be directed to a website. As the attacker knows the content of the packets, it will be easy to find out the keystreams from the captured ciphertexts.

• Small IV size

  • The relatively small size of the IV field means a busy device can legitimately run out of keystreams within a day and be forced to restart the IV field from zero, leading to keystream re-use within a day. For example, a 11 Mbps AP transmitting 1500 byte packets will exhaust IVs in about 5 hours. After exhaustion, the AP has to start the IV count from the beginning, leading to keystream re-use theoretically within a working day.

• Birthday paradox

  • Random use of IV can give rise to duplicate keystreams much earlier. This is due to a probability theory popularly known as the birthday paradox.

• Poor enforcement

  • 802.11 standard did not enforce IV to be changed for every packet. So a manufacturer could have implemented the same IV for all packets and still become compliant with the standard.

II) Insufficient message authentication technique

For maintaining integrity of transmitted messages, WEP uses the CRC (Cyclic Redundancy Check) checksum algorithm. CRC is a simple arithmetic generally used to avoid common transmission errors in messages sent through networks. As a basic error checking algorithm over data transmission lines, it works well. But when used as a cryptographic hash, it falls short. For example, attackers were able to modify the address field of a captured packet to reflect the attacker’s computer, quickly amend the CRC field using its cyclic feature and send the packet to the access point. The access point then simply sent responses to the attacker’s computer for the encrypted packet.

Attacks on WEP encryption protocol

Many types of attacks surfaced as days went by after the launch of WEP. Notable ones like Reaction attack, Dictionary attack, Inductive attack, FMS attack, PTW attack, Chopchop attack, Man-in-the-middle attack etc sent shock-waves through the IT community. We will take a look at a couple of these attacks below.

Reaction attack :

Let’s assume an attacker knows partial values of a keystream K of a particular IV and wants to guess the remaining bits. The attacker can take a dummy message, generate CRC, encrypt it with a keystream containing known and guessed bits and send it to an access point . If the guessed bits of the keystream were correct, the access point will send back an acknowledgement, meaning the guessed keystream was correct. If no acknowledgement was received, then the attacker can try out different guesses for a byte of keystream till an acknowledgement is received. In this way the attacker can keep continuing with the guesswork byte by byte till he is able to find out the whole keystream corresponding to an IV.

Dictionary attack:

When messages are known and cipher text is already available, the keystream can simply be found by XORing the message and ciphertext. By repeating message finding activities over a period of time, it will be possible to build a complete dictionary of all possible keystreams for corresponding IVs while the secret key remains unchanged. It can be calculated that a dictionary of all the keystreams of a length of 1500 bytes will consume only 24 GB of space on a hard drive. This is not a huge storage requirement and can be accommodated in a laptop, even during the time WEP was launched and became popular during the turn of the century.

This leads to a complete breakdown of WLAN privacy in an organization where the hacker need not even know the “secret” key. This is because the keystreams become the same to everyone using a WLAN with a common secret key. The plaintext IV sent along with the encrypted message is used as an identifier to precisely direct the attack on a packet.

Summary

WEP was introduced by IEEE 802.11 body to counter “casual eavesdropping”. True to its intentions, WEP became useful to barely avoid only those attempts. As days went by, even amateur attackers were able to swiftly dismantle the privacy provided by WEP due to the ‘elementary’ nature of security protocols followed by the WEP standard. As we saw above, the basic building blocks of WEP were highly prone to various kinds of attacks.This forced IEEE to constantly update the encryption and authentication protocols in the future versions of 802.11 standard to protect WLAN networks.

Nevertheless, studying WEP helps one to understand the path taken by the Industry in securing WiFi communications. It answers the ‘why’ of what followed WEP in terms of security upgrades to the 802.11 standard. We are planning to write on these subsequent developments in WLAN security including WPA, WPA2 and WPA3 as well in upcoming posts.