Sunday, September 30, 2007

Wireless security an insight into WEP

Wired Equivalent Privacy (WEP) is a security protocol for wireless local area networks (WLANs) defined in the 802.11b standard. WEP is designed to provide the same level of security as a wired LAN. Wired LANs are inherently more secure than WLANs because they are partly protected by their physical structure: some or all of the network sits inside a building that can be protected from unauthorized access. WLANs, which run over radio waves, have no such physical boundary and are therefore more vulnerable to tampering. WEP aims to provide security by encrypting data sent over radio waves so that it is protected in transit from one end point to another. However, WEP has been found to be far less secure than once believed. WEP operates at the two lowest layers of the OSI model, the data link and physical layers; it therefore does not offer end-to-end security.

Authentication

Two methods of authentication can be used with WEP: Open System authentication and Shared Key authentication.

For the sake of clarity, we discuss WEP authentication in Infrastructure mode (i.e., between a WLAN client and an Access Point), but the discussion applies to Ad-Hoc mode too.

In Open System authentication, the WLAN client need not provide its credentials to the Access Point during authentication. Thus, any client, regardless of its WEP keys, can authenticate itself with the Access Point and then attempt to associate. In effect, no authentication (in the true sense of the term) occurs. After the authentication and association, WEP can be used for encrypting the data frames. At this point, the client needs to have the right keys.

In Shared Key authentication, WEP is used for authentication. A four-way challenge-response handshake is used:

I) The client station sends an authentication request to the Access Point.

II) The Access Point sends back a clear-text challenge.

III) The client has to encrypt the challenge text using the configured WEP key, and send it back in another authentication request.

IV) The Access Point decrypts the material, and compares it with the clear-text it had sent. Depending on the success of this comparison, the Access Point sends back a positive or negative response. After the authentication and association, WEP can be used for encrypting the data frames.

At first glance, it might seem as though Shared Key authentication is more secure than Open System authentication, since the latter offers no real authentication. However, it is quite the reverse. It is possible to derive the static WEP key by capturing the four handshake frames in Shared Key authentication. Hence it is advisable to use Open System authentication with WEP. (Note that both authentication mechanisms are weak.)

Is it Good?

We all know by now that 802.11's Wired Equivalent Privacy (WEP) isn't good enough to protect our data. A suitably equipped cracker only needs some patience to mount a successful attack. Specifically, it usually takes only five to ten million packets to break WEP encryption, and at fifteen million packets it is almost dead certain that a dedicated attacker can pry the lid off your network traffic. To put it another way, a small WLAN with four active users is almost certain to be cracked after two weeks of eavesdropping.

Making matters even worse, the cracking techniques most frequently used work equally well no matter what WEP key length you're using. Thus a 128-bit key is just as vulnerable as a 64-bit key. Indeed, even if a WEP key were 1,204 bits long, it would still be as crackable by today's methods as one at the minimal 64 bits.

How can that be? To understand it, you have to look closely at how WEP actually generates and manages, or more to the point doesn't manage, its encryption keys.

Every WEP packet is encrypted separately with an RC4 cipher stream generated from a per-packet encryption key. That key is made up of a 24-bit initialization vector (IV) and either a 40-bit or 104-bit WEP key that is usually set on your wireless device. Combined, they have a total length of 64 or 128 bits, hence the popular names 64-bit and 128-bit WEP keys (some vendors used to call the 64-bit key a 40-bit key; they simply weren't counting the 24-bit IV, so 64-bit and 40-bit WEP are the same thing). The transmitted packet is produced by a 'bitwise exclusive OR' (XOR) of the packet handed to your network interface card (NIC) by your computer with the RC4 keystream.

With me so far? Now, the first thing that undermines WEP's fundamental security is that every packet you send also carries the IV in plaintext. In short, any would-be snooper can immediately see part of the per-packet key.

Now, because the IV is only 24 bits long, there are only 16,777,216 different RC4 keystreams for every key, regardless of how long the rest of the key is. Sounds like a lot, doesn't it? It's not even close to enough. IVs are constantly reused, and it takes many packets to send even a quick "Hi, how are you?" instant message, so it doesn't take long for a snooper to gather enough packets to start cracking your messages.
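To make the Shared Key handshake (steps I to IV above) and the per-packet key construction concrete, here is an added Python example; it is not code from the original post. It implements plain RC4, the WEP frame body (IV in the clear, then RC4(IV||key) XORed over data plus CRC-32 ICV, which is what 802.11 WEP appends), the AP-side check in step IV, the keystream-cancellation that IV reuse causes, and a birthday-bound estimate of how soon a 24-bit IV repeats. The key, IV and frame contents are constructed sample values.

```python
import struct
import zlib
from math import exp

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then the pseudo-random generation loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = 3-byte IV in the clear || RC4(IV||key) XOR (data || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    body = plaintext + icv
    ks = rc4_keystream(iv + wep_key, len(body))
    return iv + bytes(p ^ k for p, k in zip(body, ks))

def wep_decrypt(wep_key: bytes, frame: bytes):
    """Undo the XOR with the same per-frame key; return data, or None if the ICV fails."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + wep_key, len(body))
    data = bytes(c ^ k for c, k in zip(body, ks))
    plaintext, icv = data[:-4], data[-4:]
    if struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) != icv:
        return None
    return plaintext

def shared_key_auth_ok(wep_key: bytes, challenge: bytes, response_frame: bytes) -> bool:
    """Step IV: the AP decrypts the client's frame and compares it with its clear-text challenge."""
    return wep_decrypt(wep_key, response_frame) == challenge

def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV and key share one keystream, so C1 ^ C2 == P1 ^ P2."""
    assert frame_a[:3] == frame_b[:3], "IVs differ, so the keystreams do not cancel"
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))

def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least one IV repeats among `packets` random IVs."""
    space = 2 ** iv_bits
    return 1.0 - exp(-packets * (packets - 1) / (2.0 * space))
```

With random IVs, the bound says about 4,800 packets already give a 50% chance of a repeated IV, which is why "16,777,216 keystreams" is far less reassuring than it sounds.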

If that were WEP's only weakness it would still be insecure, but it would take serious processing power and a lot more packets to break into a WLAN. Unfortunately, RC4 has another problem: not all of those nearly 17 million possible IVs are equally good when used with RC4. When one of the approximately 9,000 'weak IVs' is used to encrypt a packet, a snooping program can recognize and collect it. Weak IVs give additional clues about the full encryption key, no matter its length, and so they make breaking WEP that much easier.

There are other theoretical ways to attack WEP, but the combination of these two ways of exploiting the IV has proven so easy and effective that little effort is being spent on developing software to exploit the others. Trust me, the existing ways to pry open a WEP-protected network work more than well enough.
