A Blast From the Past: WEP — One of the Poorest Wi-fi standards … Ever!

Image for post
Image for post

I used to love teaching wi-fi, especially in the teaching of electromagnetic wave and in outlining the disaster area that was WEP (Wireless Equivalent Protocol). Without a doubt, it was one of the sloppiest standards ever created and broke the rules on good practice on virtually every page. So if you wanted to show how not to design a protocol, then WEP was certainly in the Top 10, and was integrated into IEEE 802.11b. In the days of IEEE 802.11n which gives rates of 540 Mbps, the transmission rate of 11Mbps for 11b just seems so slow. But it was WEP which caused most of the problem.

WEP broke nearly all of the rules of good crypto with:

  • A 24 bit Initialisation Vector (IV). This meant that the same encryption key repeated after 2²⁴ data packets. This mean that an intruder just had to wait for the IV value to return to a given value — typically within a few hours — and it was then possible to crack the encryption key.
  • A 40-bit encryption key. This meant which could be cracked with brute force. Anything less than a 72-bit symmetric encryption key can typically be cracked on a single computer. For example there are 2⁴⁰ keys, and which gives 1,099,511,627,776 different keys, and if we crack with 100 million keys per second, we crack every key in around three hours.
  • A global encryption for the network. WEP used a single global encryption key for the network, thus anyone with secret key for the network could view all of the data packets for the whole network.
  • Lack of error checking. WEP lacked proper error checking, and which allowed bits in the data packets to be flipped and still check a valid packet.

RC4

Most encryption methods for protecting data streams are now mostly block-based (where we take either 64 bits or 128 bits at a time and then them. In the early days of wi-fi, block often required expensive hardware, thus stream were used (and which operated on one bit at a time). The method selected WEP was RC4 (Ron’s Cipher 4), and which could be implemented fairly simply and with a varying encrypting key size. with we create a passphrase and then have some salt value (known as an Initialisation Vector — IV), and then we generate an infinitely long encryption key. This key is then EX-OR’ed with the bit stream, one bit at a time. You can try it here.

RC4 is fast and efficient, and we can have keys of different sizes. For example:

  • Message=Hello, Key=0102030405 Keystream: b2 39 63 05 f0 3d c0 27 cc c3 52 4a 0a 11 18 a8 Try
  • Message=Hello, Key=01020304050607 Keystream: 29 3f 02 d4 7f 37 c9 b6 33 f2 52 85 b4 6b Try
  • Message=Hello, Key=0102030405060708 Keystream: 97 ab 8a 1b f0 b9 61 32 f2 f6 72 58 da 15 a8 Try
  • Message=Hello, Key=0102030405060708090a Keystream: ed e3 b0 46 43 e5 86 cc 90 7d c2 18 51 70 99 02 Try
  • Message=Hello, Key=0102030405060708090a0b0c0d0e0f10 Keystream: 9a c7 cc 9a 60 9d 1e f7 b2 93 28 99 cd e4 1b 97 Try
  • Message=Hello, Key=0102030405060708090a0b0c0d0e0f10 1112131415161718Keystream: 9a c7 cc 9a 60 9d 1e f7 b2 93 28 99 cd e4 1b 97 Try

In order to change the keystream, we normally add the salt (IV) onto the key and then generate the keystream.

WEP

With WEP, in order to produce the stream, we take the passphrase and then concatenate it with a 24-bit IV (Initialisation Vector), and take the RC4 value of it. We then EX-OR the output of this with the data to create the and send the , along with the IV vector. On the other receiver side, we use the passphrase (which is secret and shared on both sides) with the IV and generate the same key, and then simply EX-OR it with the received stream, and the text will be the same of the original data.

Image for post
Image for post

with WEP, we waited until the IV value came around again, we EXOR’ed the two streams:

(MESS1 ^ [Passphase + IV)) ^ (MESS2 ^ [Passphase + IV))

when we EXOR the same value together we nullify the EXOR’ing, so we get:

((MESS1 ^ MESS2)

so that the key (and IV) has disappeared, and we don’t have the key anymore. The intruder would then just run some frequency and reveal the original messages.

WEP is thus the king of bad practice, where Intruders eventually got it down to a few hours (by sending lots of ARPs). It had a 24-bit IV value, thus it had 16,777,216, so if we send 1,000 packets a second, then it takes approximately 16,777 seconds to repeat, it will repeat in 279 minutes (or 4.66 hours).

Here are some examples:

  • Message1 = “hello”, Message2 = “hello”, Key=” “. Try!. Result is 0000000000
  • Message1 = “hello”, Message2 = “hello”, Key=” “. Try!. Result is 0000000000
  • Message1 = “hello”, Message2 = “ “, Key=” “. Try!. Result is 0000001C00
  • Message1 = “hello”, Message2 = “ “, Key=” “. Try!. Result is 0000001C00
  • Message1 = “The boy”, Message2 = “The car”, Key=” “. Try!. Result is 00000000010E0B
  • Message1 = “The boy”, Message2 = “The car”, Key=” “. Try!. Result is 00000000010E0B

WEP was one of the greatest disasters in cryptography and broke virtually every rule. As its core was the simple EX-OR’ing of the , using an IV and passphrase. Once the IV repeated, it was easy to determine the original messages.

Conclusions

WEP was retired, ungracefully, and replaced by WPA-2, which still used RC4, but where the IV was 48-bits (and where it was re-generated before it could come around again). The negotiation phase also introduced PBKDF2 as a hashing method to hide the password, and which is difficult to crack. It is still weak to short (or dictionary)-based passwords. Here is me cracking WPA-2 using a Raspberry PI and Kali:

Written by

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. EU Citizen. Auld Reekie native. Old World Breaker. New World Creator.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store