# Cracking WEP

• Print
From the author of

## PRGA

The PRGA (Psuedo Random Generation Algorithm) is the part of the RC4 process that outputs a streaming key based on the KSA's psuedo random state array. This streaming key is then merged with the plaintext data to create a stream of data that is encrypted. Following is the algorithm and its explanation:

### Algorithm

```1. Initialization:
2. i = 0
3. j = 0
4. Generation Loop:
5.   i = i + 1
6.   j = j + S[i]
7.   Swap(S[i], S[j])
8.   Output z = S[S[i] + S[j]]
9.   Output XORed with data```

### Explanation

1. Again, before using the PRGA, the i and j values must be initialized.

2. i initialized to 0.

3. j initialized to 0.

4. This starts the stream-generation processes. It will continue until there is no more data, which in WEP's case is the end of the packet of data—or about 1,500 bytes.

5. i is added to itself to keep a running value used in the swap process.

NOTE

This value will ALWAYS equal 1 the first time through the PRGA loop (i = i + 1 ‡ i = 0 + 1 = 1).

6. j is used to hold the psuedo random number in the S[] position, with the previous S[] added to it.

NOTE

This value will ALWAYS hold the value held in S[1] for the first iteration of the PRGA (j = j + S[i] ‡ j = 0 + S[1]).

7. Another swap function is performed that switches the values held in the i position and j position of the state array.

8. z is calculated based on an addition of the value held in the state array, as represented by the addition of the values held in S[i] added to S[j]. (This will be better understood after seeing the example later in the article.)

9. Finally, the z value is XORed with the plaintext to create a new and encrypted value. This can be represented by the equation encrypted data = z XOR plaintext.

NOTE

XOR only requires that you know ANY two of the values to deduce the third. In other words, if the plaintext is known and the encrypted data is captured by a sniffer, a hacker can deduce the z value outputted by the PRGA.