Security Reference Guide

WPA Part 2: Weak IV's

Last updated May 23, 2003.

WEP has a well-known black mark against it: it can be cracked. The details behind the flaws in WEP are beyond this section, but if you are interested, please read this article. In short, WEP uses RC4 to encrypt the data passed over the network. RC4 requires a passphrase, which is made up of two parts. The first part is known as a pre-shared key (PSK). The PSK must be entered into the configuration settings of each node prior to connecting to the wireless network and is generally 5 or 10 characters in length (5 – 10 bytes).

The second part of this passphrase is a three-character (three-byte) initialization vector (IV). The purpose of the IV is to encrypt each packet with a different key (IV + PSK). This value is prepended to the packet as plaintext; the receiver strips it off and uses it in the decryption process. While not the most secure method, this process works in practice...assuming the IVs are truly unique.

Unfortunately, it was discovered that the IVs were not exclusive. This problem, when combined with the fact that the IVs were created using the passphrase as one of the variables, became a security nightmare. The result was that the plaintext IVs statistically leaked the PSK, which an attacker could extract by passively sniffing encrypted packets.

Two main programs (WEP Crack and Airsnort) were created that demonstrated this flaw. Wireless vendors quickly caught on to how these programs worked and responded by adding a few lines of code to filter out the 'weak IVs' that made this type of WEP cracking possible. Unfortunately, these two programs only focused on one statistical flaw in the WEP encryption process. Much to the chagrin of the wireless vendors, there are several other statistical attacks that can be used to crack the WEP key. As a result, a new generation of WEP cracking programs was eventually released. WEP Attack and Aircrack both make short work of cracking a WEP-protected network, and have been reported to be successful with about 40,000 packets. When compared to 2-5 million, the impact of the newest attacks is significant.

Duplicate IVs (Collision)

Each packet is encrypted with a unique streaming key. The key is derived from an algorithm that uses an IV and PSK value. This key is then XOR'd with the plaintext data to produce the encrypted data. The only part of this process that changes from packet to packet is the IV value. Since the IV is limited to 24 bits, there are only 16 million (2^24) possible unique values that can be generated. The problem is that 16 million packets only equates to several hours' worth of data. In addition, if a device includes a filter for weak IVs, the number of values is reduced further.

The problem arises when you have duplicate IV values. If an attacker knows the content of one of the packets he has the IV for, he can use the collision to extract the contents of the other packet. In other words, an attacker can decrypt data without ever knowing the password. Assuming an attacker can collect enough known IV-data matches, they can compromise the entire network.
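The collision described above can be reproduced on constructed data. The following is an added example, not code from the original guide: it builds WEP-style frames (RC4 keyed with IV + PSK, IV sent in the clear) and shows that two frames with the same IV share a keystream, so one known plaintext reveals the other. The key, IVs and plaintexts are constructed sample values, and the birthday estimate goes beyond the text by assuming IVs are chosen at random.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n bytes of RC4 keystream for the given key."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # output generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_frame(iv: bytes, psk: bytes, plaintext: bytes) -> bytes:
    """Clear-text IV followed by plaintext XOR RC4(IV || PSK)."""
    return iv + xor(plaintext, rc4_keystream(iv + psk, len(plaintext)))

def collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday estimate: chance that at least two of `frames` random IVs match."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** iv_bits))

# Constructed sample values, not taken from any real network.
PSK = bytes.fromhex("0102030405")
P1 = b"GET /index.html "       # plaintext the observer already knows
P2 = b"user=alice;pw=x1"       # plaintext the observer does not know

def demo() -> dict:
    iv = bytes.fromhex("aabbcc")
    c1 = wep_frame(iv, PSK, P1)[3:]           # strip the 3-byte IV
    c2 = wep_frame(iv, PSK, P2)[3:]           # same IV: same keystream
    c3 = wep_frame(bytes.fromhex("aabbcd"), PSK, P2)[3:]
    return {
        "keystream_cancels": xor(c1, c2) == xor(P1, P2),
        "recovered": xor(xor(c1, c2), P1),    # PSK never used here
        "fresh_iv_differs": c3 != c2,
        "p_collision_5000": collision_probability(5000),
    }

if __name__ == "__main__":
    print(demo())
```

With randomly chosen IVs the estimate passes 50% at roughly 5,000 frames, far earlier than exhausting all 2^24 values.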

ICV

WEP incorporated a data integrity check. Using a CRC-32 algorithm, a wireless device calculates a checksum. This checksum value is appended to the data packet and passed to the receiving node. The node performs the same CRC-32 calculation, which also produces a checksum value. The two values are compared and, if they match, the packet is assumed to be valid.

On the surface, this integrity check value (ICV) process appears to work. After all, the same CRC-32 algorithm is used by TCP/IP traffic to ensure packets are not corrupted in transmission. Unfortunately, the well-known CRC-32 only protects against accidental corruption. As a result, anyone can capture a packet, remove the original CRC-32 value, alter the packet and simply create a new CRC-32 value that validates the data. In other words, a packet can easily be forged by an attacker.
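Why an unkeyed CRC-32 gives no integrity under an XOR stream cipher, shown on constructed data and contrasted with a keyed MAC. This is an added example, not code from the original guide; the keystream, MAC key, payloads and the choice of HMAC-SHA-256 as the keyed alternative are assumptions made for illustration.

```python
import hashlib, hmac, struct, zlib

# Constructed values: a fixed 64-byte stand-in keystream and a MAC key.
KEYSTREAM = hashlib.sha256(b"constructed keystream").digest() * 2
MAC_KEY = b"constructed-mac-key"

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc_icv(payload: bytes) -> bytes:
    """WEP-style ICV: unkeyed CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(payload))

def mac_icv(payload: bytes) -> bytes:
    """Keyed alternative: HMAC-SHA-256 over the payload."""
    return hmac.new(MAC_KEY, payload, hashlib.sha256).digest()

def seal(payload: bytes, icv_fn) -> bytes:
    """Encrypt payload || ICV by XOR with the keystream."""
    return xor(payload + icv_fn(payload), KEYSTREAM)

def verify(frame: bytes, icv_fn, icv_len: int):
    """Decrypt, split off the ICV, and return (check passed, payload)."""
    body = xor(frame, KEYSTREAM)
    payload, icv = body[:-icv_len], body[-icv_len:]
    return hmac.compare_digest(icv, icv_fn(payload)), payload

def crc_patch(delta: bytes) -> bytes:
    """CRC-32 is affine: crc(m^d) = crc(m) ^ crc(d) ^ crc(zeros)."""
    zeros = bytes(len(delta))
    return struct.pack("<I", zlib.crc32(delta) ^ zlib.crc32(zeros))

def demo() -> dict:
    original, altered = b"PAY 0010 TO BOB", b"PAY 9910 TO BOB"
    delta = xor(original, altered)
    # In-transit change made with no knowledge of KEYSTREAM or MAC_KEY.
    crc_frame = xor(seal(original, crc_icv), delta + crc_patch(delta))
    mac_frame = xor(seal(original, mac_icv), delta + bytes(32))
    return {"crc": verify(crc_frame, crc_icv, 4),     # check passes
            "mac": verify(mac_frame, mac_icv, 32)}    # check fails

if __name__ == "__main__":
    print(demo())
```

The CRC-protected frame verifies after the change, while the HMAC-protected frame is rejected because the tag cannot be recomputed without the MAC key.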

No forgery or replay protection

Each packet is encrypted with a unique key. This key is a binary string that actually encrypts each bit of the packet data using an XOR algorithm. Unfortunately, XOR is very simple and can easily be reversed. As a result, it is often trivial to extract the binary key from an encrypted packet.

The problem isn't so much that the key can be extracted. It is what an attacker can do with the key that is disturbing. Because there are no ties between a wireless device and the key, an attacker can reuse this binary string to create a valid encrypted packet that they can then send into a wireless network. In other words, an attacker can easily forge a packet and insert it into a network. In addition to this, any captured packet can be re-injected into a network at any time from any wireless device. There is no check in place to verify that a node should be sending a particular packet.

No Authentication

WEP was only designed to protect the data. It was not designed to authenticate users to a network. There is some basic authentication technology available called Shared Authentication. However, using this form of authentication created more security problems than it could fix. As it was discovered, the Shared Authentication protocol could be abused by attackers to quickly expose the key. In addition, the data itself that is sent during the Shared Authentication process provides an attacker with a valid binary key that can be in turn used to inject packets into a protected network. In other words, the only authentication method available to WEP users actually was a security risk itself.

Static Key

WEP is based on a pre-shared key concept. Every device that wants to connect to the encrypted network must have the correct key. In a small home network, this isn't really a serious problem...assuming the key is strong. However, thanks to weak IVs, the password can easily be cracked given enough time. In addition, a single shared key is a management nightmare if the key needs to be changed. Every device must be manually touched in order to alter the WEP key.

RC4

Finally, RC4 itself is getting old. While not outdated yet, this algorithm is about to reach its end of life. This is not a serious problem yet, for most users. But in coming years, as Moore's Law predicts, RC4 will not be sufficient encryption.

As you can see, WEP is not secure. It is dangerous to use and employing it could even be considered irresponsible. Fortunately, there are other options, starting with WPA.