To truly understand the problems with WEP, we must first develop an understanding of how WEP works in its currently implemented form (Figure 3.1).
Figure 3.1. WEP encipherment.
The encryption process always begins with a plaintext message that we want to protect. First, WEP computes a 32-bit cyclic redundancy check (CRC-32) over the message. WEP calls this the integrity check value (ICV) and appends it to the end of the plaintext message. Next, we take the secret key and concatenate it to the end of the 24-bit initialization vector (IV). This IV + secret key combination is fed into the RC4 pseudo-random number generator (PRNG), which outputs the key stream. The key stream is merely a series of 0s and 1s, equal in length to the plaintext message plus ICV combination. Finally, we perform an exclusive OR (XOR) between the plaintext-plus-ICV combination and the key stream. The result is the ciphertext. The IV, unencrypted, is prepended to the ciphertext and included as part of the transmitted data.
Figure 3.2 is another way to look at the same operation. Again, we first take the integrity check value (the CRC) and append it to the end of the message. Then, we take this entire plaintext and XOR it with the key stream. The key stream is created by taking the secret key and appending it to the initialization vector and plugging it into the RC4 cipher.
Figure 3.2. Encrypted WEP frame.
Note that after XORing the two values, we prepend the initialization vector to the ciphertext. The IV is sent in clear text (unencrypted) because the receiver needs it, together with the shared secret key, to regenerate the identical key stream and decrypt the frame.
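The encipherment described above, written out end to end as an added example (this is illustrative code, not code from the book or from any 802.11 implementation). It implements RC4 directly so the key-schedule and key-stream steps are visible, uses the standard CRC-32 for the ICV, and builds the frame body as IV || ciphertext exactly as in Figure 3.2; the decrypt routine regenerates the key stream from the transmitted IV and the secret key and checks the ICV. The ICV is written little-endian, the byte order used on the wire; the sample key, IV and message are constructed for the example, and the one-byte key-ID field that real 802.11 frames carry after the IV is omitted to match the figures.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 key stream for `key` (KSA + PRGA)."""
    # Key-scheduling algorithm: permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: emit one byte per step.
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Figure 3.1: IV || RC4(IV || key) XOR (plaintext || ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits (3 bytes)")
    data = plaintext + icv(plaintext)            # message with ICV appended
    key_stream = rc4_keystream(iv + secret_key, len(data))  # IV first, then key
    ciphertext = xor_bytes(data, key_stream)
    return iv + ciphertext                       # IV prepended in the clear


def wep_decrypt(secret_key: bytes, frame: bytes):
    """Reverse of wep_encrypt. Returns (plaintext, icv_ok)."""
    iv, ciphertext = frame[:3], frame[3:]
    key_stream = rc4_keystream(iv + secret_key, len(ciphertext))
    data = xor_bytes(ciphertext, key_stream)     # XOR with same stream undoes it
    plaintext, received_icv = data[:-4], data[-4:]
    return plaintext, received_icv == icv(plaintext)


def demo():
    # Constructed sample values, not real network data.
    secret_key = bytes.fromhex("0102030405")     # 40-bit WEP key
    iv = bytes.fromhex("aabbcc")
    message = b"hello, station"

    frame = wep_encrypt(secret_key, iv, message)
    recovered, ok = wep_decrypt(secret_key, frame)

    # Flip one ciphertext byte without fixing the ICV: the receiver notices.
    tampered = bytearray(frame)
    tampered[3] ^= 0x01
    _, tampered_ok = wep_decrypt(secret_key, bytes(tampered))
    return frame, recovered, ok, tampered_ok


if __name__ == "__main__":
    frame, recovered, ok, tampered_ok = demo()
    print("frame     :", frame.hex())
    print("recovered :", recovered, "ICV ok:", ok)
    print("tampered frame ICV ok:", tampered_ok)
```

Run it and compare the first three bytes of `frame` with `iv`: they are identical, which is the point of Figure 3.2. Everything after them is plaintext-plus-ICV XORed with a key stream that depends only on `iv + secret_key`.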