Wired Equivalent Privacy: (WEP)

Luke Cole <cole@lc.homedns.org>

http://cole.homedns.org
17th of April, 2003

1
Contents
1 Key length 3
1.1 Explain clearly what a key length is? . . . . . . . . . . . . . . 3
1.2 What standard key lengths are used in WEP? . . . . . . . . . 3

2 WEP Packet sizes 3

2.1 Explain how WEP affects the size of packets on the wireless
network? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

3 The Initialization Vector (IV) 4

3.1 Explain what the Initialization Vector is? . . . . . . . . . . . . 4
3.2 How does it make WEP weak? . . . . . . . . . . . . . . . . . . 4

4 Breaking WEP keys 4

4.1 Name and describe the operation of at least one commonly
available package for ”breaking” WEP keys . . . . . . . . . . . 4

5 Extensible Authentication Protocol 5

5.1 Explain how some vendors are using vendor-specific extensions
to mechanisms like Extensible Authentication Protocol (EAP)
to regain some degree of privacy in their wireless network so-
lutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

6 Reliability of a Wireless Network 5

6.1 Explain why an 802.11 wireless network can never be relied
upon like a wired network, regardless of which encryption tech-
nology it uses . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2
1 Key length
1.1 Explain clearly what a key length is?
For a wireless network to be secure, we need to encrypt or decrypt the data
being sent or received. When describing the strength of encryption, key
length is referred to as the number of bits that need to be configured when
decrypting or encrypting data. The best way to think about it is like the key
to enter your house. If the notches are not aligned correctly the door will
not open, in this case the data can not be decrypted. Furthermore the more
notches the key has the harder it is for the lock to be picked. This is also
true for encryption, the longer the key, that is the more bits (notches) the
key has the harder it is to break the code (pick the lock). So key length can
be thought of as encryption strength.

1.2 What standard key lengths are used in WEP?

The encryption key is made up of a random-generated 24-bit initialization
vector (IV) and either a 40-bit or 104-bit WEP key which is usually set by
the product (the wireless device). Originally only 40-bit WEP keys were
used, however some vendors now also include the 104-bit WEP key (known
as WEP2) in the products. They are some times referred to as the 64-bit
and 128-bit WEP keys as that is there combined value. See [3].

2 WEP Packet sizes

2.1 Explain how WEP affects the size of packets on
the wireless network?
IEEE 802.11 [1] packet format is a lot different to the IEEE 802.3 packet
format. Instead of the ’preamble’, 802.11 has a ’frame control’ and ’dura-
tion ID’. Also instead of the ’type/length’ and ’options’, 802.11 has a ’RX
node address’, ’TX node address’ plus a ’sequence control’ and the ’data’ is
increased to 2312 bytes, the total size of the 802.11 frame is 2346. So the
packet size of a 802.11 frame is 828 bytes greater then a 802.3 frame.

3
3 The Initialization Vector (IV)
3.1 Explain what the Initialization Vector is?
A sequence of random bytes (binary vector) used as a key to transform
plaintext into ciphertext (encrypted message via a mathematical function
known as the cryptographic algorithm).

3.2 How does it make WEP weak?

The first problem is that every packet sent also includes the IV in plaintext.
So any hacker could immediately see part of the key.
Another problem is that the IV is relatively short, only 24-bits. So even-
tually the same IV will be used in different packets. In a busy network the
reoccurrence of IVs will happen very hour or so. If a hacker collects enough
frames based on the same IV, the hacker can determine the shared secret
key, which results in a hacker decrypting any of the packets.
This shows the other weakness of WEP, the use of a static shared secret
key. Since 802.11 doesn’t support the exchange of keys among stations,
system administrators and users use the same key for some time. Giving
hackers plenty of time to hack WEP networks. Dynamic keys would improve
the security of WEP networks and some vendors are deploying dynamic key
solutions based on 802.1X, however this has only become part of the 802.11
standard very recently.

4 Breaking WEP keys

4.1 Name and describe the operation of at least one
commonly available package for ”breaking” WEP
keys
AirSnort [5] is a tool to recover encrypted keys. It uses the technique de-
scribed in section 3.2. That is, it monitors traffic and collects enough frames
based on the same IV, the program can then calculate the encrypted key to
decrypt all traffic on the wireless network.
AirSnort can calculate the encrypted key under a second, after collecting
approximately 5-10 million packets.

4
5 Extensible Authentication Protocol
5.1 Explain how some vendors are using vendor-specific
extensions to mechanisms like Extensible Authen-
tication Protocol (EAP) to regain some degree of
privacy in their wireless network solutions
Extensible Authentication Protocol (EAP) uses an authentication process
between a client, known as the “supplicant” (an Ethernet or wireless NIC)
and a “authenticator” (an Ethernet switch or a wireless access point) via a
authentication server. The “authenticator” acts as a boundary between the
protected and unprotected parts of the network and the authentication server
approves and disapproves access into the protected parts of the network.
802.1X products use the EAP process, however still use WEP for en-
cryption, so it still has the problem of weak keys. However 802.1X allows
administrators to setup systems to change the keys every hour, every minute
or when ever they like which adds some degree of privacy to the wireless
network. The IEEE 802.11i, which is near completion, uses 802.1X as its
basic building block however is intended to solve the two primary security
problems with WEP: weak encryption and static keys. It will also leave the
choice of EAP authentication type to the implementer.

6 Reliability of a Wireless Network

6.1 Explain why an 802.11 wireless network can never
be relied upon like a wired network, regardless of
which encryption technology it uses
The first security boundary in a wired network is the building, the network is
contained in (Unless all IP’s of the network are accessible via the Internet).
If a hacker wished to make an attack they would first need to gain access
to the building and plug themselves into the network. A wireless network is
simply that, wireless, hence a hacker could simply take there laptop near a
wireless network and preform an attack.
Most common wired networks have a physical connection usually to a
switch. With a good switch, each datagram would be a point to point con-
nection (except broadcast datagrams). This is the current nature of a star
topology network. However a wireless network is like a bus topology network
and therefore every host can watch datagrams going through there NIC. So

5
a hacker would have access to all datagrams going through there NIC, so this
would never be as secure as a wired network since a host in a wired network
only sees datagrams for there NIC.

References
[1] Phil Belanger Aironet Wireless Communications
http://grouper.ieee.org/groups/802/11/Tutorial/MAC.pdf, IEEE

[2] http://www.zytrax.com/tech/wireless/802 mac.htm, Zytrax

[3] Jim Geier http://www.80211-planet.com/tutorials/article.php/1368661,

802.11 Planet

[4] Steven J. Vaughan-Nichols http://www.80211-

planet.com/tutorials/article.php/2106281, 802.11 Planet

[5] http://airsnort.shmoo.com/, AirSnort

[6] http://techupdate.zdnet.co.uk/story/0,,t481-s2133239,00.html, ZDNET