Before I go into the details on why
WEP sucks its important to understand how it works. WEP was designed around the
RC4 stream cypher and supports 64-bit or 128-bit keys. The first 24
bits of a WEP key is known as the initialization vector (IV) and is supposed to
be a random and unique value for each packet. These IVs are then combined with the
pre-shared key and fed into the RC4 algorithm to produce a pseudo-random stream
or PRGA. WEP will then XOR the PRGA against a clear text packet and its integrity
checksum to produce an encrypted packet.
Now here
is where WEP starts to go down hill. Once the encrypted packet is generated the
24-bit IV that was used is then pre-pended to the encrypted packet in clear
text before it’s sent to the destination. This means WEP only effectively provides
40 and 104 bits of protection.
If the
IVs were never re-used it wouldn’t be nearly as big a problem. Now consider
that the 24 bits used in an IV provides about 16.7 million possible
combinations. This may sound like a lot but in reality the likelihood of having
the same IV re-used is very high and is well illustrated by a situation known
as the birthday paradox. On average it only takes about 5,000 packets to yield
a 50% chance of seeing a collision; that is when two packets with the same IV
are seen.
When two packets using the same pre-shared key have a colliding
IV they will also share the same PRGA used to encrypt the packet. If the
contents of a packet can be deduced or predicted then it becomes possible to XOR
the known clear text against its encrypted form to reproduce the PRGA. Once the
PRGA is known any further packets with a colliding IV can be decrypted. Although
this doesn’t reveal the pre-shared key the ability to decrypt single packets is
still a problem. That’s strike one.
WEP also
has zero replay protection. What makes this one so bad is the normal authentication
and challenge/response process used by WEP. When an AP sends a challenge to a
client it is sent in clear text along with the IV. When received the client
uses the provided IV and WEP key to encrypt the challenge and send it back to
the AP. If the challenge/response is captured then we have a known packet and
its encrypted counterpart. All you need to do is XOR the challenge with the
response and you will reproduce the PRGA for packets with the same
IV. This is especially bad because you can then inject traffic into a
network that will elicit predictable responses leading to more known IV and
PRGA pairs. That’s strike two.
Now to
bring it all home, this is the coup da grace on why WEP sucks. Nearly every single
packet sent has a standard Ethernet header. The header always starts with 0xAA
0xAA and is at predictable location inside an encrypted packet. Knowing this
you can use the encrypted packets and their known IVs to brute force keys that
return 0xAA 0xAA at their expected locations. There is also a similar method
that focuses on known parts of standard ARP request. When combined the ability
to phish for encrypted packets and IVs with replaying and injection it becomes
possible to break WEP outright in as little as 1 minute. That’s strike three.
If breaking the encryption wasn’t bad
enough we also need to consider the fact that WEP uses a very poor check for data
integrity. The integrity algorithm used by WEP is only CRC32; which was never
designed for cryptographic security and can easily be spoofed. What’s even
worse is WEP and CRC32 don’t roll in any security elements into its calculation
so there is nothing to verify the data came from a legitimate source.
TLDR: If
you care about security avoid WEP because it sucks and offers no real protection
against intelligent and or targeted attacks.