Wired Equivalent Privacy
Wired Equivalent Privacy ( WEP, engl. " Wired ( systems ) appropriate privacy " ) is the former standard encryption protocol for WLAN. It should both regulate access to the network and ensuring the confidentiality and integrity of data. Due to various weaknesses, the method is considered insecure. The calculation of the key from a few minutes of recorded data usually takes only a few seconds. Therefore WLAN installations should use the more secure WPA2 encryption.
- 3.1 CRC32 as a Message Authentication Code (MAC)
- 3.2 Breaking of the key
- 3.3 Safety measures
- 3.4 Application
Generally, it is a simple XOR of the bit stream of the user data with a signal generated from the RC4 algorithm pseudo-random bit stream.
The WEP protocol uses the RC4 algorithm as pseudo-random number generator ( PRNG ) in generating a keystream which receives a key and an initialization vector as input. For each message to be protected M, a new 24 -bit long initialization vector IV is formed and linked with a key K, which is known to all stations in the basic service set. The result is used as input to the RC4 algorithm, which generates therefrom a keystream. ( Integrity Check Value - ICV ) addition (. Engl CRC CRC, ) a supposedly safer " integrity " is using Cyclic redundancy check calculated and appended to the message M (| |). The resulting message (M | | ICV ) is the keystream ( RC4 (IV | | K )) of the RC4 algorithm XORed and the initialization vector IV is prepended to the resulting ciphertext. The figures below illustrate encryption and decryption.
When authenticating There are two methods:
Open System Authentication
Open System authentication is the standard authentication.
- Is the access point for no encryption configured, there is virtually no authentication, and each client can connect to the WLAN.
- Is the access point for encryption is configured (in this case WEP): logical: The WEP key is also used for authentication: Any client with the correct WEP key gets access to the network.
- Technical: There will be an exchange of authentication messages, and the client is authenticated. Votes WEP key agreement on the access point and client communication is possible. If they do not match, the client is authenticated, although, however, can not exchange data with the network.
The implementation of the authentication using a key feature is a manufacturer, and is not described in the standard.
Shared Key Authentication
The Shared Key Authentication is the supposedly safe option. The authentication is done via the challenge-response authentication with a secret key.
However, the challenge-response method is also based on WEP and has the same weakness. Through the use of shared- key authentication, the secret key is exposed, as shown in the next section. Maximum advisable, therefore, is to dispense with the Shared Key Authentication and use the Open Authentication. On encryption but should never be omitted. Even with Open Authentication can establish communication with the access point a connected network participants with knowledge of the WEP key.
The four messages of WEP authentication set the access rights of the client safely.
Attack on the authentication
As already mentioned, the shared key authentication does not contribute to the protection, but are on the contrary inadvertently disclose information. Since we are dealing with a challenge-response authentication, play the whole as follows:
- The server sends the client the Challenge1, for example, a random number.
- The client encrypts this number as above and sends the WEP packet ( IV1 Ciphertext1 ) back to the server
- Trudy, the attacker (of English. Intruder ), so it can overhear the three pieces of information ( Challenge1, IV1 and Ciphertext1 ). You now calculated by XOR Challenge1 Ciphertext1 = Challenge1 ( Challenge1 Keystream1 ) = Keystream1
Trudy has now Keystream1 and IV1, which proves to be a valid combination. You can now find themselves trying to be a registered. A challenge2 from the server they are now answered easily with the WEP packet consisting of IV1 Ciphertext2, with the latter resulting from challenge2 Keystream1. This sends them to the server and is successfully authenticated.
The WEP data packet
A WEP data packet consists of:
- The actual user data,
- A 32- bit checksum of the user data integrity check value ( ICV, using Cyclic Redundancy Check ) and
- An unencrypted 24 -bit initialization vector ( IV), which makes the WEP key to the overall key of 64 bits, 128 bits or 256 bits.
The actual WEP data packet consists of the data and the 32 -bit check bit sequence. This is encrypted with the IV WEP key combination, and the whole of the initialization vector is prepended.
From the IV, the receiver can eventually together with the RC4 key again calculate the plaintext of the message.
There are many well-functioning attacks on WEP -secured networks. However, if a WEP - secured wireless LAN has no participants, that is, if no one has ever logged onto the network, then the probability is very low, to compute the key quickly or to calculate it at all. Most attacks exploit the vulnerability of the 24-bit initialization vector IV very short in the RC4 encryption. This method of attack is referred to in general terms as well as a related -key attack.
Many active attacks put forward by the attacker modified drivers, which reinjection must master. At first not even support many drivers the passive listening to one or even multiple channels, which can be achieved by the monitor mode. However, passive eavesdropping only a foundation. Suppose that an AP has many clients that produce a lot of data, then you could just record everything and try to calculate with the data obtained the WEP key. If the amount of data is not sufficient, one can often use this data stream to extract therefrom ARP requests, which are needed for the reinjection. The flooding on the part of the attacker using ARP requests leads - done properly - too many ARP replies, which can then be used to break the WEP key. Reinjection is the driver side quite complex because the frames are brought into the WLAN, must be sent with the correct timing. It is further noted that an access point after a certain time assumes a re- authentication by the client. If the client does not sign back on the grid, then all data sent to the access point are discarded and in Kismet, for example, suspicious client to read.
CRC32 as a Message Authentication Code (MAC)
The CRC32 function is strictly linear, because CRC32 ( A XOR B) = CRC32 (A) XOR CRC32 (B). Therefore, this function is as a Message Authentication Code unsuitable because it is also possible without the actually needed for this secret key to compute the bits which must change in the checksum if you want to change the ciphertext. Due to this weakness can be the payload of the packet at will modify because you have only the MAC, so the new CRC32 value calculated by the modification.
The above modification step looks something like this:
Encrypted message mc = CRC32 (m) 00100101001110010100101010101010100101 ... 10101010 10111101 10101101 10100000 Modification vector m 'c' = CRC32 (m ') 00000000000000000000000000000000001000 ... 00000001 10101010 10100000 10100100 In the last step to calculate the new message and the associated MAC m_neu c_neu:
M_neu = m XOR m ' c_neu = CRC32 (m) XOR CRC32 (m ') To create a fake message and order to send them then, the data fields m and CRC32 ( m) in the original data packet ( engl. frame) must be replaced m_neu and c_neu by the newly calculated values . After replacing the modified packet can then be sent again.
In this way you can change all packages. However, if you want to know whether the modification was successful, you should choose a package that then leads the other party to respond.
If the source package, for example, was a ping request, one could test, for example, on what modifications in the package you get an answer. Interesting stateless packet would be: ARP request and ping.
Breaking the key
It is possible to break a shared WEP key and thus the entire WEP encryption. There are different systems for accessories that can calculate by listening in a sufficient amount of traffic on the WEP key being used, for example or Aircrack Airsnort. This attack is based on having as many packets with the same, poor initialization. So it is already possible today, WEP encryption in less than a minute to crack.
In recent years, the possible attacks have been continuously improved and expanded. For example, it is possible, even if only one of the messages transmitted is also known as plain text, ( correctly encoded ) in the WLAN include arbitrary content. Furthermore, there is a technique to decode individual, overheard data packets by being repeatedly modified slightly again in the WLAN recorded. This so-called KoreK attack not used as before data packets with the same Initialisierungvektor, but with different, thus the attack is much more effective.
Moreover, in addition to the passive attacks and active attacks are used. So you can force responses of the access points to collect sufficient data for a successful passive attack within a very short time (~ 1 min). These ARP packets are intercepted targeted based on specific signatures and - without knowing their decrypted content - re-encrypted in the WLAN fed.
In the first place the waiver in favor of WEP WPA2 should be. This goal can be achieved by a driver or firmware update in many cases. If you can not avoid the use of WEP, basic safety precautions should at least be taken, which can be found in the section Basic safety measures of the main article Wireless Local Area Network.
All of these security measures can not hide the fact that this ultimately mean no real protection in the use of WEP, however. An attack on the WEP encryption is successful despite all these precautions with the right technical conditions within about a minute with great certainty.
Effective - but is associated with additional costs and possibly additional costs - is the use of VPN technology such as IPsec, PPTP or OpenVPN to bridge the unsecured or WEP ( WEP 64 or WEP128 ) poorly secured wireless connection. A relatively small amount of additional work for the configuration of a target machine to which you want to communicate securely, so that it will accept a VPN connection. Greater effort and any additional costs incurred in setting up a VPN gateway and the integration and management of network devices that are to communicate securely.
Due to the weaknesses recommend a network technician to secure the traffic through the access point with an additional encryption. In practice this is often achieved by a VPN. As a successor to the insecure WEP applies WPA or WPA2 as its later IEEE 802.11i standard.
When hedging through a VPN, only the payload or the entire data packet is encrypted optionally. Since WEP then brings no additional safety benefit more, it can be switched off after the KISS principle to minimize potential sources of error. Another opinion is that you should use WEP, at least minimally secure the OSI layer 2.