Wednesday, February 14, 2007

Cracking WEP - explained

Tomorrow I have to give a presentation about WEP and why it is so vulnerable, so I figured what better way to prepare than actually writing down the presentation?

The main problem with WEP is that people think it was designed to provide total end-to-end encryption, when in fact it was only intended to make WLANs about as safe as wired LANs, hence the name Wired Equivalent Privacy.

The encryption process itself is pretty straightforward. The WEP key (the one you type into the properties of your wireless connection) is prepended with 3 pseudo-randomly chosen bytes, the initialization vector (IV); the IV is sent in clear text along with the encrypted packet. This means that in a 64-bit WEP environment the WEP key itself is only 40 bits: the 24-bit IV plus the 40-bit key make up the 64-bit RC4 key (for "128-bit" WEP it is 24 + 104). The RC4 key is first run through the KSA (Key Scheduling Algorithm), which uses it to permute a 256-byte state array. That state array is then fed to the PRGA (Pseudo Random Generation Algorithm), which outputs a keystream of whatever length the packet needs. On the data side, a CRC32 checksum of the plaintext, called the ICV (Integrity Check Value), is appended to the data, and the data plus ICV are XOR'd with the keystream, creating the encrypted packet. Note the order: the CRC32 is computed over the plaintext before encryption, it is not part of the cipher itself. And that's pretty much all there is to it :-) Here's a flow chart of the whole process:



So in short, the main flaws in WEP are:

  • Initialization vectors get reused. An IV is only 3 bytes (24 bits) long, so there are at most about 16.7 million of them, and since the WEP key is fixed, the same IV means the same RC4 keystream. A sniffer that collects enough traffic is bound to find two packets with the same IV sooner or later; XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts, and if part of one plaintext is known (packet headers are highly predictable) the keystream for that IV is recovered and decrypts every other packet that uses it.
  • The IV is sent in the clear and forms the first 3 bytes of the RC4 key, so the cracker already knows part of the key for every packet. For certain "weak" IVs the KSA leaks information about the remaining key bytes (the Fluhrer, Mantin and Shamir attack), and because the first plaintext byte of almost every packet is known (the 0xAA of the SNAP header), each captured packet contributes a vote on a key byte. The more packets, and therefore the more distinct IVs, that are captured, the closer the cracker gets to the full WEP key.
  • CRC32 is not intended for cryptographic purposes. The Cyclic Redundancy Check was designed to detect transmission errors, not to protect data against deliberate modification. CRC32 is linear, and because the encryption is just an XOR with the keystream, an attacker can flip chosen bits in an encrypted packet and adjust the encrypted checksum to match without knowing the key; the receiver will accept the modified packet as valid.
  • Every station using one particular AP must be configured with the same WEP key, so all traffic on the network is encrypted under that one key. The only per-packet variation is the 24-bit IV, and once the key is cracked every user's traffic is exposed.
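
As an added worked example (not part of the original post), here is a toy Python WEP implementation covering the encryption flow described above (KSA, PRGA, CRC32 ICV, IV prepended to the key) together with the first and third flaws in the list: decrypting a packet through IV reuse with a known plaintext, and flipping bits in an encrypted packet while keeping the CRC32 valid. The 40-bit key, IV and packet contents are constructed for illustration, the ICV byte order is an assumption, and no real 802.11 framing is modelled.

```python
"""Toy WEP plus two of the attacks described above.
Added example, not from the original post. Key, IV and packets are
constructed; the ICV byte order (little-endian here) is an assumption."""
import zlib


def rc4_ksa(key: bytes) -> list:
    """Key Scheduling Algorithm: use the key to permute a 256-byte state array."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S: list, n: int) -> bytes:
    """Pseudo Random Generation Algorithm: emit n keystream bytes from state S."""
    S = S[:]  # work on a copy so the caller's state is untouched
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP Integrity Check Value: a plain CRC32 over the plaintext."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """RC4 key = IV || WEP key; frame = IV || ((plaintext || ICV) XOR keystream)."""
    assert len(iv) == 3
    keystream = rc4_prga(rc4_ksa(iv + wep_key), len(plaintext) + 4)
    return iv + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Return (plaintext, icv_ok). The IV is read from the clear-text prefix."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_prga(rc4_ksa(iv + wep_key), len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data, tag == icv(data)


# Attack 1: IV reuse. Known plaintext for one frame gives the keystream
# for that IV (no key needed), which decrypts any other frame using it.
def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    return xor(frame[3:], known_plaintext + icv(known_plaintext))


# Attack 2: bit flipping. crc32(a ^ d) == crc32(a) ^ crc32(d) ^ crc32(zeros),
# and encryption is XOR, so XORing delta plus the matching ICV correction
# into the ciphertext yields plaintext ^ delta with a valid ICV.
def flip_bits(frame: bytes, delta: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    assert len(delta) == n
    icv_fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(body, delta + icv_fix)


# Constructed sample data: a 40-bit key, one IV, two LLC/SNAP-framed packets.
KEY = bytes.fromhex("0123456789")
IV = b"\x01\x02\x03"
SNAP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"  # leading 0xAA is known to any sniffer
P1 = SNAP + b"GET / HTTP/1.0"
P2 = SNAP + b"secret data!!!"


def demo_iv_reuse():
    """Two frames under one IV: ciphertext XOR leaks P1 ^ P2, and known P1
    yields the keystream that decrypts P2 outright."""
    f1 = wep_encrypt(KEY, IV, P1)
    f2 = wep_encrypt(KEY, IV, P2)
    leaked = xor(f1[3:], f2[3:])[: len(P1)]  # keystream cancels out
    recovered = xor(f2[3:], recover_keystream(f1, P1))[:-4]
    return leaked == xor(P1, P2), recovered


def demo_bit_flip():
    """Change 'HTTP/1.0' to 'HTTP/1.1' inside an encrypted frame without the key."""
    frame = wep_encrypt(KEY, IV, P1)
    delta = bytearray(len(P1))
    delta[-1] = ord("0") ^ ord("1")
    forged = flip_bits(frame, bytes(delta))
    return wep_decrypt(KEY, forged)  # the ICV still verifies
```

Running `demo_iv_reuse()` returns `(True, P2)` and `demo_bit_flip()` returns the modified request with the ICV check passing; flipping the same bit without the CRC correction fails the check, which is exactly the difference between an error-detecting code and a real message authentication code.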
