WEP

According to the 802.11 standard, authentication and privacy services are provided to bring the IEEE 802.11 functionality in line with wired local area networks.

Authentication is used instead of the wired media physical connection. Privacy is used to provide the confidential aspects of closed wired media. Access control and confidentiality services of 802.11 standard are also important security services [2].

To control access to the unrestricted radio medium, IEEE 802.11 provides two modes of authentication services: Open System and Shared Key.

Open System authentication is a null authentication algorithm. Any STA requesting authentication using this method may become authenticated. Shared Key authentication requires STAs to agree on a common shared key before the authentication service can be used. In infrastructure architecture, the AP is the authenticator, and the other STAs are authenticated by the AP. This authentication scheme is only available if the WEP option is implemented.

Shared Key authentication accomplishes its task without transmitting the secret key over the air. Upon receiving an authentication request, the AP sends a challenge text for the STA to encrypt with the shared secret key using WEP. Then, the AP decrypts the encrypted response packet to match the original challenge text. If there is a match, the authentication succeeds [2]. Please refer to Figure 1 for detail.

Figure 1 Shared Key authentication scheme

No matter which authentication method is used, either sides of the communicating parties can send deauthentication notification to cease the session. For an AP, the deauthentication notifications are broadcasted to all authenticated STAs to stop communicating with them. The deauthentication frame is send in clear, and no key-based authentication is used. This makes forging the deauthentication frame easy.

If a STA is authenticated by some AP, the STA then has to become associated with the authenticating AP to be allowed to send data messages through the AP. The association service provides the STA-to-AP mapping, and this mapping is delivered to the distribution system (DS). The DS will use this information to accomplish message distribution services.

The disassociation service is invoked whenever an existing association is to be terminated. Either the STA or AP may initiate the disassociation process. To do so, one sends a disassociation message to the other, then the disassociation succeeds. The disassociation frame is transmitted in the clear and has similar problems as the deauthentication frame.

The (de)authentication and (dis)association processes are illustrated in Figure 2 as a state transition diagram.

Figure 2 Relationship between state variables and services [2].

As shown in Figure 2, any STA and AP must follow the state machine specified in the IEEE 802.11 standard. A successfully associated STA stays in State 3 in order to continue wireless communication. In State 1 or 2, a STA cannot participate in the WLAN data communication process until it is again authenticated and associated.

IEEE 802.11 specifies a data confidentiality algorithm that hopefully provides the level of secrecy comparable to that provided in a wired LAN. The algorithm, named WEP, protects authorized users of a wireless LAN from casual eavesdropping. This service is intended to provide functionality for the wireless LAN equivalent to that provided by the wired medium [2].

The standard document claims that the WEP algorithm is “reasonably strong”.

The security of the algorithm, as stated in the standard, relies of the difficulty of discovering the secret key through a brute-force attack. Therefore, the security can be enhanced by increasing the length of the secret key and the frequency for changing the IV. Please refer to [2]. for detailed WEP algorithm description.

WEP does not include any key management protocols; the pre-shared key must be fed into devices manually. The AP and the associated STAs share the same key. If the shared key is leaked, the WEP security mechanism is cracked. Since WEP keys are

changed manually, they would be changed infrequently. However, this increases the danger of being sniffed and cracked.

Jesse R. Walker noted that it is infeasible to achieve privacy using WEP encapsulation, even if the key size is expanded from 40 bits to 104 bits. He presented an attack against WEP and demonstrated that the attack will succeed regardless of the key size or the cipher used. Also, the attack can be implemented easily [4].

Fluhrer, Mantin, and Shamir described several attacks on RC4 algorithm used in WEP [10]. They found that an eavesdropper, who can obtain several million encrypted packets with a known first byte of plaintext, would be able to deduce the RC4 key by exploiting properties of the RC4 key schedule. Their passive ciphertext-only attack can recover an arbitrary long key in a short amount of time for any key lengths, even when 24 and 128 bit IV modifiers are added.

Stubblefield, Ioannidis, and Rubin experimentally implemented the “F.M.S.”

attack using off-the-shelf devices, and demonstrated that real systems could be cracked in several hours [5]. They also improved the RC4 attack implementation with some optimizations. Fluhrer et al. speculated that around 4,000,000 to 6,000,000 packets would be sufficient to successfully attack RC4, but Stubblefield’s improvement dropped the number to around 1,000,000 packets. They concluded that 802.11 WEP was totally insecure.

Once the WEP vulnerabilities were publicized, tools like Airsnort [16]. and WEPCrack [17]. emerged and they enabled anyone having popular 802.11 devices to sniff 802.11 packets and discover the key in a short time.