Wired Equivalent Privacy (WEP)


Wired Equivalent Privacy (WEP) is a now-obsolete security protocol introduced to secure wireless networks, more precisely IEEE 802.11 networks. The name reflects the main goal as understood at the time: to reach a security level in wireless networks similar to that of wired networks, where security is by construction easier to implement because the adversary does not have access to the communication medium by default, as it normally does in wireless communications.
IEEE 802.11, first introduced on the market in 1999, forms the basis for the later versions. WEP was replaced by Wi-Fi Protected Access (WPA) in 2008. A history of the evolution of Wi-Fi standards is available at [1].



A station (e.g., computer, laptop) associates with an Access Point (AP) via a challenge-response protocol. In such a protocol, the station initiates an authentication request. The AP responds with an authentication challenge, normally a nonce (number used once).

The station computes an authentication response using the received nonce and a piece of private information. The AP independently computes the expected response and authenticates the station if the received response equals it. If the received response differs from the expected response, the authentication fails. The security of such a protocol relies on the probability of forging the correct response to a fresh challenge being tiny (negligible, see Unconditional vs. Conditional Security). Under the assumption that the challenge is a nonce (i.e., pseudo-random, fresh for each execution), the challenge-response protocol is, by construction, more secure than simply sending static credentials. The latter, in its most naive implementation, is prone to a replay attack: an attacker eavesdrops on the communication medium and later retransmits the same messages to complete authentication successfully.
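The exchange described above, as an added example that is not part of the original post and is not WEP's own authentication code. It assumes HMAC-SHA256 as the response function and uses hypothetical names (AccessPoint, respond, static_login, run_demo) to show that a recorded response fails against a fresh nonce while a recorded static credential still works.

```python
import hashlib
import hmac
import secrets

class AccessPoint:
    """Hypothetical AP side of a nonce-based challenge-response exchange."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = {}                    # station id -> outstanding nonce

    def challenge(self, station: str) -> bytes:
        nonce = secrets.token_bytes(16)       # fresh for every execution
        self._pending[station] = nonce
        return nonce

    def verify(self, station: str, response: bytes) -> bool:
        nonce = self._pending.pop(station, None)   # each nonce is usable once
        if nonce is None:
            return False
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def respond(secret: bytes, nonce: bytes) -> bytes:
    """Station side: response derived from the nonce and the private value."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def static_login(secret: bytes, credential: bytes) -> bool:
    """Naive alternative from the text: the same credential is sent every time."""
    return hmac.compare_digest(secret, credential)

def run_demo():
    secret = b"constructed-shared-secret"     # constructed sample value
    ap = AccessPoint(secret)
    recorded = respond(secret, ap.challenge("sta1"))
    first = ap.verify("sta1", recorded)       # legitimate run succeeds
    ap.challenge("sta1")                      # new run, new nonce
    replayed = ap.verify("sta1", recorded)    # old response no longer matches
    static_replay = static_login(secret, secret)   # recorded credential still valid
    return first, replayed, static_replay
```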


WEP is a stream cipher (see Stream Ciphers) that uses RC4 (Rivest Cipher 4, also read as Ron's Code 4) as a Pseudo-Random Generator (PRG). As for any stream cipher, in WEP the encryption (and consequently decryption) is performed by a simple XOR. More precisely, the plaintext m is appended with a corresponding Cyclic Redundancy Check (CRC) and the result is XOR-ed with a keystream to obtain the ciphertext c. The keystream is the output of RC4 on inputs a key k and an Initialization Vector IV. Over the years, several vulnerabilities have been found in RC4, and its use in WEP is an example of how not to use it. RC4 was, at first, a trade secret that was reverse-engineered and made public in 1994 [2]. However, RC4 remains one of the most used (if not the most used) stream ciphers ever, and it continues to inspire new designs [3]. More about stream ciphers and RC4 is available, for example, in [4,5,6,7].



In the OSI model, WEP works at Layer 2 - Data Link Layer. Looking into the 802.11 frame, the actual data and the CRC are encrypted. Note that the IV is required at reception to perform decryption (it is input to RC4 to get the keystream), and it is sent in clear as part of the payload.

The security of WEP relies on 104-bit keys (fed into the PRG). 104-bit security is low today, so WEP as initially defined is nowadays insecure by definition. Moreover, because of export restrictions on cryptography, key lengths were even limited to 40 bits only. Similarly, the IV is only 24 bits and is used in Counter (CTR) mode (i.e., incrementally). Hence, when used for large volumes of data, IVs are reused, which again severely impacts the system's confidentiality. Other limitations (e.g., bit flipping) are a direct consequence of using a stream cipher in WEP.
By construction, WEP only provides integrity against unintentional faults: CRC is not a Message Authentication Code (MAC) or Message Integrity Code (MIC) that can stand against intentional adversaries. 
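The construction and the two limitations above (IV reuse, and a CRC that is not a MAC), as an added example that is not part of the original post. It is a simplified model: the key-ID byte and 802.11 framing are omitted, and all keys, IVs and messages are constructed sample values.

```python
import struct
import zlib

def rc4(seed: bytes, n: int) -> bytes:
    """RC4 keystream of n bytes: key scheduling, then output generation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(m: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(m))   # CRC-32, WEP's only integrity value

def wep_encrypt(key: bytes, iv: bytes, m: bytes) -> bytes:
    body = m + icv(m)                                  # plaintext || CRC
    return iv + xor(body, rc4(iv + key, len(body)))    # IV travels in clear

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, c = frame[:3], frame[3:]
    body = xor(c, rc4(iv + key, len(c)))
    m, tag = body[:-4], body[-4:]
    if icv(m) != tag:
        raise ValueError("ICV mismatch")
    return m

def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Edit made without the key: CRC-32 is affine, so the ICV can be patched."""
    patch = delta + xor(icv(delta), icv(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], patch)

# Constructed sample values, not taken from any real network.
KEY, IV = bytes.fromhex("0102030405060708090a0b0c0d"), bytes.fromhex("000001")
M1, M2 = b"temperature=21.5C", b"humidity=40%;ok=1"
F1, F2 = wep_encrypt(KEY, IV, M1), wep_encrypt(KEY, IV, M2)   # same IV used twice
LEAK = xor(F1[3:], F2[3:])[:len(M1)]     # keystream cancels: equals M1 XOR M2
DELTA = xor(M1, b"temperature=91.5C")    # nonzero only in the changed digit
TAMPERED = wep_decrypt(KEY, flip_bits(F1, DELTA))   # accepted by the ICV check
```

A keyed MAC over the frame would reject the modified frame, and a never-repeating IV would prevent the keystream from cancelling out.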
WEP suffers from other weak points, including using a single key for all the devices in the network (once the key is compromised, then all communication is compromised; nevertheless, this can be seen as a general approach in personal, non-enterprise, Wi-Fi networks) or not providing mutual authentication (the station authenticates to the AP but the AP does not authenticate to the users).
On the good side, WEP was part of an open standard, allowing both interoperability and implementation at a large scale, as well as transparent security testing.
More on IEEE 802.11 and Wi-Fi security is available on the IEEE Working Group for WLAN Standards [8] and the Wi-Fi Alliance [9]. A good book to read about Wi-Fi Security, in particular WEP, is [10].

[1] IEEE Standards Association. The Evolution of Wi-Fi Technology and Standards. Available at: https://standards.ieee.org/beyond-standards/the-evolution-of-wi-fi-technology-and-standards/ 
[2] Rivest, R. L., & Schuldt, J. C. (2016). Spritz - a spongy RC4-like stream cipher and hash function. Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2016/856.pdf
[3] Cryptology ePrint archive. Search on RC4. Available at: https://eprint.iacr.org/search?q=rc4 
[4] Katz, J., Lindell, Y. Introduction to Modern Cryptography, CRC Press. More info: http://www.cs.umd.edu/~jkatz/imc.html
[5] Van Tilborg, H. C., & Jajodia, S. (Eds.). (2014). Encyclopedia of cryptography and security. Springer Science & Business Media. Available at: https://www.researchgate.net/profile/Krzysztof-Kryszczuk/publication/230674947_Springer_Encyclopedia_of_Cryptography_and_Security
[6] Paar, C., & Pelzl, J. (2010). Understanding cryptography (Vol. 1). Springer-Verlag Berlin Heidelberg.
[7] Menezes, A. J., Van Oorschot, P. C., & Vanstone, S. A. (2018). Handbook of applied cryptography. CRC press. Available online: https://cacr.uwaterloo.ca/hac/ 
[8] IEEE 802.11. The Working Group for WLAN Standards. Available at: https://www.ieee802.org/11/
[9] Wi-Fi Alliance. Available at: https://www.wi-fi.org/
[10] Edney, J., & Arbaugh, W. A. (2004). Real 802.11 security: Wi-Fi protected access and 802.11 i. Addison-Wesley Professional.

