Cryptography Reference
In-Depth Information
it operates only at the physical and data-link protocol layers, it does not offer
end-to-end security. In fact, several analyses of WEP have been done over the
years and the consensus was that without significant changes, WEP would not
provide a suLcient level of security for WLANs, which led to 802.11i. The
followingis a description of how WEP operates.
In what follows, Alice wishes to send a message
m
to Bob.
1.
Creating Plaintext
: Alice applies the cyclic redundancy code, CRC-32
checksum (see Appendix D on page 541), which we will denote by
ICV
,
to
m
to get
ICV
(
m
). The plaintext is
P
=(
m, ICV
(
m
)).
2.
Creating Ciphertext
: UsingRC4, Alice generates an initialization vector
v
and a secret key
k
, which we denote by
R
(
k,v
)
. Then the ciphertext
C
=
P
⊕
R
(
k,v
)
is formed by addition modulo 2, and she sends
=(
v,C
)
C
to Bob.
3.
Deciphering and Comparing
: Upon receipt of
, Bob regenerates
R
(
k,v
)
C
and forms
P
=
C
R
(
k,v
)
. Then he separates
P
into
m
and
c
. Bob
computes
ICV
(
m
) and compares it to
c
. If they match, he knows Alice's
message was not altered in transit, since then,
m
=
m
.
⊕
The problem with the above is that if two messages are enciphered with the
same
v
and the same
k
, then Mallory can cryptanalyze if he knows one of the
two plaintexts. Even if he does not know one of them, he can mount a dictionary
attack (see Footnote 5.2 on page 201). Moreover, this is a near triviality for
Mallory since the attack is not dependent on the length of
k
, but rather on the
length of
v
, which WEP mandates to be only 24-bits! Even though the WEP
protocol recommends that
v
, and thus both
v
and
k
, be changed after every use,
it does not
require
that this be done. Hence, most implementations do default
to a reuse of the key pair, which is significantly insecure behaviour. Also, there
is no key management protocol in WEP, another security issue.
Cryptanalysis of WEP has been given early and rigorous scrutiny. For in-
stance, see [8], [38], [95], and [274]. The TGi is workingon enhanced security
for WLANs and is fixingthe security in 802.11. These, and other studies, con-
clude that the followingare problems with WEP. We maintain the notation
introduced in the above description of WEP.
WEP Design Problems
1. The bitlength of 24 for
v
, the initialization vector, is insu
L
cient to thwart
attacks on confidentiality.
2. The CRC checksum, called the
Integrity Check Value
(ICV), which is em-
ployed by WEP for safeguarding integrity, is insecure. It does not thwart
attacks where packets can be modified in transit.
3. The mechanism for combining
v
with
k
invites attacks where Eve may
recover
k
after the scrutinizingof a mere few million (a relatively small
number of) enciphered packets.
Search WWH ::
Custom Search