Cryptography Reference
In-Depth Information
3. Alice uses WEP encryption to encrypt r_B (importantly for later, note from our
above explanation of the WEP encryption process that this also involves Alice
generating an IV that is used to 'extend' the WEP key).
4. Alice sends the IV and the resulting ciphertext to Bob;
5. Bob decrypts the ciphertext and checks that it decrypts to r_B; if it does, he
authenticates Alice.
This simple protocol is based on Bob's assumption that only an authorised user
such as Alice should know the WEP key K.
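The exchange above, with both sides' messages, as an added example that is not code from the book. The function names, the 40-bit sample key and the 128-byte challenge length are assumptions made here; Bob is assumed to have sent the random challenge r_B in an earlier step, and WEP's integrity check value is left out to keep the focus on authentication.

```python
import hmac
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then XOR data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encrypt(k, plaintext, iv=None):
    """Return (IV, ciphertext). The RC4 key is IV || K, so the shared
    key K itself is a direct component of every encryption key."""
    iv = os.urandom(3) if iv is None else iv  # 24-bit IV, sent in the clear
    return iv, rc4(iv + k, plaintext)

def wep_decrypt(k, iv, ciphertext):
    """RC4 is symmetric: decrypting is the same keystream XOR."""
    return rc4(iv + k, ciphertext)

def bob_challenge():
    """Bob picks the random challenge r_B (assumed 128 bytes)."""
    return os.urandom(128)

def alice_respond(k, r_b):
    """Steps 3-4: Alice encrypts r_B under K and returns (IV, ciphertext)."""
    return wep_encrypt(k, r_b)

def bob_verify(k, r_b, iv, ciphertext):
    """Step 5: Bob accepts only if the ciphertext decrypts to r_B."""
    return hmac.compare_digest(wep_decrypt(k, iv, ciphertext), r_b)

def run_exchange(alice_key, bob_key):
    """One authentication run; True means Bob authenticates Alice."""
    r_b = bob_challenge()
    iv, ciphertext = alice_respond(alice_key, r_b)
    return bob_verify(bob_key, r_b, iv, ciphertext)

if __name__ == "__main__":
    K = bytes.fromhex("0102030405")  # constructed 40-bit WEP key
    print("same key:", run_exchange(K, K))
    print("wrong key:", run_exchange(bytes(5), K))
```

The same wep_encrypt routine and the same key K serve both this authentication run and ordinary data encryption, which is the shared-key and key-separation concern raised in the section that follows.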
12.2.4 Attacks on WEP
WEP is perhaps the most criticised security standard ever proposed and there is
very little right about it! We will briefly review some of the many concerns.
WEP KEY MANAGEMENT WEAKNESSES
We will start with key management. There are several serious problems with WEP
key management:
Use of a shared fixed key. The WEP key K acts as an overall 'master key' for
the WLAN and, as such, is a single point of failure. If the WEP key can be
compromised (and it suffices that this compromise arises on just one of the
entities forming the WLAN) and an attacker learns the WEP key then the
entire WLAN security is compromised.
Exposure of the WEP key. In its role as a master key, the WEP key is unnecessarily
'exposed' through direct use as a component of an encryption key (see
Section 10.4.1). It is also exposed in this way each time an authentication
attempt is made.
No key separation. WEP abuses the principle of key separation (see Section 10.6.1)
by using the WEP key for multiple purposes.
Key length. While WEP does allow the WEP key length to vary, the smallest RC4
key length is 40 bits, which is far too short to be secure against contemporary
exhaustive key searches. Perhaps more problematically, many WEP
implementations allow WEP keys to be generated from passwords which, if not long
enough, reduce the effective keyspace that an attacker needs to search.
WEP ENTITY AUTHENTICATION WEAKNESSES
We now look at attacks concerning the entity authentication mechanism.
Rogue wireless access point. WEP only provides unilateral entity authentication
from a device (Alice) to a wireless access point (Bob). This means that an
attacker could set up a rogue access point and allow Alice to authenticate to it,
without Alice realising that she was not dealing with the genuine access point.
Lack of session key. WEP does not establish a session key during entity
authentication that is later used to protect the communication session. As a
 