WEP DESIGN FLAWS
The designers of WEP set out with an admirable goal: to provide enough security, but not excessive security, in order to keep WLANs secure but efficient. In doing so they were attempting to establish a particular efficiency-security tradeoff. It is clear that they did not succeed and that they sacrificed too much security in the name of efficiency.
However, some of the problems with the WEP cryptographic design appear to arise not from knowledgeable tradeoffs, but from fundamental misunderstandings. These include:
Poor key management. The decision to use one shared, fixed key in a WEP-protected WLAN to provide all the WEP security services is extremely risky. We have just seen that WEP encryption keys can be recovered given enough data packets. Such an attack would be regarded as very serious for any cryptosystem, even one that changed its keys regularly. For WEP, with its fixed key, this attack is disastrous.
Failure to appreciate the effective key length. The way that the RC4 encryption keys are formed in WEP provides a false sense of security with respect to key length. Even if the WEP key is a respectable length, the RC4 encryption key only varies in 24 bits each time that an encryption operation is performed. This leads to problems, such as our birthday attack on IVs.
Lack of a proper cryptographic data origin authentication mechanism. The poor choice of data integrity mechanism leads to attacks that can exploit the fact that CRC checksums can be manipulated. Data origin authentication should have been provided using a suitable cryptographic primitive. Given that WEP relies on symmetric encryption, the 'correct' tool for this job is a MAC.
Non-standard use of a cryptographic algorithm. WEP provides an excellent example of why it is important to use cryptographic algorithms in the intended way, and not to 'tinker' with them. The key recovery attack that we mentioned is not an attack on RC4. It is an attack on the fact that RC4 was not used in a standard way in WEP. Instead, the RC4 encryption keys were formed using a technique that was invented for WEP, but not one that had been sufficiently analysed by cryptographic experts. Since it was this technique that was exploited in the powerful key recovery attack on WEP, this shows that even a small change in the way that a cryptographic algorithm is used can result in an insecure cryptographic mechanism.
Weak entity authentication mechanism. The WEP entity authentication mechanism can be exploited in several different ways, as we discussed. Use of a stream cipher in this mechanism is highly inappropriate.
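As an added illustration (not from the book), the following Python puts numbers on two of the points above: the birthday bound for WEP's 24-bit IV space under a fixed key, and the XOR-linearity of CRC-32 that makes it a noise detector rather than an integrity mechanism, contrasted with an HMAC, which has no such structure. The key, message and modification are constructed sample values.

```python
import hashlib
import hmac
import math
import zlib

IV_BITS = 24  # WEP prepends a 24-bit IV to the fixed key to form each RC4 key


def iv_collision_probability(frames: int, iv_bits: int = IV_BITS) -> float:
    """Birthday-bound probability that at least two of `frames` randomly chosen
    IVs coincide, i.e. that a keystream is reused under the same fixed key.
    Standard approximation: 1 - exp(-n^2 / 2N) with N = 2^iv_bits."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-(frames ** 2) / (2.0 * space))


def frames_for_collision_probability(p: float, iv_bits: int = IV_BITS) -> int:
    """Number of frames after which an IV repeat occurs with probability p."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_predictable_under_xor(message: bytes, delta: bytes) -> bool:
    """CRC-32 is affine over XOR for equal-length inputs:
    crc(m ^ d) == crc(m) ^ crc(d) ^ crc(0...0).
    So the checksum of a modified message follows from the modification alone,
    which is why a CRC cannot serve as a data origin authentication mechanism."""
    zeros = bytes(len(message))
    predicted = zlib.crc32(message) ^ zlib.crc32(delta) ^ zlib.crc32(zeros)
    return zlib.crc32(_xor(message, delta)) == predicted


def hmac_predictable_under_xor(key: bytes, message: bytes, delta: bytes) -> bool:
    """Same test against HMAC-SHA256: a MAC is not linear, so the tag of the
    modified message cannot be derived this way and verification fails."""
    tag = lambda m: hmac.new(key, m, hashlib.sha256).digest()
    zeros = bytes(len(message))
    predicted = _xor(_xor(tag(message), tag(delta)), tag(zeros))
    return hmac.compare_digest(tag(_xor(message, delta)), predicted)


if __name__ == "__main__":
    # Constructed sample values; the key is a demo value, not a WEP key.
    key, msg = b"constructed-demo-key", b"GET /index.html HTTP/1.0"
    delta = bytes([0x20] + [0] * (len(msg) - 1))  # flips one bit of the verb
    print("frames to 50% IV repeat:", frames_for_collision_probability(0.5))
    print("CRC predictable:", crc_predictable_under_xor(msg, delta))
    print("HMAC predictable:", hmac_predictable_under_xor(key, msg, delta))
```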
Thus WEP has provided us with a wide range of valuable cryptographic design
lessons, many of which have wider implications.