Of course, if WEP is turned on, only clients with the proper WEP key
will be allowed to associate to the access point. If WEP is secure, there
shouldn't be any concern about rogue attackers associating and causing
havoc. This begs the question, “How secure is WEP?”
0x771 Wired Equivalent Privacy
WEP was meant to be an encryption method providing security equivalent
to a wired access point. It was originally designed with 40-bit keys; later,
WEP2 came along to increase the key size to 104 bits. All of the encryption is
done on a per-packet basis, so each packet is essentially a separate plaintext
message to send. The packet will be called M.
First, a checksum of message M is computed, so the message integrity
can be checked later. This is done using a 32-bit cyclic redundancy checksum
function aptly named CRC32. This checksum will be called CS, so
CS = CRC32(M). This value is appended to the end of the message, which
makes up the plaintext message P:
[Figure: plaintext message P = message M followed by checksum CS = CRC32(M)]
Now, the plaintext message needs to be encrypted. This is done using
RC4, which is a stream cipher. This cipher, initialized with a seed value,
can generate a keystream, which is just an arbitrarily long stream of pseudo-
random bytes. WEP uses an initialization vector (IV) for the seed value.
The IV consists of 24 bits generated for each packet. Some older WEP
implementations simply use sequential values for the IV, while others use
some form of pseudo-randomizer.
Regardless of how the 24 bits of IV are chosen, they are prepended to
the WEP key. (These 24 bits of IV are included in the WEP key size in a bit
of clever marketing spin; when a vendor talks about 64-bit or 128-bit WEP
keys, the actual keys are only 40 bits and 104 bits, respectively, combined
with 24 bits of IV.) The IV and the WEP key together make up the seed
value, which will be called S.
[Figure: seed value S = 24-bit IV followed by the 40-bit or 104-bit WEP key]
Then the seed value S is fed into RC4, which will generate a keystream.
This keystream is XORed with the plaintext message P to produce the
ciphertext C. The IV is prepended to the ciphertext, and the whole thing is
encapsulated with yet another header and sent out over the radio link.
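The steps above (CS = CRC32(M), P = M + CS, S = IV + key, C = RC4(S) XOR P, IV prepended to C) can be followed end to end in the sketch below. It is an added example, not code from the original text; the function names and sample values are constructed, the little-endian byte order of the checksum is an assumption, and the outer header is omitted.

```python
import struct
import zlib


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Generate `length` RC4 keystream bytes from the seed value."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(iv: bytes, key: bytes, m: bytes) -> bytes:
    """Return IV || C for message M under a 40-bit or 104-bit key."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("need a 24-bit IV and a 40-bit or 104-bit key")
    cs = struct.pack("<I", zlib.crc32(m))  # CS = CRC32(M); byte order assumed
    p = m + cs                             # plaintext message P
    seed = iv + key                        # seed value S
    return iv + xor(p, rc4_keystream(seed, len(p)))


def wep_decapsulate(key: bytes, frame: bytes) -> bytes:
    """Recover M from IV || C and verify the appended checksum."""
    iv, c = frame[:3], frame[3:]           # the IV travels in the clear
    p = xor(c, rc4_keystream(iv + key, len(c)))
    m, cs = p[:-4], p[-4:]
    if struct.pack("<I", zlib.crc32(m)) != cs:
        raise ValueError("checksum mismatch")
    return m


# Constructed sample values, not taken from any real capture.
IV = bytes.fromhex("a1b2c3")
KEY = bytes.fromhex("0102030405")
MSG = b"hello over the radio link"
FRAME = wep_encapsulate(IV, KEY, MSG)
```

The receiver needs only the shared key, since the IV that completes the seed is read from the first three bytes of the frame itself.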