8.8 – Securing Wireless LANs
- The IEEE 802.11 WEP protocol was designed in 1999 and uses the symmetric shared key approach.
- WEP does not specify a key management algorithm, so it is assumed that the host and wireless access point have somehow agreed on the key via an out-of-band method.
- Authentication is carried out as follows:
- A wireless host requests authentication by an access point.
- The access point responds to the authentication request with a 128-byte nonce value.
- The wireless host encrypts the nonce using the symmetric key that it shares with the access point.
- The access point decrypts the host-encrypted nonce.
- If the decrypted nonce matches the nonce value originally sent to the host, then the host is authenticated by the access point.
- The WEP data encryption algorithm works as follows:
- A secret 40-bit symmetric key, $$K_s$$, is assumed to be known by both a host and the access point.
- A 24-bit Initialization Vector (IV) is appended to the 40-bit key to create a 64-bit key that will be used to encrypt a single frame.
- The IV will change from one frame to another, and hence each frame will be encrypted with a different 64-bit key.
- Encryption is performed as follows:
- First, a 4-byte CRC value is computed for the data payload.
- The payload and the four CRC bytes are then encrypted using the RC4 stream cipher.
- When presented with a key value, the RC4 algorithm produces a stream of key values, $$K_1^{IV}, K_2^{IV}, K_3^{IV}, ...$$ that are used to encrypt the data and CRC value in a frame.
- We can think of these operations being performed a byte at a time.
- Encryption is performed by XOR-ing the $$i^{th}$$ byte of data, $$d_i$$, with the $$i^{th}$$ key, $$K_i^{IV}$$, in the stream of key values generated by the $$(K_s, IV)$$ pair to produce the $$i^{th}$$ byte of ciphertext, $$c_i$$:
- $$c_i = d_i \oplus K_i^{IV}$$
- The IV value changes from one frame to the next and is included in plaintext in the header of each WEP-encrypted 802.11 frame.
- The receiver takes the secret 40-bit symmetric key that it shares with the sender, appends the IV, and uses the resulting 64-bit key to decrypt the frame:
- $$d_i = c_i \oplus K_i^{IV}$$
- Proper use of the RC4 algorithm requires that the same 64-bit key value never be used more than once.
- Recall that the WEP key changes on a frame-by-frame basis. For a given $$K_s$$, this means that there are $$2^{24}$$ unique keys. If these keys are chosen randomly, we can show that the probability of having chosen the same IV value is more than 99% after only 12000 frames.
- With 1 Kbyte frame sizes and a data transmission rate of 11 Mbps, only a few seconds are needed before 12000 frames are transmitted. Furthermore, since the IV is transmitted in plaintext in the frame, an eavesdropper will know whenever a duplicate IV value is used.
- Consider the following chosen-plaintext attack taken by Trudy against Alice. Suppose that Trudy sends a request to Alice to transmit a file with known content, $$d_1, d_2, d_3, d_4, ...$$ Trudy also observes the encrypted data $$c_1, c_2, c_3, c_4, ...$$ Since $$d_i = c_i \oplus K_i^{IV}$$, if we XOR $$c_i$$ with each side of this equality we have:
- $$d_i \oplus c_i = K_i^{IV}$$
- With this relationship, Trudy can use the known values of $$d_i$$ and $$c_i$$ to compute $$K_i^{IV}$$. The next time Trudy sees the same value of IV being used, she will know the key sequence $$K_1^{IV}, K_2^{IV}, K_3^{IV}, ...$$ and will thus be able to decrypt the encrypted message.
- Another concern with WEP involves the CRC bits. An attacker who changes the encrypted content, computes a CRC over the substituted gibberish, and places the CRC into a WEP frame can produce an 802.11 frame that will be accepted by the receiver.
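
The encryption steps and the keystream-reuse problem described above, as an added Python example that is not part of the original notes: it builds WEP-style frames (RC4 over payload plus CRC-32) and shows that a keystream recovered from one known-plaintext frame decrypts a later frame sent under the same IV, but not one sent under a fresh IV. The key, IVs and payloads are constructed sample values, and the function names are hypothetical.

```python
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of keystream output."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def wep_encrypt(ks: bytes, iv: bytes, payload: bytes) -> bytes:
    """c_i = d_i XOR K_i^IV over payload || CRC-32(payload)."""
    data = payload + zlib.crc32(payload).to_bytes(4, "little")
    # Per-frame key: IV appended to K_s, as the notes describe it.
    return xor(data, rc4_keystream(ks + iv, len(data)))

def wep_decrypt(ks: bytes, iv: bytes, ct: bytes) -> bytes:
    data = xor(ct, rc4_keystream(ks + iv, len(ct)))
    payload, crc = data[:-4], data[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != crc:
        raise ValueError("CRC mismatch")
    return payload

def recover_keystream(known_plain: bytes, ct: bytes) -> bytes:
    """K_i^IV = d_i XOR c_i for each byte whose plaintext is known."""
    return xor(known_plain, ct)

# Constructed sample values (not real traffic).
KS = bytes.fromhex("0badc0ffee")                 # 40-bit shared key K_s
IV_A, IV_B = b"\x00\x00\x01", b"\x00\x00\x02"    # 24-bit IVs
KNOWN = b"known file content sent on request"
SECRET = b"password=correct-horse"

frame1 = wep_encrypt(KS, IV_A, KNOWN)      # plaintext known to the observer
frame2 = wep_encrypt(KS, IV_A, SECRET)     # later frame, IV repeated
frame3 = wep_encrypt(KS, IV_B, SECRET)     # same payload, fresh IV
stream = recover_keystream(KNOWN, frame1)  # computed without knowing KS
leaked = xor(frame2, stream)[:len(SECRET)]
not_leaked = xor(frame3, stream)[:len(SECRET)]
```

The confidentiality of every frame therefore depends on the (key, IV) pair never repeating, which a 24-bit IV cannot guarantee on a busy link.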