Attacks on WEP

Let’s learn about the weaknesses of WEP in different cryptographic primitives.

WEP key management weaknesses

There are several serious problems with WEP key management:

  • Use of a shared fixed key: The WEP key KK acts as an overall master key for the WLAN and, as such, is a single point of failure. If the WEP key can be compromised (and it suffices for this compromise to arise on just one of the entities forming the WLAN) and an attacker learns the WEP key, then the entire WLAN security is compromised.

  • Exposure of the WEP key: In its role as a master key, the WEP key is unnecessarily ‘exposed’ through direct use as a component of an encryption key. It is also exposed in this way each time an authentication attempt is made.

  • No key separation: WEP abuses the principle of key separation by using the WEP key for multiple purposes.

  • Key length: While WEP does allow the WEP key length to vary, the smallest RC4 key length is 40 bits, which is far too short to be secure against recent exhaustive key searches. Perhaps more problematically, many WEP implementations allow WEP keys to be generated from passwords which, if not long enough, reduce the effective keyspace an attacker needs to search.

WEP entity authentication weaknesses

We now look at attacks concerning the entity authentication mechanism.

  • Rogue wireless access point: WEP only provides unilateral entity authentication from a device (Alice) to a wireless access point (Bob). This means that an attacker could set up a rogue access point and allow Alice to authenticate to it without Alice realizing that she was not dealing with the real access point.

  • Lack of session key: WEP does not establish a session key during entity authentication that is later used to protect the communication session. As a result, WEP entity authentication is only valid for the ‘instant in time’ it is conducted. WEP thus suffers from the potential for a ‘hijack’ of the communication session.

  • Keystream replay attack: Another serious problem is a lack of protection against replays of the WEP authentication process. An attacker who observes Alice authenticating to Bob can capture a plaintext (the challenge rBr_B and its CRC checksum) and the resulting ciphertext (the encrypted response).

    Since WEP uses the stream cipher RC4, the keystream can be recovered by XORing the plaintext to the ciphertext. We will denote this keystream by KS(IVK)KS(IV || K), since it is the keystream produced by RC4 using the encryption key IVKIV || K.

    Note that this is not yet an ‘attack’ because our standard assumptions dictate that good stream ciphers are designed to offer protection against an attacker who knows corresponding plaintext/ciphertext pairs and hence can recover keystream from this knowledge. However, this relies on the same keystream not being reused predictably.

    This is where WEP fails since the attacker can now falsely authenticate to Bob as depicted in the illustration below and described below:

Get hands-on with 1400+ tech skills courses.