How 802.11i Addresses WEP's Core Deficiencies
Here's how 802.11i provides stronger security than WEP.
July 29, 2003
Wired Equivalent Privacy (WEP) contains three core deficiencies. The first deficiency is the use of static encryption keys. The second deficiency is the ineffective use of initialization vectors (IVs). The third deficiency is the lack of packet integrity assurance.
Static encryption keys. The WEP protocol uses the RC4 algorithm, which is a symmetric cipher. Symmetric means that the sender and receiver must use the exact same key for encryption and decryption purposes. The 802.11 standard doesn't stipulate how to update these keys through an automated process; therefore, in most environments, the RC4 symmetric keys are never changed. Also, all the wireless devices and AP typically share the same key. Imagine everyone in your company using the same password—not a good idea. Vendors have created unique solutions to address these problems, but the deficiencies are present in the core standard.
Ineffective use of IVs. An IV is a numeric seeding value that, along with the symmetric key and RC4 algorithm, provides randomness to the encryption process. Randomness is extremely important in encryption because malicious users are always on the lookout for patterns in your processes that can reveal encryption keys. The wireless software inserts the key and IV value into the RC4 algorithm to generate a key stream, as Figure A shows. The key stream's 1 and 0 values are XORed with the binary values of the individual packets. The result is ciphertext, or encrypted packets. For more information about these processes, see the "Weaknesses in the Key Scheduling Algorithm of RC4" white paper, by Scott Fluhrer, Itsik Mantin, and Adi Shamir, at http://www.securityfocus.com/library/3629.
Most WEP implementations use the same IV values over and over in this process. And because the same symmetric key (or shared secret) is in use, effective randomness in the key stream that the algorithm generates is impossible. The appearance of patterns lets attackers reverse-engineer the process and uncover the original encryption key, which they can use to decrypt future encrypted traffic.
No packet integrity assurance. WLAN products that use only the 802.11 standard have a vulnerability that isn't easy to understand. An attacker can actually alter data within wireless packets by flipping specific bits and altering the integrity check value (ICV) so that the receiver is oblivious to the changes. The ICV works like a cyclical redundancy check (CRC) function: The sender calculates an ICV value and inserts it into a frame's header. The receiver calculates his or her ICV value and compares it with the ICV value that was sent with the frame. If the values are the same, the receiver can be sure that the frame wasn't modified during transmission. If the ICV values are different, a modification took place and the receiver discards the frame. In WEP, certain circumstances exist in which the receiver can't detect alterations to the frame; thus, WEP offers no true integrity assurance.
The new 802.11i standard's use of the Temporal Key Integrity Protocol (TKIP) addresses the deficiencies of WEP pertaining to static WEP keys and inadequate use of IV values. If a company is using products that implement only WEP encryption and isn't using a third-party encryption solution (e.g., a VPN), malicious users can use programs such as AirSnort and WEPCrack to take advantage of these weaknesses and the ineffective use of the key-scheduling algorithm within the WEP protocol. The malicious user can then break that company's encrypted traffic within hours or even minutes, regardless of whether 40-bit or 128-bit keys are in use. The preceding scenario is one of the most serious and dangerous vulnerabilities of the original 802.11 standard.
TKIP provides the ability to rotate encryption keys to help fight against these types of attacks. The protocol increases the length of the IV value and ensures that every frame has a different IV value. The wireless software combines this IV value with the transmitter's Message Authentication Code (MAC) address and the original WEP key so that even if the WEP key is static, the resulting encryption key will be different for each frame. The result is that the encryption process features more randomness, which is necessary to properly thwart cryptanalysis and attacks on cryptosystems. The changing IV values and resulting keys make the resulting key stream less predictable, so attackers have a more difficult time reverse-engineering the process and uncovering the original key.
TKIP also addresses the integrity problem by using a Message Integrity Check (MIC) instead of an ICV function. If you're familiar with a MAC function, you're familiar with MIC. The wireless software uses a symmetric key with a hashing function, which is similar to a CRC function but stronger. The use of MIC instead of ICV ensures that the wireless software will properly alert the receiver should changes to the frame take place during transmission. The sender and receiver calculate separate MIC values. If the receiver generates a MIC value that's different from the value sent with the frame, the wireless software deems the frame compromised and discards it.
About the Author
You May Also Like