WEP (Wired Equivalent Privacy) was developed to provide a wired equivalent safety in case of wireless networks, too. Since LANs are not saved with any encryptions in basic case, thus it was simple to provide such a safety. With the help of WEP data can be encrypted, that in case of interception nobody could gain any information from the data. Besides, user is authenticated before connecting to the network, and only then can he/she decrypt the encrypted data. WEP protocol is built on the RC4 encryption algorithm, which uses a key of 40 or 104 bits, combined with a 24-bit initializing vector (IV). RC4 is a frequently used method for encryption, which operates like this: there is a random series of bytes generated from an encrypted key and a random number, that XOR-es with the bytes of the message. Thus an M message and the control sum (ICV - Integrity check value) are encrypted on the following way:

C = [ M || ICV(M) ] XOR [ RC4(K || IV) ]

There are 40-bit key according to the standard, but the today's hardwares practically all support the 104-bit version. It is easy to understand from this, that the IV is a very important part of the encryption. We can achieve with the help of this, that the RC4 algorihtm could use different encryption keys in each and every occasion.

The RC4 algorithm

RC4 algorithm was developed in 1987 by Ronald Lorin Rivest. During the RC4 coding parties agree in a common secret key. Data encapsulated in the 802.11 frame is coded With the help of this key, and the initializing vector (IV) generated from it according to the figure shown below:

It would be too dangerous, if the algorithm used only the previously determined common key during the encryption, thus we change it with attaching a random value. This random value is calculated from the IV and the WEP key for the determination of the random key flow. Dependently from the implementation of RC4, the size of IV may have different, and in case of WEP it has a 24-bit size. Method of changing of IV is not determined by a standard, it starts from 0 usually in every implementation, and it grows one by one. There are also implementations, which do not change it, degrading the power of RC4 algorithm with it. That is why there is no need for the randomness of IV, because the WEP key, the IV and the key flow generator can ensure together, that different keys could be generated to each and every message. Value of IV changes continuously, but the receiving partner needs the value of IV for decoding the message, thus we attach the IV to the encrypted message without any encryptions. During this process IV is prepared to every frame with the help of the secret key known by partners, on the basis of an initial status block. Partner receiving the coded frame also knows the initial block, so he can decode data from it and using the attached IV. Receiving partner can examine the integrity of the transmitted frame with a control sum prepared with a CRC32 process, which was transmitted with an encryption, too. If the user's own calculated sum does not the same, as the received one, then he/she throws the bundle of data away, and indicates, that the packet got perhaps injured en route.

WEP packet

WEP packet consists of transformation of data of the network layer for the data connection layer, which comprises the encryption, the control of integrity, the incidental fragmentation, and attachment of a header. General model of a WEP packet is shown on the following figure.

Explanation of fields:

PAD - it has a 6-bit size, and its value depends on the Key ID

Key ID - it has a 2-bit size, and it gives the succession of WEP key, if there are more WEP keys used for encryption during the communication

Data és ICV - these are the only encrypted data in the packet

WEP authentication and ciphering

WEP has to find solutions for 2 security problems. One of them is the authentication, and the other one is ciphering. Authentication is made by a challenge-answer based protocol, which consists of 4 messages:

1. Client indicates an authenticate request.
2. AP generates a random number, and sends it as a challenge to the client (authenticate challenge) .
3. Client encrypts the challenge (random number) with a key, which is known by both of them, and sends the result back to the AP.
4. If AP decoded the message successfully, it means, that client really knows the appropriate key, and it sends an authenticate success (or a "failure" in case of an error) message to the client

When the authentication was made, AP and the client communicate with each other with encoded (encrypted) messages. They use the same key for encoding the messages, as for the authentication, and the algorithm is the RC4 key flow encoder. Client can be in 3 different states before the connection, and in the connection. Individual states, and state diagram of the transitions are demonstrated on the following figure:

Client can communicate in the given network, if it accomplished successfully both the authentication and the association.

Lacks of WEP

Examining the WEP process there could be mentioned the following incompletenesses:

• It uses the same key for authentication and encryption
• Authentication happens only in the moment of connecting to the network, and then it does not happen any longer.
• Only the client has to authenticate itself, the AP will not have to do it.
• It applies static keys, and change of the keys is a very time-consuming task in a large system.
• We can read everywhere, that WEP provides a 128bit of safety. But it is not true, because 24 bits from 128 (64) bits always transmitted openly.
• Size of IV is 24 bits long in the implementation used by the WEP, so the number of all the possible IVs is 224 = 16 777 216, which cannot be considered a quite large number at a packet-switched network communication, according to the prevalence of repetitions.
• Every client uses the same key during the communication with the AP, thus all of the messages can be decrypted.
• There are so called weak RC4 keys, from which the RC4 algorithm generates a not totally random series of bytes. If someone is able to observe the first bytes of such a series of bytes, then he/she can conclude to the key from it.

Attacks against WEP

RC4 has several weak points, which are easy to attack. In case of one of the attacking methods attackers apply a simple process with numeric characters. IV has only 24 bits, thus there are permutations with fixed numbers can be used by RC4 to the IV. There are 16 777 216 mathematically existing possible IV-combinations. In this case some minutes, or some hours need for breaking the code, depending on the activity of the client. Number of the possible IVs is finite, which means, that RC4 is forced to apply the same characters for a given IV. So the attacker may recognizer the repeated IVs after a time. In case of enough data he/she can determine the applied WEP-key, but he/she must record not only 2²⁴ packets, but the multiplication of it.

Another attacking method is on the basis of that there are known weak IVs. It derives from the nature of RC4. RC4 algorithm operates with some of the characters simply better, than with other characters. Weak 24-bit characters derive from this, but in spite of this they are used, too. If they use these weak characters, then the attacker can filter the intercepted data through some algorithms, and thus he/she is able to determine the part of the WEP-key. One of the known implementations of this process requires 10-15 million packets for the decoding of the WEP- key.

David Wagner, professor of the University of Berkeley has already learnt in 1995 the statistical weaknesses of the RC4 encryption algorithm, but his publication wasn not get a properly great attention. It is one of the reasons, that the IEEE used the RC4 algorithm for the encryption of the 802.11 standard in 1995. The very first publication, which concretely pointed on the unproper implementation of the RC4 algorithm, was a mutual work of Fluhrer, Mantin and Shamir, which became famous under the name of FMS statistical method (the abbreviation is from the first letters of the names of the authors). After a few months of the appearance of FMS the first practical implementations were ready for decoding of the WEP-keys. Their essence, that the original data content of the encrypted message is known, because IP and ARP-based communications realize most of the general network traffics, which start uniquely with the RFC1042 SNAP header, and the first byte of it has a mandatory "0xAA" value.

One of the improved solutions of FMS is the KOREK method that has got its name from its developer, but also known under the name of "chopper". It has improved the efficiency of the method with 60-70 %, and reduced the number of the necessary IVs.

There are another 2 methods for decoding the WEP key, but neither of them is really efficient and realiable. One of them is the Brute force attack, which tries to use all existing keys one after the other. It can be calculates easily, that at a 64-bit coding the size of the key is 40 bits, so there is 2⁴⁰ possible key altogether. If we see 100 000 key by seconds, then we would need 127 days to find the proper key. In case of a 104-bit key this value would be 6520836420927105974 years.

Another one is the dictionary-based attack, which exploits, that users usually use simple words, or their combinations, as a key word. If we have a good dictionary with the proper amounts of the possible words, and user uses a key containing meaningful words, then we will presumably find it. The problem is, that we cannot be sure, that the method will find the key, because most of the users are fully aware of weakness of the simple key words.

Wi-Fi Protected Access

Lacks of WEP derived from the implementation of RC4 WiFi Alliance tried to eliminate with the issue of WPA recommendation. Thus it made the authentication of the user mandatory, made efforts on behalf of the stronger encryption, of the realization of key management, and of protection against replay. WPA generated by the Wi-fi Alliance allowed the start of development of secure wireless network devices, until the IEEE 802.11 group finished the preparation of the standard. Until this (2004) the Wi-fi Alliance has already prepared also the WPA2 standard, which was built onto the final draft of IEEE 802.11 standard. In 2006 WPA2 became a mandatory recommendation and the WiFi Certified logo only beared by such a product, which supported the WPA2.

Mandatory authentication is an important element of both WPA and WPA2. WPA2 is worth speaking about in details, because its usage is generally prevalent. WPA2 has two different methods of usage: the so called Personal or Enterprise methods. Previous one can be made proper for the already mentioned SOHO environment, and another one is, of course, for the enterprise environment. In Personal mode, with PSK (Pre-shared Key), an in Enterprise mode with authentication and access control solutions described in IEEE 802.1X, and with EAP (Extensible Authentication Protocol). Several methods of EAP are supported by WiFi Alliance, e.g. authentication based on SIM cards of GSM-telephones, or usage of TLS protocol.

In the field of encryption in WPA the TKIP (Temporal Key Integrity Protocol) was used, which was based on RC4. However, it has weaknesses - that was mentioned concerning WEP - which enhances the chance for breakage in case of packages with short, partially known contents. That is why a stronger encryption was used in WPA2, the CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) with a 128-bit of AES block cipher.