How to crack WEP encryption Group: Nguyen Dinh Hong Nguyen Son Tung

How to crack WEP encryption · 2011. 1. 27. · Overview 1.Introduction 2.Encryption details 3.The weakness of WEP 4.How to crack WEP key 5.Conclusion


  • How to crack WEP encryption

    Group: Nguyen Dinh Hong, Nguyen Son Tung

  • Overview

    1. Introduction

    2. Encryption details

    3. The weakness of WEP

    4. How to crack WEP key

    5. Conclusion

  • 1. Introduction

    WEP = Wired Equivalent Privacy

    not

    Wireless Encryption Protocol

    Encryption protocol for securing 802.11 wireless networks.

    Designed to provide the same level of security as a wired LAN, not a WLAN

  • History

    1997: introduced / original IEEE 802.11

    1999: standard ratified

    2001: can be cracked

    2003: Wi-Fi Alliance → WPA (Wi-Fi Protected Access)

    2004: IEEE declared WEP (40 & 104) “have been deprecated”

  • Why is WEP still widely in use today?

    Device support: modems, wireless cards, etc.

    Newer standards like WPA are hard to configure?

  • 2. Encryption details

    The WEP standard is supported by:

    802.11b: 64-, 128-bit encryption

    802.11b+: 64-, 128-, 256-bit

    802.11g: 64-, 128-bit

    802.11a: 64-, 128-, 152-bit encryption

    Standard 64-bit and 128-bit encryption

  • How does WEP work?

    WEP uses:

    – Secret keys to encrypt data.

    – RC-4 algorithm to encrypt & decrypt.

    – CRC-32 algorithm checksum for integrity.

  • RC-4 algorithm

    RC-4 is a stream cipher

  • Initialization Vector (IV)

    24-bit, randomly generated by the computer

    64-bit WEP = 24-bit IV + 40-bit Key

    128-bit WEP = 24-bit IV + 104-bit Key

  • Encryption

    ICV = Integrity check value

  • Decryption

  • WEP authentication

  • 3. The weakness of WEP

    WEP is designed to provide the same level of security as that of a wired LAN not WLAN.

    WEP is used at the two lowest layers of the OSI model - the data link and physical layers; it therefore does not offer end-to-end security.

  • The weakness of WEP

    WEP uses master keys directly.

    Usually only one WEP key is provided (max: 4 keys)

    Small key size (40- or 104-bit)

    Small IVs that get reused

    24-bit → ~16.7M keystreams

    Weak ICV algorithm

    CRC-32 is a poor cryptographic hash

    Easy forging of SKA authentication messages

  • 4. How to crack?

    Brute force attack: very slow

    Weak IV attack: slow

    Keystream reuse attack: slow

    Modern technique:

    Injection

    ARP request replay

    Fake authentication

    Fragmentation

  • Aircrack-ng

    Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured.

    Tools:

    Airmon-ng: enable/disable monitor mode on wireless card

    Airodump-ng: capture raw 802.11 frames

    Aireplay-ng: inject and replay wireless frames

    Packetforge-ng: creates various types of encrypted packets that can be used for injection.

  • Conclusion

    WEP is not secure.

    Use WPA / WPA2 encryption.

    Strong password.

  • Thank you!

  • Q&A