WEP Review

From: Karthik Gopalratnam (karthikg@cs.washington.edu)
Date: Wed Nov 24 2004 - 01:07:16 PST

Next message: Tom Christiansen: "Borisov, et al, 2001"

Previous message: Rosalia Tungaraza: "Review #16: Intercepting mobile communications; the insecurity of 802.11"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

WEP Review

This paper considers the various security aspects of the WEP protocol as
part of the 802.11 standard, and exposes the inefficacy of the protocol as
described in the standard in terms of its ability to withstand all classes
of attacks that it was designed to handle.

The WEp protocol is based on the idea of a cryptographic keystream - the
RC4, to generate a ciphertext using a shared private key. The authors
analyze several properties of the keystream method to show that WEP cannot
provide either Confidentiality, Acces Control or Data Integrity. First, WEP
allows users to reuse the clickstream, and that too quite often. Messages
encrypted with the same keystream reveal information about each other. This
opens up the road to mounting dictionary attacks against the receiver,
thereby denying confidentiality.

As for Access control and data integrity, the authors make use of 2
crucial properties of the WEP checksum - i.e. that WEP checksum is a linear,
unkeyed function of the message to demonstrate how arbitrary bits in the
message can be changed without the sender realizing this, thereby denying
data inegrity. They demonstrate that access control is merely a special case
of not having data integrity, since authentication messages can be spoofed
to gain access to the network.

The authors have presented a very compelling case for the presence of
security holes in the WEP standard. However, clearly this is a very
difficult problem to solve for many reasons. First, these are essentially
link-layer problems, and this has considerations differnt from what is
possible at higher layers. The computations carried out for any security
framework have to be very fast for the mechanism to work well. Using SHA1
based methods for instance will significantly slow the network down, and
this could potentially be disastrous for a medium as lossy as RF
propagation. The authors make a valid point that the designers of these
protocols have to consider very seriously the cryptography angle of the
design because overlooking theoretical properties of some of the mechanisms
- such as CRCs and RC4, could have far reaching consequences.

Next message: Tom Christiansen: "Borisov, et al, 2001"

Previous message: Rosalia Tungaraza: "Review #16: Intercepting mobile communications; the insecurity of 802.11"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.6 : Wed Nov 24 2004 - 01:07:17 PST