WEP Weak IVs Vulnerability

WVE ID: WVE-2005-0021

Type: Vulnerability

Status: Candidate

Classification:
Cryptographic
Design Flaw

Description:
The WEP encryption system used by 802.11 networks uses RC4 in a flawed manner that can lead to the WEP key being compromised.

Discussion:
The WEP encryption algorithm uses the RC4 cipher to provide confidentiality for transmitted data. WEP-encrypted data frames are constructed by concatenating a 24-bit initialization vector (IV) with a shared secret known only to those participating in the network. This shared key can be either 40 or 104 bits, giving a total of either 64 or 128 bits of input to the RC4 algorithm respectively. The reason for using an IV is to prevent the same key from encrypting the same data more than once, since the resulting repetition, if observed, could lead to a compromise of the key.

The output of the RC4 algorithm, called the keystream, is then bitwise XOR-ed with the plaintext payload. However, in order for the receiver to decrypt the ciphertext successfully it needs to know the IV that was used in the encryption process. Thus the IV is sent in unencrypted form to the receiver.

The problem with this arises from an observation made in Fluhrer, Mantin, and Shamir's (FMS's) paper titled "Weaknesses in the Key Scheduling Algorithm of RC4." This paper showed that, for a subset of IVs (deemed "weak"), the first byte of RC4 output could be correlated with individual bytes of the secret key at a probability of 5%. Thus if enough frames containing these IVs are gathered, they can be statistically analyzed to derive the secret key used for encryption.
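The construction described above, as an added illustration that is not part of the WVE entry or the FMS paper: RC4 is seeded with the cleartext 24-bit IV concatenated with the shared key, and the resulting keystream is XOR-ed with the payload. The code omits the CRC-32 integrity check value that real WEP appends before encryption, and every key, IV and payload value in it is a constructed sample. The last function shows why the IV exists at all: two frames sent under the same key and the same IV share a keystream, so their ciphertexts XOR to the XOR of their plaintexts with no knowledge of the key.

```python
"""WEP-style RC4 encryption: IV || shared key seeds RC4, keystream XORs the payload.

Added example, not the WVE entry's own code. Simplified: no CRC-32 ICV, and all
keys, IVs and payloads are constructed sample values.
"""


def rc4_ksa(key: bytes) -> list:
    """RC4 Key Scheduling Algorithm: permute S under the (IV || shared key) input."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 PRGA: emit `length` keystream bytes from the scheduled state."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Build a WEP-style frame body: 24-bit IV in the clear, then RC4(IV || key) XOR payload.

    The IV is 3 bytes; the shared key is 5 bytes (40-bit) or 13 bytes (104-bit),
    giving the 64- or 128-bit RC4 input the entry describes.
    """
    if len(iv) != 3:
        raise ValueError("WEP IV must be 24 bits")
    if len(shared_key) not in (5, 13):
        raise ValueError("WEP shared key must be 40 or 104 bits")
    keystream = rc4_keystream(iv + shared_key, len(payload))
    ciphertext = bytes(p ^ k for p, k in zip(payload, keystream))
    return iv + ciphertext  # the IV travels unencrypted ahead of the ciphertext


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Receiver side: read the cleartext IV, rebuild the same keystream, XOR it away."""
    iv, ciphertext = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + shared_key, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def plaintext_xor_from_iv_reuse(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same key and the same IV share a keystream, so XOR-ing
    their ciphertexts cancels it and yields payload_a XOR payload_b without the key.
    Returns empty bytes when the IVs differ (no shared keystream to cancel)."""
    if frame_a[:3] != frame_b[:3]:
        return b""
    n = min(len(frame_a), len(frame_b)) - 3
    return bytes(a ^ b for a, b in zip(frame_a[3:3 + n], frame_b[3:3 + n]))


IV_SPACE = 1 << 24  # a 24-bit IV gives only 16,777,216 values before one must repeat


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit shared key
    iv = bytes.fromhex("a1b2c3")       # constructed IV
    frame1 = wep_encrypt(key, iv, b"first payload")
    frame2 = wep_encrypt(key, iv, b"other payload")
    print("IV in clear:", frame1[:3].hex())
    print("round trip:", wep_decrypt(key, frame1))
    print("payload XOR leaked by IV reuse:", plaintext_xor_from_iv_reuse(frame1, frame2).hex())
```

Because the IV is only 24 bits, a busy network exhausts the IV space and repeats IVs under the same long-lived shared key; `plaintext_xor_from_iv_reuse` makes concrete what that repetition costs even before the weak-IV correlation described above is considered.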

Credits
Author: Scott Fluhrer (sfluhrer@cisco.com) : Cisco Systems
Author: Itsik Mantin (itsik@wisdmon.weizmann.ac.il) : The Weizmann Institute
Author: Adi Shamir (shamir@wisdom.weizmann.ac.il) : The Weizmann Institute

References
URL: http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf

Released: 2001-08-16

Submitter
Andrew Lockhart (alockhart@networkchemistry.com) : Network Chemistry

Submitted: Mon Oct 31 12:38:50 -0800 2005

Candidate Date: Mon Oct 31 12:39:27 -0800 2005
