March 06, 2003
While wired equivalent privacy (WEP) encryption is not good enough for mission critical data, its still better than nothing for most WLANs. Heres why WEP does what it does, and the elbow grease you can apply to make it more secure.
We all know by now that 802.11swired equivalent privacy(WEP) isnt good enough to protect our data. That isnt just the theory, its a fact. Sure, WEP will stop Joe Wireless, but freely available programs likeAirSnortenable Joe Cracker break into your WLAN with little trouble.
Thus equipped, a cracker only needs some patience to mount a successful invasion. Specifically, it usually takes only five to ten million packets to break WEP encryption. And, at fifteen million packets, its almost dead certain that a dedicated attacker can pry the lid off your network traffic. Or, to put it another way, a small WLAN with four active users is almost certain to be cracked with two weeks of eavesdropping.
Making matters even worse, the cracking techniques most frequently used will work equally well no matter what WEP key length youre using. Thus, a 128-bit key is just as vulnerable as a 64-bit key. Indeed, even if a WEP key was 1,204 bits, it still as crackable by todays methods as ones that the minimal 64-bits.
How can that be? To understand how that works, you have to look closely at how WEP actually generates and manages, or more to the point doesnt, manage its encryption keys.
Every WEP packet is encrypted separately with an RC4 cipher stream generated by an encryption key. That key is made up of a 24-bit initialization vector (IV) and either a 40-bit or 104-bit WEP key thats usually set by your wireless device. Combined, they have a total length of 64 or 128-bits, hence the popular names of 64 and 128-bit WEP keys (some vendors use to call the 64-bit key a 40-bit key, but they simply werent including the 24-bit IV so 64 and 40-bit WEP are the same thing). This transmitted packet is generated by a mathematical operation called bitwise exclusive OR (XOR) using the packet sent to your network interface card (NIC) by your computer and the RC4 encryption key.
With me so far? Now, the first thing that kills WEPs fundamental security is that every packet you send also includes the IV in plaintext. In short, any would-be snooper can immediately see part of the key.
Now, because the IV is only 24-bits long, you can only get 16,777,216 different RC4 encryption streams for every key, regardless of how long the rest of the key is. Sounds like a lot doesnt it? Its not even close to enough. The plaintext IV is constantly reused and it takes many packets to send even a quick Hi, how are you? instant message, so it doesnt take long for a snooper to gather up enough packets to start cracking your messages.
If that was WEPs only weakness, it would still be insecure but it would take a serious processing power and a lot more packets to break into a WLAN. Unfortunately, RC4 has another problem. Not all of those close to 17-million possible IV numbers work as well as others in RC4. When one of these approximately 9,000 Weak IVs, are used to encrypt packets, a snooping program can recognize and collect them. These Weak IVs give additional clues on the full encryption key, no matter its length, and so they make breaking WEP that much easier.
There are other theoretical ways to take advantage of WEP, but the combination of these two ways of exploiting the IV have proven to be easy and effective enough that little effort is being spent on developing software to exploit these holes. Trust me, the existing way to pry open a WEP-protected network work more than well enough.
Well, for one thing you cant wait around for a solution. Yes, there are replacements to WEP coming likeWi-Fi Protected Access(WPA), but it hasproblems of its own. 802.11i, which hopefully will take care of wireless security until someone works out bigger and better ways of cracking wireless, is still a work in progress.
In the meantime, you can make the most of WEP by changing your key frequently. I would recommend small offices with security concerns do this once a week, while companies with ten or more wireless PCs with sensitive information should change the WEP daily.
Sounds easy doesnt it? Its not. When they built WEP, they didnt build in network key management. With almost all WLAN NICs and APs, you have to manually reset WEP to the new IV on each and every device, one by one.
That may only be annoying in your home office, but its a true pain in the rump for network administrators with dozens or even hundreds of wireless-enabled devices. Not to mention that if you enter the IV wrong on a PC, its user will find that it cant get on the network. Adding insult to injury, if you get it wrong on an access point (AP), the entire area of the network that access point serves will be out of action.
Of course, you could have your users reset their own computers WEP settings, but thats just asking for a technical support disaster of epic proportions.
Besides simply resetting your WEP key, you should follow these simple rules for making WEP as secure as possible. If your WEP software asks you for a passphrase or string to generate a key, donotuse your SSID, company name, network name, or any other easy to guess alphanumeric string. Treat setting WEP keys the same way you a strong password. Why make life any easier for a cracker then it already is, right?
If you must manually enter the key, youre restricted to the numbers 0-9 and letters a-f In this case, dont simply hit the same key over and over again or use some simple pattern like 1,2,3, and so on.
If you do this, and change your key frequently, you can maximize WEPs minimal protection. Good security? Heck no! But, its definitely better.
Come the day that802.1xarrives in all wireless, well finally get key management. Alas, while 802.1x is available in Windows XP, and some access points and proprietary setups, but its still relatively uncommon. Implementing it properly in WLANs is an issue being dealt with in the still unfinished 802.11i. Eventually, well all use 802.1x for our WLANs, but that day isnt here yet.
Of course, there are add-on solutions, like Ciscos LEAP which is adds a proprietary take on Extensible Authentication Protocol (EAP) combined with RADIUS. It works well, and it enables new WEP keys per session. It also, however, requires that all the equipment be LEAP enabled, which isnt cheap you then have to replace any older WLAN NICs and access points.
Another path often taken is to use a Virtual Private Network (VPN) to encrypt all WLAN communications. While straight-forward it enough, it does mean that youll need to either add VPN software, or in the case of some operating systems like Windows XP, Linux and the BSDs, implement their VPN features. VPNs must also be coordinated across the network, but VPNs can be centrally managed thus making running them much easier for administrators and users alike.
So, in summary, if you want the best WLAN security today, either use an add-on approach like LEAP and be ready to use only equipment from a single vendoror be ready to work with the added complexity of a VPN.
But, if youre willing to take the time and trouble, WEP alone can still be useful.
Here is the original post:
Making the Most from WEP - Wi-FiPlanet.com - Wi-Fi Planet
- WhatsApp to bring in encryption for backup chats after privacy fears - The Guardian - October 15th, 2021
- WhatsApp end-to-end encrypted backups are rolling out on both Android and iOS - GSMArena.com news - GSMArena.com - October 15th, 2021
- Encryption: Why security threats coast under the radar - Philstar.com - October 15th, 2021
- Encryption Management Solutions Market 2021 : Industry Analysis ,Size, Share, Revenue, Prominent Players, Developing Technologies, Tendencies and... - October 15th, 2021
- TLS Support Redis - October 12th, 2021
- Signal >> Documentation - October 12th, 2021
- Encryption Consulting announces their first-ever virtual conference - "Encryption Consulting Virtual conference 2021." - Tyler Morning... - October 12th, 2021
- [Update: Rolling out] WhatsApp adds end-to-end encryption for Android cloud backups - 9to5Google - October 12th, 2021
- Homomorphic Encryption Market New Coming Industry to Witness Great Growth Opportunities in Coming Years From 2021 to 2027: Microsoft (US), IBM... - October 12th, 2021
- SmartKargo Incorporates EDIfly Advanced Aviation Messaging At No Cost for Customers of its E-Commerce Logistics Solution - Yahoo Finance - October 12th, 2021
- No outages, no data leaks: The new WhatsApp killer built on the blockchain creates privacy-focused encrypted messenger - Cointelegraph - October 12th, 2021
- Mosyle's $ 16M Series A Drives Growth by Launching the Mosyle Business with the Market's First Encrypted DNS Filtering and Security Solution -... - October 6th, 2021
- Tips to Secure and Encrypt your WIFI Network Security - H2S Media - October 6th, 2021
- Data Encryption Standard (DES)? - All You Need to Know | Techfunnel - TechFunnel - October 4th, 2021
- XSOC CORP Recognized by CyberSecurity Breakthrough Awards Program for Overall Encryption Solution of the Year - Business Wire - October 4th, 2021
- Encryption: Why security threats coast under the radar - Express Computer - October 4th, 2021
- Hardware Encryption Devices Market 2021 Technology Development, Key Manufacturers, Forecast Based on Major Drivers and Trends Up to 2027 - Digital... - October 4th, 2021
- Container security without governance is neither secure nor governed - The Register - October 4th, 2021
- Sectigo Certificate Manager Wins 2021 CyberSecurity Breakthrough Award for Overall Encryption Solution Provider of the Year - PRNewswire - October 4th, 2021
- Customs and Border Protection Signs Major Contract With Amazon-Owned Encrypted Chat App Wickr - Gizmodo - October 4th, 2021
- Encryption cant be used as excuse to deny sharing details to law enforcement: Govt - The Financial Express - October 4th, 2021
- Facebook announces WhatsApp end-to-end encrypted (E2EE) backups - Techiexpert.com - TechiExpert.com - October 4th, 2021
- Bluefin Issues New Payment Security Brief on PCI-validated P2PE for Petroleum and Convenience Stores - PR Web - October 4th, 2021
- Get a lifetime of easy, automatic encryption for all of the files on your computer for just $30 - ZDNet - September 24th, 2021
- Tide encryption is ready to end the cyber breach pandemic - TechCrunch - September 24th, 2021
- The FBI has kept the presence of the encryption key secret from Casey for three weeks. - Cheraw Chronicle - September 24th, 2021
- Braves non-tracking, browser-based video conferencing tool is out of beta - TechCrunch - September 24th, 2021
- 5 ways to stay ahead of government-targeted ransomware - GCN.com - September 24th, 2021
- Encryption Software Market expectation surges with rising demand and changing trends by industry analysis through 2026 Stillwater Current -... - September 24th, 2021
- What Is a Hardware Security Module? HSMs Explained - Hashed Out by The SSL Store - September 24th, 2021
- Brave, the startup behind untracked browser-based video conferencing tool is out of beta - Security News - BollyInside - September 24th, 2021
- Hardware Encryption Devices Market Is Expected To Witness Healthy Growth At A CAGR Of More Than 40% - Herefordshire Live - Herefordshire Live - September 24th, 2021
- WhatsApp launches encryption in iCloud and Google Drive backups - InTallaght - September 24th, 2021
- WhatsApp boosts end-to-end encryption - BusinessTech - September 17th, 2021
- WhatsApp to offer encryption on cloud backups: Heres all you need to know - India Today - September 17th, 2021
- London's Top Cop Says 'Big Tech,' Encryption Are Letting The Terrorists Win - Techdirt - September 17th, 2021
- Zoom unveils new security features including end-to-end encryption for Zoom Phone, verified identities and... - ZDNet - September 15th, 2021
- Insights on the Hardware Encryption Global Market to 2026 - by Algorithm & Standard, Architecture, Product, Application and Region - PRNewswire - September 15th, 2021
- Light Start: WhatsApp rolls out backup encryption, LG is more attractive, Google goes dark and iPhones only laak gud vaabs Stuff - Stuff Magazines - September 15th, 2021
- Revenant REvil. WhatsApp offers encryption. Hortum spyware in Turkey. Update on the UN data breach. Healthcare breaches disclosed. - The CyberWire - September 15th, 2021
- How a glitch in the Matrix led to apps potentially exposing encrypted chats - The Register - September 15th, 2021
- Secure cloud storage: which are the most secure providers? - ITProPortal - September 15th, 2021
- WhatsApp is finally allowing users to encrypt chat backups uploaded to iCloud and Google Drive - Buzz.ie - September 15th, 2021
- WhatsApp is adding encrypted backups - The Verge - September 11th, 2021
- What Is Fully Homomorphic Encryption (FHE)? - CIO Insight - September 11th, 2021
- WhatsApp end-to-end encrypted messages arent that private after all - Ars Technica - September 11th, 2021
- UK government backs Apple, and wants to scan encrypted messages for CSAM - 9to5Mac - September 11th, 2021
- VPN and Email Encryption Provider, WiTopia, Inc., Is Now Raising Capital Via StartEngine - PRNewswire - September 11th, 2021
- Future in the cloud for encryption - Capacity Media - September 8th, 2021
- WhatsApps Claims Of End-To-End Encryption Might Be Entirely True - Ubergizmo - September 8th, 2021
- Debunking Wi-Fi Security Myths: Wi-Fi Encryption Is Weak - TechSpective - September 8th, 2021
- WhatsApp Flaw Casts Doubt on End-to-End Encryption - Security Boulevard - September 8th, 2021
- Bluefin Receives U.S. Patent on Systems for Vaultless Tokenization and Encryption - WFMZ Allentown - September 8th, 2021
- Priti Patel backs ad campaign that criticises Facebook's stance on end-to-end encryption - Graham Cluley Security News - September 8th, 2021
- EXCLUSIVE: What's in the new zero-trust strategy - Politico - September 8th, 2021
- 3 ways to protect yourself from cyberattacks in the midst of an IT security skill shortage - Help Net Security - September 8th, 2021
- Apple Has Betrayed Its Privacy Legacy and Will Undermine End-to-end Encryption Everywhere - Privacy News Online - September 8th, 2021
- IBM's first 7nm Power10 chip arrives in E1080 server system with a wealth of shiny features - The Register - September 8th, 2021
- The adoption of multi-cloud drives the need for better data protection and management of encryption keys an... - Security Boulevard - August 26th, 2021
- Cryptomator Vs. BoxCryptor: Which One Is The Best Encryption Software? - Analytics Insight - August 26th, 2021
- Why you should encrypt your data on your computer and how to do it - The Star Online - August 26th, 2021
- Video end-to-end encryption on Ring to be available worldwide - ITP.net - August 26th, 2021
- What is a Vocoder? How an audio encryption device used in WW2 became the sound of electro and modern pop - Mixdown - August 26th, 2021
- Privacera partners with StreamSets to strengthen data security for ETL processing in the cloud - Help Net Security - August 26th, 2021
- R400m cocaine-in-a-boat accused used encryption app to communicate - TimesLIVE - August 26th, 2021
- Evervaults encryption as a service is now open access - TechCrunch - August 24th, 2021
- How to Encrypt Your Own Windows and Mac Devices (and Why You Need To) - Lifehacker - August 24th, 2021
- Why encryption is the key to digital fitness, according to Thales - iTnews - August 24th, 2021
- How to check each of your WhatsApp chats are ACTUALLY private right now and not being intercepted by h... - The Sun - August 24th, 2021
- WebCam: How Australia paved the way for Apple's encryption backflip - Crikey - August 24th, 2021
- Staggering 400% rise in child sexual abuse images detected by Facebook as fears over encryption plans g... - The Sun - August 24th, 2021
- Hardware-based Full Disk Encryption Market 2021 and Analysis to 2027 Micron Technology Inc, Seagate Technology PLC, Toshiba, Intel - The Market... - August 24th, 2021
- WhatsApp could soon have an iPad app for the first time - Engadget - August 24th, 2021
- Facebook is bringing end-to-end encryption to Messenger calls and Instagram DMs - TechCrunch - August 14th, 2021
- Apple opens the encryption Pandora's box - Axios - August 14th, 2021
- How to encrypt your computer (and why you should) - Mashable - August 14th, 2021
- Protects User Privacy With Encryption and Authentication - Security Magazine - August 14th, 2021
- An Overview of Blockchain in Supply Chain: Whats the Link? - JD Supra - August 14th, 2021
- Facebook introduces end-to-end encryption for its voice & video call features - Techstory - August 14th, 2021
- Hardware Encryption Devices Market Research Report 2021 Elaborate Analysis With Growth Forecast To 2027 Intel, Toshiba, Micron Technology Inc,... - August 14th, 2021