March 06, 2003
While wired equivalent privacy (WEP) encryption is not good enough for mission-critical data, it's still better than nothing for most WLANs. Here's why WEP does what it does, and the elbow grease you can apply to make it more secure.
We all know by now that 802.11's wired equivalent privacy (WEP) isn't good enough to protect our data. That isn't just the theory, it's a fact. Sure, WEP will stop Joe Wireless, but freely available programs like AirSnort enable Joe Cracker to break into your WLAN with little trouble.
Thus equipped, a cracker only needs some patience to mount a successful invasion. Specifically, it usually takes only five to ten million packets to break WEP encryption. And, at fifteen million packets, it's almost dead certain that a dedicated attacker can pry the lid off your network traffic. Or, to put it another way, a small WLAN with four active users is almost certain to be cracked with two weeks of eavesdropping.
Making matters even worse, the cracking techniques most frequently used will work equally well no matter what WEP key length you're using. Thus, a 128-bit key is just as vulnerable as a 64-bit key. Indeed, even if a WEP key were 1,204 bits, it would still be as crackable by today's methods as one that's the minimal 64 bits.
How can that be? To understand it, you have to look closely at how WEP actually generates and manages, or more to the point doesn't manage, its encryption keys.
Every WEP packet is encrypted separately with an RC4 cipher stream generated by an encryption key. That key is made up of a 24-bit initialization vector (IV) and either a 40-bit or 104-bit WEP key that's usually set by your wireless device. Combined, they have a total length of 64 or 128 bits, hence the popular names of 64- and 128-bit WEP keys (some vendors used to call the 64-bit key a 40-bit key, but they simply weren't including the 24-bit IV, so 64- and 40-bit WEP are the same thing). The transmitted packet is generated by a mathematical operation called bitwise exclusive OR (XOR), using the packet sent to your network interface card (NIC) by your computer and the RC4 cipher stream.
With me so far? Now, the first thing that kills WEP's fundamental security is that every packet you send also includes the IV in plaintext. In short, any would-be snooper can immediately see part of the key.
Now, because the IV is only 24 bits long, you can only get 16,777,216 different RC4 encryption streams for every key, regardless of how long the rest of the key is. Sounds like a lot, doesn't it? It's not even close to enough. The plaintext IV is constantly reused, and it takes many packets to send even a quick "Hi, how are you?" instant message, so it doesn't take long for a snooper to gather up enough packets to start cracking your messages.
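To make the IV problem concrete, here is an added example (not part of the original article) that builds the per-packet RC4 key as IV plus WEP key and shows that two frames sent under the same IV leak the XOR of their plaintexts, whether the WEP key is 40 or 104 bits. The frame layout is simplified, the IV is assumed to be picked at random for the repeat estimate, and all keys and payloads are constructed sample values.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key schedule (KSA) followed by n bytes of output (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, wep_key: bytes, payload: bytes) -> bytes:
    """Return the body as sent: cleartext IV followed by ciphertext.
    Simplification: a real frame also carries a key ID byte and a CRC-32 ICV."""
    assert len(iv) == 3 and len(wep_key) in (5, 13)
    return iv + xor(payload, rc4_keystream(iv + wep_key, len(payload)))

def reuse_leak(frame_a: bytes, frame_b: bytes):
    """If two frames share an IV, return ciphertext XOR ciphertext, else None."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[3:], frame_b[3:])

def frames_for_even_odds_of_repeat(iv_bits: int = 24) -> int:
    """Birthday estimate: frames with random IVs before a repeat is 50% likely."""
    return math.ceil(math.sqrt(2 * math.log(2) * 2 ** iv_bits))

# Constructed sample data, not captured traffic.
P1 = b"Hi, how are you?"
P2 = b"Fine, thank you!"
IV = bytes.fromhex("0a0b0c")
KEY40 = bytes.fromhex("1f2e3d4c5b")                   # "64-bit" WEP
KEY104 = bytes.fromhex("1f2e3d4c5b6a79880a1b2c3d4e")  # "128-bit" WEP

def demo() -> dict:
    """For each key length, does an IV repeat expose P1 XOR P2 without the key?"""
    results = {}
    for name, key in (("64-bit", KEY40), ("128-bit", KEY104)):
        leak = reuse_leak(wep_encrypt(IV, key, P1), wep_encrypt(IV, key, P2))
        results[name] = leak == xor(P1, P2)
    return results

if __name__ == "__main__":
    print(demo())
    print(frames_for_even_odds_of_repeat())
```

The keystream cancels out of the XOR because it depends only on the IV and the key, which is why a longer key does nothing for this particular weakness.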
If that were WEP's only weakness, it would still be insecure, but it would take serious processing power and a lot more packets to break into a WLAN. Unfortunately, RC4 has another problem. Not all of those close to 17 million possible IV numbers work as well as others in RC4. When one of the approximately 9,000 Weak IVs is used to encrypt packets, a snooping program can recognize and collect those packets. These Weak IVs give additional clues to the full encryption key, no matter its length, and so they make breaking WEP that much easier.
There are other theoretical ways to take advantage of WEP, but the combination of these two ways of exploiting the IV has proven to be easy and effective enough that little effort is being spent on developing software to exploit those other holes. Trust me, the existing ways to pry open a WEP-protected network work more than well enough.
Well, for one thing you can't wait around for a solution. Yes, there are replacements for WEP coming, like Wi-Fi Protected Access (WPA), but it has problems of its own. 802.11i, which hopefully will take care of wireless security until someone works out bigger and better ways of cracking wireless, is still a work in progress.
In the meantime, you can make the most of WEP by changing your key frequently. I would recommend small offices with security concerns do this once a week, while companies with ten or more wireless PCs with sensitive information should change the WEP daily.
Sounds easy, doesn't it? It's not. When they built WEP, they didn't build in network key management. With almost all WLAN NICs and APs, you have to manually reset WEP to the new IV on each and every device, one by one.
That may only be annoying in your home office, but it's a true pain in the rump for network administrators with dozens or even hundreds of wireless-enabled devices. Not to mention that if you enter the IV wrong on a PC, its user will find that it can't get on the network. Adding insult to injury, if you get it wrong on an access point (AP), the entire area of the network that access point serves will be out of action.
Of course, you could have your users reset their own computers' WEP settings, but that's just asking for a technical support disaster of epic proportions.
Besides simply resetting your WEP key, you should follow these simple rules for making WEP as secure as possible. If your WEP software asks you for a passphrase or string to generate a key, do not use your SSID, company name, network name, or any other easy-to-guess alphanumeric string. Treat setting WEP keys the same way you would a strong password. Why make life any easier for a cracker than it already is, right?
If you must manually enter the key, you're restricted to the numbers 0-9 and letters a-f. In this case, don't simply hit the same key over and over again or use some simple pattern like 1,2,3, and so on.
If you do this, and change your key frequently, you can maximize WEP's minimal protection. Good security? Heck no! But it's definitely better.
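The key-entry rules above can be checked mechanically before a key is rolled out to every device. The following is an added example, not from the original article: `audit_wep_key` and `new_wep_key` are hypothetical helper names, the thresholds (block period up to 4, counting runs of 5 or more, 4-character name fragments) are assumptions, and the sample keys in the comments and tests are constructed.

```python
import secrets

VALID_HEX_LENGTHS = {10: "64-bit WEP", 26: "128-bit WEP"}  # 40- and 104-bit secrets

def new_wep_key(hex_digits: int = 26) -> str:
    """Generate a key from the OS CSPRNG instead of typing a pattern."""
    if hex_digits not in VALID_HEX_LENGTHS:
        raise ValueError("WEP keys are 10 or 26 hex digits")
    return secrets.token_hex(hex_digits // 2)

def has_short_period(s: str, max_period: int = 4) -> bool:
    """True if s is one short block repeated, e.g. 'aaaa...' or 'abab...'."""
    return any(all(s[i] == s[i % p] for i in range(len(s)))
               for p in range(1, max_period + 1))

def longest_step_run(s: str) -> int:
    """Longest run of hex digits climbing or falling by one, e.g. '12345'."""
    vals = [int(c, 16) for c in s]
    best = run = 1
    prev_step = None
    for a, b in zip(vals, vals[1:]):
        step = b - a
        if step in (1, -1):
            run = run + 1 if step == prev_step else 2
        else:
            run = 1
        prev_step = step
        best = max(best, run)
    return best

def audit_wep_key(hex_key: str, guessable_names: list) -> list:
    """Return a list of findings; an empty list means no rule was violated."""
    key = hex_key.replace(":", "").replace("-", "").lower()
    if any(c not in "0123456789abcdef" for c in key):
        return ["contains characters outside 0-9 and a-f"]
    if len(key) not in VALID_HEX_LENGTHS:
        return [f"length {len(key)} is not 10 or 26 hex digits"]
    findings = []
    if has_short_period(key):
        findings.append("repeats one short block")
    if longest_step_run(key) >= 5:
        findings.append("contains a counting sequence")
    # Assumption: a key typed as ASCII text is stored as those bytes, so a
    # fragment of the SSID or company name shows up inside the key bytes.
    as_text = bytes.fromhex(key).decode("latin-1").lower()
    for name in guessable_names:
        n = name.lower()
        if n and any(n[i:i + 4] in as_text for i in range(max(1, len(n) - 3))):
            findings.append(f"embeds part of guessable name {name!r}")
    return findings

if __name__ == "__main__":
    # Constructed examples: a repeated digit, a counting pattern, an ASCII name.
    for k in ("aaaaaaaaaa", "0123456789", "41434d4531", new_wep_key(26)):
        print(k, audit_wep_key(k, ["AcmeCorp"]))
```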
Come the day that 802.1x arrives in all wireless, we'll finally get key management. Alas, while 802.1x is available in Windows XP, and some access points and proprietary setups, it's still relatively uncommon. Implementing it properly in WLANs is an issue being dealt with in the still unfinished 802.11i. Eventually, we'll all use 802.1x for our WLANs, but that day isn't here yet.
Of course, there are add-on solutions, like Cisco's LEAP, which adds a proprietary take on Extensible Authentication Protocol (EAP) combined with RADIUS. It works well, and it enables new WEP keys per session. It also, however, requires that all the equipment be LEAP-enabled, which isn't cheap, since you then have to replace any older WLAN NICs and access points.
Another path often taken is to use a Virtual Private Network (VPN) to encrypt all WLAN communications. While straightforward enough, it does mean that you'll need to either add VPN software or, in the case of some operating systems like Windows XP, Linux and the BSDs, implement their VPN features. VPNs must also be coordinated across the network, but VPNs can be centrally managed, thus making running them much easier for administrators and users alike.
So, in summary, if you want the best WLAN security today, either use an add-on approach like LEAP and be ready to use only equipment from a single vendor, or be ready to work with the added complexity of a VPN.
But, if you're willing to take the time and trouble, WEP alone can still be useful.
Here is the original post:
Making the Most from WEP - Wi-FiPlanet.com - Wi-Fi Planet