User's Manual
SEL-3022 Transceiver Instruction Manual Date Code 20050615
Wireless Operator Interface Security
IEEE 802.11 WEP Security
WEP Security Flaws Explanation
WEP is based on a two-part encryption algorithm called RC-4. The first stage of the
encryption process, known as the Key Scheduling Algorithm (KSA), takes a string of
key bits as input and forms an output initialization string. The second stage, known as
the Pseudo-Random Generation Algorithm (PRGA), produces a pseudo-random
bitstream of arbitrary length. The value of this string of bits depends on the initializing
permutation the KSA produces. Note that a given KSA input will always produce the
same PRGA output. The designers of the IEEE 802.11 standard wanted the process of
decrypting a single packet to be independent of all previous and future packets.
Because of this requirement, the output of the PRGA function has to be reset at the
beginning of every packet. If this were done without also changing the input to the
KSA function, the encryption stream would be identical for every packet and the
resulting encryption process would be trivially broken. Because of this, the input to the
KSA function is a concatenation of a secret key (104 bits in the case of the SEL-3022
wireless operator interface) with a 24-bit Initialization Vector (IV). By changing the IV
on every packet, the WEP encryption process ensures that the probability of any two
randomly chosen packets being encrypted with the same PRGA output (known as an
“IV collision”) is sufficiently low.

For each data packet, the concatenation of the key and IV serves as the input to the
RC-4 algorithm, which produces a string of pseudo-random encryption bits (with a length
equal to the length of the original data packet). To perform the encryption operation,
the encryption bit string is added modulo 2 (XOR) to the original contents of the
packet. The IV used during the encryption process is then concatenated with the
resulting ciphertext to form the final message. A major contributor to the relative
weaknesses of the WEP encryption process is the fact that the IV is appended to the
ciphertext and transmitted unencrypted. The following text explains the details of these
weaknesses.

In an August 2001 presentation at the Eighth Annual Workshop on Selected Areas in
Cryptography of an article titled “Weaknesses in the Key Scheduling Algorithm of
RC4,” authors Fluhrer, Mantin, and Shamir published formal proofs of some potential
weaknesses in the RC-4 algorithm. In a later paper, published in the AT&T Labs
Technical Report TD-4ZCPZZ of August 2001 titled “Using the Fluhrer, Mantin, and
Shamir Attack to Break WEP,” authors Stubblefield, Ioannidis, and Rubin
demonstrated that the WEP algorithm was designed in such a way as to contain the
worst of the weaknesses that Fluhrer, Mantin, and Shamir’s paper outlined.
Furthermore, Stubblefield, Ioannidis, and Rubin demonstrated that a passive attack
could be used to successfully determine a 104-bit secret key in just a few hours on a
moderately loaded wireless LAN. Based on these results, Stubblefield, Ioannidis, and
Rubin urged network designers to assume that the IEEE 802.11 link layer offers very
little security and to employ further security measures in addition to WEP. The
SEL-3022 design incorporates these additional security measures in the form of
cryptographically sound 128-bit AES encryption and HMAC SHA-1 authentication
(see The SEL Security Application on page C.9 for further explanation).
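
The per-packet keying described above, as an added example that is not part of the SEL manual: RC-4's KSA and PRGA, WEP-style encryption with a 24-bit IV and 104-bit key, and what an IV collision means for two ciphertexts. The key, IVs and plaintexts are constructed sample values; the seed order IV || key follows IEEE 802.11 WEP, the frame checksum is left out, and `iv_collision_probability` assumes IVs are chosen at random.

```python
import math

def ksa(seed):
    """Key Scheduling Algorithm: seed bytes -> initial 256-entry permutation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    return s

def prga(s, n):
    """Pseudo-Random Generation Algorithm: n keystream bytes from a permutation."""
    s, i, j, out = list(s), 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key, iv, plaintext):
    """Return (iv, ciphertext); the IV is sent unencrypted with the packet."""
    if len(iv) != 3 or len(key) != 13:       # 24-bit IV, 104-bit secret key
        raise ValueError("expected a 3-byte IV and a 13-byte key")
    return iv, xor(plaintext, prga(ksa(iv + key), len(plaintext)))

def wep_decrypt(key, iv, ciphertext):
    """The same keystream, regenerated from the received IV, undoes the XOR."""
    return xor(ciphertext, prga(ksa(iv + key), len(ciphertext)))

def iv_collision_probability(packets, iv_bits=24):
    """Birthday approximation: chance that two of `packets` random IVs match."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * 2 ** iv_bits))

# Constructed sample values, not taken from any device.
KEY = bytes(range(1, 14))
IV_A, IV_B = b"\x01\x02\x03", b"\x01\x02\x04"
P1 = b"STATUS REPORT 01"
P2 = b"METER READING 02"

def demo():
    _, c1 = wep_encrypt(KEY, IV_A, P1)
    _, c2 = wep_encrypt(KEY, IV_A, P2)       # IV collision: same keystream as c1
    _, c3 = wep_encrypt(KEY, IV_B, P1)       # fresh IV: different keystream
    return c1, c2, c3
```

With a colliding IV the keystream cancels, so `xor(c1, c2)` equals `xor(P1, P2)` without any knowledge of the key, which is why the IV must not repeat under one secret key.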