5m ago

31 Views

0 Downloads

513.09 KB

10 Pages

Transcription

,1INovember 1994DOC: IEEE P8Q2. 11-94/249WEP: The "Wired Equivalent Privacy" Algorithm.7 November 1994Revision 1.0AbstractThis submission proposes an optional "wire equivalent" encryption algorithm to be optionally implementedin 802.11 compliant stations. The algorithm exhibits good security and efficiency, is self-synchronizingand is free of IP restrictions.Issues Addressed:6.6Is there any additional work on Security that needs to be done by 802.11 in addition tothe work that is done by 802.10?6.10Shall the minimal Security algorithms set be extended to include a Privacy equivalent towired LANs?IntroductionWith the decision to incorporate 802.1 Ob Secure Data Exchange in the 802.11 standard, we have provideda mechanism that allows cooperating stations to communicate in a secure fashion . However, 802. lOb doesnot afford any security in and of itself; it is up to 802.11 to determine which security services are requiredon the wireless data link and to specify implementations.This paper defines "security equivalent to that of a wired LAN" as at least protecting authorized users of awireless LAN from casual eavesdropping and data injection. The first of these LAN security threats isformally known as unauthorized disclosure and can be protected against by the use of a data confidentiality(privacy) service! . The second issue is more complex and usually requires the use of security services inaddition to privacy (e.g. Authentication).Eavesdropping is a familiar problem to users of other types of wireless technology. For example, manycorporations have policies which prohibit employees from discussing confidential business over cellulartelephones. By specifying a wired LAN equivalent data confidentiality service in the 802. II standard, asignificant barrier to market penetration can be eliminated.11EEE Std 802.10-1992, "Interoperable LAN/MAN Security (SILS), 5 February 1993IEEE 802.11 Submissionpage 1

DOC; IEEE P802.11-94/249November 1994Data confidentiality depends on an external key management service to authenticate users and distributedata enciphering/deciphering keys, and on an appropriate cryptographic algorithm. While the security ofthe cryptosystem may by reduced by a poor choice for either of these components, they are complementaryfunctions and may be considered independently. This submission focuses on a cryptographic algorithm(WEP).The algorithm described is in the public domain. The algorithm was posted to various Internet news groupsduring 1994. Subsequent analysis of the algorithm by the Internet security community has indicated thatthe algorithm is resource efficient, quick, and reasonably secure. The original Internet posting asserted thatthe algorithm is functionally equivalent to the RC4 algorithm from RSA. For the purpose of 802.11 "wiredequivalency" it is irrelevant whether or not the algorithm actually is functionally equivalent to RC4, itmight in fact be either better or worse than RC4.The posted public algorithm does meet the requirements of 802.11 for providing a "wired equivalent"privacy algorithm. For the purposes of this paper, the algorithm is given the name "WEP" for "WiredEquivalent Privacy".Properties of the WEP AlgorithmWEP was evaluated against the desired properties of a MAC layer cryptographic algorithm as discussed inissue 6.10:The following paragraphs use term (k and IV) which are defined in the theory of operation section.Reasonably Strong:The security afforded by the algorithm relies on the difficulty of discovering the secret key through a bruteforce attack. This in turn is related to the length of the secret key (usually expressed in bits) and thefrequency of changing keys. However, it may be an easier problem to discover k through statisticalmethods if the key sequence remains fixed and significant quantities of ciphertext are available to theattacker. WEP avoids this by frequently changing the IV and hence k .Self Synchronizing:Provided by the IV, as described. This property is critical for a data-link level encryption algorithm, where"best effort" delivery is assumed and packet loss rates can be high. An algorithm that assumes reliabledelivery in order to maintain synchronization between sender and receiver would not provide acceptableperformance.Efficient:The WEP algorithm is very efficient in comparison to traditional block ciphers. It uses few resources andcan be implemented efficiently in either hardware or software. Refer to the algorithm specification sectionfor more details.IPcontent:The WEP proposal in this paper is IP free. A previous similar proposal (RT; 94122) contained two pieces ofIP; The RC4 algorithm licensed by RSA (not used in this proposal); and an implementation specific keycaching scheme (absent as it is not required for system operation).Exportability :Given the current political and legal climate in the United States regarding Cryptography, it is not possibleto predict the exportability of any specific privacy scheme. In fact, export licenses are granted for specificproducts, not for algorithms. Further, there is no legal guarantee that two different implementations of theIEEE 802.11 Submissionpage 2

POC; IEEE PS02. J J-941249November 1994same algorithm will be treated identically for export consideration. (While this may not sit well with some,it is factual as ofthe writing of this paper.)Every effort has been made to design the WEP system operation so as to maximize the chances of exportvia the Commerce Department.Requirement for an 802.11 Option:Because of the interest of 802.11 members in making international products, coupled with the vagary ofUS export law, the usage of the WEP algorithm is specifically proposed to be an optional portion of the802.11 standard.Detailed draft text for WEP:The remainder of this document is written as changes to 2083 and contains the detailed text anddiagrams that are proposed for adoption.Motion:That the following detailed changes (derived from draft 20B3) be adopted andincorporated in the 20B4 802.11 draft standard and that Issues 6.6 and 6.10 beclosed to reflect the adoption of the WEP proposal.IEEE 802.11 Submissionpage 3

November 1994DOC: IEEE P802.l1.-94/2491.2 DefinitionsWired Equivalent Privacy (WEP)' The optional cryptographic privacy algorithm specified by 802.11used to provide data confidentiality which is subjectively equivalent to a wired media.1.3 AbbreviationsWEPWired Equivalent Privacy.2.4.3.2 PrivacyIEEE 802.11 specifies an optional privacy algorithm (WEP) that is designed to satisfy the goal ofwired LAN "equivalent" privacy. The algorithm is not designed for ultimate security but rather to be"at least as secure as a wire". See section XX for more details.2.7.5 PrivacyNote: 802.10 does not specify specific cryptographic algorithms fo r privacy . P802.11 has registered thefollowing algorithms with 802.10:No Privacy Ale;orithm in use:Value -?Wired Equivalent Privacy (WEP) ale;orithm:Value ?This satisfies the minimal operational needs of 802.11.Additional privacy algorithms. which have been registered with 802. 10 for llse with in 8Q2.1 1implementations. and were known at the time of publication are contai ned in appendix XX.2.7.6 AuthenticationNote: 802.10 does not specify specific cryptographic algorithms for authent icatjon or privacy. However thealgorithm numbers must be known for proper operation of 802.1 1. P802.1 I has registered the followingalgorithms with 802.10:No Authentication ale;orithm in use:Value - ?This satisfies the minimal operational needs of 802.11.Additional authentication al orithms which have been registered with 802.10 for lise within 802. J 1implementations and were known at the time of publication are contained in appendix XX.x.x.x.x The Wired Equivalent Privacy Algorithm (WEP)IntroductionEavesdropping is a familiar problem to users of other types of wireless technology. P802.11 specifies awired LAN equivalent data confidentiality algorithm. Wired equivalent privacy is defined as protectingIEEE 802.11 Submissionpage 4

DOC; IEEE P802.) 1-94/249November J 994authorized users of a wireless LAN from casual eavesdropping. This service is intended to providefunctionality for the Wireless LAN equivalent to that provided by the physical security attributes inherentto a wired media.Data confidentiality depends on an external key management service to authenticate users and distributedata enciphering/deciphering keys. P802. 11 specifically recommends against running an 802.11 withprivacy but without authentication. While this combination is possible, it leaves the system open tosignificant security threats.Properties of the WEP AlgorithmThe WEP algorithm has the following properties:Reasonably Strong:The security afforded by the algorithm relies on the difficulty of discovering the secret key through a bruteforce attack. This in turn is related to the length of the secret key and the frequency of changing keys.WEP allows for the changing of the key (k) and frequent changing the Initialization Vector (IV).Self Synchronizing:WEP is self-synchronizing for each message. This property is critical for a data-link level encryptionalgorithm, where "best effort" delivery is assumed and packet loss rates can be high.Efficient:The WEP algorithm is efficient and can be implemented in either hardware or software.Exportability:Every effort has been made to design the WEP system operation so as to maximize the chances of exportvia the Commerce Department. However, due to the legal and political climate toward Cryptography at thetime of publication, no guarantee could be made that any specific 802.11 implementations which uses WEPwould be exportable from the United States.Therefore, the implementation and use of WEP is an 802.11 option.WEP Theory of OperationThe process of disguising (binary) data in order to hide its information content is called encryption2 . Datathat is not enciphered is called plaintext (denoted by P) and data that is enciphered is called ciphertext(denoted by C). The process of turning ciphertext back into plaintext is called decryption. Acryptographic algorithm, or cipher, is a mathematical function used for enciphering or deciphering data.Modern cryptographic algorithms use a key (denoted by k) to modify their output. The encryption functionE operates on P to produce C:EkfP) CIn the reverse process, the decryption function D operates on C to produce P:2Sruce Schneier, "Applied Cryptography, Protocols, Algorithms and Source Code in COl, JohnWiley & Sons, Inc. 1994IEEE 802.11 Submissionpage 5

November 1994DOC; rEEE P802. 1 1-94/249DIJC) PAs illustrated in Figure 1, note that if the same key is used for encryption and decryption thenDIJEIJP)) PSecure Side text,. I Encryptiod Ir::D::-e-c-rypt io-'d EavesdropperFigure 1. A Confidential Data ChannelThe WEP algorithm proposed in this submission is a form of electronic code book in which a block ofplaintext is bitwise XOR'd with a pseudo random key sequence of equal length. The key sequence isgenerated by the WEP algorithm.InitializationVector (IV)LSecret Key - - .IV SeedE9IWEP. PRNGIKey Sequence(MAX MSG sZ)B-- CiphertexPlaintext[Integrity Check Value (lCV) ,- IC V -,I Integrity A l g o r i t h r 1 r - - - - - - - - - - - - ,.MessageFigure 2. WEP Encipherment Block DiagramReferring to Figure 2 and following from left to right, encipherment begins with a secret key that has beendistributed to cooperating stations by an external key management service. WEP is a symmetric algorithmin which the same key is used for encipherment and decipherment.The secret key is combined with an initialization vector (IV) and the resulting seed is input to a pseudorandom number generator (PRNG). The PRNG outputs a key sequence k of pseudo-random bits equalin length to the largest possible MSDU. Two processes are applied to the plaintext MSDU. To protectagainst unauthorized data modification, an integrity algorithm operates on P to produce an integrity checkvalue (ICV). Encipherment is then accomplished by mathematically combining the key sequence with P.The output of the process is a message containing the resulting ciphertext, the IV, and the ICV.The WEP PRNG is the critical component of this process, since it transforms a relatively short secret keyinto an arbitrarily long key sequence. This greatly simplifies the task of key distribution as only the secretkey needs to be communicated between stations. The IV extends the useful lifetime of the secret key andprovides the self-synchronous property of the algorithm. The secret key remains constant while the IVchanges periodically. Each new IV results in a new seed and key sequence, thus there is a one-to-onecorrespondence between the IV and k. The IV may be changed as frequently as every MSDU and, since ittravels with the message, the receiver will always be able to decipher any message. The IV may betransmitted in the clear since it does not provide an attacker with any information about the secret key .IEEE 802.11 Submissionpage 6

November 1994DOC: IEEB PS02. I 1-94/249The WEP key (k) is 40 bits.Because IV and the ICV must be transmitted with the MSDU, fragmentation may be invoked. The WEPalgorithm is applied to an MSDU. The {IV, MSDU, ICV} triplet forms the actual data to be sent in the dataframe.For WEP protected Data frames, the first octets of the frame contain the IV for the MSDU. The WEP IV is16 bits. The IV is followed by the MSDU, which is followed by the ICV. The WEP ICV is 32 bits. TheWEP Integrity Check algorithm is CRC 32.The entire {IV, MSDU, ICV} package may be split into several fragments (depending on the realtivevalues of the MSDU and the active MPDU size).As stated previously, WEP combines k with P using bitwise XOR.Secret Key----t. B,-----,--I. IVEeKey SequenceWEP PRNG PI1aintextCiphertexu----------------------------- L:JIIntegrity Algorithli ICV'ICV ICV?MessageFigure 3. WEP Decipherment Block DiagramRefe