
Communication Security: Wireless • Chapter 4  203

                 number of open-source tools have appeared, which do precisely this. Two such
                 popular tools for cracking WEP are Airsnort and WepCrack.
                    Some vendors, such as Agere (which produces the ORiNOCO product line),
                 responded to the weakness in key scheduling by modifying the key scheduling in
                 their products to avoid the use of weak keys, making them resistant to attacks based
                 on weak key scheduling. This feature is known as WEPplus.

                 Stream Cipher Vulnerability

                 WEP uses the RC4 stream cipher. Unlike block ciphers such as DES or AES, which
                 perform mathematical functions on blocks of data, a stream cipher treats the data
                 or the message as a stream of bits. To encrypt the data, the stream cipher
                 performs an Exclusive OR (XOR) of the plaintext data against the keystream to
                 create the ciphertext stream. (An XOR is a mathematical function used with
                 binary numbers. If the bits are the same, the result of the XOR is “0”; if different,
                 the result of the XOR is “1.”)
                    If a keystream were always the same, it would be relatively easy to crack the
                 encryption if an attacker had both the plaintext and the ciphertext version of the
                 message (known as a plaintext attack). To create keystreams that are statistically
                 random, a key and a PRNG are used to create a keystream that is XOR’d against
                 the plaintext message to generate the ciphertext.
                    In the case of WEP, a number of other elements are involved to encrypt and
                 decrypt messages. To encrypt an 802.11 frame, the following process occurs:
                      1. A cyclic redundancy check (CRC), known as an ICV, is calculated for the
                         message and appended to the message to produce the plaintext message.
                      2. RC4 is used to create a pseudorandom keystream as a function of a 24-bit
                         IV and the shared secret WEP key. The IV and the shared secret WEP key
                         are used to create the RC4 key schedule. A new IV is used for every
                         frame to be transmitted.

                      3. The resulting keystream is XOR’d with the plaintext message to create a
                         ciphertext.
                      4. The IV is concatenated with the ciphertext in the appropriate field, and a
                         bit is set to indicate a WEP-encrypted frame.
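
The four encryption steps above, as an added Python example that is not from the book, together with the receiver's ICV check and the reason a repeated keystream is a weakness. The key, IV and messages are constructed sample values; the RC4 seed order (IV followed by key) and the little-endian CRC-32 ICV follow standard WEP, and the frame is simplified to the IV plus ciphertext (no 802.11 header or key ID byte).

```python
import struct
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key schedule (KSA) followed by n bytes of output (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, wep_key: bytes, message: bytes) -> bytes:
    # Step 1: the ICV is the CRC-32 of the message, appended to it.
    plaintext = message + struct.pack("<I", zlib.crc32(message))
    # Step 2: RC4 is keyed with the 24-bit IV followed by the shared key.
    keystream = rc4_keystream(iv + wep_key, len(plaintext))
    # Steps 3-4: XOR, then send the IV in the clear ahead of the ciphertext.
    return iv + xor(plaintext, keystream)

def wep_decrypt(wep_key: bytes, body: bytes) -> bytes:
    iv, ciphertext = body[:3], body[3:]
    plaintext = xor(ciphertext, rc4_keystream(iv + wep_key, len(ciphertext)))
    message, icv = plaintext[:-4], plaintext[-4:]
    if struct.pack("<I", zlib.crc32(message)) != icv:
        raise ValueError("ICV mismatch")
    return message

# Constructed sample values (40-bit key, 24-bit IV), not taken from the book.
KEY, IV = bytes.fromhex("0102030405"), bytes.fromhex("a1b2c3")
MSG_A = b"constructed frame A"
MSG_B = b"constructed frame B"

def reused_iv_leaks_xor() -> bool:
    """Same IV and key give the same keystream, so it cancels out of C_a XOR C_b."""
    ca = wep_encrypt(IV, KEY, MSG_A)[3:]
    cb = wep_encrypt(IV, KEY, MSG_B)[3:]
    return xor(ca, cb)[:len(MSG_A)] == xor(MSG_A, MSG_B)
```

Because the IV is only 24 bits and travels in the clear, repeats are observable on a busy network, which is why step 2 calls for a new IV on every frame.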
                    To decrypt the ciphertext, the receiving station does the following:

                      1. Checks the bit denoting encryption.






                                                                              www.syngress.com