Academic literature by Cam-Winget, Housley, Wagner and Walker (2003) and other authors on the subject of WEP security show that the WEP IEEE 802.11 is a shared key (40 or 140 bits long) encryption standard, which was designed to provide confidentiality and security of data packets by protecting them from unauthorised access using the RC4 encryption algorithm. Studies by Geier (2002) have proved WEP to a be standard with several vulnerabilities, which have made WEP easy for an attacker to crack its security code in a very short time using a variety of tools, which include BackTrack and its suite of tools. Typically, BackTrack has a suite of other tools, which can be used to test the security of WEP by subjecting it to a number of vulnerability assessment tests and attacks, which include traffic injection, duplication of recorded traffic, time based attacks, and Denial-of-Service attacks (Cam-Winget, Housley, Wagner & Walker, 2003).
WEP Vulnerabilities
Some of the vulnerabilities discovered in WEP include data modification and eavesdropping (Cam-Winget, Housley, Wagner and Walker, 2003). According to Mehta (2001), the rationale of performing tests to discover the vulnerabilities in WEP is because when WEP in a LAN is disables or enabled, its weaknesses still persist. It is possible for a LAN running on WEP to be compromised and have the integrity and confidentiality of data on transmission lost because of the standard’s weaknesses. Other vulnerabilities include the ability to compromise the WEP by the use of passive attacks, which is a condition where an attacker selects both the cipher text and the plain-text to attack WEP secured data (Boulmalf, Barka & Lakas, 2007).
Active attacks
Active attacks on the WEP protocol are possible to inject traffic into the mainstream traffic (Pritchett, 2012). The vulnerabilities of WEP are exploited here because the situation is that the attacker is knowledgeable about the exact message being, which has been encrypted and can be modified. The attacker can use knowledge about the message to create a correctly encrypted message packet by calculating the CRC-32 by performing an additional operation of bit flips on the originally encrypted message (Potter, 2003). The operation enables the attacker to change the plain-text to a new message, which can be sent to a legitimate target and accepted as a legitimate message (Pritchett, 2012). The operation is done by exploiting the RC4(X) xor X xor Y = RC4(Y) property. If the attack is slightly modified, the attack becomes even more insidious (Sheldon, Weber, Yoo & Pan, 2012).
Another vulnerability of WEP is its susceptibility to time based attacks. A time based attack is one where the attacker is able to utilise the limited time available during the transmission of data to build a decryption table to compute the RC4 key-stream (Sheldon, Weber, Yoo & Pan, 2012). WEP security relies on a secret key, which has two parts. Those parts include the 40 bit long root key and a vector (IV), which is randomly selected and, which is 24 bits long. WEP functions by fitting the key into the RC4 stream cipher to initialise its internal state to generate the key stream (Stubblefield, Ioannidis & Rubin, 2004). One of the tools, which are used for vulnerability assessment of the WEP standard, is BackTrack. BackTrack (using one of the suite of tools in its collection such as Aircrack-ng) is a vulnerability assessment tool, which can be used to assess the vulnerabilities of the WEP standard. Some of the vulnerabilities, which can be tested in WEP, include weak key invariance, 802.1 fragmentation, dictionary attacks, and decryption of WEP encrypted files (Cam-Winget, Housley, Wagner & Walker, 2003). An attack WEP is vulnerable to include the FMS attack, which yields the first byte of key streams with the probability of 0.005 failures. WEP is also vulnerable to fragmentation attacks (Stubblefield, Ioannidis & Rubin, 2004).
Typically, the WEP IEEE 802.11 WEP (wired equivalent protocol) uses the RC4 stream encryption algorithm, which has a byte oriented operation with variable key sized streams (Cam-Winget, Housley, Wagner & Walker, 2003). The algorithm relies on random permutations with a period of 10100. To ensure that the security and complete implementation of the algorithm is done, a machine makes sixteen operations for each byte. WEP depends on vector initialisation, which begins with S [0] and ends with S [255]. Here, RC4 is considered to be a strong algorithm, which implies that the main problem is with the WEP standard (Stubblefield, Ioannidis & Rubin, 2004). The problem with WEP is that it has a serious flaw, which originates from the use of CRC integrity, which is not designed for crypto integrity but for error detection (Stubblefield, Ioannidis & Rubin, 2004).
A critical analysis of the WEP standard reveals that the protocol integrity does not actually provide the integrity required because CRC is a stream cipher, which depends on the XOR operations. It is also possible to change the cipher text to CRC, which results in the same checksum after 4823 packets have been tried (Stubblefield, Ioannidis & Rubin, 2004). In addition, CRC has been proved not to be able to detect errors, which can be introduced in to the LAN, and cannot detect intelligently introduced errors. If the attacker knows the destination IP address and the key stream used to encrypt the IP address, it becomes possible to replace the destination IP with the attacker’s IP address. Because there are no integrity checks done on the packets being transmitted, integrity fails and the packets can be transmitted to an illegitimate destination (Stubblefield, Ioannidis & Rubin, 2004; Stubblefield, Ioannidis & Rubin, 2004).
The tool (BackTrack) provides the attacker with the ability to discover the vulnerability associated with the WEP standard. Here, the tool provides the attacker with the ability to identify the vulnerability of WEP to passive attacks, eavesdropping, and to intercept wireless traffic by waiting for the IV collision to occur (Jiang, 2006). The tool enables the attacker to perform the XOR operations on the two packets that use the same IV to recover the plain text message. The XOR results can then be used to deduce the contents of the plain text message and sometimes the exact content of the messages can be determined (Jiang, 2006).
Specific WEP vulnerabilities where BackTrack is applied
The specific WEP vulnerabilities where BackTrack is applied include key stream reuse, message integrity, and key management vulnerability assessment issues (Ali & Heriyanto, 2011). BackTrack has shown that the probability of reusing the same key especially when the traffic is high on a busy network is very high. It is possible for the attacker to get the key in a matter of hours or minutes after launching an attack on the system.
A key stream can be reused based on the use of a short 24 bit key to enable the attacker to recover the plain text being transmitted (Ali & Heriyanto, 2011). Ali and Heriyanto (2011) have shown that BackTrack can be used to discover the vulnerability in WEP even if a 64 bit or a 128 bit key is used. On the other hand, BackTrack enables the discovery of vulnerabilities in WEP, which deal with the integrity of messages on transmission. On the other hand, the issue of key management is critical for the provision of WEP services, because when the keys are shared between two people, the key is not secure (Bock & Lynn, 2007). To attack the WEP key, the attacker just enters the BackTrackcaptured-data.cap instruction into the application. The BackTrack provides an interactive mode for the user to provide instructions on what they intend the software to accomplish (Bock & Lynn, 2007). Then, the user issues instructions for the vulnerability assessment actions to begin. BackTrack provides certain techniques for discovering the WEP key quickly. It is advisable to try to capture the keys using the after making 250, 000 or more unique machine runs. It is also advisable to try to use the tool to crack the WEP key after 200,000 IVs to ensure that the application does not spend time brute forcing the keys (Bock & Lynn, 2007).
Shared secret key authentication
The BackTrack tool enables the attacker to discover and see the keys on a wireless network device. Here, the attacker can steal the key and own it. The authentication can be based on the use of IP addresses. The authentication can also be password based. This is where the stored passwords can be accessed and decrypted based on the cryptographic authentication methods (Bock & Lynn, 2007). The BackTrack tool enables vulnerability assessment to be done to discover how the WEP standard can be attacked using brute force attack (Bock & Lynn, 2007).
How BackTrack performs vulnerability assessments
According to Bock and Lynn (2007), the approach for performing vulnerability assessment using BackTrack is based on the use of certain tools, which are within BackTrack’s suite of tools. One of the tools is Aircrack-ng. It is worth noting that vulnerability assessment is a passive process, which is an advanced stage of information gathering and foot printing (Ali & Heriyanto, 2011). Foot printing involves understanding and identifying where the weak points lie in the local area network (LAN). The rationale of entering this phase is to discover the weaknesses in WEP, which allows the user to make unauthorised access to confidential information. For Backtrack, the procedure starts with the vulnerability scanning.
Another tool that BackTrack depends on to carry out vulnerability assessment is the OpenVAS. The process involves starting the Openvas scanner. Once the application is started, it is possible to see the plug-ins being loaded, and the speed of the operation depends on the hardware platform being used. The application opens the user interface and prompts one to run the first scan by clicking on the OpenVAS-Client interface.
Quality of tool in relation to vulnerability identification
Using BackTrack leads to the discovery of certain vulnerabilities, which include susceptibility to a wide range of attacks. The attacks discovered include the parking lot attack, time based attacks, key-stream attacks, the shared key authentication flaws, and service set identifier flaws and the discovery of weaknesses in other tools.
Limitations of BackTrack
The BackTrack as a tool used to perform vulnerability assessments and its weaknesses is based on the weaknesses of the backtracking algorithms. One of the weaknesses in the algorithm is thrashing. With the thrashing problem the standard does not identify the variables that cause failure in WEP. In addition, the algorithm does not remember the conflicts, which occur during intelligent backtracking, detects the conflicts, but maps the variables when it is too late, making some vulnerabilities is to remain undetected.
Installation of the tool
BackTrack can be installed on a number of operating systems and the installation procedures are different from one operating system platform to the other. The application consists of a wide range of tools, which can be used for a variety of purposes ranging from port scanning, password cracking, and vulnerability assessment of the network. Some of the tools in its collection include Metasploit for integration, Nmap, Hydra, Aircrack-ng, Wireshark, and Ophcrack. The first step in the installation of BackTrack is to install and configure the program on the host operating system.
The system will start to load, it will run and at one point, it will demand for the user responsible for the installation to issues a ‘startx’ command to allow the system load its graphical user interface (GUI). Once the installation of the GUI is complete, it brings one to the BackTrack’s Desktop. The next step is for one is to double click on the install BackTrack icon, which prompts the user to enter their site and time configuration GUI. The time zone is selected at this point and the system requests for the installer to create sufficient disk space for the software to be installed. The next step is to review installation information, continue the installation, and then reboot the system.
It is important to log in using the username: root, password ‘toor’ credentials. After that the ‘ifconfig’ command is issued to check the system IP address. Once the network is down, services can be restarted by issuing the ‘ifconfig’ command to restart all the services required. Then the process of exploiting the vulnerabilities of the WEP can start using tools such as Aircrack-ng.
How to fix Vulnerabilities in WEP
A variety of solutions have been proposed to address the weaknesses in WEP. One of the problems identified in the study is the WEP IV 24 bit long problem. One suggestion was to look for a new cipher and mode of operation. Here, the symmetric key encryption should be accomplished using the AES block cipher. Using the block cipher allows for a very efficient implementation of the WEP algorithm on any platform and recommends that RC4 should not be used for WEP encapsulation. In addition, the use of 128-bit AES should be mandatory to implement the cipher. In addition to that it is important to use AES in Offset Codebook Mode (OCB) for message authentication on WEP to produce a secure message authentication code, which prevents the messages on transmission being forged. The plain-text and cipher text are of the same length when encrypted using OCB based on the use of a single key. It is possible for the OCB to be optimised to encrypt/decrypt and tag/verify a message on transmission with only a single pass. On the other hand, it is recommended that the use of the of a session key derivation scheme, which enables the removal of the base key from being directly attacked. Here, an algorithm is recommended, which produces two session keys. Those keys include one for sending and the other for receiving the data. The sender MAC address is concatenated with BSSID using a manually configured key as per the following mode: session-key ← OCB-AES-tag base-key (0, BSSID | sender-mac-addr | receiver-mac-address).
The other recommendation for securing WEP is to use a WEP encapsulation strategy where a 128-IV bit, use of a 32 bit sequence number for quantity encryption, and use of a 128 bit OCB data authentication tag.
The WPA standard was developed to address the weaknesses in WEP. The solution was based on a software upgrade of WEP and provided significant solutions to the problems of WEP. WAP provides the ability to perform complex data encryption based on the temporal Key Integrity Protocol combined with the Message Integrity Code (MIC), which is targeted at avoiding bit-flip flop attacks, which can easily compromise the WEP, which is based on the hashing technique. WAP provides improved cryptographic message integrity, new IV sequencing technique, and the ability to provide re-keying mechanisms.
Conclusion
In conclusion, the use of WEP suffered from a significant number of software vulnerabilities, which include the possibility of eavesdropping, the inability of WEP to prevent forgery attacks, wrong use of RC4, ease of data modification without any detection, inherent problems with the RC4 encryption algorithm, and the forgery of authentication messages. To address those problems, a number of suggestions have been made in academic literature, which includes the use of WPA algorithm, which provides improved data encryption using the TKIP protocol, use of the Message Integrity Code (MIC), and the use of user authentication methods and tools. The use of WPA provides the capability to avoid the forgery of messages and the ability to strengthen the use of IV keys.
References
Ali, S., & Heriyanto, T. (2011). BackTrack 4: Assuring Security by Penetration Testing: Master the Art of Penetration Testing with BackTrack. Packt Publishing Ltd.
Bock, J., & Lynn, M. (2007). Hacking Exposed Wireless. McGraw-Hill, Inc.
Boulmalf, M., Barka, E., & Lakas, A. (2007). Analysis of the effect of security on data and voice traffic in WLAN. Computer Communications, 30(11), 2468-2477.
Cam-Winget, N., Housley, R., Wagner, D., & Walker, J. (2003). Security flaws in 802.11 data link protocols. Communications of the ACM, 46(5), 35-39.
Geier, J. (2002). 802.11 WEP: Concepts and vulnerability. Wi-Fi Planet, 20.
Jiang, X. I. O. N. G. (2006). WEP Protocol-based Wireless LAN Secure Improvement Mentality [J]. Computer Science, 12, 024.
Mehta, P. C. (2001). Wired Equivalent Privacy Vulnerability. Level One Security Essentials Track.
Pritchett, W. (2012). BackTrack 5 Cookbook. Packt Publishing Ltd.
Potter, B. (2003). Wireless security’s future. Security & Privacy, IEEE, 1(4), 68-72.
Sheldon, F. T., Weber, J. M., Yoo, S. M., & Pan, W. D. (2012). The Insecurity of Wireless Networks. Security & Privacy, IEEE, 10(4), 54-61.
Stubblefield, A., Ioannidis, J., & Rubin, A. D. (2004). A key recovery attack on the 802.11 b wired equivalent privacy protocol (WEP). ACM transactions on information and system security (TISSEC), 7(2), 319-332.