The RC4 encryption algorithm's keystream is a long sequence of pseudorandom bytes that performs an exclusive OR (XOR) logic function against the plaintext message to create the ciphertext. If an attacker obtains the keystream that encrypted a message, he or she needs only to reverse the process to acquire the plaintext message.
The RC4 stream cipher uses two components to derive a keystream: a secret key and a cleartext IV. Each user in an organization can have a unique secret key, or all users can share the same key. The 802.11 standard doesn't outline a method for providing each user a different key, so in many organizations, all users have the same key. The IV is a random, publicly available number with a maximum of only 24 bits. If an organization uses one secret key for all its users, the IV must use every possible available value; otherwise, the keystreams will be redundant and easier to crack. This scenario relies heavily on the IV's randomness to ensure that each keystream is unique. However, because the 802.11 standard allocates only 24 bits for the IV value (2^24 possibilities), all available unique values will be used up in less than a day. The result is reused IV values and reused keystreams.
To decrypt any message that passes between devices, an attacker needs only to learn the different keystreams that a network uses. Your goal is to use the widest possible range of IV values to make your keystreams unobtainable and unpredictable. The more IV values available to the wireless device for calculating keystreams, the more keystreams the attacker needs to uncover and record. However, the 802.11 standard further compounds the problem by failing to specify that the IV value must use at least all 2^24 possibilities. As a result, most vendors use only a handful of IV values. So, not only is 2^24 not enough, but most implementations don't even use that many.
Calculating the Keystream
WEP's major flaws relate to the way that it generates IVs. Under the 802.11 security architecture, WEP's weaknesses permit quick deduction of the keystream. After an attacker determines the keystream, decrypting future packets is simply a matter of effort and patience.
So far, you understand the following:
Message1 + CRC = Plaintext1
IV + Secret Key = Keystream
Plaintext1 XOR Keystream = Ciphertext1
I want to explore the weakness in this equation, that is, the calculation of the keystream.
WEP doesn't dictate the method of IV calculation for each packet and doesn't require that each packet have a different IV value. These limitations have led many vendors to implement elementary and predictable IV calculations, which drastically reduce the number of unique keystreams that a network uses. If a device sets the IV value to 0 at each reboot and increments the value by 1 each time the NIC initializes, that device might be limited to IV values of 0 through 4. Binary math dictates that the resulting 2^5 possibilities produce only as many as 32 possible IV values, which obviously wouldn't provide the necessary complexity for an effective security mechanism. One wireless device can generate thousands of packets daily. Multiply those thousands by the number of wireless devices you have on your network, and you'll have some idea of the number of packets (each with a corresponding IV value) traveling across your wireless network each day.
The WEP protocol transmits the IV value in clear text along with the ciphertext. Therefore, to obtain the IV values that a network is using, an attacker needs only to passively eavesdrop on wireless network traffic. If the attacker finds two messages that use the same IV value, he or she can simply perform an XOR function against those two messages. (The XOR function requires two pieces of data.) Because both messages were encrypted with the same keystream, the keystream cancels out, and the attacker obtains the XOR of the two plaintext messages. Because IP traffic is often predictable and includes much redundancy, knowledge of these XOR values lets the attacker perform statistical attacks to ultimately recover the plaintext messages.
After an attacker has the plaintext and ciphertext values, a few simple calculations, plugged into the previously stated equation, can determine the keystream value. If the attacker places these calculations into a script or program (which automatically runs all the intercepted packets through the program to build the described database), he or she can assemble a database that contains an entire network's IV values and corresponding keystream values, assuming that everyone on the network is using the same key. Therefore, this newly armed traffic sniffer would be able to capture a packet, compare the packet's unencrypted IV value against the database of keystream values, extract the corresponding keystream value, and apply it to the packet, which would automatically decrypt the encrypted information.
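The three equations above and the IV-collision property, worked through on constructed data. This is an added example, not code from the original article: the key, IVs, messages and function names are made up for illustration, and the framing is simplified to IV plus RC4 over message and CRC-32, with no 802.11 headers.

```python
import struct
import zlib
from collections import defaultdict

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def with_crc(message: bytes) -> bytes:
    """Message + CRC = Plaintext."""
    return message + struct.pack("<I", zlib.crc32(message))

def wep_encrypt(iv: bytes, secret: bytes, message: bytes):
    """Return (cleartext IV, ciphertext); the RC4 key is the IV followed by the secret key."""
    plaintext = with_crc(message)
    return iv, xor(plaintext, rc4(iv + secret, len(plaintext)))

def reused_ivs(frames):
    """Group (iv, ciphertext) frames by IV and keep the IVs seen more than once."""
    by_iv = defaultdict(list)
    for iv, ciphertext in frames:
        by_iv[iv].append(ciphertext)
    return {iv: cts for iv, cts in by_iv.items() if len(cts) > 1}

# Constructed sample data: one shared 40-bit key, three frames, two sharing an IV.
SECRET = bytes.fromhex("0102030405")
M1, M2 = b"GET /index.html HTTP/1.0", b"POST /login.cgi HTTP/1.0"
FRAMES = [wep_encrypt(b"\x00\x00\x01", SECRET, M1),
          wep_encrypt(b"\x00\x00\x02", SECRET, M1),
          wep_encrypt(b"\x00\x00\x01", SECRET, M2)]

if __name__ == "__main__":
    for iv, (c1, c2) in reused_ivs(FRAMES).items():
        # Same IV and same key give the same keystream, so it cancels out of C1 XOR C2.
        assert xor(c1, c2) == xor(with_crc(M1), with_crc(M2))
        keystream = xor(c1, with_crc(M1))     # known plaintext yields the keystream
        print(iv.hex(), xor(c2, keystream)[:-4])
```

Running `reused_ivs` over your own captured IV values shows how quickly a given adapter repeats them, which is the property the rest of this section depends on.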
Ideally, each packet would have a different IV value (and thus a different keystream value), which would make any efforts to obtain and track this type of information too processor-intensive for current technology. But the 802.11 standard doesn't require that each packet have a different IV value (although the standard suggests it), and it doesn't provide a method for calculating random IV values.
Sidney Moore May 21, 2002