Schweitzer Engineering Laboratories SEL-3022 Instruction Manual page 88

C.6 Wireless Operator Interface Security
IEEE 802.11 WEP Security
WEP Security Flaws Explanation
WEP is based on a two-part encryption algorithm called RC-4. The first stage of the
encryption process, known as the Key Scheduling Algorithm (KSA), takes a string of
key bits as input and forms an output initialization string. The second stage, known as
the Pseudo-Random Generation Algorithm (PRGA), produces a pseudo-random
bitstream of arbitrary length. The value of this string of bits depends on the initializing
permutation the KSA produces. Note that a given KSA input will always produce the
same PRGA output. The designers of the IEEE 802.11 standard wanted the process of
decrypting a single packet to be independent of all previous and future packets.
Because of this requirement, the output of the PRGA function has to be reset at the
beginning of every packet. If this were done without also changing the input to the
KSA function, the encryption stream would be identical for every packet and the
resulting encryption process would be trivially broken. Because of this, the input to the
KSA function is a concatenation of a secret key (104 bits in the case of the SEL-3022
wireless operator interface) with a 24-bit Initialization Vector (IV). By changing the IV
on every packet, the WEP encryption process ensures that the probability of any two,
randomly chosen packets being encrypted with the same PRGA output (known as an
"IV collision") is sufficiently low.
For each data packet, the concatenation of the key and IV serves as the input to the RC-
4 algorithm, which produces a string of pseudo-random encryption bits (with a length
equal to the length of the original data packet). To perform the encryption operation,
the encryption bit string is added modulo 2 (XOR) to the original contents of the
packet. The IV used during the encryption process is then concatenated with the
resulting ciphertext to form the final message. A major contributor to the relative
weaknesses of the WEP encryption process is the fact that the IV is appended to the
ciphertext and transmitted unencrypted. The following text explains the details of these
weaknesses.
In an August 2001 presentation at the Eighth Annual Workshop on Selected Areas in
Cryptography of an article titled "Weaknesses in the Key Scheduling Algorithm of
RC4," authors Fluhrer, Mantin, and Shamir published formal proofs of some potential
weaknesses in the RC-4 algorithm. In a later paper, published in the AT&T Labs
Technical Report TD-4ZCPZZ of August 2001 titled "Using the Fluhrer, Mantin, and
Shamir Attack to Break WEP," authors Stubblefield, Ioannidis, and Rubin
demonstrated that the WEP algorithm was designed in such a way as to contain the
worst of the weaknesses that Fluhrer, Mantin, and Shamir's paper outlined.
Furthermore, Stubblefield, Ioannidis, and Rubin demonstrated that a passive attack
could be used to successfully determine a 104-bit secret key in just a few hours on a
moderately loaded wireless LAN. Based on these results, Stubblefield, Ioannidis, and
Rubin urged network designers to assume that the IEEE 802.11 link layer offers very
little security and to employ additional security measures in addition to WEP. The
SEL-3022 design incorporates these additional security measures in the form of
cryptographically sound 128-bit AES encryption and HMAC SHA-1 authentication
(see The SEL Security Application on page C.9 for further explanation).
SEL-3022 Transceiver
Cryptographic Manual—Do Not Copy
Preliminary Copy
Instruction Manual
Date Code 20050615