WIR-101 Week 3 — WEP: A Cryptographic Autopsy

"WEP is broken... RC4 was never designed to be used with related keys." — Fluhrer, Mantin, and Shamir, "Weaknesses in the Key Scheduling Algorithm of RC4" (2001)


Lecture (50 min)

3.1 WEP Design Goals and the Shared Key Model

Wired Equivalent Privacy (1997) was 802.11's original security mechanism. The design goal was simple: provide a level of privacy equivalent to a wired network. The threat model was a passive eavesdropper in the parking lot, not a cryptanalyst.

WEP uses:

  • RC4 stream cipher for encryption
  • 24-bit IV (Initialization Vector) prepended to the key
  • CRC-32 for integrity (ICV -- Integrity Check Value)
  • 40-bit or 104-bit shared key (64-bit or 128-bit total, including IV)

The WEP encryption process:

  1. Choose a 24-bit IV (often sequential or random; the spec does not mandate random)
  2. Concatenate IV + Shared Key → input to RC4 key scheduling algorithm (KSA)
  3. RC4 KSA produces a keystream
  4. XOR keystream with (Plaintext + ICV)
  5. Transmit: IV (cleartext) + Ciphertext

The IV is transmitted in cleartext so the receiver can reconstruct the same keystream.

3.2 Why RC4 + Small IV Breaks

RC4 is a stream cipher. XOR-based stream ciphers have a critical property: if the same keystream is used twice, XORing the two ciphertexts eliminates the keystream:

C1 = P1 XOR KS
C2 = P2 XOR KS
C1 XOR C2 = P1 XOR P2

With a 24-bit IV, there are only 2^24 = ~16 million possible IVs. On a busy access point, IV collisions occur within hours. The FMS attack (Fluhrer, Mantin, Shamir, 2001) goes further: certain IV values (called "weak IVs") leak information about the key bytes due to biases in RC4's key scheduling algorithm.
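The XOR identity and the IV-space arithmetic above can be checked directly. The following Python is an added example for these notes, not code from the course, the FMS paper or aircrack-ng; the shared key, IVs and plaintexts are constructed sample values. It implements textbook RC4, keys it WEP-style with IV || shared key, shows that reusing an IV makes the keystream cancel out of C1 XOR C2, and applies the birthday bound to estimate how many random IVs it takes before a repeat becomes likely. It goes beyond the text by evaluating the same bound for the 48-bit IV that TKIP later adopted (section 3.5).

```python
"""Keystream reuse in a WEP-style RC4 construction, plus the IV birthday bound.

Added illustration for these notes; not code from the course, the FMS paper
or aircrack-ng. Key, IVs and plaintexts are constructed sample values.
"""
import math

# Constructed sample values (a 40-bit shared key and two 24-bit IVs).
SAMPLE_KEY = bytes.fromhex("0102030405")
SAMPLE_IV_A = bytes.fromhex("000001")
SAMPLE_IV_B = bytes.fromhex("000002")


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: build the 256-byte permutation S from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 PRGA: walk the KSA permutation and emit `length` keystream bytes."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-frame WEP-style encryption: RC4 keyed with IV || shared key.
    The CRC-32 ICV that WEP appends is left out here; section 3.3 covers it."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def ciphertext_xor_equals_plaintext_xor(shared_key, iv1, iv2, p1, p2) -> bool:
    """True when C1 XOR C2 == P1 XOR P2, i.e. the keystream cancelled out.
    Holds whenever iv1 == iv2 (same RC4 key, same keystream); fails otherwise."""
    c1 = wep_style_encrypt(shared_key, iv1, p1)
    c2 = wep_style_encrypt(shared_key, iv2, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def frames_until_collision(iv_bits: int, probability: float = 0.5) -> int:
    """Birthday bound: number of uniformly random IVs drawn from a 2**iv_bits
    space after which the chance of at least one repeat reaches `probability`:
    n ~= sqrt(2 * N * ln(1 / (1 - p))), with N = 2**iv_bits."""
    n_space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n_space * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    p1 = b"frame one payload"
    p2 = b"frame two payload"
    print("same IV ->", ciphertext_xor_equals_plaintext_xor(SAMPLE_KEY, SAMPLE_IV_A, SAMPLE_IV_A, p1, p2))
    print("new IV  ->", ciphertext_xor_equals_plaintext_xor(SAMPLE_KEY, SAMPLE_IV_A, SAMPLE_IV_B, p1, p2))
    print("24-bit IV: ~%d random frames to a 50%% collision chance" % frames_until_collision(24))
    print("48-bit IV: ~%d random frames to a 50%% collision chance" % frames_until_collision(48))
```

The birthday figure (a few thousand frames for 24 bits, assuming uniformly random IVs) is the optimistic case; sequential IVs that restart at zero on every reboot, which the spec permits, repeat far sooner. Moving to 48 bits pushes the same 50% point to roughly twenty million frames, and TKIP additionally mixes the IV into the per-frame key instead of simply prepending it.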

The attack:

  1. Collect IVs with specific patterns (e.g., first byte = 3, second byte = N+1, third byte = anything)
  2. Each weak IV leaks one byte of the key with 5% probability
  3. With enough weak IVs, statistical analysis recovers the full key

In practice: aircrack-ng can crack a 40-bit WEP key with ~5,000 IVs and a 104-bit key with ~40,000 IVs, collected in minutes on a busy network.

3.3 The Chopchop Attack and ICV Weakness

CRC-32 is not a cryptographic MAC. It is linear: flipping a bit in the ciphertext results in a predictable, correctable change to the ICV. The Chopchop attack exploits this:

  1. Capture an encrypted WEP packet
  2. Strip the last byte; compute a modified ICV
  3. Submit the modified packet to the AP; if the AP responds with an ACK, the byte was guessed correctly
  4. Repeat for all bytes, recovering the plaintext one byte at a time
  5. Use recovered plaintext to generate an RC4 keystream for that IV
  6. Inject arbitrary packets encrypted under that IV

The Chopchop + ARP replay combination allows an attacker to generate traffic at high speed without knowing the WEP key, accelerating IV collection and shortening crack time to minutes.
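The linearity of CRC-32 stated at the start of 3.3 is the root of both Chopchop and the older bit-flipping attacks, and it is easy to verify. The following Python is an added example for these notes, not course material or aircrack-ng code; the payload, XOR mask and key are constructed sample values. It shows that the ICV change caused by a given payload modification depends only on the modification (so it can be computed without the key or the plaintext), that a CRC-32 verifier therefore accepts the adjusted packet, and that a keyed MAC such as HMAC-SHA256 has no such property.

```python
"""Why a CRC-32 ICV is not a MAC: CRC-32 is linear, so the change a payload
modification makes to the ICV depends only on the modification and can be
computed without the key; an HMAC tag has no such property.

Added illustration for these notes; not course material or aircrack-ng code.
Payload, modification mask and key below are constructed sample values.
"""
import hashlib
import hmac
import zlib

# Constructed sample values (not from any real capture).
SAMPLE_PAYLOAD = b"PUT /config HTTP/1.0"
# XOR mask of the same length that flips one bit in byte 5.
SAMPLE_DELTA = bytes(5) + b"\x04" + bytes(len(SAMPLE_PAYLOAD) - 6)
SAMPLE_KEY = b"constructed-demo-key"


def icv(data: bytes) -> int:
    """WEP-style ICV: a plain, unkeyed CRC-32 of the payload."""
    return zlib.crc32(data) & 0xFFFFFFFF


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_is_linear(a: bytes, b: bytes) -> bool:
    """CRC-32 (standard init/xorout) is affine over GF(2):
    crc(a ^ b) == crc(a) ^ crc(b) ^ crc(00..00) for equal-length inputs."""
    zero = bytes(len(a))
    return icv(xor_bytes(a, b)) == icv(a) ^ icv(b) ^ icv(zero)


def icv_correction(delta: bytes) -> int:
    """ICV change caused by XORing `delta` into any payload of that length.
    By linearity it equals crc(delta) ^ crc(00..00), independent of the payload."""
    return icv(delta) ^ icv(bytes(len(delta)))


def correction_is_payload_independent(delta: bytes, payload_a: bytes, payload_b: bytes) -> bool:
    """The same delta produces the same ICV change on two unrelated payloads,
    which is why a modification can be 'corrected' without seeing the plaintext."""
    change_a = icv(xor_bytes(payload_a, delta)) ^ icv(payload_a)
    change_b = icv(xor_bytes(payload_b, delta)) ^ icv(payload_b)
    return change_a == change_b == icv_correction(delta)


def crc_icv_accepts_modified(payload: bytes, delta: bytes) -> bool:
    """A CRC-32 integrity check accepts a modified payload whose attached ICV was
    adjusted by icv_correction(delta); nothing secret was needed to do so."""
    original_tag = icv(payload)
    modified = xor_bytes(payload, delta)
    adjusted_tag = original_tag ^ icv_correction(delta)
    return icv(modified) == adjusted_tag


def hmac_accepts_modified(key: bytes, payload: bytes, delta: bytes) -> bool:
    """Same experiment with a keyed MAC (HMAC-SHA256). Without the key there is
    no rule mapping a payload change to a tag change, so the verifier rejects."""
    original_tag = hmac.new(key, payload, hashlib.sha256).digest()
    modified = xor_bytes(payload, delta)
    recomputed = hmac.new(key, modified, hashlib.sha256).digest()
    return hmac.compare_digest(recomputed, original_tag)


if __name__ == "__main__":
    other = b"GET /index.html HTTP"  # another constructed 20-byte payload
    print("CRC-32 linear:", crc32_is_linear(SAMPLE_PAYLOAD, other))
    print("ICV correction payload-independent:", correction_is_payload_independent(SAMPLE_DELTA, SAMPLE_PAYLOAD, other))
    print("CRC-32 ICV accepts adjusted modification:", crc_icv_accepts_modified(SAMPLE_PAYLOAD, SAMPLE_DELTA))
    print("HMAC accepts unkeyed modification:", hmac_accepts_modified(SAMPLE_KEY, SAMPLE_PAYLOAD, SAMPLE_DELTA))
```

Because WEP encrypts the ICV under the same RC4 keystream as the payload, XOR is transparent through the encryption layer: the same mask and correction apply to the ciphertext. That is the design lesson carried into 3.5, and the reason WPA's TKIP added a keyed MIC (Michael) and WPA2's CCMP uses a CBC-MAC tag.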

3.4 The KoreK and PTW Improvements

The 2004 KoreK attacks and the 2007 Pyshkin-Tews-Weinmann (PTW) improvement significantly reduced the IVs needed:

  • KoreK (2004): 17 statistical attacks running simultaneously; requires ~500,000 IVs for 104-bit key
  • PTW (2007): correlates full RC4 keystream against the key, exploits first-byte bias; requires ~40,000 IVs for 104-bit with 50% success; ~85,000 IVs for 95%

The PTW attack is what modern aircrack-ng implements. On a real busy WEP network, collection time is measured in minutes.

3.5 Lessons from WEP's Failure

WEP failed not from an implementation bug but from fundamental design flaws:

  1. No IV freshness guarantee: the spec permits any IV, including repeated or sequential values
  2. Short IV space: a 24-bit IV is too small for the collision resistance required
  3. Non-cryptographic integrity: CRC-32 is designed for error detection, not authentication; it does not prevent forgery
  4. Keying material reuse: the KSA is sensitive to related keys; concatenating IV + key produces related-key inputs

WPA (2003) was an emergency patch standard designed to run on existing WEP hardware with a firmware update. It introduced TKIP (Temporal Key Integrity Protocol), which addressed the IV problem by using a 48-bit IV and mixing the per-frame key before feeding it to RC4. WPA2 (2004) replaced RC4 entirely with AES-CCMP.

The WEP autopsy teaches a universal principle: cryptographic security requires that the underlying primitive be used as its designers specify. RC4 is not broken per se; using it with related keys derived from a short IV is broken.


Lab Preview

Lab 3 runs the full WEP crack chain against the instructor-provided WEP AP: monitor mode → IV capture → ARP replay to accelerate collection → aircrack-ng PTW crack. By the end of the lab, you will have recovered the WEP key and can generate valid WEP-encrypted frames.


Homework

Reading (45 min): Read the abstract and introduction of the original FMS paper (Fluhrer, Mantin, Shamir, 2001 -- linked from the course portal). Then read the Wikipedia article on RC4's key scheduling algorithm weakness. You are building intuition for why the attack works, not implementing it.

Hands-on (60 min): Using the provided WEP PCAP file (course portal), run aircrack-ng in PTW mode. Record: number of IVs at crack success, the recovered key (in hex), the time taken. Then answer: if the WEP key were 256 bits but the IV were still 24 bits, would the FMS/PTW attack still work? Explain.


Toolchain Diary Entry

First introduced this week: aircrack-ng

aircrack-ng -K capture.pcap: run PTW attack against WEP capture. The -K flag selects Korek/PTW; default (no flag) is FMS/KoreK. PTW is faster and preferred.

aircrack-ng -a 1 -b BSSID capture.pcap: explicitly target WEP mode (-a 1) on a specific AP.

aireplay-ng -3 -b BSSID -h OWN_MAC wlan0mon: ARP replay attack. Captures ARP requests and replays them to generate new encrypted traffic (and thus new IVs) at high speed.


Key Terms

  • RC4: stream cipher; XOR-based; vulnerable to related-key attacks when IV is short and prepended to the key
  • IV (Initialization Vector): per-frame random (or sequential) value prepended to the WEP key before RC4; must be unique per key to prevent keystream reuse
  • FMS attack: Fluhrer-Mantin-Shamir; exploits RC4 KSA bias to recover key bytes from weak IVs
  • PTW attack: Pyshkin-Tews-Weinmann; more efficient than FMS; requires ~40k IVs for 104-bit WEP
  • ICV: Integrity Check Value; CRC-32 appended to plaintext before RC4 encryption; not a cryptographic MAC
  • Chopchop attack: byte-at-a-time ICV manipulation to recover WEP plaintext without the key
  • ARP replay: inject replayed ARP requests to generate traffic and accelerate IV collection