WEP Working

Uploaded by

gss_1987

WEP

Do I need WEP at all?


An authorized user, Bob, uses his laptop to check his Gmail account every day. He
has a wireless card in his laptop which automatically detects his ISP's wireless
access point (WAP) just across the street. Once he's connected to the WAP he can
go ahead and check his email. Alice is a sneaky user who doesn't want to pay the
ISP for access to the Internet. She knows, however, that the ISP across the street
has an access point which anyone can connect to and use to access the Internet.
She plugs in her laptop and is soon downloading music from the Internet. WEP was
designed to ensure that users authenticate themselves before using resources, to
block out Alice and allow Bob. Let's see how it does this.
How WEP works
WEP uses the RC4 algorithm to encrypt the packets of information as they are sent
out from the access point or wireless network card. As soon as the access point
receives the packets sent by the user's network card it decrypts them.
Each byte of data will be encrypted using a different packet key. This ensures that if
a hacker does manage to crack this packet key the only information that is leaked
is that which is contained in that packet.
The actual encryption logic in RC4 is very simple. The plain text is XOR-ed with an
infinitely long keystream. The security of RC4 comes from the secrecy of the packet
key that's derived from the keystream.
So what's a packet key?
The packet key is formed by combining a pre-shared password, a state array and
an initialization vector (IV). Let's first understand each of these terms:
Pre-shared Password: The same pre-shared password is used by all users for each
packet that is transmitted.
State Array: It's a series of numbers which are scrambled and then used by RC4 to
construct the key stream.
Initialization Vector (IV): The IV is a 3-byte random number generated by the
computer. It's either prepended or appended to the cipher text and sent to the
receiver who strips the IV off before decrypting the cipher text.
The RC4 algorithm consists of 2 main parts:
The Key Scheduling Algorithm: The KSA process involves creating a scrambled
state array. This state array will now be used as input in the second phase, called
the PRGA phase.
The Pseudo Random Generation Algorithm: The state array from the KSA process
is used here to generate a final key stream. Each byte of the key stream generated
is then Xor'ed with the corresponding plain text byte to produce the desired cipher
text.
Key Scheduling Algorithm
The IV is calculated using a state array and properties of the pre-shared password.
This is accomplished by creating an array of values equal to the index you want to
use in the algorithm. The Index for WEP by default is 256. The components required
for the KSA are the values of the variables i and j, the index value, the pre-shared
password and its length.
Initialization:
For i = 0 ... index-1

    state[i] = i

j = 0
Scrambling:
For i = 0 ... index-1

    j = (j + state[i] + K[i mod length]) mod index

    Swap(state[i], state[j])
A loop first runs from 0 to index-1 to initialize the state array with the values 0
to index-1. For example, if index = 4, the state array is filled with the values 0
to 3, so the array values are as follows:
state[0]=0 state[1]=1 state[2]=2 state[3]=3
The value of j is set to 0, and a second loop is then started. On each pass through
the loop, the value of j is recalculated, and the value held in state[i] is swapped
with the value held in state[j].
Pseudo Random Generation Algorithm (PRGA)
A pseudorandom number generator (PRNG) is an algorithm that generates a
random sequence of numbers. The PRGA is responsible for creating the streaming
values used to encrypt the plaintext, which is based on the state array, the output
of the KSA. The methodology that the PRGA follows is outlined below.
Initialization:
i = 0   j = 0   index = 4
Generation Algorithm:
i = (i + 1) mod index

j = (j + state[i]) mod index

Swap(state[i], state[j])

z = state[(state[i] + state[j]) mod index]


The streaming value is created by looping through the algorithm once for each byte
of the packet. The variables i and j are initialized to 0. For each byte, the value
of j is calculated, and the array value held in state[i] is swapped with the value
held in state[j]. The output z is then calculated for that byte. At the end of the
process we have a PRGA stream.
The PRGA stream is then XOR-ed with the plain text to generate the cipher text,
which is transmitted to the other party.
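The two phases above, written out as an added Python example (not code from the original document) and run at WEP's default index of 256 rather than a toy index of 4. It assumes the packet key is the 3-byte IV followed by the pre-shared password, as in standard WEP; the function names and the sample password and IV are constructed here, and the CRC-32 integrity value that real WEP frames carry is left out.

```python
def ksa(key: bytes, index: int = 256) -> list:
    """Key Scheduling Algorithm: scramble the state array using the key."""
    state = list(range(index))
    j = 0
    for i in range(index):
        j = (j + state[i] + key[i % len(key)]) % index
        state[i], state[j] = state[j], state[i]
    return state


def prga(state: list, n: int) -> bytes:
    """Pseudo Random Generation Algorithm: emit n keystream bytes."""
    state = list(state)  # work on a copy of the KSA output
    index = len(state)
    i = j = 0
    stream = bytearray()
    for _ in range(n):
        i = (i + 1) % index
        j = (j + state[i]) % index
        state[i], state[j] = state[j], state[i]
        stream.append(state[(state[i] + state[j]) % index])
    return bytes(stream)


def packet_keystream(password: bytes, iv: bytes, n: int) -> bytes:
    """Keystream for one packet; assumes packet key = IV || password."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 3 bytes")
    return prga(ksa(iv + password), n)


def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(d ^ s for d, s in zip(data, stream))


def wep_encrypt(password: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || ciphertext; the IV travels in the clear."""
    return iv + xor(plaintext, packet_keystream(password, iv, len(plaintext)))


def wep_decrypt(password: bytes, frame: bytes) -> bytes:
    """Strip the IV off the frame, rebuild the keystream, and XOR again."""
    iv, ciphertext = frame[:3], frame[3:]
    return xor(ciphertext, packet_keystream(password, iv, len(ciphertext)))


# Constructed sample values (not from the original document).
PASSWORD = b"6258"
IV = bytes([0x01, 0x02, 0x03])
frame = wep_encrypt(PASSWORD, IV, b"TEST")
print(frame.hex(), wep_decrypt(PASSWORD, frame))
```

Because the pre-shared password is the same for every packet, any two packets that carry the same IV are encrypted with the same keystream.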
An Example
Let's illustrate the above concepts in the form of an example. The plain text that is
to be encrypted is TEST. The password which will be used here is 6258. The initial
values of our variable are as follows:
i=0 j=0 password=6258 pass length=4 index=4
Following the algorithm we get:
Step 1
State array: State[0]=0 State[1]=1 State[2]=2 State[3]=3

Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8

j = [0 + S[0] + K[0]] mod 4 = 6 mod 4 = 2

Swap(State[0] , State[2]) = Swap(0,2)

State[0]=2 State[1]=1 State[2]=0 State[3]=3

Step 2
i=1 j=2

State array: State[0]=2 State[1]=1 State[2]=0 State[3]=3

Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8


j = [2 + S[1] + K[1]] mod 4 = 5 mod 4 = 1

Swap(State[1], State[2]) = Swap(1,0)

State[0]=2 State[1]=0 State[2]=1 State[3]=3

Step 3
i=2 j=1

State array: State[0]=2 State[1]=0 State[2]=1 State[3]=3

Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8

j = [1 + State[2] + K[2]]mod 4 = 7 mod 4 = 3

Swap(State[2], State[3]) = Swap(1,3)

State[0]=2 State[1]=0 State[2]=3 State[3]=1

Step 4
i=3 j=3

State array: State[0]=2 State[1]=0 State[2]=3 State[3]=1

Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8

j = [3 + State[3] +K[3]]mod 4 = 12 mod 4 = 0

Swap(State[3], State[0]) = Swap(1,2)

State[0]=1 State[1]=0 State[2]=3 State[3]=2

Final State Array: State[0]=1 State[1]=0 State[2]=3 State[3]=2


Once the KSA state array is ready, the PRGA procedure is initialized. The
procedure is as follows:
Initially i=0 j=0

K[0]=6 K[1]=2 K[2]=5 K[3]=8


First Loop:
State[0]=1 State[1]=0 State[2]=3 State[3]=2

i=1 j=0+State[1]=0+0=0

Swap(State[1], State[0]) = Swap(0,1)

State[0]=0 State[1]=1 State[2]=3 State[3]=2

z = State[(State[1] + State[0]) mod 4] = State[1] = 1

z1 = 00000001
Second Loop:
State[0]=0 State[1]=1 State[2]=3 State[3]=2

i=2 j=0+State[2]=3

Swap(State[2], State[3]) = Swap(3,2)

State[0]=0 State[1]=1 State[2]=2 State[3]=3

z = State[(State[2] + State[3]) mod 4] = State[1] = 1

z2 = 00000001
Third Loop:
State[0]=0 State[1]=1 State[2]=2 State[3]=3

i=3 j=3+State[3]=6 mod 4 = 2

Swap(State[3],State[2]) = Swap(3,2)

State[0]=0 State[1]=1 State[2]=3 State[3]=2

z = State[(State[3] + State[2]) mod 4] = State[1] = 1

z3 = 00000001
Fourth Loop:
State[0]=0 State[1]=1 State[2]=3 State[3]=2

i=4 j=2+State[4]=2+State[4 mod 4] = 2+State[0] = 2

Swap(State[4],State[2]) = Swap(State[0],State[2]) = Swap(0,3)

State[0]=3 State[1]=1 State[2]=0 State[3]=2

z4 = State[State[4] + State[2]] = State[State[0] + State[2]] = State[3] = 2

z4 = 00000010
The outputs z1-z4 at the end of each loop must be Xor'ed with the ASCII of each
character of plain text which in our case is TEST. Hence the cipher text for the plain
text TEST will be as follows:
T xor z1 = 01010100 xor 00000001 = 01010101 = U

E xor z2 = 01000101 xor 00000001 = 01000100 = D

S xor z3 = 01010011 xor 00000001 = 01010010 = R

T xor z4 = 01010100 xor 00000010 = 01010110 = U


The word TEST when encrypted with WEP is UDRU.

ASCII printable characters


Code 32 is the "space" character, denoting the space between words, which is produced by the large space bar of a
keyboard. Codes 33 to 126 are called the printable characters, which represent letters, digits, punctuation marks, and
a few miscellaneous symbols.
Seven bit ASCII provided seven "national" characters and, if the combined hardware and software permit, can use
overstrikes to simulate some additional international characters: a BackSpace can be followed with the grave accent
(which the American and British standards, but only the American and British standards, also call "opening single
quotation mark"), a tilde, or a breath mark (inverted vel).

Binary Decimal Hex Graphic Binary Decimal Hex Graphic Binary Decimal Hex Graphic
0010 0000 32 20 (blank) (␠) 0100 0000 64 40 @ 0110 0000 96 60 `
0010 0001 33 21 ! 0100 0001 65 41 A 0110 0001 97 61 a
0010 0010 34 22 " 0100 0010 66 42 B 0110 0010 98 62 b
0010 0011 35 23 # 0100 0011 67 43 C 0110 0011 99 63 c
0010 0100 36 24 $ 0100 0100 68 44 D 0110 0100 100 64 d
0010 0101 37 25 % 0100 0101 69 45 E 0110 0101 101 65 e
0010 0110 38 26 & 0100 0110 70 46 F 0110 0110 102 66 f
0010 0111 39 27 ' 0100 0111 71 47 G 0110 0111 103 67 g
0010 1000 40 28 ( 0100 1000 72 48 H 0110 1000 104 68 h
0010 1001 41 29 ) 0100 1001 73 49 I 0110 1001 105 69 i
0010 1010 42 2A * 0100 1010 74 4A J 0110 1010 106 6A j
0010 1011 43 2B + 0100 1011 75 4B K 0110 1011 107 6B k
0010 1100 44 2C , 0100 1100 76 4C L 0110 1100 108 6C l
0010 1101 45 2D - 0100 1101 77 4D M 0110 1101 109 6D m
0010 1110 46 2E . 0100 1110 78 4E N 0110 1110 110 6E n
0010 1111 47 2F / 0100 1111 79 4F O 0110 1111 111 6F o
0011 0000 48 30 0 0101 0000 80 50 P 0111 0000 112 70 p
0011 0001 49 31 1 0101 0001 81 51 Q 0111 0001 113 71 q
0011 0010 50 32 2 0101 0010 82 52 R 0111 0010 114 72 r
0011 0011 51 33 3 0101 0011 83 53 S 0111 0011 115 73 s
0011 0100 52 34 4 0101 0100 84 54 T 0111 0100 116 74 t
0011 0101 53 35 5 0101 0101 85 55 U 0111 0101 117 75 u
0011 0110 54 36 6 0101 0110 86 56 V 0111 0110 118 76 v
0011 0111 55 37 7 0101 0111 87 57 W 0111 0111 119 77 w
0011 1000 56 38 8 0101 1000 88 58 X 0111 1000 120 78 x
0011 1001 57 39 9 0101 1001 89 59 Y 0111 1001 121 79 y
0011 1010 58 3A : 0101 1010 90 5A Z 0111 1010 122 7A z
0011 1011 59 3B ; 0101 1011 91 5B [ 0111 1011 123 7B {
0011 1100 60 3C < 0101 1100 92 5C \ 0111 1100 124 7C |
0011 1101 61 3D = 0101 1101 93 5D ] 0111 1101 125 7D }
0011 1110 62 3E > 0101 1110 94 5E ^ 0111 1110 126 7E ~
0011 1111 63 3F ? 0101 1111 95 5F _
