WEP stands for Wired Equivalent Privacy. It is a kind of encryption protocol used to protect a wireless network. WEP key is like a security passcode for the Wifi devices. It allows a group of devices on a local network to exchange encrypted messages between them while hiding the actual contents of the messages from being viewed easily by outsiders.
WEP was introduced in September 1999 but, within a few years, researchers found out several faults in its design. It was found to be very weak and, it was possible for a hacker to determine the WEP key for breaking into an active wifi network, by using some tools, in a jiffy.
Therefore, its use was terminated gradually in favor of several strong and better protocols like WPA and WPA2.
In this article, we will get to know how does a WEP key functions, its importance, the reasons for it to become obsolete and what are its replacements.
How does a WEP key work?
Network administrators select the WEP keys to be used on their networks. Standard 64-bit WEP uses a 40-bit key and has a 24-bit initialization vector (IV) associated with it. It is also called WEP-40.
Initially, cryptographic technology restricted the key size. With the abolishment of all the restrictions, an extended 128-bit WEP protocol was developed using a 104-bit key (WEP-104).
64-bit WEP and 128-bit WEP
A 64-bit WEP key is generally entered as a string of 10 hexadecimal characters comprising of (0-9) and (A-F). Every character represents 4 bits, and there are 10 characters. Thus, 4*10=40 bits.
On concatenating the 24-bit initialization vector, the complete 64-bit WEP key is produced. Many devices also permit the user to enter the key as 5 ASCII characters (0-9, a-z, A-Z) where each of them is of 8 bits.
For this case, it will be (8 bits *5 + 24 bits IV) = 64-bit WEP key.
A 128-bit WEP key is typically entered as a string of 26 hexadecimal characters. Each character is of 4 bits, and thus 26 digits of 4 bits each produce 104 bits.
On adding the 24-bit IV (26*4 + 24=128), the 128-bit WEP key is obtained.
Many devices permit the user to enter the key as 13 ASCII characters of 8 bits each, and on concatenating them with the 24-bit IV, the 128-bit WEP key is produced.
Some examples of WEP keys are as follows
The length of the key depends on the version of the WEP standard run by the network.
Authentication of WEP
WEP has two types of authentication process:
- Open System authentication
- Shared key authentication
In the first type, while authenticating, there is no need for the WLAN client to provide its credentials to the Access Point.
When WEP keys are used for encrypting the data frames, then the client must possess the right keys.
In the second type, the method of authentication involves a four-step challenge-response handshake. They are given below.
- An authentication request is sent by the client to the Access Point.
- The Access Point responds with a clear-text challenge
- The client encrypts this text with the help of the configured WEP key and resends to the Access Point in another request.
- The Access Point replies with a positive response if the request from client matches with the challenge text after decryption.
Some public websites are available that help in generating WEP keys with random key values. This makes it difficult for outsiders to guess it.
Also, few wireless network equipment brands help in the automatic creation of correct WEP keys from regular text (passphrase).
What is the importance of WEP key?
When Wifi networking first originated, the security of wireless networks was remarkably less compared with that of wired Ethernet network.
There were repeated instances of network sniffer programs helping intruders to gain access to other active wifi networks illegally.
Thus, the sniffers could easily view confidential information of the users like login credentials, passwords, and data sent over the networks. This technique came to be known as wardriving.
Also, the internet connection could be used without the legitimate user’s consent.
Thus, WEP was introduced with the motive of protecting Wifi networks. It intended to provide security and data confidentiality to the wireless networks, just like the one supplied by wired networks.
It provides security by encrypting the data transmitted over the WLAN. Data encryption protects the vulnerable wireless link between clients and access points.
WEP was the only standard, supporting wifi protection, during the earlier period.
Why did WEP keys turn obsolete?
Several faults were figured out in WEP, as time passed by. Anyone with appropriate tools and technical skills could easily break into the WEP-protected networks in just a few minutes.
The underlying encryption engine of WEP is RC4, and the problem concerning WEP is not RC4, but the way RC4 has been incorporated.
To be specific, there is a fault in the implementation of IV as it allows IV-repetition. This violates the very first rule of RC4 – “Never reuse a key”.
There are weaknesses in the Key Scheduling Algorithm of RC4. These vulnerabilities are exploited by several tools like AirSnort, WEPCrack, etc. They can crack WEP keys by analyzing traffic from passive data captures.
If your network is continuously generating traffic at high speeds, then the WEP key can be cracked by capturing just a few hours of encrypted data.
However, on a network with minimal activity, this attack can take several days or weeks.
Management and administration of WEP keys are abysmal on large networks. Users seldom change keys, and therefore the hacker gets ample time to gather packets for launching an attack.
Also, master keys are often used to generate temporary keys, which is not recommended from the cryptographic point of view.
Thus, there are significant chances of hackers gaining access over your sensitive data if you use WEP.
How was the WEP issue fixed?
Some techniques were undertaken to fix the flaws of WEP, but they could not ultimately hold WEP’s position in the market. However, they were
It extended the IV value as well as, increased the key values to 128-bits. WEP2 attempted to remove duplicate IV issues and reduce brute force key attacks.
But soon, the entire WEP algorithm was declared insufficient, and hence both WEP and WEP2 were dropped.
Agere Systems tried to improve WEP by avoiding the weak IVs. However, WEP+ failed to avert replay attacks.
Moreover, WEP+ worked effectively only when it was in use at both the ends of the connection, which is undoubtedly a significant limitation.
It changes WEP keys dynamically.
So, we see that though modifications were applied to WEP, still it could not meet the targets for ensuring the security of the users online. That’s why its use got terminated eventually.
What are the replacements of WEP? WEP, WPA
WEP was replaced by WPA (Wi-fi Protected Access) in 2004. It offers stronger encryption than WEP by the use of technology named Temporal Key Integrity Protocol (TKIP).
Unlike WEP, WPA also provides in-built authentication support.
WPA was upgraded to WPA2 in 2006 with more strengthened encryption method by implementing Advanced Encryption Standard (AES) technology.
Suggested read – Wireless Security Protocols – WEP, WPA, and WPA2
So, WEP was primarily introduced to provide security to the wireless networks when wifi networking first became famous. It encrypts data transmitted over the network by using keys and tries to offer protection and maintain data confidentiality.
But researchers eventually discovered multiple flaws in the entire WEP protocol. , and the WEP keys could be cracked down effortlessly. Thus, there was a high chance of privacy breach of users.
Reasons like the use of short IVs, reuse of IVs, weak keys, direct application of master keys, etc have outdated its use. Nowadays, newer techniques like WPA and WPA2 are implemented in place of WEP for providing better security online.