Question

Consider the following pseudo-WEP protocol. The key is 4 bits and the IV is 2 bits. The IV is appended to the end of the key when generating the keystream. Suppose that the shared secret key is 1010. The keystreams for the four possible inputs are as follows: 101000: 0010101101010101001011010100100 . . . 101001: 1010011011001010110100100101101 . . . 101010: 0001101000111100010100101001111 . . . 101011: 1111101010000000101010100010111 . . . Suppose all messages are 8-bits long. Suppose the ICV (integrity check) is 4-bits long, and is calculated by XOR-ing the first 4 bits of data with the last 4 bits of data. Suppose the pseudo-WEP packet consists of three fields: first the IV field, then the message field, and last the ICV field, with some of these fields encrypted. a. We want to send the message m = 10100000 using the IV = 11 and using WEP. What will be the values in the three WEP fields? b. Show that when the receiver decrypts the WEP packet, it recovers the message and the ICV. c. Suppose Trudy intercepts a WEP packet (not necessarily with the IV = 11) and wants to modify it before forwarding it to the receiver. Suppose Trudy flips the first ICV bit. Assuming that Trudy does not know the keystreams for any of the IVs, what other bit(s) must Trudy also flip so that the received packet passes the ICV check? d. Justify your answer by modifying the bits in the WEP packet in part (a), decrypting the resulting packet, and verifying the integrity check.

Short answer

(a) [11, 01011010, 0010]. (b) The receiver recovers m = 10100000 and ICV = 1010. (c) Trudy must also alter the message bits to maintain ICV consistency. (d) Adjust message to match new ICV.

Step-by-step solution

Calculate the ICV for Message m

The ICV is calculated by XOR-ing the first 4 bits of the message with the last 4 bits of the message. For message \(m = 10100000\): first 4 bits are \(1010\) and last 4 bits are \(0000\). The ICV is \(1010 \oplus 0000 = 1010\).

Determine the Keystream for IV = 11

The shared secret key is \(1010\) and the IV is \(11\), so the input to generate the keystream is \(101011\). The keystream for this input is \(1111101010000000\ldots\).

Encrypt the Message and ICV

To encrypt the message, XOR it with the first 8 bits of the keystream. For \(m = 10100000\) and keystream \(11111010\), \[10100000 \oplus 11111010 = 01011010\]For the ICV \(1010\) and the next 4 bits of the keystream \(1000\), \[1010 \oplus 1000 = 0010\].

Form the WEP Packet

The WEP packet consists of the IV, followed by the encrypted message, and then the encrypted ICV. The packet is \([11, 01011010, 0010]\).

Decrypt the WEP Packet at Receiver

To decrypt, the receiver XORs the encrypted message \(01011010\) with the same keystream \(11111010\) to get the original message:\[01011010 \oplus 11111010 = 10100000\]Similarly, the encrypted ICV \(0010\) is XORed with the next keystream bits \(1000\) to retrieve it:\[0010 \oplus 1000 = 1010\].

Trudy's Modification - Initial ICV Flip

Trudy wants to flip the first ICV bit. If the ICV is \(0010\), flipping the first bit results in \(1010\). The changed ICV must be \(\text{new ICV} = 1010\).

Adjust the Message for ICV Consistency

Since the ICV \(1010\) is derived by XOR-ing the first 4 bits with the last 4 bits, Trudy also needs to alter the message such that \(1010 \oplus \text{new last 4 bits} = \text{first 4 bits}\). She must XOR the first 4 bits of the altered message with the new ICV \(1010\).

Verify the Modified WEP Packet

To ensure the packet passes the integrity check, after the modifications, recalculate to verify the ICV. Adjusting the last 4 bits in step 7 ensures consistency with the flipped ICV, allowing the packet to be accepted by the receiver despite alterations.

Key concepts

WEP Protocol

The WEP (Wired Equivalent Privacy) protocol is an old security protocol designed for wireless networks. It aims to provide confidentiality and integrity to data transmitted over the network. WEP utilizes a combination of a secret shared key and an Initial Vector (IV) to generate a keystream. This keystream is used for encrypting and decrypting the data.

Though WEP was revolutionary when introduced, it has several well-known vulnerabilities. It relies on short keys, and its IV is transmitted in plaintext, which leads to susceptibility to attacks. Modern Wi-Fi networks typically use more secure alternatives, such as WPA or WPA2, for safeguarding transmitted information.

In the pseudo-WEP protocol described, the key length is 4 bits, which, although illustrative, emphasizes the lack of security inherent in WEP's design.

Encryption

Encryption in WEP involves the use of a keystream to alter the message data, making it unreadable to anyone who doesn't have the key or know the keystream. The encryption process involves XOR-ing the plaintext message with the first bits of the keystream.

For instance, in the given exercise, when the message ("m = 10100000") is encrypted, each bit is XOR-ed with the corresponding bit of the keystream. This encoded message is then transmitted across the network, where only someone with the shared key and the correct IV can decrypt it.

This method of encryption is simple, but again, it is not very secure by modern standards. With WEP, if an attacker captures enough packets, they can potentially discern the key and keystream used, allowing them to decrypt further communications.

Integrity Check

Integrity checks in WEP ensure that the message has not been altered during transmission. This is performed by using an Integrity Check Value (ICV), which is a form of checksum. In the exercise, the ICV is obtained by XOR-ing the first 4 bits of the data with the last 4 bits.

Once calculated, the ICV itself is also encrypted and sent with the message. Upon receipt, the receiver decrypts the ICV and verifies it with the recalculated ICV from the message to check for alterations.

However, the ICV is not cryptographically strong, and simple packet manipulations can bypass it, which is a critical flaw in WEP's design. This enables potential attackers to modify packets deliberately to pass these integrity checks without having access to the key or keystream.

Keystream Generation

Keystream generation is crucial in WEP for encrypting and decrypting data. It is produced by combining the shared secret key with the IV. The combined key and IV are used as input into a pseudo-random number generator, resulting in the keystream that encrypts the data.

In the exercise scenario, different values of the IV result in a different segment of the keystream being used. For the given IV of 11 and a key of 1010, the keystream used starts with 11111010. This unique keystream is essential to ensure that data encrypted with one IV cannot be trivially decrypted by listening to another.

Unfortunately, due to the limited IV space and weaknesses in WEP's algorithm, repeated use of the same keystream allows an attacker to sample enough packets to eventually crack the encryption and hence discover the keystream as well.