Wired Equivalent Privacy
{{short description|Deprecated security algorithm for wireless networks}}
'''Wired Equivalent Privacy''' ('''WEP''') is an obsolete and insecure [[Wireless security|security]] algorithm for 802.11 [[Wireless_LAN|wireless networks]]. It was introduced as part of the original [[IEEE 802.11]] standard ratified in 1997. The intention was to provide a level of security and privacy comparable to that of a traditional wired [[local area network|network]].<ref name=802.11-1997>{{Cite book |doi = 10.1109/IEEESTD.1997.85951|publisher = IEEE STD 802.11-1997|pages = 1–445|isbn = 1-55937-935-9|date = November 1997 | title=IEEE Standard for Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications }}</ref> WEP, recognizable by its key of 10 or 26 [[hexadecimal]] digits (40 or 104 bits), was at one time widely used, and was often the first security choice presented to users by router configuration tools.<ref name="Final_Nail">{{cite conference |author1=Andrea Bittau |author2=Mark Handley |author3=Joshua Lackey |url=http://www.cs.ucl.ac.uk/staff/M.Handley/papers/fragmentation.pdf |title=The Final Nail in WEP's Coffin |conference=2006 IEEE Symposium on Security and Privacy |access-date=2008-03-16 |url-status=live |archive-url=https://web.archive.org/web/20081031161532/http://www0.cs.ucl.ac.uk/staff/M.Handley/papers/fragmentation.pdf |archive-date=2008-10-31 |doi=10.1109/SP.2006.40}}</ref><ref>{{cite press release|title=Wireless Adoption Leaps Ahead, Advanced Encryption Gains Ground in the Post-WEP Era|url=http://www.rsa.com/press_release.aspx?id=8451|publisher=[[RSA Security]]|date=2007-06-14|access-date=2007-12-28|archive-url=https://web.archive.org/web/20080202141331/http://www.rsa.com/press_release.aspx?id=8451|archive-date=2008-02-02|url-status=dead}}</ref>

After a severe design flaw in the algorithm was disclosed in 2001,<ref name=1stfatalflaw>{{cite web |url=https://www.cs.cornell.edu/people/egs/615/rc4_ksaproc.pdf |title=Weaknesses in the Key
Scheduling Algorithm of RC4 |first1=Scott |last1=Fluhrer |first2=Itsik |last2=Mantin |first3=Adi |last3=Shamir |date=2001}}</ref> WEP was no longer considered a secure method of wireless connection; however, in the vast majority of cases, Wi-Fi hardware devices relying on WEP security could not be upgraded to secure operation. Some of WEP's design flaws were addressed in WEP2, but it also proved insecure, and never saw wide adoption or standardization.<ref>{{Cite web |date=10 October 2024 |title=WEP2: Wired Equivalent Privacy 2 |url=https://www.videoexpertsgroup.com/glossary/wep2 |access-date=14 May 2025 |website=Video Experts Group}}</ref> In 2003, the [[Wi-Fi Alliance]] announced that WEP and WEP2 had been superseded by [[Wi-Fi Protected Access]] (WPA). In 2004, with the ratification of the full 802.11i standard (i.e. WPA2), the IEEE declared that both WEP-40 and WEP-104 have been deprecated.<ref>{{cite web|title=What is a WEP key? |url=http://lirent.net/wifi/what-is-a-wep-key.html |access-date=2008-03-11 |url-status=dead |archive-url=https://web.archive.org/web/20080417005957/http://lirent.net/wifi/what-is-a-wep-key.html |archive-date=April 17, 2008}}</ref> WPA retained some design characteristics of WEP that remained problematic.<!-- Loshin again "The first version of WPA increased key length to 128 bits, and replaced the CRC-32 integrity check with the Temporal Key Integrity Protocol. However, WPA still uses the RC4 encryption algorithm, and retained other weaknesses from WEP." --> WEP was the only encryption protocol available to [[802.11a]] and [[802.11b]] devices built before the WPA standard, which was available for [[802.11g]] devices. However, some 802.11b devices were later provided with firmware or software updates to enable WPA, and newer devices had it built in.<ref>{{cite web|url=https://www.techrepublic.com/article/solutionbase-80211g-vs-80211b/|title=SolutionBase: 802.11g vs. 
802.11b|website=techrepublic.com|date=19 August 2004 }}</ref>

==History==
WEP was ratified as a Wi-Fi security standard in 1999. The first versions of WEP were not particularly strong, even for the time they were released, due to U.S. restrictions on the export of various cryptographic technologies. These restrictions led to manufacturers restricting their devices to only 64-bit encryption. When the restrictions were lifted, the encryption was increased to 128 bits. Despite the introduction of 256-bit WEP, 128-bit remains one of the most common implementations.<ref>{{cite web |url=https://www.howtogeek.com/167783/htg-explains-the-difference-between-wep-wpa-and-wpa2-wireless-encryption-and-why-it-matters/ |title=The Difference Between WEP, WPA and WPA2 Wi-Fi Passwords |last=Fitzpatrick |first=Jason |date=September 21, 2016 |website=How to Geek|access-date= November 2, 2018}}</ref>

==Encryption details==
WEP was included as the privacy component of the original [[IEEE 802.11]]<ref name=":0" /> standard ratified in 1997.<ref>{{cite book|last1=Harwood|first1=Mike|title=CompTIA Network+ N10-004 Exam Prep|date=29 June 2009|publisher=Pearson IT Certification|isbn=978-0-7897-3795-3|page=287|url=https://books.google.com/books?id=7b6_va4Sci0C|access-date=9 July 2016|chapter=Securing Wireless Networks|quote=WEP is an IEEE standard introduced in 1997, designed to secure 802.11 networks.}}</ref><ref>{{cite web|last1=Walker|first1=Jesse|title=A History of 802.11 Security|url=http://www.winlab.rutgers.edu/pub/docs/JesseWalker.pdf|website=Rutgers WINLAB|publisher=Intel Corporation|access-date=9 July 2016|archive-url=https://web.archive.org/web/20160709103935/http://www.winlab.rutgers.edu/pub/docs/JesseWalker.pdf|archive-date=9 July 2016|quote=IEEE Std 802.11-1997 (802.11a) defined Wired Equivalent Privacy (WEP).}}</ref> WEP uses the [[stream cipher]] [[RC4]] for [[confidentiality]],<ref name="inform">{{cite web|title=WPA Part 2: Weak
IV's|url=http://www.informit.com/guides/content.aspx?g=security&seqNum=85|publisher=informit.com|access-date=2008-03-16|archive-url=https://web.archive.org/web/20130516204046/http://www.informit.com/guides/content.aspx?g=security&seqNum=85|archive-date=2013-05-16|url-status=dead}}</ref> and the [[CRC-32]] checksum for [[Data integrity|integrity]].<ref>{{cite web|title=An Inductive Chosen Plaintext Attack against WEP/WEP2|url=http://www.cs.umd.edu/~waa/attack/v3dcmnt.htm|publisher=cs.umd.edu|access-date=2008-03-16}}</ref> It was deprecated in 2004 and is documented in the current standard.<ref name=802.11i>{{cite book|title=IEEE 802.11i-2004: Medium Access Control (MAC) Security Enhancements|url=http://standards.ieee.org/getieee802/download/802.11i-2004.pdf|year=2004|access-date=2007-12-18|archive-url=https://web.archive.org/web/20071129084500/http://standards.ieee.org/getieee802/download/802.11i-2004.pdf|archive-date=2007-11-29|url-status=dead}}</ref>

[[Image:Wep-crypt-alt.svg|frame|Basic WEP encryption: RC4 keystream XORed with plaintext]]

Standard 64-bit WEP uses a 40-[[bit]] key (also known as WEP-40), which is concatenated with a 24-bit [[initialization vector]] (IV) to form the RC4 key. At the time that the original WEP standard was drafted, [[Export of cryptography from the United States|the U.S. Government's export restrictions on cryptographic technology]] limited the [[key size]]. Once the restrictions were lifted, manufacturers of access points implemented an extended 128-bit WEP protocol using a 104-bit key size (WEP-104).

A 64-bit WEP key is usually entered as a string of 10 [[hexadecimal]] (base 16) characters (0–9 and A–F). Each character represents 4 bits; 10 digits of 4 bits each give 40 bits, and adding the 24-bit IV produces the complete 64-bit WEP key (4 bits × 10 + 24-bit IV = 64-bit WEP key).
Most devices also allow the user to enter the key as 5 [[ASCII]] characters (0–9, a–z, A–Z), each of which is turned into 8 bits using the character's byte value in ASCII (8 bits × 5 + 24-bit IV = 64-bit WEP key); however, this restricts each byte to be a printable ASCII character, which is only a small fraction of possible byte values, greatly reducing the space of possible keys.

A 128-bit WEP key is usually entered as a string of 26 hexadecimal characters. 26 digits of 4 bits each gives 104 bits; adding the 24-bit IV produces the complete 128-bit WEP key (4 bits × 26 + 24-bit IV = 128-bit WEP key). Most devices also allow the user to enter it as 13 ASCII characters (8 bits × 13 + 24-bit IV = 128-bit WEP key).

152-bit and 256-bit WEP systems are available from some vendors. As with the other WEP variants, 24 bits of that is for the IV, leaving 128 or 232 bits for actual protection. These 128 or 232 bits are typically entered as 32 or 58 hexadecimal characters (4 bits × 32 + 24-bit IV = 152-bit WEP key, 4 bits × 58 + 24-bit IV = 256-bit WEP key). Most devices also allow the user to enter it as 16 or 29 ASCII characters (8 bits × 16 + 24-bit IV = 152-bit WEP key, 8 bits × 29 + 24-bit IV = 256-bit WEP key).

==Authentication==
Two methods of authentication can be used with WEP: Open System authentication and Shared Key authentication.

In Open System authentication, the WLAN client does not provide its credentials to the access point during authentication. Any client can authenticate with the access point and then attempt to associate. In effect, no authentication occurs. Subsequently, WEP keys can be used for encrypting data frames. At this point, the client must have the correct keys.

In Shared Key authentication, the WEP key is used for authentication in a four-step [[challenge–response]] handshake:
# The client sends an authentication request to the access point.
# The access point replies with a [[plaintext|clear-text]] challenge.
# The client encrypts the challenge-text using the configured WEP key and sends it back in another authentication request.
# The access point decrypts the response. If this matches the challenge text, the access point sends back a positive reply.

After the authentication and association, the pre-shared WEP key is also used for encrypting the data frames using RC4.

At first glance, it might seem as though Shared Key authentication is more secure than Open System authentication since the latter offers no real authentication. However, it is quite the reverse. It is possible to derive the keystream used for the handshake by capturing the challenge frames in Shared Key authentication.<ref name="Intercepting_Mobile_Comm_Nik_Ian_Dav">{{cite conference| author1=Nikita Borisov| author1-link=Nikita Borisov| author2=Ian Goldberg| author2-link=Ian Goldberg| author3=David Wagner| author3-link=David A. Wagner| title=Intercepting Mobile Communications: The Insecurity of 802.11| conference=Proceedings of the 7th Annual International Conference on Mobile Computing and Networking| url=http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf| access-date=2006-09-12| url-status=dead| archive-url=https://web.archive.org/web/20061001050959/https://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf| archive-date=2006-10-01| doi=10.1145/381677.381695| isbn=1581134223}}</ref> Therefore, data can be more easily intercepted and decrypted with Shared Key authentication than with Open System authentication. If privacy is a primary concern, it is more advisable to use Open System authentication for WEP authentication, rather than Shared Key authentication; however, this also means that any WLAN client can connect to the AP. (Both authentication mechanisms are weak; Shared Key WEP is deprecated in favor of WPA/WPA2.)

==Weak security==
{{Further|Fluhrer, Mantin and Shamir attack}}
Because RC4 is a [[stream cipher]], the same traffic key must never be used twice.
The purpose of an IV, which is transmitted as plaintext, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a [[related-key attack]]. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5,000 packets.

In August 2001, [[Scott Fluhrer]], [[Itsik Mantin]], and [[Adi Shamir]] published a [[cryptanalysis]] of WEP<ref name=1stfatalflaw/> that exploits the way the RC4 cipher and IV are used in WEP, resulting in a passive attack that can recover the RC4 [[key (cryptography)|key]] after eavesdropping on the network. Depending on the amount of network traffic, and thus the number of packets available for inspection, a successful key recovery could take as little as one minute. If an insufficient number of packets are being sent, there are ways for an attacker to send packets on the network and thereby stimulate reply packets, which can then be inspected to find the key. The attack was soon implemented, and automated tools have since been released. It is possible to perform the attack with a personal computer, off-the-shelf hardware, and freely available software such as [[aircrack-ng]] to crack ''any'' WEP key in minutes.

Cam-Winget et al.<ref>{{cite journal |url=http://www.cs.berkeley.edu/~daw/papers/wireless-cacm.pdf |title=Security Flaws in 802.11 Data Link Protocols |first1=Nancy |last1=Cam-Winget |first2=Russ |last2=Housley |first3=David |last3=Wagner |first4=Jesse |last4=Walker |journal=Communications of the ACM |date=May 2003 |volume=46 |issue=5 |pages=35–39|doi=10.1145/769800.769823 |s2cid=3132937 }}</ref> surveyed a variety of shortcomings in WEP.
They wrote "''Experiments in the field show that, with proper equipment, it is practical to eavesdrop on WEP-protected networks from distances of a mile or more from the target.''" They also reported two generic weaknesses:
* the use of WEP was optional, resulting in many installations never even activating it, and
* by default, WEP relies on a single [[shared key]] among users, which leads to practical problems in handling compromises, which often leads to ignoring compromises.

In 2005, a group from the U.S. [[Federal Bureau of Investigation]] gave a demonstration where they cracked a WEP-protected network in three minutes using publicly available tools.<ref>{{cite web |url=http://www.smallnetbuilder.com/index.php?option=com_content&task=view&id=24251&Itemid=100 |title=Wireless Features |website=www.smallnetbuilder.com |date=31 March 2005 }}</ref> Andreas Klein presented another analysis of the RC4 stream cipher. Klein showed that there are more correlations between the RC4 keystream and the key than the ones found by Fluhrer, Mantin, and Shamir, which can additionally be used to break WEP in WEP-like usage modes.

In 2006, Bittau, [[Mark Handley (computer scientist)|Handley]], and Lackey showed<ref name="Final_Nail" /> that the 802.11 protocol itself can be used against WEP to enable earlier attacks that were previously thought impractical. After eavesdropping a single packet, an attacker can rapidly bootstrap to be able to transmit arbitrary data. The eavesdropped packet can then be decrypted one byte at a time (by transmitting about 128 packets per byte to decrypt) to discover the local network IP addresses. Finally, if the 802.11 network is connected to the Internet, the attacker can use 802.11 fragmentation to replay eavesdropped packets while crafting a new IP header onto them.
The access point can then be used to decrypt these packets and relay them on to a buddy on the Internet, allowing real-time decryption of WEP traffic within a minute of eavesdropping the first packet. In 2007, Erik Tews, Andrei Pyshkin, and Ralf-Philipp Weinmann were able to extend Klein's 2005 attack and optimize it for usage against WEP. With the new attack<ref>{{cite web |url=http://eprint.iacr.org/2007/120.pdf |title=Breaking 104 bit WEP in less than 60 seconds |first1=Erik |last1=Tews |first2=Ralf-Philipp |last2=Weinmann |first3=Andrei |last3=Pyshkin}}</ref> it is possible to recover a 104-bit WEP key with a probability of 50% using only 40,000 captured packets. For 60,000 available data packets, the success probability is about 80%, and for 85,000 data packets, about 95%. Using active techniques like [[Wi-Fi deauthentication attack]]s and [[Address Resolution Protocol|ARP]] re-injection, 40,000 packets can be captured in less than one minute under good conditions. The actual computation takes about 3 seconds and 3 MB of main memory on a [[Pentium-M]] 1.7 GHz and can additionally be optimized for devices with slower CPUs. The same attack can be used for 40-bit keys with an even higher success probability. In 2008 the [[Payment Card Industry Security Standards Council]] (PCI SSC) updated the [[PCI DSS|Data Security Standard]] (DSS) to prohibit use of WEP as part of any credit-card processing after 30 June 2010, and prohibit any new system from being installed that uses WEP after 31 March 2009. The use of WEP contributed to the [[TJ Maxx]] parent company network invasion.<ref>{{cite news |title=T.J. 
Maxx data theft likely due to wireless 'wardriving' |url=http://www.informationweek.com/tj-maxx-data-theft-likely-due-to-wireles/199500385 |access-date=2012-09-03 |work=Information Week |first=Larry |last=Greenemeier |date=2007-05-09 |df=mdy-all |archive-date=2013-06-15 |archive-url=https://web.archive.org/web/20130615032639/http://www.informationweek.com/tj-maxx-data-theft-likely-due-to-wireles/199500385 |url-status=dead }}</ref>

===Caffe Latte attack===
The Caffe Latte attack is another way to defeat WEP. It is not necessary for the attacker to be in the area of the [[Computer network|network]] using this exploit. By using a process that targets the [[Microsoft Windows|Windows]] wireless stack, it is possible to obtain the WEP key from a remote client.<ref>{{cite web|title=The Caffe Latte Attack: How It Works—and How to Block It|author=Lisa Phifer|url=http://www.wi-fiplanet.com/tutorials/article.php/10724_3716241_1|publisher=wi-fiplanet.com|access-date=2008-03-21}}</ref> By sending a flood of encrypted [[Address Resolution Protocol|ARP]] requests, the assailant takes advantage of the shared key authentication and the message modification flaws in 802.11 WEP. The attacker uses the ARP responses to obtain the WEP key in less than 6 minutes.<ref>{{cite web|title=Caffe Latte with a Free Topping of Cracked WEP: Retrieving WEP Keys from Road-Warriors|url=http://www.airtightnetworks.com/home/news/pr/select_category/14/article/123/airtight-wireless-security-researcher-reveals-wep-can-be-cracked-without-an-access-point.html|access-date=2008-03-21|archive-date=2015-05-11|archive-url=https://web.archive.org/web/20150511224754/http://www.airtightnetworks.com/home/news/pr/select_category/14/article/123/airtight-wireless-security-researcher-reveals-wep-can-be-cracked-without-an-access-point.html|url-status=dead}}</ref>

==Countermeasures==
Use of encrypted [[tunneling protocol]]s (e.g., [[IPsec]], [[Secure Shell]]) can provide secure data transmission over an insecure network.
However, replacements for WEP have been developed with the goal of restoring security to the wireless network itself.

===802.11i (WPA and WPA2)===
The recommended solution to WEP security problems is to switch to WPA2. [[Wi-Fi Protected Access|WPA]] was an intermediate solution for hardware that could not support WPA2. Both WPA and WPA2 are much more secure than WEP.<ref>{{cite web|title=802.11b Update: Stepping Up Your WLAN Security|url=http://www.networkmagazineindia.com/200112/focus3.htm|publisher=networkmagazineindia.com|access-date=2008-03-16|archive-date=2008-03-24|archive-url=https://web.archive.org/web/20080324180427/http://www.networkmagazineindia.com/200112/focus3.htm|url-status=dead}}</ref> To add support for WPA or WPA2, some old Wi-Fi [[wireless access point|access point]]s might need to be replaced or have their [[firmware]] upgraded. WPA was designed as an interim software-implementable solution for WEP that could forestall immediate deployment of new hardware.<ref>{{cite web|title=Wireless Network Security|url=http://www.proxim.com/learn/library/whitepapers/wireless_security.pdf|publisher=[[Proxim Wireless]]|access-date=2008-03-16|url-status=dead|archive-url=https://web.archive.org/web/20090206165213/http://www.proxim.com/learn/library/whitepapers/wireless_security.pdf|archive-date=2009-02-06}}</ref> However, [[Temporal Key Integrity Protocol|TKIP]] (the basis of WPA) has reached the end of its designed lifetime, has been partially broken, and has been officially deprecated with the release of the 802.11-2012 standard.<ref>{{cite web|url=https://mentor.ieee.org/802.11/file/08/11-08-1127-12-000m-tgmb-issues-list.xls|title=802.11mb Issues List v12|date=20 Jan 2009|format=excel|page=CID 98|quote=The use of TKIP is deprecated. The TKIP algorithm is unsuitable for the purposes of this standard}}</ref>

===Implemented non-standard fixes===
==== WEP2 ====
This stopgap enhancement to WEP was present in some of the early 802.11i drafts.
It was implementable on ''some'' (not all) hardware not able to handle WPA or WPA2, and extended both the IV and the key values to 128 bits.<ref name=":0">{{cite web|title=WEP2, Credibility Zero|url=http://www.starkrealities.com/wireless003.html|publisher=starkrealities.com|access-date=2008-03-16|archive-date=2007-12-24|archive-url=https://web.archive.org/web/20071224123250/http://www.starkrealities.com/wireless003.html|url-status=dead}}</ref> It was hoped to eliminate the duplicate IV deficiency as well as stop [[Brute-force attack|brute-force key attack]]s.

After it became clear that the overall WEP algorithm was deficient (and not just the IV and key sizes) and would require even more fixes, both the WEP2 name and original algorithm were dropped. The two extended key lengths remained in what eventually became WPA's [[Temporal Key Integrity Protocol|TKIP]].

====WEPplus====
WEPplus, also known as WEP+, is a proprietary enhancement to WEP by [[Agere Systems]] (formerly a subsidiary of [[Lucent Technologies]]) that enhances WEP security by avoiding "weak IVs".<ref>{{cite news|title=Agere Systems is First to Solve Wireless LAN Wired Equivalent Privacy Security Issue; New Software Prevents Creation of Weak WEP Keys|url=http://findarticles.com/p/articles/mi_m0EIN/is_2001_Nov_12/ai_79954213|publisher=[[Business Wire]]|access-date=2008-03-16 | date=2001-11-12}}</ref> It is only completely effective when WEPplus is used at ''both ends'' of the wireless connection. As this cannot easily be enforced, it remains a serious limitation. It also does not necessarily prevent [[replay attack]]s, and is ineffective against later statistical attacks that do not rely on weak IVs.

====Dynamic WEP====
Dynamic WEP refers to the combination of 802.1x technology and the [[Extensible Authentication Protocol]]. Dynamic WEP changes WEP keys dynamically. It is a vendor-specific feature provided by several vendors such as [[3Com]].
The dynamic change idea made it into 802.11i as part of TKIP, but not for the WEP protocol itself.

==See also==
* [[Stream cipher attacks]]
* [[Wireless security]]
* [[Wi-Fi Protected Access]]

==References==
{{Reflist}}

==External links==
* [http://homes.soic.indiana.edu/ktbenton/research/benton_wireless.pdf The Evolution of 802.11 Wireless Security, by Kevin Benton, April 18th 2010] {{Webarchive|url=https://web.archive.org/web/20160302132133/http://homes.soic.indiana.edu/ktbenton/research/benton_wireless.pdf |date=2016-03-02 }}

[[Category:Broken cryptography algorithms]]
[[Category:Cryptographic protocols]]
[[Category:Computer network security]]
[[Category:IEEE 802.11]]
[[Category:Wireless networking]]
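
The following Python sketch is an added example, not taken from the article's sources or from any vendor implementation. It builds the per-frame RC4 key as the IV followed by the secret, as described under "Encryption details", and works through the two points made under "Weak security": when an IV repeats, the keystream cancels out of the XOR of two ciphertexts, and a 24-bit IV space gives roughly even odds of a repeat within about 5,000 frames. The key, IV and frame contents are constructed, and the key ID byte and 802.11 framing are left out.

```python
import binascii
import math
import struct

HEX_LENGTHS = (10, 26, 32, 58)    # 40-, 104-, 128- and 232-bit secrets as hex digits
ASCII_LENGTHS = (5, 13, 16, 29)   # the same secrets typed as ASCII characters

def parse_wep_key(text):
    """Turn a key typed in one of the entry formats above into secret bytes."""
    if len(text) in HEX_LENGTHS:
        return bytes.fromhex(text)
    if len(text) in ASCII_LENGTHS:
        return text.encode("ascii")
    raise ValueError("unsupported WEP key length")

def rc4_keystream(key, length):
    """RC4 key scheduling followed by `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data):
    """CRC-32 integrity check value (little-endian byte order assumed here)."""
    return struct.pack("<I", binascii.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(secret, iv, plaintext):
    """Encrypt plaintext || ICV under the per-frame RC4 key IV || secret."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    body = plaintext + icv(plaintext)
    return xor(body, rc4_keystream(iv + secret, len(body)))

def wep_decrypt(secret, iv, ciphertext):
    """Decrypt and verify the ICV; raises ValueError on a mismatch."""
    body = xor(ciphertext, rc4_keystream(iv + secret, len(ciphertext)))
    data, received = body[:-4], body[-4:]
    if icv(data) != received:
        raise ValueError("ICV mismatch")
    return data

def iv_collision_probability(frames, iv_bits=24):
    """Chance that at least two of `frames` uniformly random IVs coincide."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(sum(math.log1p(-i / space) for i in range(frames)))

def reuse_demo():
    """Two constructed frames under one IV: the keystream cancels out."""
    secret = parse_wep_key("0123456789")          # constructed WEP-40 key
    iv = bytes.fromhex("a1b2c3")                  # constructed IV, used twice
    p1, p2 = b"constructed frame one", b"constructed frame two"
    c1, c2 = wep_encrypt(secret, iv, p1), wep_encrypt(secret, iv, p2)
    assert wep_decrypt(secret, iv, c1) == p1
    # XOR of the ciphertexts equals XOR of the plaintexts; the key never enters.
    return xor(c1, c2)[:len(p1)] == xor(p1, p2)

if __name__ == "__main__":
    print("ciphertext XOR equals plaintext XOR:", reuse_demo())
    print("P(IV repeat within 5,000 frames): %.3f" % iv_collision_probability(5000))
```

Because the secret is fixed and only the 24-bit IV varies, every IV repeat is a keystream repeat, which is why the replacement protocols changed the per-frame key derivation rather than only lengthening the key.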