WEP Security Improvements - How pervasive and how tight?

I read recently that manufacturers of some wi-fi equipment have improved
their software so that WEP is more difficult to crack. Specifically, they
have reportedly quit sending type 4 packets (as I recall it is type 4) which
are apparently the key to WEP cracking.

Anyone know the straight scoop on this. Is this correct? How widespread
have these improvements been implemented? How to tell if implemented on
your equipment?



--
Bob Alston

bobalston9 AT aol DOT com


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.746 / Virus Database: 498 - Release Date: 8/31/2004

> I read recently that manufacturers of some wi-fi equipment have improved
> their software so that WEP is more difficult to crack. Specifically, they
> have reportedly quit sending type 4 packets (as I recall it is type 4) which
> are apparently the key to WEP cracking.

I doubt it can fix the real problem. I.e. it might make it harder (10min
instead of 5), but who cares: use WPA and forget about it,


Stefan

"Bob Alston" <(E-Mail Removed)> wrote in message
news:aOqZc.132114$Lj.31258@fed1read03...
> I read recently that manufacturers of some wi-fi equipment have improved
> their software so that WEP is more difficult to crack. Specifically, they
> have reportedly quit sending type 4 packets (as I recall it is type 4)
which
> are apparently the key to WEP cracking.
>
> Anyone know the straight scoop on this. Is this correct? How widespread
> have these improvements been implemented? How to tell if implemented on
> your equipment?

No. I don't know what "type 4 packets" are, but 802.11 frames have a 2-bit
type and a 4-bit subtype field. The type field values range from 0 - 3, with
3 unused. Type 0 (management) frames have a subtype 4, which is beacon.
So-called SSID hiding is a modification to beacon frames that nearly all
vendors support. It is claimed to be a security improvement, in that your
network id is no longer broadcast 10 times a second, but the improvement is
in fact trivial. It has nothing to do with WEP or WPA.

>
>
>
> --
> Bob Alston
>
> bobalston9 AT aol DOT com
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.746 / Virus Database: 498 - Release Date: 8/31/2004
>
>

"gary" <(E-Mail Removed)> wrote in message
news:N0rZc.15840$(E-Mail Removed) om...
>
> "Bob Alston" <(E-Mail Removed)> wrote in message
> news:aOqZc.132114$Lj.31258@fed1read03...
>> I read recently that manufacturers of some wi-fi equipment have improved
>> their software so that WEP is more difficult to crack. Specifically,
>> they
>> have reportedly quit sending type 4 packets (as I recall it is type 4)
> which
>> are apparently the key to WEP cracking.
>>
>> Anyone know the straight scoop on this. Is this correct? How widespread
>> have these improvements been implemented? How to tell if implemented on
>> your equipment?
>
> No. I don't know what "type 4 packets" are, but 802.11 frames have a 2-bit
> type and a 4-bit subtype field. The type field values range from 0 - 3,
> with
> 3 unused. Type 0 (management) frames have a subtype 4, which is beacon.
> So-called SSID hiding is a modification to beacon frames that nearly all
> vendors support. It is claimed to be a security improvement, in that your
> network id is no longer broadcast 10 times a second, but the improvement
> is
> in fact trivial. It has nothing to do with WEP or WPA.
>
>>
>>
>>
>> --
>> Bob Alston
>>
>> bobalston9 AT aol DOT com
>>
>>
>> ---
>> Outgoing mail is certified Virus Free.
>> Checked by AVG anti-virus system (http://www.grisoft.com).
>> Version: 6.0.746 / Virus Database: 498 - Release Date: 8/31/2004
>>
>>
>
>

The link below is an example of the reference I was recalling, and states
that "the weak IV exploit is virtually non-existent".

http://www.security-focus.com/infocus/1792

Not sure if this is but one exploit that allows WEP to be cracked.

--
Bob Alston

bobalston9 AT aol DOT com


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.746 / Virus Database: 498 - Release Date: 8/31/2004

"Bob Alston" <(E-Mail Removed)> wrote in message
newsRsZc.132341$Lj.9128@fed1read03...
>
> "gary" <(E-Mail Removed)> wrote in message
> news:N0rZc.15840$(E-Mail Removed) om...
>>
>> "Bob Alston" <(E-Mail Removed)> wrote in message
>> news:aOqZc.132114$Lj.31258@fed1read03...
>>> I read recently that manufacturers of some wi-fi equipment have improved
>>> their software so that WEP is more difficult to crack. Specifically,
>>> they
>>> have reportedly quit sending type 4 packets (as I recall it is type 4)
>> which
>>> are apparently the key to WEP cracking.
>>>
>>> Anyone know the straight scoop on this. Is this correct? How
>>> widespread
>>> have these improvements been implemented? How to tell if implemented on
>>> your equipment?
>>
>> No. I don't know what "type 4 packets" are, but 802.11 frames have a
>> 2-bit
>> type and a 4-bit subtype field. The type field values range from 0 - 3,
>> with
>> 3 unused. Type 0 (management) frames have a subtype 4, which is beacon.
>> So-called SSID hiding is a modification to beacon frames that nearly all
>> vendors support. It is claimed to be a security improvement, in that your
>> network id is no longer broadcast 10 times a second, but the improvement
>> is
>> in fact trivial. It has nothing to do with WEP or WPA.
>>
>>>
>>>
>>>
>>> --
>>> Bob Alston
>>>
>>> bobalston9 AT aol DOT com
>>>
>>>
>>> ---
>>> Outgoing mail is certified Virus Free.
>>> Checked by AVG anti-virus system (http://www.grisoft.com).
>>> Version: 6.0.746 / Virus Database: 498 - Release Date: 8/31/2004
>>>
>>>
>>
>>
>
> The link below is an example of the reference I was recalling, and states
> that "the weak IV exploit is virtually non-existent".
>
> http://www.security-focus.com/infocus/1792
>
> Not sure if this is but one exploit that allows WEP to be cracked.
>
> --
> Bob Alston
>
> bobalston9 AT aol DOT com
>


O'Reilly's comments:

http://www.oreillynet.com/cs/user/view/cs_msg/26023

--
Bob Alston

bobalston9 AT aol DOT com


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.746 / Virus Database: 498 - Release Date: 8/31/2004

"Bob Alston" <(E-Mail Removed)> wrote in message
newsRsZc.132341$Lj.9128@fed1read03...
>
> "gary" <(E-Mail Removed)> wrote in message
> news:N0rZc.15840$(E-Mail Removed) om...
> >
> > "Bob Alston" <(E-Mail Removed)> wrote in message
> > news:aOqZc.132114$Lj.31258@fed1read03...
> >> I read recently that manufacturers of some wi-fi equipment have
improved
> >> their software so that WEP is more difficult to crack. Specifically,
> >> they
> >> have reportedly quit sending type 4 packets (as I recall it is type 4)
> > which
> >> are apparently the key to WEP cracking.
> >>
> >> Anyone know the straight scoop on this. Is this correct? How
widespread
> >> have these improvements been implemented? How to tell if implemented
on
> >> your equipment?
> >
> > No. I don't know what "type 4 packets" are, but 802.11 frames have a
2-bit
> > type and a 4-bit subtype field. The type field values range from 0 - 3,
> > with
> > 3 unused. Type 0 (management) frames have a subtype 4, which is beacon.
> > So-called SSID hiding is a modification to beacon frames that nearly all
> > vendors support. It is claimed to be a security improvement, in that
your
> > network id is no longer broadcast 10 times a second, but the
improvement
> > is
> > in fact trivial. It has nothing to do with WEP or WPA.
> >
> >>
> >>
> >>
> >> --
> >> Bob Alston
> >>
> >> bobalston9 AT aol DOT com
> >>
> >>
> >> ---
> >> Outgoing mail is certified Virus Free.
> >> Checked by AVG anti-virus system (http://www.grisoft.com).
> >> Version: 6.0.746 / Virus Database: 498 - Release Date: 8/31/2004
> >>
> >>
> >
> >
>
> The link below is an example of the reference I was recalling, and states
> that "the weak IV exploit is virtually non-existent".
>
> http://www.security-focus.com/infocus/1792
>
> Not sure if this is but one exploit that allows WEP to be cracked.

The article was a survey of security issues. It looked reasonably accurate
and complete to me. I see no reference to "type 4 packets" or even SSID
hiding. It does mention that WEP is an incorrect implementation of RC4, a
common stream cypher algorithm. The defects of the WEP implementation are
not completely curable, but there is a problem called "weak IVs" which has
been eliminated in newer chipsets. You'll probably get weak IV suppression
with recent 802.11g chipsets, and maybe also as a firmware upgrade to some
older 802.11b devices.

If I were you, I'd follow the bullet list under "Basic Steps to Fix WEP
Problems" and not worry too much about weak IVs. Use 128-bit keys or better
if you have them (40/64 can be cracked by brute force). Change keys
reasonably often ("reasonable" depends on how much traffic you generate, and
how important security is to you). Use a wifi firewall in addition to a
regular one. For anything that *really* needs security, use independent
encryption (secure HTTP, PGP, VPN, whatever). And if you really need good
security, buy WPA-capable equipment that can be upgraded to WPA2 with AES
(that is, equipment that can do AES in the wifi chipset).

>
> --
> Bob Alston
>
> bobalston9 AT aol DOT com
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.746 / Virus Database: 498 - Release Date: 8/31/2004
>
>

"gary" <(E-Mail Removed)> wrote in message
newsitZc.15870$(E-Mail Removed) om...
>
> "Bob Alston" <(E-Mail Removed)> wrote in message
> newsRsZc.132341$Lj.9128@fed1read03...
>>
>> "gary" <(E-Mail Removed)> wrote in message
>> news:N0rZc.15840$(E-Mail Removed) om...
>> >
>> > "Bob Alston" <(E-Mail Removed)> wrote in message
>> > news:aOqZc.132114$Lj.31258@fed1read03...
>> >> I read recently that manufacturers of some wi-fi equipment have
> improved
>> >> their software so that WEP is more difficult to crack. Specifically,
>> >> they
>> >> have reportedly quit sending type 4 packets (as I recall it is type 4)
>> > which
>> >> are apparently the key to WEP cracking.
>> >>
>> >> Anyone know the straight scoop on this. Is this correct? How
> widespread
>> >> have these improvements been implemented? How to tell if implemented
> on
>> >> your equipment?
>> >
>> > No. I don't know what "type 4 packets" are, but 802.11 frames have a
> 2-bit
>> > type and a 4-bit subtype field. The type field values range from 0 - 3,
>> > with
>> > 3 unused. Type 0 (management) frames have a subtype 4, which is beacon.
>> > So-called SSID hiding is a modification to beacon frames that nearly
>> > all
>> > vendors support. It is claimed to be a security improvement, in that
> your
>> > network id is no longer broadcast 10 times a second, but the
> improvement
>> > is
>> > in fact trivial. It has nothing to do with WEP or WPA.
>> >
>> >>
>> >>
>> >>
>> >> --
>> >> Bob Alston
>> >>
>> >> bobalston9 AT aol DOT com
>> >>
>> >>
>> >> ---
>> >> Outgoing mail is certified Virus Free.
>> >> Checked by AVG anti-virus system (http://www.grisoft.com).
>> >> Version: 6.0.746 / Virus Database: 498 - Release Date: 8/31/2004
>> >>
>> >>
>> >
>> >
>>
>> The link below is an example of the reference I was recalling, and states
>> that "the weak IV exploit is virtually non-existent".
>>
>> http://www.security-focus.com/infocus/1792
>>
>> Not sure if this is but one exploit that allows WEP to be cracked.
>
> The article was a survey of security issues. It looked reasonably accurate
> and complete to me. I see no reference to "type 4 packets" or even SSID
> hiding. It does mention that WEP is an incorrect implementation of RC4, a
> common stream cypher algorithm. The defects of the WEP implementation are
> not completely curable, but there is a problem called "weak IVs" which has
> been eliminated in newer chipsets. You'll probably get weak IV suppression
> with recent 802.11g chipsets, and maybe also as a firmware upgrade to some
> older 802.11b devices.
>
> If I were you, I'd follow the bullet list under "Basic Steps to Fix WEP
> Problems" and not worry too much about weak IVs. Use 128-bit keys or
> better
> if you have them (40/64 can be cracked by brute force). Change keys
> reasonably often ("reasonable" depends on how much traffic you generate,
> and
> how important security is to you). Use a wifi firewall in addition to a
> regular one. For anything that *really* needs security, use independent
> encryption (secure HTTP, PGP, VPN, whatever). And if you really need good
> security, buy WPA-capable equipment that can be upgraded to WPA2 with AES
> (that is, equipment that can do AES in the wifi chipset).
>
>>
>> --
>> Bob Alston
>>
>> bobalston9 AT aol DOT com
>>
>>
>> ---
>> Outgoing mail is certified Virus Free.
>> Checked by AVG anti-virus system (http://www.grisoft.com).
>> Version: 6.0.746 / Virus Database: 498 - Release Date: 8/31/2004
>>
>>
>
>

The portion of the article I was intending to refer to was the following:

"...the weak IV exploit is virtually non-existent. The manufacturers have
eliminated that issue, at least as far as I have been able to tell. I have
only been able to crack it once in the past several years and that was
because an old wireless adaptor with outdated firmware was on the system."

--
Bob Alston

bobalston9 AT aol DOT com


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.746 / Virus Database: 498 - Release Date: 8/31/2004

"Bob Alston" <(E-Mail Removed)> wrote in message
news:%xtZc.132398$Lj.62506@fed1read03...
>
>
>
> "gary" <(E-Mail Removed)> wrote in message
> newsitZc.15870$(E-Mail Removed) om...
> >
> > "Bob Alston" <(E-Mail Removed)> wrote in message
> > newsRsZc.132341$Lj.9128@fed1read03...
> >>
> >> "gary" <(E-Mail Removed)> wrote in message
> >> news:N0rZc.15840$(E-Mail Removed) om...
> >> >
> >> > "Bob Alston" <(E-Mail Removed)> wrote in message
> >> > news:aOqZc.132114$Lj.31258@fed1read03...
> >> >> I read recently that manufacturers of some wi-fi equipment have
> > improved
> >> >> their software so that WEP is more difficult to crack.
Specifically,
> >> >> they
> >> >> have reportedly quit sending type 4 packets (as I recall it is type
4)
> >> > which
> >> >> are apparently the key to WEP cracking.
> >> >>
> >> >> Anyone know the straight scoop on this. Is this correct? How
> > widespread
> >> >> have these improvements been implemented? How to tell if
implemented
> > on
> >> >> your equipment?
> >> >
> >> > No. I don't know what "type 4 packets" are, but 802.11 frames have a
> > 2-bit
> >> > type and a 4-bit subtype field. The type field values range from 0 -
3,
> >> > with
> >> > 3 unused. Type 0 (management) frames have a subtype 4, which is
beacon.
> >> > So-called SSID hiding is a modification to beacon frames that nearly
> >> > all
> >> > vendors support. It is claimed to be a security improvement, in that
> > your
> >> > network id is no longer broadcast 10 times a second, but the
> > improvement
> >> > is
> >> > in fact trivial. It has nothing to do with WEP or WPA.
> >> >
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Bob Alston
> >> >>
> >> >> bobalston9 AT aol DOT com
> >> >>
> >> >>
> >> >> ---
> >> >> Outgoing mail is certified Virus Free.
> >> >> Checked by AVG anti-virus system (http://www.grisoft.com).
> >> >> Version: 6.0.746 / Virus Database: 498 - Release Date: 8/31/2004
> >> >>
> >> >>
> >> >
> >> >
> >>
> >> The link below is an example of the reference I was recalling, and
states
> >> that "the weak IV exploit is virtually non-existent".
> >>
> >> http://www.security-focus.com/infocus/1792
> >>
> >> Not sure if this is but one exploit that allows WEP to be cracked.
> >
> > The article was a survey of security issues. It looked reasonably
accurate
> > and complete to me. I see no reference to "type 4 packets" or even SSID
> > hiding. It does mention that WEP is an incorrect implementation of RC4,
a
> > common stream cypher algorithm. The defects of the WEP implementation
are
> > not completely curable, but there is a problem called "weak IVs" which
has
> > been eliminated in newer chipsets. You'll probably get weak IV
suppression
> > with recent 802.11g chipsets, and maybe also as a firmware upgrade to
some
> > older 802.11b devices.
> >
> > If I were you, I'd follow the bullet list under "Basic Steps to Fix WEP
> > Problems" and not worry too much about weak IVs. Use 128-bit keys or
> > better
> > if you have them (40/64 can be cracked by brute force). Change keys
> > reasonably often ("reasonable" depends on how much traffic you generate,
> > and
> > how important security is to you). Use a wifi firewall in addition to a
> > regular one. For anything that *really* needs security, use independent
> > encryption (secure HTTP, PGP, VPN, whatever). And if you really need
good
> > security, buy WPA-capable equipment that can be upgraded to WPA2 with
AES
> > (that is, equipment that can do AES in the wifi chipset).
> >
> >>
> >> --
> >> Bob Alston
> >>
> >> bobalston9 AT aol DOT com
> >>
> >>
> >> ---
> >> Outgoing mail is certified Virus Free.
> >> Checked by AVG anti-virus system (http://www.grisoft.com).
> >> Version: 6.0.746 / Virus Database: 498 - Release Date: 8/31/2004
> >>
> >>
> >
> >
>
> The portion of the article I was intending to refer to was the following:
>
> "...the weak IV exploit is virtually non-existent. The manufacturers have
> eliminated that issue, at least as far as I have been able to tell. I have
> only been able to crack it once in the past several years and that was
> because an old wireless adaptor with outdated firmware was on the system."

The comment you cited from the O'Reilly site says about as much as can be
said about who fixed weak IVs and by what date. Fixing weak IVs does not
eliminate all the weaknesses of WEP. The fundamental problem is that the
fixed portion of the key never changes, and the changeable part - the
Initialization Vector, or IV - is 24 bits long. After *at most* 2^24 frames,
the IV has to repeat, and therefore the keystream to encrypt the frame
repeats. Not to mention that crackers can inject known data into your
network to build a partial dictionary of IV/keystream pairs ... there are
lots of possible attacks. WPA/WPA2 are much stronger than WEP ever will be.
But WEP is perfectly useful for ordinary people who are not likely to be
targets of sustained attacks. Just use long, random hex keys and change them
fairly often.

>
> --
> Bob Alston
>
> bobalston9 AT aol DOT com
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.746 / Virus Database: 498 - Release Date: 8/31/2004
>
>

On Wed, 01 Sep 2004 21:18:37 GMT, "gary" <(E-Mail Removed)>
wrote:

>
>"Bob Alston" <(E-Mail Removed)> wrote in message
>news:aOqZc.132114$Lj.31258@fed1read03...
>> I read recently that manufacturers of some wi-fi equipment have improved
>> their software so that WEP is more difficult to crack. Specifically, they
>> have reportedly quit sending type 4 packets (as I recall it is type 4)
>which
>> are apparently the key to WEP cracking.
>>
>> Anyone know the straight scoop on this. Is this correct? How widespread
>> have these improvements been implemented? How to tell if implemented on
>> your equipment?

>No. I don't know what "type 4 packets" are, but 802.11 frames have a 2-bit
>type and a 4-bit subtype field. The type field values range from 0 - 3, with
>3 unused. Type 0 (management) frames have a subtype 4, which is beacon.
>So-called SSID hiding is a modification to beacon frames that nearly all
>vendors support. It is claimed to be a security improvement, in that your
>network id is no longer broadcast 10 times a second, but the improvement is
>in fact trivial. It has nothing to do with WEP or WPA.

Agreed. A bit more detail plagerized from:
802.11 7.1.3.1

Table 1—Valid type and subtype combinations
Type value Type Subtype value Subtype description
b3 b2 description b7 b6 b5 b4



00 Management 0000 Association request
00 Management 0001 Association response
00 Management 0010 Reassociation request
00 Management 0011 Reassociation response
00 Management 0100 Probe request
00 Management 0101 Probe response
00 Management 0110–0111 Reserved
00 Management 1000 Beacon
00 Management 1001 Announcement traffic indication message
(ATIM)
00 Management 1010 Disassociation
00 Management 1011 Authentication
00 Management 1100 Deauthentication
00 Management 1101–1111 Reserved
01 Control 0000–1001 Reserved
01 Control 1010 Power Save (PS)-Poll
01 Control 1011 Request To Send (RTS)
01 Control 1100 Clear To Send (CTS)
01 Control 1101 Acknowledgment (ACK)
01 Control 1110 Contention-Free (CF)-End
01 Control 1111 CF-End + CF-Ack
10 Data 0000 Data
10 Data 0001 Data + CF-Ack
10 Data 0010 Data + CF-Poll
10 Data 0011 Data + CF-Ack + CF-Poll
10 Data 0100 Null function (no data)
10 Data 0101 CF-Ack (no data)
10 Data 0110 CF-Poll (no data)
10 Data 0111 CF-Ack + CF-Poll (no data)
10 Data 1000–1111 Reserved
11 Reserved 0000–1111 Reserved

Notice that there's no such thing as a WEP frame or "Type 4" packet.

That's because *EVERY* management and data frame is preceeded by a WEP
key frame. It's described in excruciating detail in 802.11 8.1. I
don't see anything that can be deleted to make it more difficult to
crack. Basically, AirSnort, WEPCrack, and other collect the WEP 24
bit initialization vectors looking for a pattern.

Oh, I see the confusion. Initialization Vector is often acronymified
as "IV" which is Roman numberal 4. Maybe that's where the type 4
stuff came from?


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice http://www.LearnByDestroying.com
# (E-Mail Removed)
# 831.421.6491 digital_pager (E-Mail Removed) AE6KS

On Wed, 1 Sep 2004 18:23:12 -0500, "Bob Alston"
<(E-Mail Removed)> wrote:


>The link below is an example of the reference I was recalling, and states
>that "the weak IV exploit is virtually non-existent".
>
>http://www.security-focus.com/infocus/1792
>
>Not sure if this is but one exploit that allows WEP to be cracked.

Here's a good article on how WEP works:
http://www.wi-fiplanet.com/tutorials...le.php/2106281

The problem is that the IV (initialization vector) tends to get
re-used. One of the fixes in WPA is TKIP, which increases the size of
the initialization vector from 24 to 48bits, and make sure it doesn't
get re-used.
http://www.wi-fiplanet.com/tutorials...le.php/2148721

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice http://www.LearnByDestroying.com
# (E-Mail Removed)
# 831.421.6491 digital_pager (E-Mail Removed) AE6KS