We All Weep for WEP
What can we learn from the epic failure of Wired Equivalent Privacy?
WEPor Wired Equivalent Privacywas the ill-fated security layer around early 802.11b, 802.11a, and 802.11g Wi-Fi wireless networks. And yes, it is still supported as a legacy feature of most Wi-Fi routers these days.
NOTE: If you are using WEP, run screaming from it. Upgrade immediately. Turn it off, even. Youre far better off moving your network security up one layer to an IPSec-based VPN technology. (But VPN technology is another topic for another time and column.)
Yes, WEP is an über-classic example of a failed design by a committee. But rather than just ridiculing it from afar, lets explore what lessons we can gleam from the experience. As an engineer by training, Ive always felt that, while we shouldnt embrace failure, we should always examine it and see how we can prevent similar failures in the future.
|Recent Alignment Articles|
Spammers Find New Ways Around Filters
Vista Exploit Looking For Achilles' Heel
Spam Bust: The Lessons of Yesmail
Symantec Overhauls System Backup Suite
First, just whats so bad about it? There have been countless papers published in the past several years providing one WEP design flaw after another. The symmetric session key is shared and extremely difficult to manage. Much of the key itself is transmitted in plaintext over the network for any eavesdropper to intercept. The list goes on. It is currently estimated that any WEP protected network can be cracked in about a minute using commonly and freely available tools. Go Google it for yourself and see.
So, what went wrong? Wasnt the design committee aware of these problems? Well, Im not a cryptographer and I wasnt present in the meetings where the design was debated, so I can only speculate. I have no doubt that any competent cryptographer that was present should be ashamed, and if no competent cryptographers were present, then whoever decided on the committee participants should be ashamed. Perhaps it was the age-old problem of the designers focusing too much on functional specification and not enough on what things can go wrong with a design.
If we compare WEPs design process with how NIST selected the Advanced Encryption Standard (AES), however, there are vast differences. The AES process invited all comers to submit their encryption algorithms, which were then subjected to an extended period of public scrutiny and open discussion. Finally, the winning algorithm (Rijndael, after the two Belgian cryptographers who invented it) was selected.
Now, I fully realize that a crypto algorithm is different than a cryptographic network protocol, but perhaps using a similar process could have resulted in catching the most egregious of the defects before the standard was ratified? Perhaps thats too naïve an outlook, or perhaps it would have been too slow to enable the product vendors to get their products to market in any reasonable period of time. But I cant help but think we squandered an opportunity to prevent disaster here.