11

According to this analysis of WEP,

These attacks point to the importance of inviting public review from people with expertise in cryptographic protocol design; had this been done, the problems stated here would have surely been avoided.

It is my understanding that the design flaws of WEP were well known from its beginning. In WEP’s design process, why were no people with sufficient “expertise in cryptographic protocol design” involved in the creation of a cryptographic protocol intended for broad adoption?

Henry Elliott
  • 211
  • 1
  • 2
  • 2
    My best guess: because it never occurred to the WEP designers that they needed crypto review... – poncho Aug 11 '17 at 13:32
  • 2
    Because WEP is from a time when ad-hoc crypto designs where much more common. Only that so many custom and ad-hoc designs failed has lead to the current more cautious approaches. – Elias Aug 11 '17 at 14:32

1 Answers1

3

It is my understanding that the design flaws of WEP were well known from its beginning.

WEP on Wikipedia states, was introduced in IEEE 802.11 in 1997, and it was based on the stream cipher RC4.

There has been quite a lot of research to break WEP and its stream cipher RC4, but that's spread out over the last 20 years. Most notably for breaking WEP was the attack from Fluhrer, Mantin and Shamir in 2001. And earlier in 2001, this work was presented at a workshop and a conference (thanks @poncho for this reference).

For RC4, it was public knowledge that it is distinguishable from random, as pointed out by @SqueamishOssifrage in this source. Today that would surely disqualify the streamcipher to be considered secure, but mindsets change over time and I don't know if that was acceptable or not. E.g. the linked source states: "If your application can't stand a bias of 1 part per million, then don't use RC4." Also, we do not know whether the people in charge of WEP were aware of this or not.

So no, your statement is wrong. Just because the flaws are well known today does not mean they were back then. If you're questioning decisions, you need to adapt the point of view from the time of that decision.

In WEP’s design process, why were no people with sufficient “expertise in cryptographic protocol design” involved in the creation of a cryptographic protocol intended for broad adoption?

This can't be answered properly, unless you ask someone who actually was involved in that process. The only suggestion I have would be to contact the IEEE 802.11 working group and ask them.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
tylo
  • 12,654
  • 24
  • 39
  • 5
    Actually, WEP has significant flaws beyond the cryptographical weaknesses of RC4; see http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html ; it was presented on January 30, 2001 at the Mac Crypto Conference (so predates the FMS paper) – poncho Aug 11 '17 at 13:04
  • 6
    ‘In 1997, there was no known attack against RC4.’ RC4 was broken in practice within days of its publication in 1994, by Bob Jenkins, ‘Re: RC4 ?’, sci.crypt post, message-id [email protected], 1994-09-15, which reports a distinguisher that could run on laptops of the era. (That's aside from the generic mistakes of small, quickly repeating nonces and failure to put any cryptographic authenticator on messages.) – Squeamish Ossifrage Aug 11 '17 at 14:57
  • 3
    Also the OP didn't mention cryptographic flaws in RC4, so I'm not sure what part of the original post ‘you are wrong’ responds to. It is reasonable to ask why the designers of WEP didn't ask cryptographers about the protocol, even assuming the stream cipher with which it is instantiated were not broken, since once cryptographers did look at it, the generic flaws were pretty clear, as cited by @poncho. – Squeamish Ossifrage Aug 11 '17 at 15:34
  • @poncho A publication from 2001 postdates the definition in 1997 by 4 years. But maybe I am wrong that the FMS paper was the most notable. – tylo Aug 11 '17 at 16:32
  • @SqueamishOssifrage You're right about the distinguisher for RC4 - and that we consider that broken today. Your source even says "dont use it, if you need less bias than ...". It's unrealistic to look back and ask "Why did they not forsee the research we had in these 20 years now". And it serves no point asking "Why did they not do this or that" - it's highly unlikely that anyone can answer that. Both the question and the comments so far are questioning the decision back then from today's point of view - neglecting that things change. – tylo Aug 11 '17 at 16:39
  • 3
    You called the OP wrong for making a claim they didn't make about RC4, you proceeded to make a demonstrably false claim about when RC4 was first broken, and then you neglected to address the actual question, which was about flaws in the use of RC4 and why there were no cryptographers involved in the protocol design. Maybe the historical anthropology of committees is off-topic here, but falsely accusing the OP of making wrong claims is not the way to address that! – Squeamish Ossifrage Aug 11 '17 at 16:56
  • @SqueamishOssifrage I was just editing the question. And yes, the claim is simply wrong. It is not clear, that it was well known, it was not clear how the bias lead to a practical attack, etc. Expecting decisions to be based on future research is unrealistic. (from the point of view, when the decision was made) – tylo Aug 11 '17 at 17:03
  • 3
    The citation given by the OP shows that in what seems to be the first report from cryptographers who looked at WEP, they found various generic flaws in the protocol that are even worse than the flaws reported by Bob Jenkins in RC4. Likely these generic flaws would have been obvious to any cryptographer, even of the '90s era, who looked at the protocol. That is, RC4 is not really relevant to the OP's question. For the part you quoted, maybe the OP has reason to suspect these generic flaws were known to the designers, although I don't have evidence for this and the OP doesn't cite any. – Squeamish Ossifrage Aug 11 '17 at 18:41
  • 2
    @SqueamishOssifrage That reference has no date itself, but it has references to works in 2001 - meaning it was written later. I fail to understand how this leads to "... were well known from its beginning". That claim has no evidence at all. And if it would have been so obvious to cryptographers, there would be publications in the year 1997 when WEP was published, or maybe the year after. I don't see any so far. – tylo Aug 14 '17 at 12:37