Re: Proper WEP Code



On Wed, 2007-12-12 at 09:28 -0600, Aaron Konstam wrote:
> On Tue, 2007-12-11 at 17:10 -0500, Dan Williams wrote:
> > 
> > WEP ASCII passphrases are standardized, WEP104 passphrases are
> > de-facto
> > standard (some implemented hashing for 40-bit WEP keys, but that's not
> > really standardized at all), and Apple uses a completely different
> > hashing scheme for it's "password".
> > 
> > So no, WEP doesn't have a standardized passphrase->key hashing scheme.
> > That's why you get 3 choices.
> > 
> > WPA fixed this, where there is a standard for hashing a passphrase
> > into
> > a key, _plus_ they made it easy to differentiate a passphrase and a
> > hex
> > key, which is great because you can't do this with WEP, leading to
> > people using what _look_ like hex keys as actual WEP passphrases.
> > 
> > Dan 
> I am sure you think the above explanation is clear but it is not to me.
> >From what I have read the WEP pasphrase is the encryption key.
> and an ASCII passphrase is just a hex passphrase expressed in ASCII
> characters,
> 
> What is the difference between a passphrase and a hex key and where does
> hashing come in for WEP?

The standard WEP "passphrase" is a string up to 64 characters in length.
If less than 64 bytes, it gets repeated into a 64 byte buffer, which
them gets hashed with MD5.  The digest resulting from the MD5 hash is
then used as the actual WEP key that is given to the driver.

user input:    abcdefghijklm

1) repeat 'abcdefghijklm' over and over until 64 bytes are filled
2) hash the 64 bytes using MD5

wep key (hex): f343dcef2a6ea4ce5d63dabc45

A WEP "ASCII passphrase" is a 5 or 13 character ASCII string.  To derive
the actual WEP key, the ASCII values of the string are used directly for
the WEP key like so:

user input:    abcdefghijklm
wep key (hex): 6162636465666768696a6b6c6d

a = 61, b = 62, c = 63, d = 64, etc.

So the problem with ASCII passphrases is that the _range_ of values you
can enter is smaller and limited to the printable ASCII range, which is
roughly 0x20 -> 0x7E.  Note that in the standard WEP passphrase example
above, the passphrase contains the byte 0xF3 at the start, which is not
ASCII and therefore can't be contained in an ASCII passphrase.

The _best_ way to get a secure WEP key (not that WEP is secure _at all_)
is to have a random number generator generate the key for you.  Don't
use passphrases.

Dan




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]