3

I've been reading a lot about WEP recently and why it was bad. To make sure I understand it, I've been writing scripts to show how it works and highlight its vulnerabilities. But I want to have a full understanding from start to finish, and I can't find what I need for the very beginning.

Since WEP can operate on four keys, something needs to be able to generate four keys. My router can do this based off a passphrase. If I put 'badpw' as the passphrase, I get the keys:

1: 02CB778981
2: C27236DFB1
3: C90C104FA2
4: A804571CC0

If I enter the same passphrase on http://www.wepkey.com/, I get the same four keys. So its clear that the same algorithm is used in both cases, but I can't for the life of me find it.

So, what would the psudocode be to derive those four WEP keys from a passphrase?

Nicholas Dechert
  • 115
  • 9

1 Answers1

3

Shamelessly stolen from the client-side JavaScript code of http://www.wepkey.com:

function wepkey64(val)
{
    var pseed  = new Array(4);
        pseed[0] = 0; pseed[1] = 0; pseed[2] = 0; pseed[3] = 0;
    var randNumber;
    var k64 = new Array(4);
        k64[0] = ""; k64[1] = ""; k64[2] = ""; k64[3] = "";
    var i, j, tmp;
    for (i = 0; i < val.length; i++)
    {
        pseed[i%4] ^= val.charCodeAt(i);
    };
    randNumber = pseed[0] | (pseed[1] << 8) | (pseed[2] << 16) | (pseed[3] << 24);
    for (i = 0; i < 4; i++)
    {
        for (j = 0; j < 5; j++)
        {
            randNumber = (randNumber * 0x343fd + 0x269ec3) & 0xffffffff;
            tmp = (randNumber >> 16) & 0xff;
            k64[i] += bin2hex(tmp);
        };
    };
    return k64;
};

// converts one byte to a 2 chars hex string
function bin2hex(val)
{
    var hex = "0123456789ABCDEF";
    var result = "";
    var index;
    index = (val >> 4) & 0x0f;
    result = result + hex.substring(index, index+1);
    index = val & 0x0f;
    result = result + hex.substring(index, index+1);
    return result;
}

Call wepkey64("your key") to calculate the four 64-bit keys. They will be returned as an array.

Pang
  • 185
  • 6
Neil Smithline
  • 14,621
  • 4
  • 38
  • 55