The 802.11 standard for wireless networks includes a Wired Equivalent Privacy (WEP) protocol, used to protect link-layer communications from eavesdropping and other attacks. We have discovered several serious security flaws in the protocol, stemming from misapplication of cryptographic primitives. The flaws lead to a number of practical attacks that demonstrate that WEP fails to achieve its security goals. In this paper, we discuss in detail each of the flaws, the underlying security principle violations, and the ensuing attacks. 1.

This paper covers the issues of using weak, US government-approved security as well as problems with flawed security measures, examines some of the measures necessary to provide an adequate level of security, and then suggests several possible solutions. This paper is targeted at people with a responsibility for computer security as well as those currently considering the extent to which their organisation may wish to become involved in Internet commerce, and includes fairly extensive coverage of past and present Internet commerce related security problems in order to given a general idea of areas to look out for. Although little security knowledge is assumed, some sections are intended for more technically-aware readers and may be skipped if desired. Problems in Internet-Based Electronic Commerce The creation of a global electronic commerce system will provide an extremely powerful magnet for hackers, criminals, disgruntled employees, and hostile (but also "friendly") governments' intelligence agencies. This problem is magnified by the nature of the Internet, which allows attackers to quickly disseminate technical details on performing attacks and software to exploit vulnerabilities. A single skilled attacker willing to share their knowledge can enable hordes of dilettantes around the world to exploit a security hole in an operating system or application software within a matter of hours [Gordon 1994]. One example of how easy these tools make it for neophytes to attack a system involved someone gaining super-user privileges on a Unix system and then trying to execute DOS commands. The Internet also enables an attacker to perform attacks over long distances with little chance of detection and even less chance of apprehension. The ability to carry this out more or less ...