Brute Force Attacks
Another approach to determining the WEP key is to use brute force. The shared secret portion of the WEP key is either 40 bits or 104 bits, depending on which key strength you are using. Security researcher Tim Newsham discovered that the key generators from some vendors are flawed. A brute force attack on a 40-bit key using a weak key generator could take less than a minute to crack.
Key generators enable a user to enter a simple pass phrase to generate the key, instead of entering the key manually with hexadecimal numbers. A 40-bit WEP key shared secret would require 10 hexadecimal numbers; a 104-bit WEP key shared secret would require 26 hexadecimal numbers. As a convenience, some vendors allow you to enter a pass phrase in ASCII that will generate the 10 or 26 hexadecimal numbers for you. The use of a key generator is completely proprietary and not part of any standard. However, note that several different vendors all use the same key generation algorithm.
Tim Newsham discovered that there are a number of problems with the key generators for several vendors. In one example, he noticed that for 40-bit keys, part of the key generation process included a 32-bit seed used in a PRNG. Because the highest bit of each ASCII character is always 0 and the key generator relied on XORing ASCII values, Tim discovered that instead of 00:00:00:00 – ff:ff:ff:ff (32 bits) of possible seeds, only values 00:00:00:00 – 00:7f:7f:7f needed to be considered. This reduced the actual entropy of the PRNG seed to 21 bits. Using a PIII/500 MHz laptop performing 60,000 guesses per second, Newsham was able to crack a 40-bit WEP key from a key generator in 35 seconds.
The moral of the story: Don't use key generators! Enter your WEP key using manual hexadecimal numbers. When done in this manner, a 40-bit WEP key would have taken 210 days to crack (not a terribly difficult task, when attacked by a Linux cluster).
Alternatively, you can implement 104-bit WEP. Tim noted that the key generator used for 104-bit WEP was not flawed. It was based on an MD-5 hash of the pass phrase. He estimated that a brute force of this key would take 1019 years. Clearly, brute forcing a 104-bit key is a much more difficult task then brute forcing a 40-bit key. When using WEP, always deploy the largest key size available.