I'm using wpa_supplicant. How to know that the password is wrong when trying to connect to WEP protected AP?

Question

For WPA/WPA2, wpa_supplicant can give message of wrong-password when the connection fails in the HANDSHAKE procedure.

But when I try the WEP with a wrong password, the wpa_supplicant can get to the COMPLETED state without reporting any error.

I've searched on the internet and the only useful information I got is that someone said that iwconfigcan give the undecrypted packets in the Rx invalid crypt field. But when I using WEP and I type iwconfig, the Rx invalid crypt field is 0.

I'm wondering how do those handsets judge wether the WEP password is wrong...

Answer 1

WEP network can of two types WEP-Open and WEP-Shared. In the 802.11 standard, a device first Authenticates to the AP, and then Associates. The original designers intended that there would be a number of different Authentication methods to control who could use an AP.

In the 1999 version of the standard, 2 Authentication methods are defined: Open and Shared. In Open, any device can Authenticate to the AP. In Shared, only devices with the WEP key can successfully Authenticate.

The problem with Authenticate, is that were it is in the process of establishing connectivity, none of the higher-level protocols, like 802.1X can be run inside of the Authenticate 802.11 frames. So 802.11i does not use it, just uses Open Authenticate.

Shared Authenticate has a serious flaw, in that it is a simple challenge/response protocol. This design is very open to offline dictionary attacks. A WEP key would easily be exposed. Additionally, even in Open Authentication, a device that did not have the WEP key would not be able to communicate via the AP, as the AP would discard all data packets from the device.