9.3 WEP

SSID by itself does not provide enough security for most administrators. To further secure a WLAN, many administrators will enable Wired Equivalent Privacy (WEP). WEP is a form of encapsulation that is part of the 802.11 standard.

WEP uses symmetric key encryption to secure data between an end user and an access point. It cannot be used to secure traffic between end users in a peer-to-peer network. The WEP standard specifies the RC4 (a stream cipher designed by Ronald Rivest) pseudorandom number generator (PRNG) algorithm to encrypt key transmissions between the two devices. The key is stored on both the WLAN network card and the access point, and all data sent between the network card and the access point is encrypted using the key. The 802.11 standard does not have provisions for a key management system, so all keys are managed manually.

The WEP standard does not allow for multiple keys bound to an access point. So, all users have the same key bound to their network card, and each access point only has one key. The WEP key can be used in a manner similar to SSID, allowing administrators to limit which users can gain entrance to the network using certain access points.

WEP uses a 24-bit initialization value to create the key. There are two types of encryption: (1) a 40-bit encryption key and 64-bit encryption and (2) 104-bit encryption key and 128-bit encryption. Obviously, the more encryption the better, but not all manufacturers support 128-bit encryption, and the 802.11 standard requires only a 64-bit key.

WEP encapsulation is known to have severe security flaws. An attacker using a program like AirSnort can sniff enough information to break WEP encapsulation with only 500 MB of data.

In addition to known flaws in the WEP encryption algorithm, another problem associated with WEP security is key management. Different keys can be associated with different access points or groups of access points, but all users who are authorized to use an access point have to have the same key enabled on their WLAN network card.

If an organization has a security policy that requires passwords to be changed within certain periods of time, then WEP keys will have to be changed often enough to comply with the policy. This means not just updating the key on the access point, but all users who use the access point will have to change the key on their WLAN network cards.

Since all users of an access point have the same key on their systems, the new key will need to be communicated to everyone who is supposed to have it. That creates an additional problem for network administrators: The updated keys have to be communicated in a manner that is secure, but practical.

WEP key updates should be communicated to users verbally or through encrypted mail messages. After the new keys have been put in place, communications containing the key should be deleted.

WEP does not provide enough security to serve as a stand-alone method of data protection. WEP encryption used in conjunction with a nonbroadcasted SSID provides a better level of security. However, even the combined protocols do not provide adequate security for an enterprise network. If WEP and SSID protection are to be used on the network, it should be with the understanding that they are simply better than no protection.