76. About 802.11 Security Strategies
When the Ethernet 802.11 standards for WiFi networking were first established by the IEEE (Institute of Electrical and Electronics Engineers), it was readily apparent that security standards had to be established for wireless networking. Because the network medium is radio signals, anyone who cares to "listen" with a WiFi-enabled computer such as a laptop and some additional software for capturing data packets can eavesdrop on a WiFi network.
Obviously, you can turn off your SSID broadcast to help hide your WiFi network (see Turn Off Server Set IDs (SSIDs) Broadcasts), but any committed hacker can still "listen" to radio network traffic on different frequencies and capture data packets. After the packets are captured, they can be deciphered; these packets contain information such as IP addresses, user names, passwords, and all sorts of stuff that the hacker can then use to gain illegal access to your WiFi network.
The first security protocol developed for WiFi networks was WEP (Wired Equivalent Privacy). It was developed to secure the 802.11b WiFi standard. WEP uses two strategies for protecting the data traveling on the WiFi medium (the radio waves): shared key authentication and data encryption.
WEP (Wired Equivalent Privacy) A WiFi security protocol that encrypts data and uses shared keys for the encryption and decryption of data at the sending and receiving ends of the data transfer. WEP was originally created for use with 802.11b networks.
Authentication key A hexadecimal character string used to validate a user or device as the intended connection point or recipient of a data stream.
Shared key authentication means that an authentication key is configured on the WiFi router. The authentication key is hexadecimal number that is either 64 or 128 bits long. The greater the number of bits, the more secure the key, so you will want to use a key that is 128 bits if you use WEP security.
The authentication key can be generated automatically by the router, or you can enter the number yourself (because the authentication key is in hexadecimal, if you don't know how to enter hexadecimal numbers, you might prefer to use the automatic key-generation feature). For a WiFi-enabled computer to join the network hosted by the WiFi router, that computer must be configured with the same authentication key that is configured on the router. If a WiFi-enabled computer attempts to access the WiFi network without the WiFi adapter on the computer being configured with the shared authentication key, the router denies that computer access to the network.
A hexadecimal number is a base-16 number. In everyday life, we use base-10 numbersthat is, we have 10 primary numbers (09) in our numbering system. Base-16 has 16 numbers in its numbering systemthe numbers 09 and then the letters AF. Because the router can generate hexadecimal keys automatically, you don't really need to know how to use the hexadecimal system. The automatically generated hexadecimal keys for WEP or WPA WiFi security are no less secure than a key you would create from scratch using the hexadecimal numbering system. When a 64-bit hexadecimal key is generated, it consists of 10 characters (but is equal to 64 bits). When a 128-bit hexadecimal key is generated, it consists of 26 characters. For example, the 10-digit key 10A8319D9D is an example of a 64-bit hexadecimal key and the 26-digit key 10A8319D9D29DCDCC04C313AC5 is an example of a 128-bit key.
Data encryption is the process of coding data so that it cannot be read until it is decrypted at its final destination. So, when WEP is enabled on the network (meaning on the WiFi adapters for the individual computers and on the WiFi router), the data is encrypted by the sending computer and then decrypted by the receiving computer. WEP encrypts only the data; it does not encrypt the shared authentication keys. Unfortunately, the encryption is only in force when data is sent over the WiFi signal. The data is not encrypted if it moves from the WiFi infrastructure to a wired network. If someone is eavesdropping on your WiFi network (software is available that allows for the capture of data moving on a WiFi network), that person can take a look at the data stream and eventually determine what the authentication keys are. Once the hacker has the authentication key, he can intercept the data and decrypt it as if he were the intended recipient.
WEP also does not have the ability to generate a new authentication key after a specified amount of time. WEP also does not require user authentication when data is received and decrypted. Not authenticating the user at the other end of the data transmission opens up the data transfer to the possibility of being intercepted and decoded by someone other than the intended recipients.
Encryption The translation of a message into a secret code. After a message is encrypted, a key or other identification method (such as a password) is needed to decipher the message.
Now you probably think that with data encryption and shared key authentication, there is no way a hacker can breach your network security. However, WEP uses a static key, meaning that the authentication key is transmitted with each data set (the key is repeated often). So, as more and more data is sent over the network, a hacker might be able to decipher parts of the key because the key doesn't change. So, the more data the hacker captures by monitoring the network (people can monitor the network even if they can't log on), the more information they can piece together over time; eventually, the hacker will have enough information to determine the key and be able to decrypt the data you assumed was secure. In fact, it is estimated that a hacker monitoring a network for less than a day can accumulate enough information about the keys to begin to decode the encrypted messages.
To shore up some of the shortcomings of WEP (which was available when 802.11b WiFi devices became available in 2000), a new WiFi security protocol was rolled out in 2002: WPA (WiFi Protected Access). WPA scrambles the shared authentication keys, generates new keys at a given interval, and also has capabilities for checking whether a key has been tampered with by a computer other than the sending or receiving device. WPA also provides for the encryption of the data being transferred on the WiFi network and uses an encryption algorithm that is stronger than the WEP algorithm. WPA also requires user authentication during the process of sending and receiving data over the network. So, WPA addresses most of the known WEP vulnerabilities.
WPA (WiFi Protected Access) A WiFi security protocol that encrypts data and scrambles shared keys sent over the WiFi network. WPA also requires user authentication, providing greater security than WEP, which did not require user authentication.
You can configure your WiFi router to use WEP or WPA security. Choose one or the otheryou can't run both protocols simultaneously. If you choose WPA, all the WiFi devices on the WiFi network must be configured to use WPA. If you have some older devices that don't support WPA, you might have to go with WEP to accommodate those devices.
If you really want the WiFi network to be truly protected, you will want to use WPA. The configuration of WEP and WPA are similar, so in my mind you should go with WPA. Refer to Configure Wired Equivalent Privacy (WEP) Security and Configure WiFi Protected Access (WPA) Security for instructions on configuring these two security protocols on your network's router.
You might wonder why WiFi routers provide for WEP security, seeing as it isn't that secure. You might have some older 802.11b WiFi adapters on your network that are not compliant with the WPA standards. And because the general thought is that any security is better than no security, you should use WEP if you can't configure all your WiFi adapters and other hardware for WPA. WPA didn't actually become available on WiFi routers until 2002, so it is relatively new, and it is possible that you have some legacy WiFi hardware that isn't WPA-complaint. In fact, some new wireless gaming consoles coming out use only WEP. WPA is an option on nearly all new WiFi routers and WiFi adapters; use WPA if you can.