When setting up a home or small business wireless network, the first thought should be about security - keeping your information private and keeping unauthorized persons out. There are several standards for wireless networking and encryption. Which is the best choice for a small network and why?
WEP - Wired Equivalent Privacy
WEP stands for “Wired Equivalent Privacy.” Although WEP is very common and may be the only method that older devices recognize, it is no longer recommended because it has weak security and can be easily “cracked” with free tools downloaded from the Internet.
Some router setup interfaces exacerbate the problem by offering WEP security before offering better security. Some users also run systems using WEP fully knowing about the weaknesses because they have older devices such as handhelds and laptops that can’t use more advanced security. In an effort to “hide” their less than ideal network, these same users may be tempted to hide the broadcast name, or SSID, of the network. This is actually a bad idea, not only because it’s sort of useless – scanner applications can find networks even with SSID turned off – but also because of the way Microsoft Windows Vista (and Windows 7 beta) handle hidden networks.
Windows lets the user enter the details for hidden networks, and then, enticingly, offers to watch for the network and connect automatically when in range. Imagine a wireless network named “Thunder Dome.” Normally, the server sends out a message at a fixed interval saying, “I am Thunder Dome.” Other devices can see the network and recognize it by name. Now let’s turn off the SSID. The router no longer brags about itself, but what does the laptop do? If the user has it set for automatic connections, it says, “Yoo-hoo, Thunder Dome, are you here? Yoo-hoo, Thunder Dome, where are you?”
So if the laptop is going to blab, what’s the use of hiding the network?
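To see the "blabbing" for yourself, the thing to look at is the probe request frames your own devices send. The following Python is an added example, not code from the original article: it builds a few constructed 802.11 management frames (a beacon with a zero-length, i.e. hidden, SSID; a wildcard probe; and a directed probe for "Thunder Dome") and then parses them the way an audit tool would, reporting every client that asks for a network by name. The MAC addresses and frames are constructed for the example; point the parser at frames from a real capture of your own network to check whether a laptop is advertising its saved hidden SSID.

```python
import struct

# Layout of the 802.11 management-frame header (little-endian):
# frame control (2) | duration (2) | addr1 (6) | addr2 (6) | addr3 (6) | sequence control (2)
MGMT_HDR = struct.Struct("<HH6s6s6sH")
TYPE_MGMT = 0
SUBTYPE_PROBE_REQ = 4
SUBTYPE_BEACON = 8
IE_SSID = 0
IE_RATES = 1
BROADCAST = b"\xff" * 6
RATES = b"\x82\x84\x8b\x96"  # 1, 2, 5.5, 11 Mbit/s marked as basic rates

# Constructed, locally administered MAC addresses for the example; not real devices.
AP_MAC = bytes.fromhex("020000000001")
LAPTOP_MAC = bytes.fromhex("020000000002")


def mac(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def ie(tag: int, value: bytes) -> bytes:
    """One information element: tag, length, value."""
    return bytes([tag, len(value)]) + value


def build_mgmt(subtype: int, src: bytes, dst: bytes, bssid: bytes, body: bytes) -> bytes:
    fc = (subtype << 4) | (TYPE_MGMT << 2)  # protocol version 0, no flags
    return MGMT_HDR.pack(fc, 0, dst, src, bssid, 0) + body


def beacon_body(ssid: bytes) -> bytes:
    """Timestamp (8), beacon interval (2), capability (2), then the IEs.
    A hidden network still beacons; it just sends a zero-length SSID element."""
    return struct.pack("<QHH", 0, 100, 0x0411) + ie(IE_SSID, ssid) + ie(IE_RATES, RATES)


def parse_ies(data: bytes) -> dict:
    ies = {}
    while len(data) >= 2:
        tag, length = data[0], data[1]
        ies[tag] = data[2:2 + length]
        data = data[2 + length:]
    return ies


def parse_mgmt(frame: bytes):
    """Return the parsed management frame, or None for data/control frames."""
    fc, _duration, addr1, addr2, addr3, _seq = MGMT_HDR.unpack_from(frame)
    if (fc >> 2) & 0x3 != TYPE_MGMT:
        return None
    subtype = (fc >> 4) & 0xF
    body = frame[MGMT_HDR.size:]
    if subtype == SUBTYPE_BEACON:
        body = body[12:]  # skip the fixed beacon fields that precede the IEs
    return {"subtype": subtype, "src": mac(addr2), "dst": mac(addr1),
            "bssid": mac(addr3), "ies": parse_ies(body)}


def directed_probes(frames):
    """List (client, ssid) for every probe request that names a specific network.
    A zero-length SSID is the wildcard probe and reveals nothing about saved networks."""
    leaks = []
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed and parsed["subtype"] == SUBTYPE_PROBE_REQ:
            ssid = parsed["ies"].get(IE_SSID, b"")
            if ssid:
                leaks.append((parsed["src"], ssid.decode("utf-8", "replace")))
    return leaks


# Constructed sample: the AP beacons with its SSID hidden, the laptop sends one
# wildcard probe and then one directed probe for the network it has saved.
SAMPLE_FRAMES = [
    build_mgmt(SUBTYPE_BEACON, AP_MAC, BROADCAST, AP_MAC, beacon_body(b"")),
    build_mgmt(SUBTYPE_PROBE_REQ, LAPTOP_MAC, BROADCAST, BROADCAST,
               ie(IE_SSID, b"") + ie(IE_RATES, RATES)),
    build_mgmt(SUBTYPE_PROBE_REQ, LAPTOP_MAC, BROADCAST, BROADCAST,
               ie(IE_SSID, b"Thunder Dome") + ie(IE_RATES, RATES)),
]

if __name__ == "__main__":
    for client, ssid in directed_probes(SAMPLE_FRAMES):
        print(f"{client} is asking for {ssid!r} by name")
```

The hidden beacon and the wildcard probe both carry an empty SSID element and are ignored; only the directed probe is reported, which is exactly the frame that gives the "hidden" network's name away.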
WEP was originally designed to use a 40-bit security key. 40 bits is five bytes, and there are 2^40 (a really large number) possible key combinations. Even though that is a large number, small computers can defeat a 40-bit key by using a “brute force” attack that consists of running through all of the possible combinations until a match is made.
Security, in a sense, is based on time – how long it will take a computer to “crack” the key. At least in theory, all schemes are crack-able, but when the computer time required to crack the key requires years or decades, we can feel pretty secure.
Later WEP went to a 128-bit key. This can usually be recognized because the key will contain 26 characters with a mix of letters and numbers (hexadecimal, or base 16, digits). A 128-bit key in a WEP network is certainly better than a 40-bit key, but there are other problems that make WEP less desirable than other solutions.
What does a WEP conversation look like? Let’s go back to our imaginary network. For our purposes, the SSID is being broadcast, and the laptop knows the security key.
The router says, “I am Thunder Dome.”
The laptop says, “I want to talk to you.”
The router responds, “Do you really want to talk to me?” and transmits some bully good information in response.
The laptop receives this data, munches on it, considers the security key it already knows, and sends back a combination of the bully good information and the security key in a second request for acknowledgment.
The access point looks at the returned message and compares it to the bully good information it originally sent out. If all’s well, the router sends, “OK, then talk.” If there’s a problem, the router says, “I know thee not.”
Once this conversation has taken place, WEP becomes responsible for maintaining encryption during the extent of the session.
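The exchange above is WEP's shared-key authentication, and the "bully good information" is a block of random challenge text. The Python below is an added example, not code from the original article: it implements a toy RC4 and the WEP frame format (3-byte IV in the clear, then RC4 over the data and its CRC-32 integrity value), and then plays the conversation between an access point and a client, showing that the right key gets "OK, then talk" and a wrong key gets "I know thee not." The 40-bit keys are constructed values for the demonstration.

```python
import os
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation), the cipher WEP is built on."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 3-byte IV goes out in the clear, followed by
    RC4(IV || key) applied to plaintext || CRC-32 integrity check value."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, body: bytes):
    """Undo wep_encrypt; returns None when the ICV does not match (wrong key or tampering)."""
    iv, ciphertext = body[:3], body[3:]
    plain = rc4(iv + key, ciphertext)
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        return None
    return data


# The messages of WEP shared-key authentication, in the article's words.
def ap_challenge() -> bytes:
    """'Do you really want to talk to me?' plus 128 bytes of random challenge text."""
    return os.urandom(128)


def client_response(client_key: bytes, challenge: bytes) -> bytes:
    """The client returns the challenge encrypted under the key it already knows."""
    return wep_encrypt(client_key, os.urandom(3), challenge)


def ap_verify(ap_key: bytes, challenge: bytes, response: bytes) -> bool:
    """'OK, then talk.' only if the decrypted response equals what was sent."""
    return wep_decrypt(ap_key, response) == challenge


def shared_key_auth(ap_key: bytes, client_key: bytes) -> bool:
    """Run the exchange end to end; True means the AP admits the client."""
    challenge = ap_challenge()                         # after the client's "I want to talk to you"
    response = client_response(client_key, challenge)  # second request for acknowledgment
    return ap_verify(ap_key, challenge, response)      # "OK, then talk." / "I know thee not."


# Constructed 40-bit keys for the example; real keys would of course be random.
KEY = bytes.fromhex("0102030405")
WRONG_KEY = bytes.fromhex("0102030406")

if __name__ == "__main__":
    print("right key :", shared_key_auth(KEY, KEY))        # True
    print("wrong key :", shared_key_auth(KEY, WRONG_KEY))  # False
```

Note what crosses the air in this exchange: the challenge in the clear, and then the same bytes encrypted under the key together with the IV. Anyone listening gets a plaintext/ciphertext pair from every login, which is the design weakness behind the spoofing the next paragraph mentions.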
A weakness of WEP is that bad applications can examine the packets being communicated between the access point and the client and eventually figure out the security key. It’s also possible to spoof the system, for example by pretending to be a preexisting client.
In summation, WEP is weak. Only use it if you have no other option.
WPA - Wi-Fi Protected Access
WPA, or Wi-Fi Protected Access, is the successor to WEP. It comes in two flavors: WPA and WPA2. WPA was originally a patch-in-time for the ailing WEP. WPA2 is the finished product. Quite a bit more is going on during a WPA2 connection, but the main points to take away are that the initiation of the exchange is more secure than WEP, and the encryption is stronger.
In general, the connection starts with a preamble. This preamble is based on EAP, for “Extensible Authentication Protocol.” Then there’s an exchange called the “handshake” that shares important information like the client’s MAC address and the base station’s MAC address and sets up encryption for the connection. This exchange also prepares the connection for broadcast and multicast decoding.
WPA requires a password between 8 and 63 characters long. WPA2 is intrinsically secure, even though most home users are not fortunate enough to have a PEAP authentication server running and therefore rely on a passphrase. That said, any network security based on passwords or passphrases is only as strong as the password is difficult to break. This also, of course, depends on how determined your attacker is.
Great passwords or security keys are not warm and cuddly. In fact, they are not even human-friendly. Here’s an example of a decent security key:
=I?w%tb1vaaAUm"k7aQ-Mb=ZAK&/ZhOg"h?rsH3v)wzh};zIl.sr(q/Ew&&Zx!8
That one has 20 characters and was automatically generated at kurtm.net
WPA using a preshared security key is called WPA-PSK. As you can see, strong security keys can be really unwieldy. You wouldn’t, for example, want to enter one in your PDA using a stylus. Emailing one also adds unneeded exposure. Windows Vista likes to ask for a USB FLASH drive to share the security key just because strong keys need to be arcane and complex.
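What a WPA-PSK router actually does with that unwieldy passphrase, and why its length matters, can be shown in a few lines. The Python below is an added example, not code from the original article or from kurtm.net: it derives the WPA/WPA2 pairwise master key from a passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID, which is the standard's definition), generates a random printable-ASCII passphrase like the one printed above, and compares how long exhausting the key space takes for WEP's 40-bit key versus passphrases of different shapes. The guessing rate of one billion per second is an assumption for illustration only, and the "password"/"IEEE" pair is the IEEE 802.11i test vector.

```python
import hashlib
import math
import secrets
import string

# The printable ASCII set (94 symbols) that WPA passphrases may draw from.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 256 bits of output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def key_space_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random key of `length` symbols from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every key at the given rate (the attacker's worst case)."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def generate_passphrase(length: int = 63, alphabet: str = PRINTABLE) -> str:
    """A random passphrase of the kind printed above, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(guesses_per_second: float = 1e9) -> dict:
    """Years to exhaust a few key spaces at a constructed guessing rate. The 1e9/s
    default is an assumption for illustration; real rates depend on the attacker's
    hardware and, for WPA, on the 4096 PBKDF2 iterations every guess must pay for."""
    cases = {
        "WEP 40-bit key": key_space_bits(5, 256),
        "8 lowercase letters": key_space_bits(8, 26),
        "12 mixed-case letters and digits": key_space_bits(12, 62),
        "63 printable characters": key_space_bits(63, 94),
    }
    return {name: years_to_exhaust(bits, guesses_per_second) for name, bits in cases.items()}


if __name__ == "__main__":
    pmk = wpa_psk("password", "IEEE")  # IEEE 802.11i test vector
    print("PMK:", pmk.hex())
    for name, years in compare().items():
        print(f"{name:35s} {years:12.3g} years")
    print("fresh passphrase:", generate_passphrase())
```

Two things fall out of the numbers. An eight-letter lowercase passphrase has fewer possibilities than WEP's original 40-bit key, so choosing WPA2 buys little if the passphrase is that weak; and because the SSID is the salt, a precomputed table of guesses only applies to networks with that exact name, which is one more reason not to leave the router's default SSID in place.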