WEP, WPA, and WPS - Which is Best for a Wireless Home Network? - WEP and WPA Security

Page content

WEP - Wired Equivalent Privacy

WEP stands for “Wired Equivalent Privacy.” Although WEP is very common and may be the only method that older devices recognize, it is no longer recommended because it has weak security and can be easily “cracked” with free tools downloaded from the Internet.

Some router setup interfaces exacerbate the problem by offering WEP security before offering better security. Some users also run systems using WEP fully knowing about the weaknesses because they have older devices such as handhelds and laptops that can’t use more advanced security. In an effort to “hide” their less than ideal network, these same users may be tempted to hide the broadcast name, or SSID, of the network. This is actually a bad idea, not only because it’s sort of useless – scanner applications can find networks even with SSID turned off – but also because of the way Microsoft Windows Vista (and Windows 7 beta) handle hidden networks.

Windows lets the user enter the details for hidden networks, and then, enticingly, offers to watch for the network and connect automatically when in range. Imagine a wireless network named “Thunder Dome.” Normally, the server sends out a message at a fixed interval saying, “I am Thunder Dome.” Other devices can see the network and recognize it by name. Now let’s turn off the SSID. The router no longer brags about itself, but what does the laptop do? If the user has it set for automatic connections, it says, “Yoo-hoo, Thunder Dome, are you here? Yoo-hoo, Thunder Dome, where are you?”

So if the laptop is going to blab, what’s the use of hiding the network?

WEP was originally designed to use a 40-bit security key. 40 bits is five bytes, and there are 240 (a really large number) possible key combinations. Even though that is a large number, small computers can defeat a 40-bit key by using a “brute force” attack that consists of running through all of the possible combinations until a match is made.

Security, in a sense, is based on time – how long it will take a computer to “crack” the key. At least in theory, all schemes are crack-able, but when the computer time required to crack the key requires years or decades, we can feel pretty secure.

Later WEP went to a 128-bit key. This can usually be recognized because the key will contain 26 characters with a mix of letters and numbers (which are called hexadecimal or base 16 units). A 128-bit key in a WEP network is certainly better than a 40-bit key, but there are other problems that make WEP less desirable than other solutions.

What does a WEP conversation look like? Let’s go back to our imaginary network. For our purposes, the SSID is being broadcast, and the laptop knows the security key.

The router says, “I am Thunder Dome.”

The laptop says, “I want to talk to you.”

The router responds, “Do you really want to talk to me?” and transmits some bully good information in response.

The laptop receives this data, munches on it, considers the security key it already knows, and sends back a combination of the bully good information and the security key in a second request for acknowledgment.

The access point looks at the returned message and compares it to the bully good information it originally sent out. If all’s well, the router sends, “OK, then talk.” If there’s a problem, the router says, “I know thee not.”

Once this conversation has taken place, WEP becomes responsible for maintaining encryption during the extent of the session.

A weakness of WEP is that bad applications can examine the packets being communicated between the access point and the client and eventually figure out the security key. It’s also possible to spoof the system, for example by pretending to be a preexisting client.

In summation, WEP is weak. Only use it if you have no other option.

WPA - Wi-Fi Protected Access

WPA , or Wi-Fi Protected Access, is the successor to WEP. It comes in two flavors: WPA and WPA2. WPA was originally a patch-in-time for the ailing WEP. WPA2 is the finished product. Quite a bit more is going on during a WPA2 connection, but the main points to take away are that the initiation of the exchange is more secure than WEP, and the encryption is stronger.

In general, the connection starts with a preamble. This preamble is based on EAP, for “Extensible Authentication Protocol.” Then there’s an exchange called the “handshake” that shares important information like the client’s MAC address and the base station’s MAC address and sets up encryption for the connection. This exchange also prepares the connection for broadcast and multicast decoding.

WPA requires a password between 8 and 63 characters long. WPA2, since most home users are not fortunate enough to have a PEAP authentication server running, is intrinsically secure. That said, any network security based on passwords or passphrases is only as strong as the password is difficult to break. This also, of course, depends on how determined your attacker is.

Great passwords or security keys are not warm and cuddly. In fact, they are not even human-friendly. Here’s an example of a decent security key:


That one has 20 characters and was automatically generated at kurtm.net

WPA using a preshared security key is called WPA-PSK. As you can see, strong security keys can be really unwieldy. You wouldn’t, for example, want to enter one in your PDA using a stylus. Emailing one also adds unneeded exposure. Windows Vista likes to ask for a USB FLASH drive to share the security key just because strong keys need to be arcane and complex.

Next: WPA Security Cracked? and Wi-Fi Protected Setup

WPA Security Cracked?

Last November, news agencies picked up the story that WPA security was broken. This proved to be sensationalistic, as in truth, it turned out that a couple of German technical college graduate students had found a way to break the encryption on small individual packets. This only worked if the access point was using what’s called “Temporal Key Integrity Protocol” or TKIP. Routers made in the last few years actually use a variation of WPA called WPA2. In WPA2 a choice is given for using TKIP or the stronger AES-128 encryption (Advanced Encryption System, which is also known as US Government-level encryption). Newer WPA2 devices, such as the TRENDnet 633GR wireless access point/router, try to use AES-128 before automatically falling back to TKIP and WPA.

There are a couple of other points to keep in mind about this “crack.” Security keys used in TKIP were not broken, and they still aren’t. The crack only demonstrated a way to examine very short packets. Cracking a WPA security code of twenty or more random characters has still not been demonstrated.

WPS - Wi-Fi Protected Setup

WPS, or Wi-Fi Protected Setup is the newest standard. Its goal is to make setting up a wireless home network as painless as possible, making it easy for the non-technical user to have both a protected and a secure network. This is done by automating the procedure, but using WPS will require some modern hardware on both the base station and the individual receivers.

Four types of WPS have been defined. At the simplest level, a PIN, or personal identification number, is placed on a placard or sticker on the router and works as a pre-shared key. In some designs, the key needs to be entered using the router setup. In others and more commonly, it’s preconfigured in the router memory. All home networking Wi-Fi devices made after January, 2007 support this method. Interestingly, the Windows 7 beta asks the user to obtain the PIN number from the sticker on the modem by default, although it also provides a handy link to the dialog for password (security key) entry.

Push-button configuration, or PBC, is another method. This puts a physical WPS button on the router, and simply pressing it while compatible devices are in range takes care of the details of setting up the network. I tried this with a new TRENDnet wireless adapter, which has the push-button, and a laptop with Intel 4695 AGN Wi-Fi, and it did not work. Later I found out that there is actually no requirement for client devices to support PBC.

If, as previously mentioned, you’ve seen Windows Vista offer to write the details for a new wireless network to a USB FLASH memory stick, you’ve seen the third method. There is no requirement in the standard for either client devices or the access point to support this.

The fourth and final method is called “near field communication,” or NFC. In this model, one simply places the client device close to the access point, and the setup details are communicated through the devices. Support for this model in both the access point and client devices is also not required by the standard.

So WPS is not exactly the panacea. If both devices – the access point and the client – support it, it will speed and ease network setup. However, setting up a network manually with WPA2-PSK and a truly difficult to break security key works just as well and is just as secure.


There you have it. WEP security is ubiquitous, but it’s not great security and should be your last choice unless you depend on older devices that only can use WEP. WPA is better, but it has at least one demonstrated vulnerability. WPA2 is the current standard and the best choice, especially when combined with a really strong password and AES-128 encryption. WPS aims to ease setting up small networks, but it requires two compatible devices and this currently may mean that both devices must be from the same manufacturer.

Thank you for reading this, and thank you for visiting Bright Hub!