The Different WiFi Authentication & Encryption Standards

The 40-bit and 64-bit Question:
Wired Equivalent Privacy (WEP) uses a stream cipher, which combines a 40-bit WEP Key with a 24-bit random number (known as the Initialization Vector, or IV) generated by the Router/AP to encrypt the data. You can think of the IV as simply a header for the key. So, for a 64-bit Cipher, the user actually contributes a key length of 40 bits (5 bytes or 10 HEX characters), and the system adds 24 bits (3 bytes) of generated data, for a total of 64 bits (8 bytes).

* If you are entering your Key in HEX format, your Key should be 10 HEX characters long.

The 104-bit versus 128-bit confusion:
In 1998, Lucent created a 128-bit WEP standard to extend the WEP key from 40-bit (64-bit) to 104-bit (128-bit) in order to strengthen the security protocol. The standard has the same inherent weaknesses as the 40-bit (64-bit) cipher; it just takes longer to crack. In this Cipher, the user contributes a key length of 104 bits (13 bytes or 26 HEX characters) and the system (Router/AP) once again generates an additional 24 bits (3 ASCII Characters) worth of overhead IV (Initialization Vector).

* If you are entering your Key in HEX format, your Key should be 26 HEX characters long.
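
As an added example (not code from the original article), the Python sketch below checks a hex WEP key against the 10- and 26-character lengths described in the two sections above and builds the per-frame RC4 seed from the 24-bit IV followed by the user's key. The function names and sample keys are constructed for illustration.

```python
import os
import string

# Hex characters typed by the user -> nominal cipher size in bits.
HEX_LEN_TO_NOMINAL_BITS = {10: 64, 26: 128}
IV_BYTES = 3  # 24-bit IV generated by the Router/AP


def parse_wep_hex_key(text):
    """Validate a hex WEP key; return (key_bytes, nominal_bits)."""
    cleaned = text.strip()
    if len(cleaned) not in HEX_LEN_TO_NOMINAL_BITS:
        raise ValueError("expected 10 or 26 hex characters, got %d" % len(cleaned))
    if any(c not in string.hexdigits for c in cleaned):
        raise ValueError("key contains non-hex characters")
    return bytes.fromhex(cleaned), HEX_LEN_TO_NOMINAL_BITS[len(cleaned)]


def wep_seed(iv, key):
    """RC4 seed for one frame: the 24-bit IV placed in front of the key."""
    if len(iv) != IV_BYTES:
        raise ValueError("IV must be exactly 3 bytes")
    return iv + key


def rc4(seed, data):
    """RC4: key scheduling over the seed, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def describe(text, iv=None):
    """Return (nominal_bits, user_secret_bits, seed_bytes) for a typed key."""
    key, nominal = parse_wep_hex_key(text)
    seed = wep_seed(os.urandom(IV_BYTES) if iv is None else iv, key)
    return nominal, len(key) * 8, len(seed)


if __name__ == "__main__":
    for sample in ("0123456789", "0123456789abcdef0123456789"):  # constructed keys
        print(sample, describe(sample))
```

Only the 40 or 104 bits the user enters are secret; the remaining 24 bits of the seed are the IV.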

The 802.11 Working Group and IEEE
In order to address the weaknesses of WEP security, the 802.11 Working Group adopted the 802.1X standard for authentication, authorization, and key management. Concurrently, the IEEE formed their Task Group to develop the 802.11i standard, which has only just recently been ratified.

The WiFi Alliance
Not wanting to wait for these two monolithic standards organizations to create a standard, the WiFi Alliance and the IEEE jointly developed the WiFi Protected Access (WPA) standard. WPA is based on a subset of the 802.11i standards:

  • Implement 802.1X EAP-based authentication to enforce mutual authentication.
  • Apply Temporal Key Integrity Protocol (TKIP) on existing RC4 WEP to impose stronger data encryption.
  • Use Message Integrity Check (MIC, or “Michael”) for message integrity.

One widely used variant of WPA is called WPA-PSK (for WPA Pre Shared Key). WPA-PSK is a simplified but still powerful form of WPA that is entirely suitable for home WiFi networking. To use WPA-PSK, a person sets a static key or “passphrase” as with WEP. But, using an Encryption format called TKIP (Temporal Key Integrity Protocol), the Key is automatically changed (or rotated) at a preset time interval, making it much more difficult for hackers to find and exploit the original Key. TKIP is generally software or firmware based, and is therefore upgradeable in most Routers (should firmware updates be provided by the manufacturer).

WiFi Protected Access Version 2.0 (WPA2) is entirely based on the aforementioned 802.11i standard that was developed by the IEEE Task Group, and is the WiFi Alliance’s approved implementation of 802.11i.

  • Certification of different hardware vendors began on September 1st of 2004.
  • WPA2 differs from WPA in that it utilizes a hardware solution called AES (Advanced Encryption Standard) instead of TKIP (a firmware/software solution).
  • All products that are WPA2 certified should be backward compatible with WPA.
  • WPA certified products should be upgradeable via a software update to WPA2.
  • Some WPA products may require a hardware change due to the computationally intensive nature of WPA2’s use of AES encryption.