11 STANDARD STATES THAT WEP PROVIDES FOR PROTECTION FROM CASUAL EAVESDROPPING

802.11 standard states that WEP provides for protection from casual eavesdropping. Instead,the driving force behind WEP is privacy. In cases that require high degrees of security, othermechanisms should be utilized, such as authentication, access control, password protection,and virtual private networks.Despite its flaws,WEP still offers some level of security, provided that all its features areused properly.This means taking great care in key management, avoiding default options,and ensuring that adequate encryption is enabled at every opportunity.Proposed improvements in the standard should overcome many of the limitations of theoriginal security options and should make WEP more appealing as a security solution.Additionally, as WLAN technology gains popularity and users clamor for functionality, boththe standards committees and the hardware vendors will offer improvements. It is criticallyimportant to keep abreast of vendor-related software fixes and changes that improve theoverall security posture of a wireless LAN.With data security enabled in a closed network, the settings on the client for the SSIDand the encryption keys have to match the AP when you’re attempting to associate withthe network, or the attempt will fail.The next few sections discuss WEP as it relates to thefunctionality of the 802.11 standard, including a standard definition of WEP, the privacycreated, and the authentication.WEP provides some security and privacy in transmissions to prevent curious or casualbrowsers from viewing the contents of the transmissions between the AP and the clients. Inorder to gain access, an intruder must be more sophisticated and needs to have specific intentto gain access. Some of the other benefits of implementing WEP include the following:

■

All messages have a CRC-32 checksum calculated that provides some degree ofintegrity.

■

Privacy is maintained via the RC4 encryption.Without possession of the secretkey, the message cannot be easily decrypted.

■

WEP is extremely easy to implement. All that is required is to set the encryptionkey on the APs and on each client.

■

WEP provides a very basic level of security for WLAN applications.

■

WEP keys are user definable and unlimited.WEP keys can, and should, bechanged often.

Creating Privacy with WEP

WEP provides for several implementations: no encryption, 64-bit encryption, and 128-bitencryption. Clearly, no encryption means no privacy.When WEP is set to no encryption,transmissions are sent in cleartext, and they can be viewed by any wireless sniffing applica-tion that has access to the RF signal propagated in the WLAN (unless some other encryp-tion mechanism, such as IPSec, is used). In the case of the 64- and 128-bit varieties (just aswith password length), the greater the number of characters (bits), the stronger the encryp-tion.The initial configuration of the AP includes the setup of the shared key.This sharedkey can be in the form of either alphanumeric or hexadecimal strings and must be matchedon the client.WEP uses the RC4 encryption algorithm, a stream cipher developed by Ron Rivest ofRSA Security (https://traloihay.net). Both the sender and receiver use the stream cipher tocreate identical pseudorandom strings from a known shared key.The process entails havingthe sender logically XOR the plaintext transmission with the stream cipher to produce theciphertext.The receiver takes the shared key and identical stream and reverses the process togain the plaintext transmission.The Boolean logic involved in the WEP process can become extremely complex and isnot something that most wireless network users, administrators included, will ever get into.The discussion is presented here only for the sake of briefly explaining how WEP func-tions, which helps to understand how it can be cracked with the right tools and the rightamount of time.The steps in the process are as follows: