CertiGuide to Security+
Chapter 2: Communication Security (Domain 2.0; 20%)
2.6 Wireless


2.6.3  WEP/WAP
(Page 1 of 2)


To protect an 802.11b network from unauthorized use and “snooping”, you can enable packet encryption via WEP. Different cards have different levels of support for WEP. WEP uses the RC4 encryption scheme (refer to encryption for details on RC4) with a key that can be 40, 64 or 128 bits in length. (New models released in the second half of 2002 offer 256-bit encryption.) The 802.11 design for RC4 uses a shared key. When a node asks to register, the access point sends it a random number. The receiving node encrypts that number with the pre-shared secret key and sends back the result. The access point checks the result and, if it is correct, allows the node to sign on. Data between the devices is then encrypted with a key of one of the lengths listed above.

The method described is known as one-way authentication. Stated another way, the access point knows only that the node belongs to some group of computers that has the pre-shared key; it cannot identify a specific computer.

Given this, it is possible for a rogue computer to pretend it is an access point.

When enabling WEP (Wired Equivalent Privacy) on a network, the encryption key must be the same among all the devices, including the wireless base station providing network connectivity.

Another difficulty with WEP is that it is possible to “break” this WEP encryption and gain access to the network.

RC4 Issues

Another issue with WEP is its use of RC4 over a wireless link. RC4 was designed for a synchronous stream, but the nature of wireless communications is such that the signal can be dropped very easily. The designers addressed this challenge by changing the key for every packet. This uses up unique keys very rapidly, which forces key reuse, and key reuse breaks a cardinal rule in RC4 design. This is the good part of WEP.

The less than stellar news in the design of 802.11b and WEP is that the use of RC4 includes, as part of its logic, a number known as an initialization vector, or IV, that is not encrypted. Too many product offerings start the IV at the number we call 1, then use 2 for the next IV, followed by 3, etc. So, scoop up about 5 million packets of data and you can figure out the WEP pattern. In a large wireless network with heavy usage, the combination of keys is used up within hours, as proven by research at the University of Maryland [241] and the Berkeley campus of the University of California [242]. A single intruder sending an email to a valid email address on the wireless network further reduces security, since the intruder knows what the unencrypted message contained, narrowing the search pattern. If an intruder doesn’t want to work hard, they simply take the lazy approach and use a program such as Airsnort [243], wepcrack [244] or airtraf [245]. The moral of the story is: change keys often.
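Why the key reuse and the unencrypted, predictable IV described in the two paragraphs above matter, as an added example that is not code from the guide: WEP forms each packet's RC4 key from the cleartext IV followed by the shared key, so two frames that carry the same IV are encrypted with the same keystream. The key, messages and station names are constructed, and the CRC-32 integrity value WEP appends to each frame is left out.

```python
from collections import defaultdict

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key schedule, then n bytes of output."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: int, shared_key: bytes, plaintext: bytes) -> bytes:
    # Per-packet RC4 key = cleartext 24-bit IV + shared key (CRC-32 ICV omitted here).
    return xor(plaintext, rc4_keystream(iv.to_bytes(3, "big") + shared_key, len(plaintext)))

def find_iv_reuse(frames):
    """Group (station, iv, ciphertext) frames by IV; return IVs seen more than once."""
    by_iv = defaultdict(list)
    for station, iv, ct in frames:
        by_iv[iv].append((station, ct))
    return {iv: seen for iv, seen in by_iv.items() if len(seen) > 1}

# Constructed sample: two stations share one key and both start their IV counter at 1.
SHARED_KEY = bytes.fromhex("0102030405")      # constructed 40-bit key
MAIL = b"Subject: lunch menu for Friday"      # plaintext an outsider already knows
PAYROLL = b"Payroll batch 0042 approved..."   # same length, not known to them
FRAMES = [
    ("station-A", 1, wep_encrypt(1, SHARED_KEY, MAIL)),
    ("station-A", 2, wep_encrypt(2, SHARED_KEY, b"x" * 30)),
    ("station-B", 1, wep_encrypt(1, SHARED_KEY, PAYROLL)),
]

def demo():
    reused = find_iv_reuse(FRAMES)
    (_, c1), (_, c2) = reused[1]
    # Same IV and key give the same keystream, so it cancels out of c1 XOR c2.
    leak_matches = xor(c1, c2) == xor(MAIL, PAYROLL)
    recovered = xor(xor(c1, MAIL), c2)   # one known plaintext exposes the other
    return sorted(reused), leak_matches, recovered

if __name__ == "__main__":
    print(demo())
```

Only IV 1 is flagged; the frame sent with IV 2 uses a different keystream. This is why a repeated IV under an unchanged key is the condition to look for when reviewing a WEP deployment.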

Although theoretically Wired Equivalent Privacy is supposed to be as secure as an actual wired network, the reality is that this isn’t the case. As you can see, the challenge with WEP is that, for a variety of reasons, it cannot withstand the attention of compromising attacks. Because of this, if you are deploying a wireless network, you should strongly consider using hardware that allows you to control access to the wireless LAN based on MAC address, or consider a tunneling protocol between wireless devices and access points.

Still, keep in mind that in most situations, WEP is better than no WEP. It will stop some potential attackers, and probably slow down others. Even if you assume that your WEP protection will be subverted, the fact that you attempted to employ that protection is one way to demonstrate that you were not negligently making your wireless network available to the world with no protection whatsoever.


Wired Equivalent Privacy (WEP) uses RC4 encryption.

The same encryption key must be used among all devices, including the wireless base station providing network connectivity.

Although WEP is theoretically as secure as a wired network, practically speaking, WEP has proven vulnerable to attacks in the real world.


In the future, 802.11i will include support for TKIP (Temporal Key Integrity Protocol) security you can add to hardware with a firmware upgrade. TKIP is a temporary improvement to WEP security; eventually, it will be replaced by AES just as TKIP is replacing WEP. To read more about it, see and the Future Tip Better Wireless Security previously mentioned.

Real World Wireless

Does your organization have a wireless network (or two? or more?)? Check to make sure that you’re using the longest WEP key your hardware supports. Also investigate running VPN software over your WLAN connections, to protect your network from unauthorized access.


241. William A. Arbaugh, University of Maryland

242. Nikita Borisov, Ian Goldberg, and David Wagner





CertiGuide for Security+
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.