WEP help

Jacques Caron Jacques.Caron at IPsector.com
Thu Dec 5 11:37:39 EST 2002 

Hi,

The goal of WEP is (in theory) to make sure that only people who have the 
key can decrypt packets sent with that key. In the general case, this means 
you have to use so-called "pre-shared keys", i.e. keys that both ends (the 
client and the AP) know in advance. And since most APs have only a limited 
number of keys they can use, that also means that everybody is using the 
same key, and hence that everybody you give the key to will be able to 
decrypt the trafic from anyone else using the AP.

In the case of a public WLAN, the only way to use WEP is together with 
802.1x. This means:
- the client must support 802.1x, the appropriate EAP method chosen, and 
dynamic keys
- the AP must support 802.1x and dynamic keys
- you must have a RADIUS server with support for EAP and the appropriate 
EAP method chosen and the generation of dynamic keys.

In that case, when a user connects, it authenticates using the relevant EAP 
method, and a dynamic WEP key is generated and used just for that client 
(i.e. the AP handles one WEP key for each client). And no-one but the 
client and the AP can decrypt the trafic sent between them using that key.

Now, depending on what your exact security goals are, there are quite a 
number of alternatives:
- do not use WEP at all, and rely on the users having appropriate VPN 
software and/or SSL/TLS-enabled software (and servers to talk to)
- do not use WEP at all, and provide some other form of encryption for the 
customers (PPPoE, PPTP, L2TP, IPsec)

I would personally recommend using WEP with 802.1x, since:
- 802.1x is built into Windows XP
- there is now a free 802.1x add-on from MS for W2K
- versions for other Windows platforms are coming
- there is a free 802.1x client for Unix systems (open1x aka xsupplicant)
- hostap supports 802.1x
- there are free (freeRADIUS) and commercial (many) RADIUS servers that 
support 802.1x
- this will give you security and accounting
- this scheme is the only one that will enable WLAN roaming in a secure, 
open and transparent fashion

Obviously, you still need a way to allow users with 802.1x or a 
subscription to connect (without WEP) to a limited set of pages to know 
what they need, subscribe, download the necessary software, etc.

Let me know if I can be of any help :-)

Jacques.

At 17:19 05/12/2002, Doug Yeager wrote:

>Im looking for some kind of help guild to explain to me the basic concepts 
>of WEP.
>
>
>
>Right now I have a few wireless nodes serving various coffee shops.  I 
>have not experimented with WEP.
>
>
>
>What I think it does is this:  allow any client to select to use WEP and 
>pick their own key.
>
>Then they can talk w/ the AP using that encryption key that they picked.
>
>
>
>But those who just want to talk w/ the AP w/o WEP can do so also.
>
>
>
>I may be wrong on how WEP is used but that is what I thought it should do.
>
>
>
>Ive experimented w/ setting my AP in open mode w/ some random key using 
>iwconfig util.
>
>
>
>Iwconfig wlan0 s:aircom open
>
>
>
>This doesnt seem to do what I want.  Actually it cuts off communication to 
>my clients.
>
>
>
>
>
>If someone could clear up how wep is used, it may help a bit along with 
>what commands to enable it how it want to use it would be helpful.
>
>Or if a document tells me somewhere, that reference would be great.
>
>
>
>Thx much,
>
>doug


-- Jacques Caron, IP Sector Technologies
    Join the discussion on public WLAN open global roaming:
    http://lists.ipsector.com/listinfo/openroaming

More information about the HostAP mailing list