The IEEE created WEP to provide wireless privacy equivalent to that of traditional wired networks. WEP is designed to deter eavesdroppers and prevent unauthorized connections to wireless LANs. But the standard has a number of limitations. Gemma Paulo, a Cahners In-Stat analyst, notes, "Basically, the WEP standard is pretty lenient. They just wanted to get it out there, and they did not want it to be so complicated that it increased the cost."
Recent research reports from UC Berkeley and the University of Maryland indicate that even if you try to secure your wireless LAN through WEP, dedicated hackers could still compromise the network, most likely due to weak encryption and the reuse of encryption keys.
WEP uses the RC4 encryption algorithm, which uses the same key to scramble and descramble the packets. UC Berkeley researchers claim a diligent hacker could decipher RC4 encrypted text by gathering about five hours' worth of data. In addition, many WEP implementations use the same key.
Also, you should avoid changing your key in a predictable manner. Hackers crack codes by gathering a lot of data encrypted with the same key. If your key management system cycles through the same set of keys in a predictable manner, determined hackers can gather data from your LAN traffic and correlate it with the keys to help decipher the encryption. Their attack techniques work just as well with both 40-bit and 128-bit RC4 encryptions.
The new standard will incorporate two key components for authentication and encryption. For authentication, the task group is likely to adopt 802.1x, a new authentication management system protocol being incorporated into Windows XP and a variety of networking equipment. As a result, you could use unique encryption keys for each session, and the standard provides an infrastructure for key management. 802.1x also supports the use of centralized authentication, identification, and accounting schemes such as Kerberos and RADIUS (Remote Authentication Dial-In User Service). Major vendors such as Microsoft, Cisco, 3Com, and Enterasys are adopting 802.1x.
For encryption, Task Group I is considering using either WEP2 or Advanced Encryption Standard (AES). WEP2--an encryption protocol that may be adopted for 802.11i--would be easier to implement on top of the existing WEP infrastructure, but many experts are concerned that it is not secure enough.
"Even with its enhancements, the inherent weaknesses of RC4 [the underlying encryption algorithm] will still remain," explains Dennis Eaton, vice chair of the Wireless Ethernet Compatibility Alliance. "I think that it is inevitable that we will migrate to AES, regardless of whether WEP2 becomes a standard."
