Tom's Hardware > All Reviews > Special > Miscellaneous > WPA - Wireless Security for the rest of us

Better than WEP

10:00 - Friday 1 November 2002 by THG Reporting Team

Article after article, wardrive after wardrive has documented the fact that most wireless networkers don't enable WEP. In my opinion, this isn't because of WEP's infamous encryption weaknesses, but more due to the fact that there isn't a consistent WEP administration method among WLAN products, including those that carry the Wi-Fi CERTIFIED mark. Some products require Hexadecimal codes, other accept alphanumeric "passphrases"... aaaah, don't get me started! And forget about managing the process of changing WEP keys, even in a home-sized network, let along a corporate one!! Add in the fact that some wireless products suffer a WEP-enabled throughput reduction of up to 50%, and you can see why WEP has such a bad reputation.

To address this part of the WLAN security problem, WPA chose Temporal Key Integrity Protocol (TKIP). TKIP takes a master key (I'll talk about where that comes from shortly) as a starting point then derives its encryption keys mathematically from the master key. TKIP then regularly changes the encryption keys so that the same encryption key is never used twice. This all happens in the background automatically, which is as it should be!

Although it'll still be standard ol' 64 and 128 bit WEP doing the actual encryption, TKIP goes a long way toward making WEP more effective as an encryption mechanism. It remains to be seen, however, whether TKIP will cause a throughput reduction. One of the sources I consulted for this article said that this was one of the issues that had made the 802.11i committee reluctant to release TKIP, and remains a significant obstacle for the real encryption fix, AES.

I've asked a number of vendors whether TKIP will cause a throughput hit, but no one has yet responded. My guess is that the answer will depend on the hardware you have, and more specifically the chipset it uses. If you presently see a throughput reduction when you enable WEP, you'll probably see an additional hit when you upgrade to WPA and TKIP starts doing its thing. Products using older Intersil PRISM or PRISM II, or Lucent / Agere Systems chipsets would be the most likely candidates for an additional throughput trim. What happens to WLAN equipment using newer chipsets (Intersil PRISM 2.5 and above, TI ACX-100, Atheros AR5001X) that presently handle WEP without flinching is anyone's guess.

But hardening WEP is only part of the WPA story. The other half is the authentication mechanism.