Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

A quick introduction to WiFi Security Network
Having just battled a bit with a getting a wireless print server to connect to a Wifi network, and finding that the solution hinged on a few details in the WiFi security system, I thought that others might benefit from an overview, so here goes:

There are currently three levels of security (besides none). Here they are, listed in order of increasing security:
  • WEP (Wired Equivalent Privacy) -- 40bit keys
  • WEP 128bit keys
  • WPA (Wi-Fi Protected Access)
WPA2 is also on the way, and should be out sometime next year. Read the rest of the hint for a bit more on each of these protocols...

WEP

WEP is the older standard, and is regarded as something of a joke in the security community, but it is at least a some level of security (better than nothing, if not by much). Almost every WiFi device on the market supports at least the 40bit keys, and most support 128bit keys. To someone with the right knowledge (or the right program) WEP can be broken nearly 100% of the time ... but most people don't have this knowledge.

The passwords for the two different versions are either 40 or 128 bits long, and the standard defines a method for turning a 5 or 13 character password (respectively) into the key. However, the standard did not say anything about turning keys of other lengths into the appropriate length key ... so naturally everyone has their own way of doing it, and they are sometimes incompatible.

This means that if you are using products from different vendors, you should try and make sure that your passwords are the correct length for the security level you have chosen. Many systems also allow you to enter in the hex version of the password, sometimes by typing a '$' before the password (which is always the same), but it is just easier to make sure you have the right length password to begin with.

One last piece of the puzzle that WEP provides is that there are up to four different slots for keys to go into. This was originally included into the specification so that large access point providers could have some room for providing different levels of access, but I have never seen it used. The one reason that this is important to mention is that Apple's implementation only allows you to use the first key slot.

WPA

Support for WPA is still spotty in some areas; in fact, it is not even part of the standard install of WindowsXP (it is a free download). It also was not a part of 10.3, but is a part of the AirPort software available through Software Update (and on the CDs provided with both AirportExtreme and AirportExpress hardware). Support on Linux is more complicated than I am going to get into here. WPA is considered fairly good security, but if you provide it with short or bad passwords, it can be broken (via a dictionary attack).

Having seen the problems in WEP, the WiFI group made a good strides in solving the problems with WPA ... and so far it seems that they have pulled it off. The system for generating passwords now accepts passwords of any length, and it is the same everywhere. So you can make your passwords of any length, but short ones are still guessable.

Other considerations

Many WiFi access points also provide two other security measures: WiFi ID control (also called MAC control), and suppressing the SSID broadcast.

Every WiFi device has a number assigned to it that should be unique, so every card has its own number that is used as an ID number. Routers can use this number to decide who they want to talk to, and who they want to ignore. By making a list of the WiFi devices that are allowed to use an access point, it can then refuse to talk to any that are not on that list.

Some WiFi cards have the ability to lie about their WiFi ID, and so can pretend to be another device. If someone is trying to break into your network, they can simply listen in on the traffic already in the air and pick out a WiFi ID that is authorized, and then try and break the other forms of security that might be on the network. This is another thing that is not too difficult, but it requires that you know how to do it. It also requires that your hardware supports it, and so it's another security hurdle that you can put in the way of a hacker.

The last security hurdle available is to have your access point not broadcast its SSID number. That means that when you go to join a WiFi network, your network would not show up by itself, you would have to type it in manually. Once again, if someone is listening in on your network, they could pick this information out of the air, so in general this is not a great security measure.

As a summary: the best form of security available for WiFi is currently WPA. It is also the easiest to use, if all your devices support it.
    •    
  • Currently 2.50 / 5
  You rated: 3 / 5 (4 votes cast)
 
[28,022 views]  

A quick introduction to WiFi Security | 24 comments | Create New Account
Click here to return to the 'A quick introduction to WiFi Security' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
A quick introduction to WiFi Security
Authored by: chris_on_hints on Dec 14, '04 09:52:51AM

WPA with SSID not being broadcast and MAC control is definately the way to go... The tips that i can pass on from my experience with this:

- use software update on your airport laptops to make sure they are all up to date...

- your 'MAC' address is called 'ethernet address' in the network pane of the system preferences. Just click on your airport connection and it will be there as a mixture of numbers and letters (AB.12.CD.... etc)

- when you want to connect to a network that supresses its SSID broadcast, you cant just select it from the airport menu. Just select 'connect to other network' or whatever it says (or the internet connect application) and enter the name of the network and password manually. You can still have your mac connect to this network automatically on log in.

- and finally, make your network name and password long and NOT OBVIOUS. So: dont use your company / house / router / computer name in it, and mix numbers and letters. You wont have to remember it - that's what your keychain is for!! If your network name is hidden, people most likely wont spot it (it wont advertise its presence) and they would have to guess both the network name AND password in order to connect.


PS. you might want to skip the MAC control if you have lots of *TRUSTED* house guests who want access. Then you just need to give them the network name and password, rather than having to tweak your router settings to accomodate each new guest. (or if you have more laptops etc than your router can be told to trust)



[ Reply to This | # ]
A quick introduction to WiFi Security
Authored by: teledeus on Dec 14, '04 11:05:27AM

If you have airport extreme on all of your machines, you can also choose to broadcast in wireless G mode only. This prevents anyone with wireless B from trying to access or hack your network. It adds yet another layer of security in addition to those hints listed above.



[ Reply to This | # ]
WPA breaks my PostScript printer
Authored by: lrivers on Dec 14, '04 02:44:40PM

One weird thing that I have encountered (both with a Belkin and a Linksys wireless router) is that when I try to print over Airport with WPA enabled, my (admittedly old) PostScript printer (connected via Ethernet to the router) won't print--it gets PS errors. Connecting my laptop to the router via Ethernet works fine, as does WEP encryption.



[ Reply to This | # ]
WPA breaks my PostScript printer
Authored by: schaps on Dec 14, '04 03:18:32PM

I have a Belkin 'G' wireless router and an AsanteTalk adapter for my old Laserwriter Select 360, and it works great in all modes I have tried. I print both from OS X and Classic. I use WPA the most. You might try posting all your config info and see if any of the brains around here can come up with a solution for you.

T



[ Reply to This | # ]
IMHO, network-layer encryption is not worth it
Authored by: Lectrick on Dec 14, '04 11:22:24AM

I've had so much trouble with the various encryption standards and getting all my wireless devices (I have a lot) to use them reliably and correctly that I've simply resorted to using MAC address control on a broadcasted SSID, which works great, with the bonus of having less latency for all your internet apps. If you want encryption, you can always just use an encrypted protocol (https, ssh, etc.) in the application layer, which, IMHO, is the "right" way to do it, anyway.

I hardly use Apple's Mail these days (gmail over https rocks!) so I don't have to worry about broadcasted cleartext email passwords, either. (Perhaps just my AIM screen name, but I have encrypted chat options if I want to go secure with that stuff.)

---
In /dev/null, no one can hear you scream



[ Reply to This | # ]
A quick introduction to WiFi Security
Authored by: raider on Dec 14, '04 12:04:41PM
Of course, no discussion about WiFi security is complete, without mentioning the tools to crack it. WiFi is not secure. Period. No matter what you do. MAC addresses are easily spoofed. Passkeys are easily cracked. WEP is useless...

Use common sense, good encryption, firewalls, and don't trust WiFi.

KisMac (the best one I have found)
MacStumbler (good, but not as good as KisMac)

Note: To do WiFi cracking you cannot use AirportExtreme cards (or cards that use the same chipset, like Buffalo). I use a 3rd party PCMCIA WiFi card that has the correct chipsets.

All your networks belong to us...

[ Reply to This | # ]
A quick introduction to WiFi Security
Authored by: dfbills on Dec 14, '04 12:10:05PM

This is also a great read:


Dispelling the Myth of Wireless Security

http://www.oreillynet.com/pub/a/wireless/excerpt/wirlsshacks_chap1/index.html

---
-d



[ Reply to This | # ]
A quick introduction to WiFi Security
Authored by: webbix on Dec 14, '04 04:27:26PM

I bought the wireless hacks book from O'Reilly and recommend it. Great information and useful tips. Provides in detail all you will need for home or small business wifii.



[ Reply to This | # ]
WEP is not useless
Authored by: hayne on Dec 14, '04 12:40:15PM

Note that there is a big difference between the WEP in common use a few years ago and that used by up to date software (e.g. any of the relatively recent Airport versions). The commonly held opinion of the weakness of WEP is due to bugs that were in the early implementations.

It is very difficult to crack an up to date WEP network. It would take days if not weeks as compared with the hours mentioned in the (outdated) O'Reilly article referred to in another comment.

Sure, if you have WPA available to you, you should use it in preference to WEP. But WEP provides quite strong protection.



[ Reply to This | # ]
WEP is not useless
Authored by: schaps on Dec 14, '04 12:52:14PM

I have not read that WEP protocol was improved, to the best of my memory. Do you have any links to more info on that?



[ Reply to This | # ]
WEP is not useless
Authored by: raider on Dec 14, '04 04:13:32PM
WEP has not been modified at all. In fact, the last modifications were WEP2, which brought about the 128bit keys. That was like in 2000 or 2001. WEP is just as insecure now as it was then, if not more so.

Now, there has been a standard in the works for a while. 802.11i . Since 802.11i was in the development stages - WiFi alliance took a lot of the 802.11i pieces and implemented what we know as WPA. WPA is essentially a beta version of 802.11i (or a subset).

The 802.11i standard has been finalized, and this is one of the most recent articles I can find (June 2004): 802.11i Security Specification Finalized

But it is worth noting that 802.11i is the finalization (and imporvements) of what was started with WPA - and has nothing to do realistically with WEP.

The other question is when 802.11i will make it into vendors products, and if many of the current products will be firmware updateable. (It seems as though they should be, since WPA is a good chunk of 802.11i).

However, using WPA with a GOOD (like 32 character random) password is reasonably secure. 802.11i will improve on that.

But the simple fact is that if you are using airwaves for your tellecommunication - it can be hacked. The issue is how much effort does it take. If the work level vs. payoff is too high, then the cracker will move on. That is the same with any security, even physical security. Any door can be broken down if you want to bad enough - but what is the effort and risk vs. reward ratio? At my house? Not much. ;)

[ Reply to This | # ]
802.11i needs crypto-acceleration
Authored by: _merlin on Dec 14, '04 04:37:45PM

WPA is a subset of 802.11i that doesn't require hardware acceleration. It was designed so that existing cards could be upgraded from WEP to WPA with a firmware update. Full 802.11i support requires cryptography-accelerated hardware, so unfortunately, it isn't just a firmaware update.



[ Reply to This | # ]
A quick introduction to WiFi Security
Authored by: schaps on Dec 14, '04 12:47:50PM

Good summary-- I would add that if you can move to WPA, it's worth it. Much more reliable than WEP in my experience, especially with Apple products.

I would also add that if you are limited to WEP, just go with the 40 bit (often called 64 bit on many routers in the Windows world). Why? Because they are technically the same protocol-- so someone with the knowledge to put sample packets through an encryption cracker is going to break your encryption either way-- it's a matter of intent. But in the meantime, for your use, 128 bit encryption overhead takes a lot of processing power and is noticeably slower than 40 bit, especially on file transfers.

The same then goes for MAC restriction/control-- anyone who has just cracked your network encryption can spoof the MAC address in about 2 seconds. It is not worth the hassle of reconfiguring and adding MAC addresses for new users and false security anyway. With absolute certainty, if you don't use any encryption, MAC address filtering is quite worthless as a method of security except to keep casual users out. Unencrypted, your computer's wireless NIC broadcasts its MAC address constantly, easy to pick up with a packet sniffer and spoof.

Hiding your SSID broadcast will definitely improve your security from 'drive-by' hackers. If you are not currently using your wifi network when they pass by scanning, they'll pick nothing up to investigate. An SSID is like a homing beacon. But hiding it leads to other problems if you have close neighbors-- many knowledgeable folks scan for local networks with a Stumbler-type program to set their channel to something different to avoid interference. If you can't see your neighbor's network, however, you might set it the same channel and experience poor performance and range.

If you are limited to 802.11b WEP for compatibility with guests, get a separate access point for use when they are visiting (about $20 or less nowadays)-- just unplug it when it is not needed. You can then restrict your main wireless AP to 802.11g-only with WPA. In addition, you don't have to worry about your guest giving your encryption key to anyone else, and your household users do not have to change encryption keys/passwords when the guest leaves.
A more advanced trick with the above-- if the 'guest' AP has a static IP, you can usually set your primary router to restrict it to internet-only traffic-- keep them out of your network shares. How this is done varies among manufacturers.

One more important point-- most wireless users have very little to fear from hackers/crackers. Even the simplest of "locks" on your door make the next wireless AP which has no encryption look much more enticing. Unless you live in a densely-populated area, there are very few people who actually 'war-drive' looking for networks, and those that are are primarily looking for open networks to scam a free internet connection. A small fraction of those will poke around looking for open network shares. A very small number of those will actually try to crack into computers or shares on the network. Most of those only want to see if they can do it.

The vast majority of geeks who will actually take the time to try to break into a home network that is encrypted would only be doing it to say they could-- they have no malicious intent-- they have better things to do. DON'T get so scared of wireless that you fear using it.

That's all I have-- went to lunch in the meantime, there are probably a bunch of others with the same info who have already posted. I welcome any civil discussion of my points! If I'm wrong, I want to know it!




[ Reply to This | # ]
A quick introduction to WiFi Security
Authored by: CMYanko on Dec 14, '04 01:31:24PM

I am struggling with setting up either WEP or WPA between an iBook and a Linksys router. Mostly, I don't see where to make the corresponding changes on the iBook and the AirPort setup utility seems to only work with a AirPort base station.

---
-Curt Yanko



[ Reply to This | # ]
A quick introduction to WiFi Security
Authored by: lrivers on Dec 14, '04 02:40:44PM

You need to go "Other..." in the Airport menu so you can enter the password. It works once you do that...



[ Reply to This | # ]
A quick introduction to WiFi Security
Authored by: Gabroil on Dec 14, '04 09:51:35PM

You would probably better off using the Linksis user interface. It is accessed through the web browser. I don't recall the actual IP address, but it should be in the manual or, if you lost it, you can find it online.



[ Reply to This | # ]
A quick introduction to WiFi Security
Authored by: chris_on_hints on Dec 16, '04 08:16:38AM

1- plug the iBook into the internet (via wires!) and get its software up-to-date. Run software update a couple of times to make sure you get all the airport software updates.

2- my linksys router has the default IP address of 192.168.1.1 - put that into the web browser of a machine connected to it via ethernet and enter 'admin' as the password (username is blank)

3- set up the router as desired (see all the posts above)

4- if you leave SSID broadcast on, then your iBook should spot the network. I turn on the little airport menu in the menu bar for easy access. Enter the password when prompted. Go to system prefs : network : airport and tell it to connect to that network by default (and let it put the password into your keychain).

5- then turn off SSID broadcast. sorted.

6- by the way, change the password on your router to something REALLY hard to guess...



[ Reply to This | # ]
A quick introduction to WiFi Security
Authored by: ennonymous on Dec 14, '04 04:00:03PM

Even if some may think I'm being pedantic, but there's one small error in the hint that I'd like to correct.

The key lengths in WEP are either 40 bits and 104 bits _or_ 64 bits and 128 bits. This is because the WEP algorithm adds a 24 bit so-called "initialization vector" (IV) to the key and uses this "compound key" to encrypt the data. So the shorter keys are 40 bits in length, adding up to 64 bits with the IV, and the longer ones are 104 bits and 128 bits, respectively.

Of course, all the points Karl made about WEP encryption being insecure and inferior to WPA are all true, whatever the key lengths may be. WEP keys are just too short (and the algorithm open to attack) for today's environments. I just wanted to get the terminology right.



[ Reply to This | # ]
A quick introduction to WiFi Security
Authored by: raider on Dec 14, '04 05:01:44PM

Which is 38 bits and 102 bits _or_ 62 bits and 126 bits (respectively) more than its worth. [smile]



[ Reply to This | # ]
A quick introduction to WiFi Security
Authored by: jeremyrh on Dec 15, '04 03:03:44AM

Maybe I can take this opportunity to ask a dumb question:

I use an iMac with Airport card as a "soft" base station. Works fine for connecting with an iBook also with Airport card. But I haven't found how to connect a PC to the network, since I can't find out what is the "network equivalent password" for the Airport network. Apparently if I had a "real" base station there's a way to find this out, but for the "soft" BS I seem to be out of luck.

Seems slightly ironic that there is this big thread about WEP insecurity - and I can't even crack MY OWN network :)



[ Reply to This | # ]
A quick introduction to WiFi Security
Authored by: schaps on Dec 15, '04 08:16:16AM

There are no dumb questions! Just the ones not asked...

Try this utility:
WEP Key Maker
http://www.versiontracker.com/dyn/moreinfo/macosx/12601

Let us know if that works...



[ Reply to This | # ]
A quick introduction to WiFi Security
Authored by: marook on Dec 15, '04 07:39:27PM
And here is a web version at my company:

WEP key from passphrase generator

Enjoy!

---
/Marook

[ Reply to This | # ]

A quick introduction to WiFi Security
Authored by: raider on Dec 21, '04 11:29:54AM
More info recently, on Slashdot.

[ Reply to This | # ]
Switching the default security
Authored by: MrHen on May 25, '05 11:03:37PM

My roommate has a third-party wireless access point and my AirPort card can see it just fine, but it wants to default the security to WPA. Unfortunately, the way the access point is set up it doesn't take WPA. It uses WEP.

I'd be okay with this except that the usual pop-up box to change this is grayed out.

I can manually connect to the network using the 'Other...' option and then manually select WEP, but it won't remember it or add the password to my keychain. Every other time I try and connect it will reset everything back to WPA.

Does anyone know of a way to avoid this problem? Thanks!



[ Reply to This | # ]