WPA Should Wipe Out Some WEP Worries | eWeek

WPA Should Wipe Out Some WEP Worries

Written By
Francis Chu
Francis Chu
Jan 8, 2003
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

The beginning of the new year brings much-needed new security technology for the Wireless LAN industry. New products and software enhancements using WPA (WiFi Protected Access) will be announced this quarter, which will address the security shortcomings of WEP (Wired Equivalent Privacy).

WEP was developed to make wireless LANs as secure as wired ones. However, it has been plagued with many vulnerabilities and inherent security flaws. WEP also lacks robust user authentication and key management capabilities, making it hardly scalable. Although it was the only security option available for WiFi WLAN products on the market, WEP did not see much implementation in the enterprise space.

Despite these shortcomings, WEP is not completely useless. Having any security is better than having none, and WEP works fairly well for small household WLANs to protect against eavesdroppers. A few enterprises have used WEP with security appliances and VPNs to boost security.

The WiFi alliance and the IEEE drew up the WPA last year in an effort to provide better interoperable security technologies in the WiFi space. WPA certifications are expected to start the first quarter of this year. Intersil last week announced WPA software upgrades for its PRISM-based WLAN clients and access point products.

WPA provides improved data encryption through the TKIP (Temporal Key Integrity Protocol). TKIP addresses all the current WEP vulnerabilities by providing enhancements to the WEP encryption engine. TKIP provides a 48-bit initialization vector (compared to the 24-bit initialization vector used in WEP), per-packet key mixing, a message integrity code named Michael and a key distribution mechanism.

Using a 48-bit initialization vector greatly increases the number of possible shared keys that are dynamically generated. With an extended IV and new sequencing rules, TKIP can better protect against the replay and initialization vector collision attacks to which WEP is vulnerable.

The per-packet key mixing provides stronger, 128-bit based keys and a key hierarchy structure. This feature protects against key recovery attacks using tools like AirSnort, which have been used to crack weak WEP keys. The new Michael checksum algorithm safeguards against forgery attacks.

WPA can provide enterprise-level user authentication capabilities via 802.1x and the Extensible Authentication Protocol.

Although WPA is more than a temporary fix for WEP, it is not the definitive WiFi security solutions: WPA Version 2, which uses the AES-based CCMP protocol, will be introduced at end of 2003 and early 2004.

The bottom line is that WPA will be a blessing for sites beleaguered by WEP vulnerability problems, although WPAs user authentication management features should have been in WEP in the first place. In addition, WPAs enhanced encryption capabilities mean there will be network throughput implications if WPA is used in legacy WiFi products.

What are your thoughts on WPA? Let me know at francis_chu@ziffdavis.com.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.