Q: An option in our access point interface calls for the configuration of four WEP keys. Why would you need four instead of one? Is it in order to share the encryption/decryption load across clients? For example, if you have 20 clients, would you give one different key to five different clients? - Gary, London.
Dan Simone, Trapeze Networks:
The option to configure multiple WEP keys on an access point does not play any role in dispersing the encryption load. It is a rarely used option that lets a client and access point choose a different key to encrypt unicast traffic. The access point still has to encrypt and decrypt the same amount of traffic. Supporting multiple keys simply means the access point could use different encryption keys for different traffic streams. Do not assume that this can be used to isolate users into different private groups or broadcast domains, since broadcasts/multicasts will be seen by all clients unless you have one of the newer WLAN systems.
A larger issue for the business is that the access point in question has this option for four keys because it supports static WEP. The security flaws of static WEP are well documented, the primary drawback being the ease with which a static WEP key can be snooped and learned.
Your business would be much better served by implementing a session-specific, dynamic keying technique such as dynamic WEP, TKIP, or AES encryption combined with 802.1x, the standard authentication protocol that is emerging as the dominant means of ensuring strong mutual authentication and encryption on WLANs. Using 802.1x as the authentication protocol provides a way for the WLAN system to automatically generate session-specific and dynamic encryption keys. It can be used as an effective substitute for, or in combination with, traditional IPsec VPNs.
Israel Drori, Legra Systems:
The best option is not to use keys at all. They require too much manual configuration on the user side, and that causes errors. If you must use WEP, then use WEP in conjunction with 802.1x. By doing this, you will enable rotating WEP keys, with different WEP keys per client, which greatly increases security over standard WEP. If you have to use standard WEP, then clients must have the same keys programmed into the NIC software in the same order as the access points.
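Why the key slots have to match in order, as an added example that is not part of the original column: each WEP frame carries a 2-bit Key ID beside the 3-byte IV (hence four slots), and the receiver decrypts with whatever key it holds in that slot. The keys, IV and payload are constructed samples and the function names are hypothetical.

```python
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP uses it as its stream cipher."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encapsulate(keys, key_id, iv, plaintext):
    """Build IV(3) | KeyID octet | RC4(plaintext | ICV) for one frame body."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    header = iv + bytes([key_id << 6])      # Key ID sits in the top 2 bits
    return header + rc4(iv + keys[key_id], plaintext + icv)

def wep_decapsulate(keys, body):
    """Return (key_id, plaintext), or (key_id, None) when the ICV check fails."""
    iv, key_id = body[:3], body[3] >> 6
    clear = rc4(iv + keys[key_id], body[4:])
    data, icv = clear[:-4], clear[-4:]
    ok = struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) == icv
    return key_id, (data if ok else None)

# Constructed 40-bit sample keys, not real credentials.
AP_KEYS = [b"key-0", b"key-1", b"key-2", b"key-3"]
CLIENT_SAME_ORDER = list(AP_KEYS)
CLIENT_SWAPPED = [AP_KEYS[1], AP_KEYS[0], AP_KEYS[2], AP_KEYS[3]]

def demo():
    """Send one frame under slot 1; decode it with both client key tables."""
    frame = wep_encapsulate(AP_KEYS, 1, b"\x01\x02\x03", b"constructed payload")
    return (wep_decapsulate(CLIENT_SAME_ORDER, frame),
            wep_decapsulate(CLIENT_SWAPPED, frame))

if __name__ == "__main__":
    print(demo())
```

The client with the swapped table holds the right key but in the wrong slot, so the integrity check fails and the frame is dropped.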
The Wireless Wizards are a full panel of experts from the top wireless vendors. They're at your disposal to help answer your WLAN questions, so send your queries to wireless_wizards@nwfusion.com