How can WPA be more secure than WEP?

Q: I read that a WPA implementation in a SOHO setting doesn’t require an authentication server, instead a mode called “pre-shared key” will be used. How could this be more secure than WEP, since it can also be considered a pre-shared key? – Mohammed, Saudi Arabia

A: While it is true that both Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP) have a pre-shared key as the basis for encryption, they actually use the pre-shared key in very different ways. WEP’s use of the pre-shared key is relatively static, whereby it uses rudimentary variations of the same key to encrypt all packets (transmitted data). These weak encryption keys are based on the underlying RC4 crypto algorithm. This is not very safe, as a large sample of encrypted packets using the same key tends to create an easy key recovery target for hackers. Furthermore, to change a WEP key requires an IT administrator to manually update each client machine. As a result, changing pre-shared keys on a regular basis to safeguard against key recovery is a highly unfeasible task to scale for large deployments.

Comparatively, WPA implementations in SOHO equipment use the pre-shared key to derive a temporal key that is used to encrypt all packets. As WPA generates a unique key for each client-to-AP association, the pre-shared key is rarely used – making it difficult for hackers to lock onto a common key to crack the network. This new encrypting standard is based on RC4, but uses the Temporal Key Integrity Protocol (TKIP), which makes use of new algorithms including extended 48-bit initialization vectors and 2-phase key mixing schemes. Another crucial differentiator of WPA and TKIP is its incorporation of the Message Integrity Check (MIC, also known as ‘Michael’) that identifies if a packet has been tampered with during transmission.

It should be acknowledged that WPA with pre-shared keys can be cracked if IT management unwisely uses straightforward passwords. However, this is not a weakness in WPA security, but rather a potential result of poor password management. Using a good password is always vital in any security solution. On the whole, WPA provides comprehensive security and is much safer than WEP.

It can be installed through a reasonable software upgrade to Wi-Fi certified infrastructure running WEP, provided the client radio cards have the necessary WPA drivers installed. However, WPA will support a mixed environment of client devices using either WPA or WEP. Expect WPA to stick around for a while too, since Advanced Encryption Standard, the successor to WPA to be established under the upcoming 802.11i standard, requires higher performing processors than the equipment in legacy deployments and some recent deployments.