Don's Home Technology Wireless Networks Wi-Fi Security Wireless Encription Contact

Under Construction.

Wired Equivalent Privacy (WEP) Wireless encryption:

There are three levels of WEP Encryption - 40/64, 128 and 256 bit.


The lower level of WEP encryption uses a 40 bit (10 Hex character) "secret key" (set by the user), and a 24 bit "Initialization Vector" (not under user control). Some vendors refer to this level of WEP as 40 bit, others as 64 bit. Either way, they're the same encryption level and can interoperate. Home networking WEP keys can be comprised of ASCII text, although Hex characters are usually used. You need 5 ASCII Characters (e.g. Me4-U) or 10 Hex characters (e.g. E167FF2D45) (You can usually use upper or lower alpha characters (e.g. A or a). Note: Some config software requires use the of "0x" prefix to indicate Hexadecimal (e.g. 0xE167FF2D45). Apple AirPort software requires a $ prefix (e.g. $E167FF2D45)

The higher level of WEP encryption, commonly referred to as 128 bit WEP, actually uses a 104 bit (26 Hex character) "secret key" (set by the user), and a 24 bit "Initialization Vector" (not under user control). 256 bit requires 52 Hex characters.

You can set from 1 to 4 keys.

When you are setting more than one WEP key, the WEP key for transmission (defult) must be assigned to the same WEP key number for all devices that are to recieve the message. The header of the message contains the key number to be used for translating the message.

The 802.11 standard allows for key roll-over where the access point and stations agree on a method of transitioning to a new key and rotating between the 4 keys. This is usually not implemented.

The 802.11 standard allows for mixed systems where some stations do not use WEP. In this case multicasts are not encrypted. The Wi-Fi spec. reduced these possibilities to require that all mobiles use WEP or none use it.

Other Options:

Authentication - Auto/ Shared / Open Open Authentication - communicates the key across the network. If you have the right WEP key, you're in. There is no initial authentication done, but the data IS encrypted.

Using open authentication allows anyone to begin a conversation with the access point, and provides no security whatsoever on who can talk

Shared Authentication - allows communication only with other devices with identical WEP settings. When set to shared key mode the client begins by sending an association request to the AP. The AP then responds with a string of challenge text, which the client then encrypts using the WEP key (see below) and returns. If the text is encrypted correctly, the client is allowed to communicate with the AP. Note: Insecure because someone sniffing traffic would see the unencrypted and encrypted traffic.

Auto - will automatically adjust to the Authentication mode of the wireless client

Preamble - Select Long or Short Preamble. The Preamble defines the length of the CRC block. Note: High network traffic areas should use the shorter preamble type.

The 802.11 standard also defines the possibility for having a unique key per Station, tied to the stations' MAC address. This is usually not implemented.

The user can set these values manually, or to ease the process of setting and remembering these keys, the user can have the computer automatically generate these 40-bit encryption keys by choosing a word or text (for example, "invent") as a passphrase.

Although the term `passphrase' is commonly used among various wireless peripheral vendors, the algorithm to generate the encryption keys may vary from one vendor to another.

The "passphrase" key entry method is not the same as "string" entry. The "passphrase" method allows you to enter an alpha-numeric phrase, but that entry is used to generate a Hexadecimal key of proper length.

"String" entry usually requires that you input a an alpha-numeric character string of the proper length for the level of WEP that your product has. Use the pop-up WEP code summary for reference.

The old passphrase-based WEP generator were generating keys for 64-bit WEP -- reportedly were egregiously vulnerable to cracking in less than a minute. This was not a WEP weakness, but a vulnerability specific to that WEP-key generator.


The same author also demonstrated how WEP encryption keys generated by any passphrase-based method are vulnerable to "dictionary" attacks. This is a weakness inherent in all passphrase-based encryption. In order to avoid dictionary attacks, either:
* Don't use a passphrase-base method. Use something random instead to select hex strings.
* If you must use a passphrase method, pick a very strong (non-mnemonic, unintelligible) passphrase -- upper- and lower-case characters, numbers, and punctation. "Mary had a little lamb" or your mother's maiden name won't cut it.

Encryption may slow down your thruput over you WLAN by 10%, howerver since 802.11b is 11Mbs and an broadband Internet connection is usually between .5 and 2Mbs you won't notice the difference for the internet.

HP Network Support


Setting Key
Airport will prompt you for the WEP Key when you select an encrypted network.

Mac WEP for 3rd party WAPs (Wireless Access Points)
The airport card works with Linksys, Netgear and other 802.11b-compliant WAPs.

Apple Requires the Hex Key preceded by a dollar sign for what it calls password. So if the key is E167FF2D45, you would enter $E167FF2D45.

Key Calculation
There are free utilities to generate hexadecimal keys from passphrases, such as WEP Key Maker. See security warning for Phaa

There is no need to use an third-party key generator with the Linksys WAP. It is done with your web browser. WEP key generation is simple. In the Setup page just select 64bit or 128bit, enter your passphrase click generate and in the text-box below you will have your WEP keys. Just click apply, write down the first key and your are done with the Linksys WAP.

Once you setup the Airport connection on the computer you will have to enter the WEP Key to gain access to the Linksys WAP. You can have it stored in your Keychain or not.


Windows PC connect to AirPort Base station

Run the AirPort Admin Utility, found in the Utilities folder in Mac OS 8 and 9, and in the Applications folder's Utilities folder in OS X.

Connect to your Base Station using the utility, and then select Equivalent Network Password from the Base Station menu. This is the geeky WEP password.

WEP security at

Return to Wi-Fi Security

last updated 14 May 2003