WEP vs. WPA – CompTIA Security+ SY0-401: 6.2

802.11 networks rely on encryption to ensure the security of all wireless traffic. In this video, you’ll learn about WEP and WPA encryption and the dangers of using the wrong encryption on your wireless network.



Encryption over wireless technology becomes really important because wireless technology is radio waves. It makes it very easy for anybody to listen in on the right frequency, and really see what’s going on on your network. So the solution has always been, if we’re going to send information over these airwaves, let’s make sure the data that we’re sending back and forth is absolutely encrypted. And we’ll make sure that everybody has the access information they need to be able to unlock, unencrypt, see what’s happening inside of those data streams.

The idea is that only the people who have the password will be able to make any sense about what’s going on. And we’ve applied two different kinds of encryption technologies through the years. One that’s called WEP and the other one that’s called WPA.

W-E-P, or WEP, was the Wired Equivalent Privacy that was introduced when 802.11 networking was introduced. This technology offered two different levels of encryption at the time. Depending on where you were in the world, you could either have a 64-bit key or a 128-bit key.

Unfortunately, in 2001, some significant cryptography problems were found with the WEP protocol. What we found was that the first bytes of the output key stream are what they call strongly non-random. That means that the information at the beginning of this data that we were sending was something that we could easily tie back to the actual key.

And this would create a problem: if somebody collected enough packets and put them through a process, they could determine, with a relatively good percentage, what the key was for the wireless network. And they would then be able to access everything going back and forth over that network. In some cases, these days, it takes just a matter of minutes, sometimes even less, to be able to determine what a WEP key might be on a network. And because of that it is, of course, highly recommended that nobody ever use WEP.
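The "strongly non-random" first keystream byte can be measured directly. The sketch below is an added example, not part of the original video: it assumes WEP's per-packet RC4 key is the 3-byte public IV followed by the shared secret, uses constructed random secrets rather than captured traffic, and checks how often the relation published in 2001 by Fluhrer, Mantin and Shamir ties the first keystream byte to the first secret byte. The function names are illustrative.

```python
import random

def first_keystream_byte(key: bytes) -> int:
    """RC4 key scheduling followed by the first output step."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    j = S[1]                      # first output step: i = 1, j = 0 + S[1]
    S[1], S[j] = S[j], S[1]
    return S[(S[1] + S[j]) & 0xFF]

def relation_guess(iv: bytes, out: int) -> int:
    """Value the 2001 relation predicts for the first secret key byte,
    computed only from the public IV and the first keystream byte."""
    S, j = list(range(256)), 0
    for i in range(3):            # the three IV bytes are sent in the clear
        j = (j + S[i] + iv[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return (S.index(out) - j - S[3]) & 0xFF

def leak_rate(weak_ivs: bool, secrets: int = 20, seed: int = 1) -> float:
    """Fraction of packets whose first keystream byte matches secret[0]."""
    rng = random.Random(seed)     # constructed keys, not real traffic
    hits = trials = 0
    for _ in range(secrets):
        secret = bytes(rng.randrange(256) for _ in range(13))  # 104-bit secret
        for x in range(256):
            if weak_ivs:
                iv = bytes([3, 255, x])
            else:
                iv = bytes(rng.randrange(256) for _ in range(3))
            out = first_keystream_byte(iv + secret)  # WEP: RC4 key = IV || secret
            hits += relation_guess(iv, out) == secret[0]
            trials += 1
    return hits / trials

if __name__ == "__main__":
    print(f"chance level        : {1/256:.4f}")
    print(f"arbitrary IVs       : {leak_rate(False):.4f}")
    print(f"IVs of form 3,255,X : {leak_rate(True):.4f}")
```

With arbitrary IVs the match rate stays near the 1/256 chance level, while the structured IVs push it far above chance, which is why a passive listener who sees enough packets learns the key and why the only fix is to stop using WEP.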

When we found out that WEP was not going to be a good encryption method, we all scrambled to try to find out what we can replace it with. And what we came up with was WPA. That stands for Wi-Fi Protected Access.

This was RC4, which was the cipher we were using with WEP, but it included a new TKIP, a Temporal Key Integrity Protocol, mechanism. And it sent the initialization vector across the network as an encrypted hash, which was something that was not being done before. Every packet that goes across gets a unique encryption key. That was not the case with WEP. And this was, ideally, a short term workaround because we were able to perform WPA on the same hardware, for the most part, that WEP was running on.

Encryption methodologies obviously require overhead. There are calculations to be done there. This was a little bit of a heavier load on these access points. But it was something that was relatively compatible with the method we were using previously.

But it was just a short term workaround. What we really needed was a more long term solution. And so, very quickly after WPA came out, we came out with WPA2. Certification for it began in 2004.

The RC4 component was replaced with the Advanced Encryption Standard. And there was something also added: CCMP, Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. You can see why we call it CCMP. That particular component replaced TKIP. So we took the whole RC4 and TKIP thing and replaced it with something better and stronger in the way of AES and CCMP.

You may also see, if you’re configuring an access point, something called WPA2 Enterprise. In those cases, what we’re referring to is in an enterprise you may not be giving out a key. What you may be doing is requiring people to authenticate via 802.1X.

So anytime you see the word Enterprise after the encryption type, that is referring to something like a RADIUS server that might be in the back end, providing the authentication for you and applying a lot of those wireless configuration settings for you automatically.