Reference Manual for the NETGEAR 54 Mbps Wireless USB Print Server with 4-Port Switch
B-6
Wireless Networking Basics
202-10083-01
WEP Shared Key Authentication
This process is illustrated in Figure B-2 below.
Figure B-2: 802.11 shared key authentication
The following steps occur when two devices use Shared Key Authentication:
1. The station sends an authentication request to the access point.
2. The access point sends challenge text to the station.
3. The station uses its configured 64-bit or 128-bit default key to encrypt the challenge text, and sends the encrypted text to the access point.
4. The access point decrypts the encrypted text using its configured WEP Key that corresponds to the station’s default key. The access point compares the decrypted text with the original challenge text. If the decrypted text matches the original challenge text, then the access point and the station share the same WEP Key and the access point authenticates the station.
5. The station connects to the network.
If the decrypted text does not match the original challenge text (i.e., the access point and station do
not share the same WEP Key), then the access point will refuse to authenticate the station and the
station will be unable to communicate with either the 802.11 network or Ethernet network.
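The five steps above, run end to end as an added example (this is not code from the NETGEAR manual or from the WGPS606 firmware). It keys RC4 with the 24-bit IV prepended to the 40-bit or 104-bit user key, as WEP does, and leaves out frame headers, the key-ID field and the ICV so that the challenge-response logic stays visible. The key values are constructed samples in the manual's own notation.

```python
# Added example, not from the NETGEAR manual: a simulation of the 802.11
# Shared Key Authentication exchange. WEP keys RC4 with the 24-bit IV
# prepended to the 40-bit or 104-bit user key; frame headers, the key-ID
# field and the ICV are left out so the five steps stay visible.
import os
from typing import Dict, List, Set


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def wep_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP-style RC4: the per-frame key is IV || WEP key. XOR is its own
    inverse, so the same function encrypts and decrypts."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP needs a 24-bit IV and a 40-bit or 104-bit key")
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(iv + key, len(data))))


class AccessPoint:
    """Holds up to four WEP keys (slots 0..3, the manual's keys 1..4)."""

    def __init__(self, wep_keys: List[bytes]):
        self.wep_keys = wep_keys
        self._pending: Dict[str, bytes] = {}   # outstanding challenge per station
        self.authenticated: Set[str] = set()

    def auth_request(self, station: str) -> bytes:
        # Step 1 arrives; step 2: reply with 128 bytes of random challenge text.
        challenge = os.urandom(128)
        self._pending[station] = challenge
        return challenge

    def challenge_response(self, station: str, key_index: int,
                           iv: bytes, ciphertext: bytes) -> bool:
        # Step 4: decrypt with the AP key in the slot the station used and
        # compare with the challenge that was issued to that station.
        challenge = self._pending.pop(station, None)
        if challenge is None or key_index >= len(self.wep_keys):
            return False
        if wep_crypt(self.wep_keys[key_index], iv, ciphertext) != challenge:
            return False                       # key mismatch: refuse authentication
        self.authenticated.add(station)
        return True


class Station:
    def __init__(self, name: str, wep_keys: List[bytes], default_key: int = 0):
        self.name, self.wep_keys, self.default_key = name, wep_keys, default_key

    def authenticate(self, ap: AccessPoint) -> bool:
        challenge = ap.auth_request(self.name)                          # steps 1-2
        iv = os.urandom(3)
        ct = wep_crypt(self.wep_keys[self.default_key], iv, challenge)  # step 3
        return ap.challenge_response(self.name, self.default_key, iv, ct)  # steps 4-5


def run_exchange(ap_keys: List[bytes], station_keys: List[bytes],
                 default_key: int = 0) -> bool:
    """Run one full exchange and report whether the station was authenticated."""
    ap = AccessPoint(ap_keys)
    return Station("client", station_keys, default_key).authenticate(ap)


if __name__ == "__main__":
    # Constructed sample keys in the manual's notation (not real credentials).
    shared = bytes.fromhex("12 34 56 78 90")
    other = bytes.fromhex("AB CD EF 01 23")
    print("matching keys:", run_exchange([shared], [shared]))    # True
    print("mismatched keys:", run_exchange([shared], [other]))   # False
```

With matching keys the AP's decryption reproduces the challenge and the station is added to the authenticated set; with any other key the comparison fails and the AP refuses, which is the outcome the paragraph above describes.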
[Figure B-2 diagram: a client attempting to connect, an FVM318 router with integrated access point, and a cable or DSL modem, labeled "802.11 Authentication Shared Key Steps": 1) Authentication request sent to AP; 2) AP sends challenge text; 3) Client encrypts challenge text and sends it back to AP; 4) AP decrypts, and if correct, authenticates client; 5) Client connects to network.]
Key Size and Configuration
The IEEE 802.11 standard supports two types of WEP encryption: 40-bit and 128-bit.
The 64-bit WEP data encryption method allows for a five-character (40-bit) input. Additionally, 24 factory-set bits are added to the forty-bit input to generate a 64-bit encryption key. (The 24 factory-set bits are not user-configurable.) This encryption key will be used to encrypt/decrypt all data transmitted via the wireless interface. Some vendors refer to the 64-bit WEP data encryption as 40-bit WEP data encryption since the user-configurable portion of the encryption key is 40 bits wide.
The 128-bit WEP data encryption method consists of 104 user-configurable bits. Similar to the
forty-bit WEP data encryption method, the remaining 24 bits are factory set and not user
configurable. Some vendors allow passphrases to be entered instead of the cryptic hexadecimal
characters to ease encryption key entry.
128-bit encryption is stronger than 40-bit encryption, but 128-bit encryption may not be available
outside of the United States due to U.S. export regulations.
When configured for 40-bit encryption, 802.11 products typically support up to four WEP Keys.
Each 40-bit WEP Key is expressed as 5 sets of two hexadecimal digits (0-9 and A-F). For
example, “12 34 56 78 90” is a 40-bit WEP Key.
When configured for 128-bit encryption, 802.11b products typically support four WEP Keys but
some manufacturers support only one 128-bit key. The 128-bit WEP Key is expressed as 13 sets of
two hexadecimal digits (0-9 and A-F). For example, “12 34 56 78 90 AB CD EF 12 34 56 78 90”
is a 128-bit WEP Key.
Typically, 802.11 access points can store up to four 128-bit WEP Keys but some 802.11 client adapters can only store one. Therefore, make sure that your 802.11 access point and client adapter configurations match.
Whatever keys you enter for an AP, you must also enter the same keys for the client adapter in the
same order. In other words, WEP key 1 on the AP must match WEP key 1 on the client adapter,
WEP key 2 on the AP must match WEP key 2 on the client adapter, etc.
Note: The AP and the client adapters can have different default WEP Keys as long as the keys are in the same order. In other words, the AP can use WEP key 2 as its default key to transmit while a client adapter can use WEP key 3 as its default key to transmit. The two devices will communicate as long as the AP’s WEP key 2 is the same as the client’s WEP key 2 and the AP’s WEP key 3 is the same as the client’s WEP key 3.
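The key notation, key sizes and slot-matching rules from this section, as an added example (not code from the NETGEAR manual or the WGPS606). It parses keys written as "12 34 56 78 90", reports the user-configurable and total (with the 24 factory-set bits) sizes, and checks an AP's key table against a client adapter's table slot by slot, allowing the two default key indices to differ as the note above permits. All key values are constructed samples.

```python
# Added example, not from the NETGEAR manual: parse WEP keys written in the
# "12 34 56 78 90" notation, classify their size, and check that an AP's key
# table and a client adapter's key table line up slot by slot.
from dataclasses import dataclass
from typing import Dict, List

IV_BITS = 24  # the 24 factory-set bits (the per-frame IV) the user cannot configure


@dataclass(frozen=True)
class WepKey:
    key: bytes

    @property
    def user_bits(self) -> int:
        return len(self.key) * 8          # 40 or 104 user-configurable bits

    @property
    def total_bits(self) -> int:
        return self.user_bits + IV_BITS   # 64 or 128, the size vendors advertise

    def __str__(self) -> str:
        return " ".join(f"{b:02X}" for b in self.key)


def parse_wep_key(text: str) -> WepKey:
    """Accept 5 or 13 byte-pairs of hex digits, with or without spaces."""
    digits = text.replace(" ", "")
    if any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"WEP keys are hexadecimal (0-9, A-F): {text!r}")
    if len(digits) not in (10, 26):
        raise ValueError("WEP key must be 5 bytes (40-bit) or 13 bytes (104-bit), "
                         f"got {len(digits) / 2} bytes: {text!r}")
    return WepKey(bytes.fromhex(digits))


def check_key_tables(ap_keys: Dict[int, WepKey], ap_default: int,
                     client_keys: Dict[int, WepKey], client_default: int) -> List[str]:
    """Return the problems that would stop the two devices from talking; an
    empty list means they interoperate. Slots are numbered 1..4 as in the
    manual. The default (transmit) slot may differ between AP and client, but
    a slot configured on both sides must hold the same key, and the slot a
    device transmits with must exist on the other side."""
    problems = []
    for side, keys, default in (("AP", ap_keys, ap_default),
                                ("client", client_keys, client_default)):
        if default not in keys:
            problems.append(f"{side} default WEP key {default} is not configured")
    for slot in range(1, 5):
        a, c = ap_keys.get(slot), client_keys.get(slot)
        if a is not None and c is not None and a != c:
            problems.append(f"WEP key {slot} differs between AP and client")
        elif a is None and c is not None and slot == client_default:
            problems.append(f"client transmits with WEP key {slot}, which the AP lacks")
        elif c is None and a is not None and slot == ap_default:
            problems.append(f"AP transmits with WEP key {slot}, which the client lacks")
    return problems


if __name__ == "__main__":
    # Constructed sample keys in the manual's notation (not real credentials).
    k40 = parse_wep_key("12 34 56 78 90")
    k104 = parse_wep_key("12 34 56 78 90 AB CD EF 12 34 56 78 90")
    print(k40, f"-> {k40.user_bits}-bit user key, {k40.total_bits}-bit WEP")    # 40 / 64
    print(k104, f"-> {k104.user_bits}-bit user key, {k104.total_bits}-bit WEP")  # 104 / 128
    ap = {1: k40, 2: parse_wep_key("AB CD EF 01 23"), 3: parse_wep_key("AA BB CC DD EE")}
    client = {2: ap[2], 3: ap[3]}     # an adapter holding fewer keys than the AP
    print(check_key_tables(ap, 2, client, 3))   # [] : AP sends on key 2, client on key 3
    print(check_key_tables(ap, 1, client, 3))   # AP transmits with key 1, client lacks it
```

The second check in the demo is the common field failure: every key the client holds matches, but the AP's default slot is one the client never received, so the AP's frames cannot be decrypted even though the client's own frames are.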
How to Use WEP Parameters
Wired Equivalent Privacy (WEP) data encryption is used when the wireless devices are configured
to operate in Shared Key authentication mode. There are two shared key methods implemented in
most commercially available products, 64-bit and 128-bit WEP data encryption.
Before enabling WEP on an 802.11 network, you must first consider what type of encryption you
require and the key size you want to use. Typically, there are three WEP Encryption options
available for 802.11 products:
1. Do Not Use WEP: The 802.11 network does not encrypt data. For authentication purposes, the network uses Open System Authentication.
2. Use WEP for Encryption: A transmitting 802.11 device encrypts the data portion of every packet it sends using a configured WEP Key. The receiving 802.11b device decrypts the data using the same WEP Key. For authentication purposes, the 802.11b network uses Open System Authentication.
3. Use WEP for Authentication and Encryption: A transmitting 802.11 device encrypts the data portion of every packet it sends using a configured WEP Key. The receiving 802.11 device decrypts the data using the same WEP Key. For authentication purposes, the 802.11 network uses Shared Key Authentication.
Note: Some 802.11 access points also support Use WEP for Authentication Only (Shared Key Authentication without data encryption). However, the WGPS606 does not offer this option.
WPA Wireless Security
Wi-Fi Protected Access (WPA) is a specification of standards-based, interoperable security
enhancements that increase the level of data protection and access control for existing and future
wireless LAN systems.
The IEEE introduced WEP as an optional security measure to secure 802.11b (Wi-Fi) WLANs. In response to the shortcomings of WEP, the Wi-Fi Alliance announced a new security architecture in October 2002 that remedies them. This standard, formerly known as Safe Secure Network (SSN), is designed to work with existing 802.11 products and offers forward compatibility with 802.11i, the new wireless security architecture being defined in the IEEE. Wireless vendors have agreed on WPA as an interoperable standard.
WPA offers the following benefits:
• Enhanced data privacy
• Robust key management
• Data origin authentication
• Data integrity protection
Starting August of 2003, all new Wi-Fi certified products had to support WPA. NETGEAR
implemented WPA on client and access point products and made this available in the second half
of 2003.
How Does WPA Compare to WEP?
WEP is a data encryption method and is not intended as a user authentication mechanism. WPA
user authentication is implemented using 802.1x and the Extensible Authentication Protocol
(EAP). Support for 802.1x authentication is required in WPA. In the 802.11 standard, 802.1x
authentication was optional. For details on EAP specifically, refer to IETF's RFC 2284.
With 802.11 WEP, all access points and client wireless adapters on a particular wireless LAN must
use the same encryption key. A major problem with the 802.11 standard is that the keys are
cumbersome to change. If you don't update the WEP keys often, an unauthorized person with a
sniffing tool can monitor your network for less than a day and decode the encrypted messages.
Products based on the 802.11 standard alone offer system administrators no effective method to
update the keys.
For 802.11, WEP encryption is optional. For WPA, encryption using Temporal Key Integrity Protocol (TKIP) is required. TKIP replaces WEP with a new encryption algorithm that is stronger than the WEP algorithm but uses the calculation facilities present on existing wireless devices to perform encryption operations. TKIP provides important data encryption enhancements, including a per-packet key mixing function, a message integrity check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. Through these enhancements, TKIP addresses all of the known WEP vulnerabilities.
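Two of the differences just listed, seen from the receiving side, as an added example (not code from the NETGEAR manual): WEP's 24-bit IV carries no ordering rule, so under one static key a repeated IV means repeated RC4 keystream, which is why the paragraph above stresses key changes; TKIP's extended IV carries a 48-bit sequence counter (TSC) that must strictly increase, so replayed or reordered frames are dropped and the sender must re-key rather than let the counter wrap. Key mixing, Michael and frame formats are not modelled; the frame trace is constructed.

```python
# Added example, not from the NETGEAR manual: WEP IV reuse detection next to
# the TKIP sequencing rule (48-bit TSC, strictly increasing under one key).
from typing import Dict, Iterable

WEP_IV_BITS = 24     # IV sent in the clear with every WEP frame, no sequencing rule
TKIP_TSC_BITS = 48   # TKIP sequence counter carried in the IV / extended IV fields


class WepIvMonitor:
    """Record the IVs seen under one static WEP key and flag any repeat. A
    repeated IV means two frames were encrypted with the same RC4 keystream,
    the condition that periodic key changes are meant to prevent."""

    def __init__(self) -> None:
        self.seen = set()
        self.reused = 0

    def observe(self, iv: int) -> bool:
        if not 0 <= iv < 1 << WEP_IV_BITS:
            raise ValueError("WEP IV is 24 bits")
        if iv in self.seen:
            self.reused += 1
            return False          # keystream reuse under this key
        self.seen.add(iv)
        return True


def seconds_until_wep_iv_space_exhausted(frames_per_second: float) -> float:
    """Time for a busy link to send every possible IV under one key; after
    that, IV reuse is unavoidable unless the key is changed."""
    return (1 << WEP_IV_BITS) / frames_per_second


class TkipReceiver:
    """Sequencing rule: accept a frame only if its TSC is greater than the last
    accepted TSC for this key. Replayed and reordered frames are discarded."""

    def __init__(self) -> None:
        self.last_tsc = -1
        self.dropped = 0

    def accept(self, tsc: int) -> bool:
        if not 0 <= tsc < 1 << TKIP_TSC_BITS:
            raise ValueError("TKIP TSC is 48 bits")
        if tsc <= self.last_tsc:
            self.dropped += 1
            return False          # replay or out-of-order: drop
        self.last_tsc = tsc
        return True


class TkipSender:
    """The TSC starts at 0 on each (re)key and increments by one per frame.
    When the counter space is used up the sender must re-key, never wrap."""

    def __init__(self) -> None:
        self.tsc = 0

    def next_tsc(self) -> int:
        if self.tsc >= 1 << TKIP_TSC_BITS:
            raise RuntimeError("TSC exhausted: re-key before sending more frames")
        value, self.tsc = self.tsc, self.tsc + 1
        return value

    def rekey(self) -> None:
        self.tsc = 0              # a fresh key restarts the counter


def replay_filter(tscs: Iterable[int]) -> Dict[str, int]:
    """Feed a sequence of observed TSCs through the rule and summarise."""
    rx = TkipReceiver()
    accepted = sum(1 for t in tscs if rx.accept(t))
    return {"accepted": accepted, "dropped": rx.dropped, "last_tsc": rx.last_tsc}


if __name__ == "__main__":
    # Constructed trace: frame with TSC 3 seen twice, and a stale TSC 2 after 4.
    print(replay_filter([0, 1, 2, 3, 3, 4, 2, 5]))   # accepted 6, dropped 2
    mon = WepIvMonitor()
    print([mon.observe(iv) for iv in (0x0001, 0x0002, 0x0001)], mon.reused)  # 1 reuse
    hours = seconds_until_wep_iv_space_exhausted(1000) / 3600
    print(f"{hours:.2f} hours to exhaust the WEP IV space at 1000 frames/s")
```

The WEP monitor can only report that reuse happened; the TKIP receiver can refuse the frame, which is the practical difference between a scheme with no sequencing rule and one with a per-key counter and mandatory re-keying.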
How Does WPA Compare to IEEE 802.11i?
WPA is forward compatible with the IEEE 802.11i security specification. WPA is a subset of 802.11i and uses those pieces of 802.11i that were ready to bring to market, such as 802.1x and TKIP. The main pieces of 802.11i that are not included in WPA are secure IBSS (Ad-Hoc mode), secure fast handoff (for specialized 802.11 VoIP phones), and enhanced encryption protocols such as AES-CCMP. These features require hardware upgrades and, as of January 2005, are now becoming widely available.
What are the Key Features of WPA Security?
The following security features are included in the WPA standard:
• WPA Authentication
• WPA Encryption Key Management
• Temporal Key Integrity Protocol (TKIP)
• Michael message integrity code (MIC)
• AES Support
• Support for a Mixture of WPA and WEP Wireless Clients
These features are discussed below.
WPA addresses most of the known WEP vulnerabilities and is primarily intended for wireless
infrastructure networks as found in the enterprise. This infrastructure includes stations, access
points, and authentication servers (typically RADIUS servers). The RADIUS server holds (or has
access to) user credentials (e.g., user names and passwords) and authenticates wireless users
before they gain access to the network.
The strength of WPA comes from an integrated sequence of operations that encompass 802.1X/EAP authentication and sophisticated key management and encryption techniques. Its major operations include:
• Network security capability determination. This occurs at the 802.11 level and is communicated through WPA information elements in Beacon, Probe Response, and (Re)Association Requests. Information in these elements includes the authentication method (802.1X or Pre-shared key) and the preferred cipher suite (WEP, TKIP, or AES).
The primary information conveyed in the Beacon frames is the authentication method and the cipher suite. Possible authentication methods include 802.1X and Pre-shared key. Pre-shared key is an authentication method that uses a statically configured passphrase on both the stations and the access point. This obviates the need for an authentication server, which in many home and small office environments will not be available nor desirable. Possible cipher suites include WEP, TKIP, and AES (Advanced Encryption Standard). We’ll talk more about TKIP and AES when addressing data privacy below.
• Authentication. EAP over 802.1X is used for authentication. Mutual authentication is gained by choosing an EAP type supporting this feature and is required by WPA. 802.1X port access control prevents full access to the network until authentication completes. 802.1X EAPOL-Key packets are used by WPA to distribute per-session keys to those stations successfully authenticated.
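The capability determination step, as an added example (not code from the NETGEAR manual or the WGPS606): a parser for the WPA information element an access point places in its Beacon and Probe Response frames, returning the authentication method (802.1X or Pre-shared key) and the cipher suites (WEP, TKIP or AES) the text above names. It assumes the WPA element layout: vendor-specific element ID 0xDD, OUI 00:50:F2 with OUI type 1, a version field, a group cipher suite, then counted lists of pairwise cipher suites and authentication (AKM) suites. The beacon bytes are constructed for the example, and every length and count is bounds-checked so a malformed element raises instead of being misread.

```python
# Added example, not from the NETGEAR manual: decode the WPA information
# element from a beacon's tagged-parameter list and report the advertised
# authentication method and cipher suites. The sample frames are constructed.
from typing import Dict, List

VENDOR_SPECIFIC_ID = 0xDD
WPA_OUI = bytes.fromhex("0050f2")
CIPHER_SUITES = {0: "group cipher", 1: "WEP-40", 2: "TKIP", 4: "AES-CCMP", 5: "WEP-104"}
AKM_SUITES = {1: "802.1X", 2: "Pre-shared key"}


def _suite(body: bytes, pos: int, names: Dict[int, str]) -> str:
    """Decode one 4-byte suite selector (OUI + type) at `pos`."""
    sel = body[pos:pos + 4]
    if len(sel) < 4:
        raise ValueError("truncated suite selector")
    if sel[:3] != WPA_OUI:
        return f"vendor {sel[:3].hex()}:{sel[3]}"
    return names.get(sel[3], f"unknown suite {sel[3]}")


def _count(body: bytes, pos: int) -> int:
    if len(body) < pos + 2:
        raise ValueError("truncated suite count")
    return int.from_bytes(body[pos:pos + 2], "little")


def parse_wpa_ie(element: bytes) -> Dict[str, object]:
    """Decode one WPA information element (ID 0xDD, OUI 00:50:F2, type 1)."""
    if len(element) < 2 or element[0] != VENDOR_SPECIFIC_ID:
        raise ValueError("not a vendor-specific element")
    length, body = element[1], element[2:]
    if len(body) < length:
        raise ValueError("element shorter than its declared length")
    body = body[:length]
    if body[:4] != WPA_OUI + b"\x01":
        raise ValueError("not a WPA information element")
    version = int.from_bytes(body[4:6], "little")
    pos = 6
    group = _suite(body, pos, CIPHER_SUITES)
    pos += 4
    pairwise: List[str] = []
    for _ in range(_count(body, pos)):
        pos_suite = pos + 2 + 4 * len(pairwise)
        pairwise.append(_suite(body, pos_suite, CIPHER_SUITES))
    pos += 2 + 4 * len(pairwise)
    akm: List[str] = []
    for _ in range(_count(body, pos)):
        pos_suite = pos + 2 + 4 * len(akm)
        akm.append(_suite(body, pos_suite, AKM_SUITES))
    return {"version": version, "group_cipher": group,
            "pairwise_ciphers": pairwise, "auth_methods": akm}


def find_wpa_ie(ies: bytes) -> bytes:
    """Walk a beacon's (ID, length, value) list and return the WPA element."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, ln = ies[pos], ies[pos + 1]
        if pos + 2 + ln > len(ies):
            raise ValueError("malformed element list")
        if eid == VENDOR_SPECIFIC_ID and ies[pos + 2:pos + 6] == WPA_OUI + b"\x01":
            return ies[pos:pos + 2 + ln]
        pos += 2 + ln
    raise ValueError("no WPA information element")


# Constructed samples: a home-style AP (Pre-shared key, TKIP only) and an
# enterprise-style AP (802.1X, TKIP group cipher, TKIP or AES pairwise).
SAMPLE_PSK_TKIP_IE = bytes.fromhex(
    "dd 16 00 50 f2 01 01 00 00 50 f2 02 01 00 00 50 f2 02 01 00 00 50 f2 02")
SAMPLE_8021X_MIXED_IE = bytes.fromhex(
    "dd 1a 00 50 f2 01 01 00 00 50 f2 02 02 00 00 50 f2 02 00 50 f2 04 01 00 00 50 f2 01")
# Tagged parameters of a constructed beacon: SSID "example", supported rates, WPA.
SAMPLE_BEACON_IES = (bytes.fromhex("00 07") + b"example"
                     + bytes.fromhex("01 04 82 84 8b 96") + SAMPLE_PSK_TKIP_IE)


if __name__ == "__main__":
    print(parse_wpa_ie(find_wpa_ie(SAMPLE_BEACON_IES)))
    print(parse_wpa_ie(SAMPLE_8021X_MIXED_IE))
```

A station compares the advertised lists against its own configuration before it associates; an element that names only Pre-shared key tells it no authentication server is involved, while 802.1X in the list means the EAP exchange described under Authentication will follow.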
