WEP help

Doug Yeager doug
Thu Dec 5 08:59:35 PST 2002 

This is very informative Jacques...hope others can benefit also.


I'm using nocatauth for these nodes.  It would be very easy for me to
allow the user to enter their wep password into their member profile in
the authserver website...this of course would be the same one they enter
for their wifi card setup.  At that point when they login it would be
easy for me to send that password to the ap through the nocat gateway.
At that point would I be able to use a command to let the hostap know to
use that key?

Something like:
Iwconfig wlan0 key s:users_password on
?

if so, what about multiple users on that node?  Will the AP remember the
different keys and associate them to the correct clients?  Also, if
there is an open mode, can those users also be able to communicate?

Thx in advance,
doug

-----Original Message-----
From: Jacques Caron [mailto:Jacques.Caron at IPsector.com] 
Sent: Thursday, December 05, 2002 11:38 AM
To: doug at ycomsystems.com
Cc: hostap at shmoo.com
Subject: Re: WEP help

Hi,

The goal of WEP is (in theory) to make sure that only people who have
the 
key can decrypt packets sent with that key. In the general case, this
means 
you have to use so-called "pre-shared keys", i.e. keys that both ends
(the 
client and the AP) know in advance. And since most APs have only a
limited 
number of keys they can use, that also means that everybody is using the

same key, and hence that everybody you give the key to will be able to 
decrypt the trafic from anyone else using the AP.

In the case of a public WLAN, the only way to use WEP is together with 
802.1x. This means:
- the client must support 802.1x, the appropriate EAP method chosen, and

dynamic keys
- the AP must support 802.1x and dynamic keys
- you must have a RADIUS server with support for EAP and the appropriate

EAP method chosen and the generation of dynamic keys.

In that case, when a user connects, it authenticates using the relevant
EAP 
method, and a dynamic WEP key is generated and used just for that client

(i.e. the AP handles one WEP key for each client). And no-one but the 
client and the AP can decrypt the trafic sent between them using that
key.

Now, depending on what your exact security goals are, there are quite a 
number of alternatives:
- do not use WEP at all, and rely on the users having appropriate VPN 
software and/or SSL/TLS-enabled software (and servers to talk to)
- do not use WEP at all, and provide some other form of encryption for
the 
customers (PPPoE, PPTP, L2TP, IPsec)

I would personally recommend using WEP with 802.1x, since:
- 802.1x is built into Windows XP
- there is now a free 802.1x add-on from MS for W2K
- versions for other Windows platforms are coming
- there is a free 802.1x client for Unix systems (open1x aka
xsupplicant)
- hostap supports 802.1x
- there are free (freeRADIUS) and commercial (many) RADIUS servers that 
support 802.1x
- this will give you security and accounting
- this scheme is the only one that will enable WLAN roaming in a secure,

open and transparent fashion

Obviously, you still need a way to allow users with 802.1x or a 
subscription to connect (without WEP) to a limited set of pages to know 
what they need, subscribe, download the necessary software, etc.

Let me know if I can be of any help :-)

Jacques.

At 17:19 05/12/2002, Doug Yeager wrote:

>Im looking for some kind of help guild to explain to me the basic
concepts 
>of WEP.
>
>
>
>Right now I have a few wireless nodes serving various coffee shops.  I 
>have not experimented with WEP.
>
>
>
>What I think it does is this:  allow any client to select to use WEP
and 
>pick their own key.
>
>Then they can talk w/ the AP using that encryption key that they
picked.
>
>
>
>But those who just want to talk w/ the AP w/o WEP can do so also.
>
>
>
>I may be wrong on how WEP is used but that is what I thought it should
do.
>
>
>
>Ive experimented w/ setting my AP in open mode w/ some random key using

>iwconfig util.
>
>
>
>Iwconfig wlan0 s:aircom open
>
>
>
>This doesnt seem to do what I want.  Actually it cuts off communication
to 
>my clients.
>
>
>
>
>
>If someone could clear up how wep is used, it may help a bit along with

>what commands to enable it how it want to use it would be helpful.
>
>Or if a document tells me somewhere, that reference would be great.
>
>
>
>Thx much,
>
>doug


-- Jacques Caron, IP Sector Technologies
    Join the discussion on public WLAN open global roaming:
    http://lists.ipsector.com/listinfo/openroaming

More information about the Hostap mailing list