| Wireless Security | Purpose | WEP's Weakness | WPA's Solution |
| --- | --- | --- | --- |
| Authentication | Are the mobile client and/or the wireless network really who they claim to be? | The same WEP key is installed on every mobile client for associating with an AP. In other words, every mobile client uses the same password to authenticate itself. When staff leave or a mobile client is lost, the WEP key must be updated on each mobile client and AP. This is a network administration nightmare. | 802.1X and Extensible Authentication Protocol (EAP) |
| Privacy | Can the wireless data exchanged over the air be easily understood by eavesdroppers? | The Initialization Vector (IV) used with the RC4 cipher in WEP is sent as plain text and, in a busy WLAN, is repeated every few hours. By capturing frames containing the same IV, one can use XOR to deduce the WEP key and then gain illegal access to the network. Open source software such as WEPCrack and AirSnort can monitor WLAN traffic and deduce the WEP key automatically. | Temporal Key Integrity Protocol (TKIP) |
| Message integrity | Has the wireless data exchanged over the air been tampered with? | Data integrity is provided by a 4-byte Integrity Check Value (ICV) that is appended to the 802.11 payload and encrypted with WEP. Although the ICV is encrypted, one can use cryptanalysis to change bits in the encrypted payload and update the encrypted ICV without being detected by the receiver. | Message Integrity Code (MIC) |
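
The message-integrity row, worked through as an added example that is not part of the original page: WEP's ICV is a CRC-32, which is linear under XOR, so a receiver accepts a modified frame, while the same frame protected by a keyed integrity code is rejected. The key, IV and payload are constructed sample values, and truncated HMAC-SHA-256 is an assumed stand-in for a keyed MIC (WPA's actual MIC algorithm is Michael).

```python
import hashlib, hmac, zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream (the cipher WEP uses)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc_icv(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")   # WEP's ICV is an unkeyed CRC-32

def keyed_mic(mic_key: bytes, data: bytes) -> bytes:
    # Assumed stand-in for a keyed integrity code; WPA's real MIC is Michael.
    return hmac.new(mic_key, data, hashlib.sha256).digest()[:8]

def seal(iv, key, payload, tag_fn):
    body = payload + tag_fn(payload)                # payload || integrity tag
    return xor(body, rc4(iv + key, len(body)))      # WEP prepends the IV to the key

def unseal(iv, key, frame, tag_fn, tag_len):
    body = xor(frame, rc4(iv + key, len(frame)))
    payload, tag = body[:-tag_len], body[-tag_len:]
    return payload if hmac.compare_digest(tag, tag_fn(payload)) else None

def tamper(frame: bytes, delta: bytes) -> bytes:
    """Flip payload bits and patch a trailing CRC-32 without any key.
    Relies on crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros) for equal lengths."""
    patch = xor(crc_icv(delta), crc_icv(bytes(len(delta))))
    return xor(frame, (delta + patch).ljust(len(frame), b"\0"))

# Constructed sample values, not taken from a real network.
IV, KEY, MIC_KEY = b"\x01\x02\x03", b"\x0a" * 5, b"\x0b" * 16
MSG = b"sensor reading=021"
DELTA = xor(MSG, b"sensor reading=921")

def demo():
    mic = lambda d: keyed_mic(MIC_KEY, d)
    wep = unseal(IV, KEY, tamper(seal(IV, KEY, MSG, crc_icv), DELTA), crc_icv, 4)
    wpa = unseal(IV, KEY, tamper(seal(IV, KEY, MSG, mic), DELTA), mic, 8)
    return wep, wpa   # modified payload accepted under CRC, None under keyed MIC
```

`demo()` returns the altered payload for the CRC-protected frame and `None` for the frame carrying the keyed tag, which is the property the MIC column supplies.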