38 Replies. Latest reply: Jun 3, 2011 5:37 AM by Eric A. Nygren

    Encryption Vs. Authentication


        So here is something I have wanted to ask for a very long time. What exactly do WEP and WPA get classified as?

        I understand that in order to encrypt the session, we use DH to secure the exchange of the session keys.

        I also understand that WEP uses RC4 for encryption whereas WPA uses AES for encryption, other encryption protocols in the IPsec framework include DES and 3DES, right?

        I originally believed that WEP keys are used to encrypt the data transmitted during the session; however, on second thought, when we join a wireless network, we have to specify the SSID as well as the WEP keys used. Doesn't this make WEP an authentication mechanism? I thought authentication is defined as submitting some credentials in order to gain access, am I wrong?


        So how is WEP categorized? Authentication or encryption? And by this, I also refer to WPA and WPA2.





        • 1. Re: Encryption Vs. Authentication

          How about.... a little bit of both?  WEP does provide an authentication mechanism that is called pre-shared key, which turns out isn't that secure.  Then there is open authentication, which is not really authentication, but just allowing anyone to authenticate.  They would still need the encryption key to associate though, so even that seems to behave like an authentication method.  After a while, people were introducing 802.1x authentication and using WEP encryption.  Now because 802.1x is a different standard, it's never been considered a WEP authentication method, but an external method outside of WEP.



          • 2. Re: Encryption Vs. Authentication

            So, is WEP like encompassing all these protocols? Should I start calling it a protocol suite rather than an actual protocol?




            • 3. Re: Encryption Vs. Authentication

              Ah.... don't know about that.  WEP just contained both authentication and encryption functions and is very, very outdated.  I haven't used it in years.  Although, for the CCNA Wireless, you will want to understand the association/authentication process and the open vs preshared authentication methods.

              • 4. Re: Encryption Vs. Authentication

                Thanks for the reply, what about WPA? Does it encompass the encryption and authentication protocols?

                • 5. Re: Encryption Vs. Authentication
                  Pete Nugent

                  Hi Angela


                  You basically have 3 encryption mechanisms: WEP, WPA-TKIP and WPA2-AES.


                  Now if you use 802.1x you will have an authentication mechanism such as username and password and then the data is encrypted using one of the above 3 mechanisms.


                  If you do not use 802.1x you will use a preshared key. Now that preshared key is entered and acts as the authentication mechanism.


                  The authentication, whether it is preshared key, username and password or certificates, acts as the seed for the keys in the handshake that forms the encryption of the data.


                  WEP and WPA are both RC4 while WPA2 is AES or more specifically AES based as it is CCMP.


                  WEP is useless; you can pretty much forget about it except for historical reference or maybe hysterical reference. WPA was a precursor to WPA2 which was a stand-in from the WiFi Alliance and based on a draft of 802.11i.


                  WPA was introduced by the WiFi Alliance in April 2003 based on a draft of the 802.11i standard. In June 2004 802.11i was ratified by the IEEE and in September 2004 the WiFi Alliance introduced WPA2-AES based on all of the mandatory requirements of 802.11i.


                  Hope that helps.

                  • 6. Re: Encryption Vs. Authentication

                    WPA was meant as an interim solution by the WiFi Alliance while 802.11i was being ratified...   Both flavors of WPA, meaning WPA and WPA2, use the encryption protocols as Pete mentioned and use a preshared key for authentication (WPA personal) or 802.1x (EAP) for authentication (WPA2 Enterprise).


                    Angela, how are you liking your wireless studies so far?

                    • 7. Re: Encryption Vs. Authentication

                      Hi Jared and petenugent,


                        Thanks for the answers, one last question though, what kind of protocols should I classify WEP and WPA as?


                        I finished the Brandon Carroll book, a little confused and a lot absorbed; I plan to work on the Sybex book next. My work (on making some new tutorials, visit me at learn.centilin.com and tell me what you think!) is a little busy and requires pretty much most of my attention and energy now. Once it's not so tight, I will start studying again. I haven't been to CLN for a while, but I will try to keep up and finish the tutorials and come back to the party!



                      • 8. Re: Encryption Vs. Authentication
                        Eric A. Nygren

                        WEP can be used in 1 of 4 ways:

                             Preshared key layer 2 authentication without encryption

                             Preshared key layer 2 authentication with static preshared key encryption

                             Open layer 2 authentication with static preshared key encryption

                             Open layer 2 authentication with 802.1x layer 3 authentication and dynamic key encryption


                        WPA is a certification agency who has developed 2 separate certifications:

                             WPA (the certification) dictates that:

                                  either a more enhanced version of WEP (called TKIP) or any version of AES is used as the encryption algorithm.

                                  authentication can be done by way of a strong preshared key or an 802.1x mechanism

                             WPA2 (the certification) dictates a strong adherence to the 802.11i standard, including:

                                  requiring AES-CCMP as an encryption algorithm

                                  authentication can be done by way of a strong preshared or 802.1x mechanism

                                  implementation of pre-authentication key caching


                        Ultimately, the question cannot be answered.  You can classify neither WEP nor WPA as being only an authentication or encryption protocol.


                        -Eric N

                        • 9. Re: Encryption Vs. Authentication

                          Well, Eric, the problem I want to address is what I should call the class of protocols that encompasses WEP and WPA. I'm pretty sure there is a formal name that addresses them, and I think this is also the part about wireless networks that confuses so many people: there is no uniform addressing of these protocol functions and exactly what they do that corresponds to other sets of protocols. Or, how different protocols interact with each other.




                          • 10. Re: Encryption Vs. Authentication
                            Eric A. Nygren

                            I agree that it is troublesome when things don't fit into nice, neat categories, but those are the cards that were dealt.  The names they have are the names they are, no easy way around it.  If you are just looking for a nice name to put at the top of a web page, try "Wireless Security Procedures".  You can't even say "protocols" because WPA isn't a protocol, it is 1 of 2 certifications by the WPA organization with verifying conformance of a portion of an IEEE standard.  Life is messy, I'm really sorry about it.


                            -Eric N.

                            • 11. Re: Encryption Vs. Authentication

                              I think that the word Protocol isn't the right word to use in this context.  How about standards or framework?  In several wireless books, EAP and its various flavors are described as a framework that all use 802.1x, which is a standard.  WPA isn't an official protocol, but just a marketing term from the Wifi Alliance.  It incorporates TKIP, which is the encryption algorithm used.  WPA2 is the Wifi Alliance's term that basically matches up with 802.11i, which is a ratified standard.


                              Understanding various organizations like IEEE and the wifi alliance and their terms for various technologies will really help.  It can get way confusing, but if you break it up by organization (IEEE and Wifi Alliance) it becomes a little more clear.

                              • 12. Re: Encryption Vs. Authentication
                                Pete Nugent

                                Eric you state


                                WEP can be used in 1 of 4 ways:

                                     Preshared key layer 2 authentication without encryption


                                I agree that as a PSK it's an authentication mechanism; however, surely the packets are encrypted


                                Secondly just for completeness


                                WPA is a certification agency who has developed 2 separate certifications:


                                Should read


                                WiFi Alliance is a certification agency who has developed 2 separate certifications:


                                It's really confusing as the protocols are


                                WEP which is based on the RC4 cipher

                                TKIP which is based on the RC4 cipher

                                and CCMP which is based on the AES cipher suite.


                                WPA really is just a standard but not in the same way as the IEEE produce standards, as WPA is managed as a standard or tool that the WiFi Alliance use to certify interoperability of products. Hence WPA2 could not exist, as the target was to meet all the mandatory requirements of 802.11i, an IEEE standard, until that standard was ratified.


                                It's a bit like WiMAX now, that is not a standard but is based on the 802.16 standard.


                                Why they make wireless so tough I will never know!


                                Eric, also interested in you saying 802.1x is layer 3. I have had that conversation and am still unsure if it's layer 2 or 3; however, as it's a framework, is it both or neither as it depends on the protocols used?


                                God who the **** asked this ? LOL only kidding Angela, there are a few of us on here who have great debates as to what is and isn't in wireless.


                                Jared and Eric are awesome and I am surprised Eric hasn't said "out of scope" yet

                                • 13. Re: Encryption Vs. Authentication

                                  Well, from a different perspective, it's really not out of scope.  Angela is just trying to understand where WEP and WPA fit as far as protocols are concerned.


                                  Boy did we ever have some good wireless debates.  Angela, welcome to the club!  Pete, with you and I and Eric, that is half of the old CCNA Wireless study gang!  Let's get Eric Hines, John and Corne in here and JC and we'd have the old group back!

                                  • 14. Re: Encryption Vs. Authentication
                                    Eric A. Nygren

                                    It's in scope, but Pete is out of order and will be held in contempt of Knowledge Court.


                                    WiFi Alliance, you win.


                                    Rework, 3 options (I always wanna force that 4th one in my head but it is not a valid option):

                                         802.1x with dynamic WEP

                                         WEP PSK Authentication with WEP PSK Encryption

                                         Open Auth with WEP PSK Encryption


                                    WPA is not a standard, I'd take framework as a better term, but it is a certification.

                                    WPA2 is not a standard, it is a certification for conformance against most of 802.11i (there are slight allowable deviations, such as 802.11i dictates 802.1x and not PSK, WPA2 allows PSK).


                                    I missed this, we need more fun.


                                    -Eric N
