Encryption is supposed to the bit that foxes most non-experts, and it is fair to say that is used to be hard work. With Windows XP it is fairly straightforward as long as you do things in the right order, and assess the capabilities of the hardware first.

NB: This article follows on from part one, which covered wireless access point security.

The first thing is to make sure you have Windows XP with the SP2 security update installed because this makes support for more advanced encryption an integrated feature – previously it had to be added separately.

Next, work out what type of encryption (see below) the wireless access point/router will support, and whether this is matched by the capabilities of the wireless network interface. Some will support advanced encryption, while others, mostly older hardware, won’t. If one doesn’t support the level of encryption security desired, but the other does, then the lowest common denominator will have to be used if no driver update is to hand.

WEP, WPA, and WPA2
There are two types of encryption format you’ll come up against; basic WEP (wire equivalency privacy), which comes in 64-bit and 128-bit versions, and the much more secure WPA (WiFi protected access). This was subsequently ratified as the 802.11i standard in 2004, and is sometimes referred to as a “third” option called WPA2.

We say, “more secure” with WPA because it’s fair to say that WEP is not really secure at all beyond the poking around of an inexperienced user with no clever tools, though this does depend on how the key is chosen (see below). It’s better than nothing, but that’s not an accepted definition of what security means nowadays.

WPA or WPA2 are a must if it they are supported. In recent years, study after study has shown WEP to be vulnerable to a catalogue of attacks on its static, single-key (ie the same key is used all the time and for all clients) architecture. It is, however, simple to set up and can be used as a good practice run for setting up the more involved WPA.

While any hardware will be able to use WEP, note that turning it on it not enough to secure every link between the access point and potential clients. To do this, encryption must be enforced (see router configuration), so that non-WEP clients cannot connect without using it. Looked at another way, it is not the access point’s job to insist on encryption if not all clients need it or have it enabled. Setting encryption on the client does not mean it cannot connect to access points, such as public WiFi networks, that allow open access. The client will always fall back to what the AP requests.

Basic configuration
The quick-and-dirty way to enable WEP is use Windows to generate a random static key using the Windows WLAN configuration tool (from the Control Panel), and then cut and paste this from the laptop or PC into the router configuration window.

Then enable the router encryption, at which point it will disconnect from the PC, following this by enabling WEP on the client. The two then negotiate security for a couple of minutes, before the WLAN reappears, sometimes requiring a manual re-connection. In case anything goes awry, it is important to have a wired connection to the access point or router if that is possible. A small padlock appears in the WLAN window indicating success.

In XP, the Windows WLAN wizard also supports a Microsoft auto-configuration standard called Windows Connect Now, through which a pre-shared network key can be copied to a USB drive and plugged into every compliant device on the LAN. This will work for other Windows XP SP2 clients, but not many access points yet support it. The manual configuration option of this wizard, mentioned above, is therefore the more likely path.

It’s a subtlety lost on non-cryptologists, but not all WEP keys are equal. If you have to use it, then use the 128-bit version (sometimes referred to as 104-bit for technical reasons not worth going into), equivalent to 13 randomly-chosen ASCII characters. Better still, use base-16 Hexadecimal notation, which means 26 digits derived from using characters 0–9, A–, or a-f. Note, some configuration tools on the access points allow up to 4 keys to be generated. It is recommended to use only one on the AP and client, regardless of what the configuration interface on that device appears to suggest.

Getting harder
WPA is also straightforward to set up, as long as it is actually supported as mentioned before, but it more complex in its inner workings and this sometimes gives rise to confusion. The same WLAN configuration wizard can be used as was used for WEP, but this time check the WPA box. A passphrase will be required from which WPA generates what is known as an initial pre-shared key, a simple mechanism of authenticating the client. This is not the same as a WEP key – it is only used for authentication, leaving the actual encryption keys to be generated transparently.

Home or small business users will be using the version of WPA called WPA-PSK, for “pre-shared key” (make sure that this is enabled on the AP). Larger corporate installations use full-blown client authentication using RADIUS servers, but we’ll assume the less complicated small-business PSK version is sufficient.

The key to WPA’s superior security is an element called TKIP (temporal key integrity protocol), through which keys are constantly cycled automatically at a speed no hack could ever break using current technology – remember WEP only has one of these keys at any point in time. WPA also supports a much enhanced checksum system called “Michael”, and, in the case of WPA2, uses the highly secure AES encryption algorithm. The latter makes it less likely to be used in mainstream environments as AES adds processor overhead, and for live communications really needs to be used with hardware acceleration. If the AP configuration offers AES, simply ignore.

In part three of this article: authentication services for SMEs, public networks and evil twins.