Forum

Hi Fmedina:

Warning: Some of the following is right from the standard, some from authors I trust, and some from my imagination.

IEEE 802.11 (as amended) WEP encryption keys are installed by means outside the standard. When humans are employed the result is called "static WEP". When vendor proprietary mechanisms are employed the result is called "dynamic WEP". These terms are conventional and not found in the standard.

It is good of you to mention both WEP-40 and WEP-104. IEEE 802.11 (as amended) define these as separate cipher suites, allows them both to be called simply WEP, and urges us to use WEP only as a transition to RSNA security mechanisms -- TKIP, CCMP, 802.1X/EAP, and the 4-way handshake.

WEP may use two types of encryption keys: optional key-mapping keys and required default keys. Any one station may be configured with up to four default keys identified by Key IDs 0, 1, 2, and 3. The four default keys support having two sets of unicast/multicast key pairs installed at a time. One pair could be operational while the other pair could be undergoing a tedious station by station key change procedure using "means outside the standard" -- people. Once all the changes are in place the Key IDs to use can be changed from say 0 for unicast and 1 for multicast to 2 and 3 respectively in each and every device (phew). Then its time to go change all the keys 0 and 1 so we can start over again.

Apparently few if any vendors ever implemented key-mapping keys and some pre-RSNA vendors implemented only one default key with ID 0. In this last case all stations in the BSS use the same secret key for unicast and multicast frames, all identified with Key ID 0. Changing this one key breaks the WLAN until all stations had been visited with the new key. This is a common practice in small WLANs, even where multiple default key support is found.

TKIP mungs its pairwise temporal key and other information into the functional equivalent of a WEP IV and a WEP default key complete with one of the four Key ID values. In an implementation where the only available Key ID is zero, a station cannot support both a TKIP pairwise key and a WEP key for multicast frames.

A station crippled with single default key syndrome can signal its inability with the No Pairwise subfield in the RSN Capabilities field. If an AP is configured to use WEP default key 0 as a WEP key and a ?¡é?€??No Pairwise?¡é?€?? STA associates, the AP shall not set the Install bit in the 4-Way Handshake. In other words, the STA will not install a pairwise temporal key and instead will use WEP default key 0 for all traffic. The behavior of ?¡é?€??No Pairwise?¡é?€?? STAs is only intended to support the migration of WEP to RSNA.

I hope this helps. Thanks. /criss