• All,

    I have seen dynamic WEP mentioned in a few places but I am confused about the difference between WEP, Dynamic WEP and WPA(WPA-PSK). Can anyone offer a clear explanation on Dynamic WEP and how it relates to the others.


  • Hi Moe of Birmingham:

    Before the 802.11i amendment in 2004 there was only one IEEE 802.11 cipher suite - WEP. Its key management was static. The standard practice was to manually enter a ten character hexadecimal WEP key string (40 bits) in each device.

    Vendor proprietary alternatives included longer WEP keys, entering a variable length pass phrase in place of the WEP key, and automatically entering the WEP key from a key management service. This later method is what is commonly called dynamic WEP.

    Since the 802.11i amendment there are four standard IEEE 802.11 cipher suites, WEP-40, WEP-104, TKIP, and CCMP. WEP-40 is the new name for the original WEP. WEP-104 is the new standard way of doing longer WEP keys (26 hex chars). All four support static key management. TKIP and CCMP also support automatic key management. WEP-40 and WEP-104 do not.

    The IEEE strongly discourages the continued use of WEP-40 and WEP-104.

    The TKIP and CCMP static key management is called Pre-Shared Key (PSK). The standard practice is to manually enter in each device a pass phrase of up to 64 alphanumeric characters from which is derived the 64 character hexadecimal PSK. Optionally the 64 hex character PSK may be entered directly, but this is not supported by all vendors.

    The TKIP and CCMP automatic key management use IEEE 802.1X and EAP.

    The Wi-Fi Alliance has introduced four new brands since the adoption of the 802.11i amendment. These are WPA-PSK, WPA-Enterprise, WPA2-PSK, and WPA2-Enterprise.

    Devices with any of the four brands support WEP-40 (static). WPA-PSK branded devices include TKIP and static key management. WPA-Enterprise branded devices include that plus automatic key management for TKIP. WPA2 branded devices include TKIP and CCMP, and static key management. WPA2-Enterprise branded devices include that plus automatic key management for TKIP and CCMP.

    Vendors have taken to using these brand names as shorthand for configuration choices. In this context the name means not which features are included in the device but rather which feature subset is to be enabled.

    I hope this helps. Thanks. /criss

  • It does help and I appreciate the time you spent to answer me. If I could I would like to ask a couple of more questions:

    You said "Vendor proprietary alternatives included..automatically entering the WEP key from a key management service." Does this mean a preshared key is used to authenticate and establish an encrypted tunnel and then an initial WEP key is exchanged over the tunnel and then the key is changed periodically? And is the WEP key a true WEP key (i.e RC4 algorithm and 40 or 104 bits with a 24 bit IV) or is the phrase "dynamic WEP" used in a more generic sense in that other encryption algorithms can be used?

    Thanks again for your time.

  • Hi Moe:

    "Dynamic WEP" is vendor proprietary and not part of the IEEE 802.11 standard either before or after the 802.11i amendment. Some vendors use 802.1X and EAP.

    Once the WEP key is installed by dynamic WEP, and until the key is changed, the key is used in the standard way with the same number of bits, same IV, same RC4 algorithm, and same WEP weaknesses -- except the key changes as often as the dynamic WEP service is configured to change it.

    I hope this helps. Thanks. /criss

  • Yes. That clarifies it for me. I also read Cisco's explanation of their dynamic WEP and it all fits together. Thanks again.

Page 1 of 1
  • 1