The 802.11b specification outlines a form of encryption called wired equivalency privacy, or WEP. By encrypting packets at the MAC layer, only clients who know the "secret key" can associate with an access point or peer-to- peer group. Anyone without the key may be able to see network traffic, but every packet is encrypted.
The specification employs a 40-bit, shared-key RC4 PRNG algorithm from RSA Data Security. Most cards that talk 802.11b support this encryption standard.
It could be worse, but entropy takes time. Although hardware encryption sounds like a good idea, the implementation in 802.11b is far from perfect. First of all, the encryption happens at the link layer, not at the application layer. This means your communications are protected up to the gateway, but no further. Once it hits the wire, your packets are sent in the clear. Worse than that, every other legitimate wireless client who has the key can read your packets with impunity, since the key is shared across all clients.
Some manufacturers have implemented their own proprietary extensions to WEP, including 128-bit keys and dynamic key management. Unfortunately, because they are not defined by the 802.11b standard, there is no guarantee that cards from different manufacturers that use these extensions will interoperate (and, generally speaking, they don't).
To throw more kerosene on the burning WEP tire mound, a weaknesses is identified in the way WEP is implemented, effectively making the strength of encryption irrelevant.
With all of these problems, why is WEP still supported by manufacturers? And what good is it for building public access networks?
WEP was not designed to be the ultimate "killer" security tool (nor can anything seriously claim to be). Its acronym makes the intention clear: wired equivalency privacy. In other words, the aim behind WEP was to provide no greater protection than you would have when you physically plug into your Ethernet network. (Keep in mind that in a wired Ethernet setting, there is no encryption provided by the protocol at all. That is what application layer security is for.
What WEP does provide is an easy, generally effective, interoperable deterrent to unauthorized access. While it is technically feasible for a determined intruder to gain access, it is not only beyond the ability of most users, but usually not worth the time and effort, particularly if you are already giving away public network access!
One area where WEP is particularly useful is at either end of a long point-to-point backbone link. In this application, unwanted clients could potentially degrade network performance for a large group of people, and WEP can help not only discourage would-be link thieves, but also encourage them to set up more public access gateways.


