If you use Wi-Fi for wireless networking at home or in your business or workplace, how do you know that the data you exchange with the internet is secure? Unsecured wireless local area networks (WLANs) are vulnerable to snooping, hacking, and other attacks. Thankfully, most Wi-Fi networks are secured with one of two leading technologies, WEP and WPA. The creators of Wi-Fi have developed WEP and WPA to ensure that your wireless network stays private and secure, but there are significant differences between these technologies that make one more secure than the other. In this article, we share five key differences between WEP and WPA to help you select the best security technology for your Wi-Fi network.
WEP vs. WPA: Side-by-Side Comparison
|Name||Wired Equivalent Privacy||Wi-Fi Protected Access|
|What it is||Security algorithm for wireless networks||Security certification standard for wireless networks|
|Versions||WEP2, WEP plus, Dynamic WEP||WPA 1, WPA 2, WPA 3|
|Primary use||Protecting a Wi-Fi (802.11) network||Protecting a Wi-Fi (802.11) network|
|Influential developers||The Institute of Electrical and Electronic Engineers (IEEE), The Wi-Fi Alliance||The Institute of Electrical and Electronic Engineers (IEEE), The Wi-Fi Alliance|
|Technologies used||64, 128-bit Encryption, stream cipher RC4, CRC-32 checksum, open System authentication, shared Key authentication.||Temporal Key Integrity Protocol (TKIP), 64-bit 128-bit or 256-bit encryption key, Message Integrity Check, cyclic redundancy check (CRC), CCMP|
|Compatible versions of Wi-Fi||Wi-Fi 1 (802.11b), Wi-Fi 2 (802.11a)||Wi-Fi 1 (802.11b), Wi-Fi 2 (802.11a), Wi-Fi 3 (802.11g), Wi-Fi 4 (802.11n), Wi-Fi 5 (802.11ac), Wi-Fi 6 (802.11ax)|
|Hardware support||Wi-Fi 1 and 2 routers and compatible devices||Wi-Fi 1 to 6 routers and compatible devices|
WEP vs. WPA: 5 Differences to Know
Both network security protocols have been used to protect consumer and business Wi-Fi networks, but their differences mean that only one is suitable for ongoing use. Here are 5 fundamental differences between WEP and WPA:
1. WPA is Newer Technology
The crucial difference between these two Wi-Fi security technologies is that WEP is older than WPA. Things move quickly in technology, so it is no surprise that as a 23-plus-year-old security protocol, WEP is pretty much obsolete nowadays.
2. WEP Is Only Compatible With Wi-Fi 1 and 2
The IEEE/Wi-Fi Alliance released WEP when Wi-Fi first started (1999) and it was the default network security protocol on Wi-Fi 1 and 2 (802.11 b/a) devices, but it WPA superseded it by the time Wi-Fi 3 (802.11g) came out.
3. The Level of Encryption
WPA has far more robust encryption. It features the Advanced Encryption Standard (AES) with a 256-bit encryption key vs. the 64-bit and 128-bit encryption keys of WEP and WEP2. Though both technologies use the RC4 stream cipher, WPA uses key mixing and the automatic generation of new keys for each data packet to conceal the key more reliably.
4. Network Authentication
WPA has far more robust device authentication standards than WEP’s open authentication and shared key authentication. This includes the implementation of group keys and four-way handshakes to ensure that there are only legitimate network participants at all times. WPA 3 has the most advanced, yet easy-to-use authentication that includes QR-code authentication for devices that do not have a keyboard.
5. Protection of Data Packets
WPA has far more robust protection of data packets, with message integrity checks to ensure that no one has tampered with the received data packets. WEP was almost entirely reliant on its relatively weak encryption and cyclic redundancy checks, meaning that transmitted data packets could have potentially been intercepted, altered and re-sent without detection.
What is WEP?
Wired Equivalent Privacy (WEP) is a legacy Wi-Fi security algorithm that was implemented when the first 802.11 Wi-Fi standard appeared in the late 1990s. Its name refers to the intention that the WEP protocol would provide a level of network security that is equivalent to a wired (Ethernet) network.
WEP was end-user-facing and available as part of the security setup of Wi-Fi routers and other network equipment. It secured data exchanged across the networks by encryption with the earliest forms of WEP using a 64-bit encryption key. It is the only in-built encryption protocol in the earliest versions of Wi-Fi, Wi-Fi 1 (802.11b) and Wi-Fi 2 (802.11a).
Development of WEP
One of the key challenges in developing WEP was its relatively lax security. This was not because of negligence but because at the time the Wi-Fi Alliance developed WEP, the U.S. government had restricted the use of cryptographic technologies, limiting the complexity of the encryption key that WEP could use.
Once WEP became the official security standard for Wi-Fi in 1999, its weaknesses became apparent through the following widely publicized attacks:
- Fluhrer, Mantin and Shamir attack, a stream cipher attack that targeted the RC4 stream cipher used by WEP to encrypt data bit by bit. The team targeted and recovered the encryption key from RC4 encrypted messages.
- The Caffe Latte attack, a remote attack using the Windows wireless stack to obtain the WEP from a client device by flooding the Wi-Fi network with encrypted ARP requests.
When the U.S. government lifted the restrictions on cryptographic technologies, the Wi-Fi Alliance moved quickly to update WEP with a stronger 128-bit encryption key and later a 256-bit key. However, in 2003, the IEEE and the W-Fi Alliance introduced Wi-Fi Protected Access (WPA), which succeeded WEP. By 2004, when they introduced WPA2, WEP became a legacy technology.
Technologies Used by WEP
WEP uses the following technologies:
- Rivest Cipher 4 (RC4/ARC4) a symmetric key cipher that encrypts the plain text digits of a data stream with a pseudo-random keystream one bit at a time. This technology keeps data transferred over the network private. WEP originally used a 64-bit encryption key, but WEP 2 uses a 128-bit key.
- CRC-32, a checksum variant of cyclic redundancy checks to check errors in the data that is transferred over a Wi-Fi network and that ensures that data packets are correctly received.
- Open System Authentication is a process by which devices access a WEP protocol-secured wireless network. It provides simple access that is ideal for guest devices. Once a client device is authenticated, it can send and receive un-encrypted data across the network.
- Shared Key Authentication requires the exchange of a WEP key to access and exchange encrypted data on a Wi-Fi network.
What is WPA?
Wi-Fi Protected Access (WPA), also known as Robust Security (IEEE 802.11i), is the network security technology that has superseded WEP and we routinely implement it in Wi-Fi networks. It was first released in 2003 by the IEEE/ Wi-Fi Alliance in response to notable weaknesses in the WEP protocol, strengthening security with extremely robust device authentication and encryption protocols. It is currently in its third generation. The available WPA security certification standards are:
- The original Wi-Fi Protected Access (WPA) released in 2003
- Wi-Fi Protected Access 2 (WPA2) released in 2004
- Wi-Fi Protected Access 3 (WPA3) released in 2018
All three WPA protocols are available in personal (e.g. WPA2-Personal) and enterprise (e.g. WPA2-Enterprise) versions developed for consumer and commercial use. They use AES data encryption and require a network name and password for network access.
The network security features of WPA ensure robust protection of network access and the data that is transferred across Wi-Fi networks. WPA 3 supersedes WPA2 and WPA, with modern Wi-Fi networks using at least WPA2, and WP3 being routinely available for Wi-Fi 5 and 6 routers and devices. Key features and technologies of WPA include:
Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP): This is an enhanced encryption protocol based on the Advanced Encryption Standard (AES) that was specifically developed for Wi-Fi.
Advanced Encryption Standard (AES): This is a well-known U.S. Government-developed encryption standard that can use 128, 192, and 256-bit encryption keys.
Temporal Key Integrity Protocol (TKIP): WPA2 previously used this encryption protocol, but other technologies have superseded it. It keeps the root key concealed by using a key mixing function, while using RC4 to encrypt and decrypt data.
Message Integrity Check (MIC): This feature protects encrypted messages from common interception attacks. For example, “bit-flip” attacks, where hackers send slightly altered spoofed messages to network receivers in an attempt to penetrate the network.
Four-way handshake: WPA uses the four-way handshake for authentication. It is extremely robust, requiring the exchange of four messages between the network’s access point and a device that wants to join.
Group key handshake (GTK): This is another authentication tool that supplies a time-limited group transient key to all participant client devices in the network.
Forward secrecy (FS): This feature randomly changes encryption keys between transmitted data packets so that if an attacker gets an encryption key, the data they can decrypt is minimal.
WPA has also had security issues, which they have largely addressed by the widespread implementation of WPA3. Security issues have included:
- Weak passwords with vulnerability to password cracking.
- Absent forward security, allowing a captured encryption key to be used to decode all data packets.
- Spoofed data packets to attempt to recover TKIP encryption keys.
- Wi-Fi Protected Setup (WPS) PIN recovery which uses a captured PIN code from a router’s WPS to recover WPA/WPA2 passwords.
WEP vs. WPA: Six Must-Know Facts
- The Wi-Fi Alliance initially intended WPA to be an interim measure for resolving the security weaknesses of WEP prior to the development of a fully updated standard.
- The Wi-Fi Alliance released the original WPA version as a firmware update for Wi-Fi 1 and 2 wireless network cards. It was not possible to make pre-2003 access points WPA-compatible.
- The Group Temporal Key (GTK) used by WPA2 also has a security vulnerability known as Hole196. An attacker can exploit the group authentication with man-in-the-middle or denial-of-service attacks to get themselves authenticated on the targeted network.
- Since the 1st of July 2020, WPA3 has been mandatory for official Wi-Fi-certified devices. In addition, it is part of the testing for the certification of new devices. At present, WPA2 does not have to be upgraded and works competently with WPA3 as it is backward compatible.
- WPA3 replaces the pre-shared key exchange of WPA2 with a more robust feature called Simultaneous Authentication of Equals (SAE) for the exchange of 128-bit encryption keys between authenticated devices.
- Only devices that the Wi-Fi Alliance has certified can carry the official Wi-Fi logo.
WEP vs. WPA: Which is Better?
As a legacy technology, WEP has multiple vulnerabilities. It is already over 20 years old. Therefore, unable to protect a network from the sophisticated attacks that are prevalent these days. Attackers would quickly target a device that uses legacy versions of Wi-Fi like WEP and WEP2 because of its well-known weaknesses.
The Wi-Fi Alliance developed WPA to protect Wi-Fi networks better. The first version, WPA, addressed the weakness of WEP. Subsequent versions have strengthened wireless network security to keep up with contemporary challenges. In short, the best security standard for Wi-Fi right now is WPA3. It has been routinely implemented on all routers and Wi-Fi devices that have been released since 2020.