WEP:
Wired Equivalent Privacy. Originally intended to give you the same or similar level of security as on a wired network, but it didn’t quite work out that way.
In basic layman’s terms, WEP works by using secret keys, or codes to encrypt data. The Access Point and the client must know the codes in order for it to function. It uses either 64 bit or 128 bit keys, though the added security from the larger number isn’t as much as you would think.
The actual user keys (codes) are 40 bits and 104 bits, with the extra 24 bits used by something called the Intialization Vector (IV).
The encryption is created by taking the IV and randomizing it for each packet, while keeping the secret code the same. The AP and the client decrypt and retrieve the message/data and all is right in the world, in theory.
Problems:
There is no limit on using the same IV value more than once. This makes the encryption vulnerable to collision-based attacks.
Because the IV is only 24 bits, there are only ~16.7 million possible variations. Sounds like a lot, but it’s quite small in the cryptography world.
Master keys are used directly, when they should instead be used to generate other temporary keys.
Users don’t change their keys very often on most networks, giving attackers ample time to try various techniques.
If you have nothing else, WEP is better than nothing of course, but I wouldn’t trust extremely sensitive data with it.
WPA:
Wifi Protected Access. It bridges the gap between WEP and the upcoming 802.11i standard, and is implementable via firmware upgrades in older hardware. WPA uses Temporal Key Integrity Protocol (or TKIP), which is designed to alow WEP to be upgraded through corrective measures that address the existing security problems.
Advantages over WEP:
IV length has increased to 48 bits from 24 bits, which allows WPA to achieve over 500 trillion possible key combinations.
IVs are now better protected through the use of the TSC, or TKIP sequence counter, helping to prevent the re-use of IV keys.
Master keys are never directly used.
Better key management
Impressive message integrity checking
I have not gone into the Enterprise level of WPA, which is actually intended to be used with something called a RADIUS server for access control. Most home users use what is called WPA-PSK, which is for use on smaller networks that need good security without the extra cost and configuration. WPA and WPA-PSK use the same encryption methods, however.
-Christopher