From: Jouni Malinen (jkmaline_at_cc.hut.fi)
Date: 2002-04-05 20:48:06 UTC
On Fri, Apr 05, 2002 at 02:45:06PM +0100, ben_at_netservers.co.uk wrote:
> The difficulty may come with encrypting and decrypting broadcast and
> multicast frames unless all nodes on the network run your driver. At the
> very least, clients will be unable to make sense of broadcasts from
> other clients unless they are using a common key.
Yes, that's true. Unicast frames can be encrypted with different keys for each station. In addition, broadcast and multicast frames from stations to the AP (i.e., frames that have the ToDS flag set and are only sent to the AP) can be encrypted with the station-specific key. When the AP re-sends these broad/multicast frames to associated stations, it would need to use a common key or send them separately to each station. Since there are four possible WEP keys, it would be possible to use key1 as the station-specific key and key2 as the common key for broad/multicast frames from the AP to stations.
Anyway, it's questionable whether WEP could bring much security even with different keys. The keys would at least need to be changed quite often, and that would require changes to the client-side drivers. Still, an attacker could replay and inject packets into the network even though packet sniffing might get a bit more difficult. In most cases, using a security gateway and IPsec between the wired and wireless networks would be a much better solution.
-- Jouni Malinen PGP id EFC895FA
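The key-selection scheme sketched in the message above, worked through as an added example (this is not code from the post or from any driver the thread discusses). It models the WEP framing as standardised (a 3-octet IV, the 2-bit KeyID in bits 6-7 of the fourth octet, RC4 keyed with IV||key, and a CRC-32 ICV) and follows the post's slot assignment, taking "key1" and "key2" to be KeyID 0 and 1 on the wire. Station-to-AP frames always use the station's own key, even when the destination is a broadcast address, because only the AP receives them; the AP re-encrypts group-addressed traffic under the common key before sending it FromDS. The `AccessPoint`/`Station` classes, `scenario()`, the MAC addresses, keys and fixed IVs are all constructed for the demo; real IVs must vary per frame.

```python
import struct
import zlib
from typing import Dict, Optional, Tuple

# Slot assignment proposed in the post: slot 0 ("key1") holds the per-station
# key, slot 1 ("key2") the common key the AP uses for broadcast/multicast.
STATION_KEY_SLOT = 0
GROUP_KEY_SLOT = 1
BROADCAST = b"\xff" * 6

def is_group_addr(mac: bytes) -> bool:
    return bool(mac[0] & 0x01)                    # I/G bit of the first octet

def build_header(to_ds: bool, from_ds: bool, a1: bytes, a2: bytes, a3: bytes) -> bytes:
    """24-byte data-frame header: Frame Control, Duration, Addr1-3, Sequence Control."""
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0)
    fc = 0x0008 | (flags << 8)                    # type = Data, flags live in the 2nd octet
    return struct.pack("<HH", fc, 0) + a1 + a2 + a3 + struct.pack("<H", 0)

def parse_header(hdr: bytes) -> Tuple[bool, bool, bytes, bytes, bytes]:
    (fc,) = struct.unpack_from("<H", hdr, 0)
    flags = fc >> 8
    return bool(flags & 0x01), bool(flags & 0x02), hdr[4:10], hdr[10:16], hdr[16:22]

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:                                # keystream XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(key: bytes, key_id: int, iv: bytes, payload: bytes) -> bytes:
    """WEP body: IV(3) | KeyID<<6 | RC4(IV||key, payload || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return iv + bytes([key_id << 6]) + rc4(iv + key, payload + icv)

def wep_decrypt(key: bytes, body: bytes) -> Optional[bytes]:
    """Return the payload, or None when the ICV does not verify (wrong key or damage)."""
    plain = rc4(body[:3] + key, body[4:])
    data, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) != icv:
        return None
    return data

class AccessPoint:
    def __init__(self, bssid: bytes, station_keys: Dict[bytes, bytes], group_key: bytes):
        self.bssid, self.station_keys, self.group_key = bssid, station_keys, group_key

    def tx_key(self, da: bytes) -> Tuple[int, bytes]:
        """AP -> station: group-addressed DA takes the common key, unicast the station's own."""
        if is_group_addr(da):
            return GROUP_KEY_SLOT, self.group_key
        return STATION_KEY_SLOT, self.station_keys[da]

    def relay(self, frame: bytes, iv: bytes) -> Optional[bytes]:
        """Decrypt a ToDS frame with the sender's key (only the AP received it, whatever
        addr3 says), then re-encrypt it FromDS with the key the destination calls for."""
        to_ds, _, _, sa, da = parse_header(frame[:24])
        payload = wep_decrypt(self.station_keys[sa], frame[24:])
        if not to_ds or payload is None:
            return None
        slot, key = self.tx_key(da)
        return build_header(False, True, da, self.bssid, sa) + wep_encrypt(key, slot, iv, payload)

class Station:
    def __init__(self, mac: bytes, own_key: bytes, group_key: Optional[bytes]):
        self.mac, self.keys = mac, {STATION_KEY_SLOT: own_key, GROUP_KEY_SLOT: group_key}

    def send(self, bssid: bytes, da: bytes, iv: bytes, payload: bytes) -> bytes:
        """Station -> AP: always the station-specific key, even for a broadcast DA."""
        return build_header(True, False, bssid, self.mac, da) + wep_encrypt(
            self.keys[STATION_KEY_SLOT], STATION_KEY_SLOT, iv, payload)

    def receive(self, frame: bytes) -> Optional[bytes]:
        key = self.keys.get(frame[27] >> 6)       # KeyID selects the slot
        return wep_decrypt(key, frame[24:]) if key else None

def scenario() -> dict:
    """Constructed demo: A broadcasts via the AP; B holds the common key, C does not."""
    bssid = bytes.fromhex("02aabbccdd00")
    mac_a, mac_b, mac_c = (bytes.fromhex("02aabbccdd0%d" % n) for n in (1, 2, 3))
    keys = {mac_a: b"sta-A-key0123", mac_b: b"sta-B-key0123", mac_c: b"sta-C-key0123"}
    group = b"group-key0123"
    ap = AccessPoint(bssid, keys, group)
    a = Station(mac_a, keys[mac_a], group)
    b = Station(mac_b, keys[mac_b], group)
    c = Station(mac_c, keys[mac_c], None)
    uplink = a.send(bssid, BROADCAST, b"\x01\x02\x03", b"hello all")   # fixed IVs for determinism
    relay = ap.relay(uplink, b"\x04\x05\x06")
    return {
        "uplink_key_id": uplink[27] >> 6,         # 0: station-specific slot
        "b_reads_uplink": b.receive(uplink),      # None: another station's key
        "relay_key_id": relay[27] >> 6,           # 1: common slot
        "b_reads_relay": b.receive(relay),        # b"hello all"
        "c_reads_relay": c.receive(relay),        # None: no common key installed
    }
```

The `b_reads_uplink` and `c_reads_relay` results are the two failure cases the quoted reply raises: a station cannot read another station's uplink broadcast, and a station that does not hold the common key cannot read the AP's relayed copy. Whether a frame decrypts is decided purely by which key sits in the slot the KeyID names, which is why the post notes that rotating keys needs cooperation from every client driver.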