When it says "wireless clients" in this context, is it talking about program clients or user clients? How come WEP can conceal data? WEP is a non-secure wireless connection, right?
WEP is an encryption standard. Specifically, it's the RC4 encryption algorithm with a 40-bit encryption key. For comparison, it's like having some text and substituting random letters, and then giving your friend the list of letter substitutions so they can reconstruct the text.

RC4 was generally considered a "good" encryption cipher when it was chosen for WEP, but it has several weaknesses that allow an attacker to force the exposure of secrets. Worse, the relatively small 40-bit key is very easy to guess, and on modern computers can take less than 30 seconds to find the key. Once you have the matching key, any cipher, no matter how strong, can be "unlocked" (to extend the analogy).

For that reason, WEP is considered by security experts to be broken. It uses a relatively weak cipher combined with an absurdly weak key selection protocol, and as if to add insult to injury, WEP also doesn't use additional security measures that make RC4 more resilient to attack.

Newer versions of the WEP standard use a larger key size now, because until 2000, US export restrictions classified cryptography as a munitions technology, and restricted key sizes to a maximum of 52 bits; when the restriction was lifted, WEP key sizes jumped to 104, then to 128 and 232 bits for systems that supported it. RC4 is still pitifully weak, though, making it easy to discover even those large keys.

So, the name of WEP - Wired-Equivalent Privacy - is true but not for the reason the name was chosen: Like wired connections, it still leaks secrets.

So, yes, WEP conceals data, but does it so poorly that it may as well not even try.

Without WEP, a router sends data "in the clear." That is to say, it's not encrypted, and anyone with a radio tuned to about 2.4GHz can hear the exact data that gets sent. WEP only adds RC4 encryption, and does so in a way that is merely a "speed bump" for anyone trying to break it.

Enter WPA:

WPA uses a much more secure encryption standard called AES. This algorithm is not (yet) known to have any security flaws, and so is still considered "secure." It's used in a 128-bit mode, which would take current computers more than 100 years to crack a single chunk of data. Combined with TKIP (which changes the encryption key with every packet of data), that makes WPA much, much more secure.

WPA had some flaws, though, due to the limitations of old wireless cards, and so anything that uses the WiFi logo that was also made after 2006 also supports WPA2 (a requirement of using the logo), which fixes those problems.

So long as your passphrase is strong (long and random), WPA2 is considered "unbreakable."

But, some people don't like typing long passwords. So they came up with WPS, which uses a PIN# and a button press to enable the connection. Within a week of that being on the market, it was broken, and it's possible to recover the PIN# and get connected to a WPS-enabled router almost instantly. You should never enable WPS.
WEP is a wireless encryption algorithm that is broken, and easily hackable. Clients in this case are hosts. Though WEP connections are encrypted, WEP is as stated easily hackable, and should not be used or trusted for security. A WEP connection is not unencrypted (plain text), but it is not secure.

The safest way to use wireless is to not use it at all, as it's pretty damn insecure. If you cannot avoid that, only use WPA2, with a strong passphrase, and don't use WPS, as that is (generally) easily hackable as well.

An example of a strong passphrase is iL':76˜9jiKCeWz8(@

An example of a weak one is tomatoes


https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
https://en.wikipedia.org/wiki/Host_(network)
https://en.wikipedia.org/wiki/WPA2
https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
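The two answers above both come down to "WPA2 is only as strong as the passphrase". Here is why, as an added example that is not code from the thread: in WPA/WPA2-Personal the 256-bit Pairwise Master Key that every session key is derived from is simply PBKDF2-HMAC-SHA1 of the passphrase, salted with the SSID, 4096 rounds (the derivation IEEE 802.11i specifies). The SSID is broadcast, so guessing the passphrase is the whole job. The small wordlist, the 100,000-entry dictionary size and the guess rate are constructed assumptions; the two passphrases scored are the ones from the answer above.

```python
import hashlib
import math
import string

# Added example, not code from the thread. PBKDF2-HMAC-SHA1 over the passphrase
# with the SSID as salt, 4096 rounds, 32-byte output is the IEEE 802.11i PSK
# derivation used by WPA/WPA2-Personal.
PBKDF2_ROUNDS = 4096
PMK_BYTES = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-Personal (IEEE 802.11i PSK derivation)."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"),
        PBKDF2_ROUNDS, PMK_BYTES,
    )


# Constructed stand-in for a real cracking wordlist; a dictionary word is scored
# as if it came from an assumed list of about 100,000 entries.
COMMON_WORDS = {"password", "tomatoes", "letmein", "sunshine", "football"}
ASSUMED_DICTIONARY_SIZE = 100_000


def estimate_entropy_bits(passphrase: str) -> float:
    """Optimistic entropy estimate in bits.

    A passphrase found in the wordlist is worth log2(dictionary size) however
    long it is. Otherwise use length * log2(alphabet), where the alphabet is the
    union of the ASCII character classes present; a non-ASCII character is
    assumed (simplification) to add a 32-symbol class.
    """
    if passphrase.lower() in COMMON_WORDS:
        return math.log2(ASSUMED_DICTIONARY_SIZE)
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    )
    alphabet = sum(size for chars, size in classes
                   if any(c in chars for c in passphrase))
    if any(ord(c) > 127 for c in passphrase):
        alphabet += 32
    return len(passphrase) * math.log2(alphabet)


def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given offline PBKDF2 rate."""
    return 2 ** entropy_bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Known IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    for pw in ("tomatoes", "iL':76˜9jiKCeWz8(@"):
        bits = estimate_entropy_bits(pw)
        # 100,000 PBKDF2 guesses per second is a constructed rate for one cracking rig.
        print(f"{pw!r}: ~{bits:.1f} bits, {years_to_exhaust(bits, 1e5):.2e} years")
```

The 4096 PBKDF2 rounds only make each guess cost more; they add no entropy. A dictionary word is exhausted in seconds whatever the iteration count, while a random 18-character passphrase of mixed classes sits above 100 bits and is out of reach at any realistic rate.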

Aged Lunatic

psychic stalker
Enter WPA:

WPA uses a much more secure encryption standard called AES. This algorithm is not (yet) known to have any security flaws, and so is still considered "secure." It's used in a 128-bit mode, which would take current computers more than 100 years to crack a single chunk of data. Combined with TKIP (which changes the encryption key with every packet of data), that makes WPA much, much more secure.

WPA had some flaws, though, due to the limitations of old wireless cards, and so anything that uses the WiFi logo that was also made after 2006 also supports WPA2 (a requirement of using the logo), which fixes those problems.

So long as your passphrase is strong (long and random), WPA2 is considered "unbreakable."

But, some people don't like typing long passwords. So they came up with WPS, which uses a PIN# and a button press to enable the connection. Within a week of that being on the market, it was broken, and it's possible to recover the PIN# and get connected to a WPS-enabled router almost instantly. You should never enable WPS.


I'd like to correct a bit on this. You don't actually combine TKIP and AES, you choose one or the other.

The flaws in WPA, and even WPA2, are in the use of TKIP. TKIP is RC4-based, and the use of TKIP in either WPA or WPA2 is considered weak wireless encryption at this point.

The only configuration currently considered secure is the use of CCMP under WPA2 (otherwise known as AES-CCMP, or usually just AES, on a wireless security configuration page).

So basically, use WPA2 AES/CCMP if possible. Any moderately decent wireless router made in the past ~4-5 years should generally support WPA2 under AES/CCMP.

Fun fact, too: technically speaking, the 802.11n spec states that you shouldn't even exceed 54Mbit or enable the 20/40Hz mode unless you run your wireless WPA2 in AES/CCMP mode, but sadly most ignore this.
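For anyone running their own access point with hostapd instead of a vendor web page, this is what the advice in the post above (WPA2 only, AES/CCMP only, no TKIP, no WPS) looks like as a hostapd.conf fragment. It is an added example, not configuration from the thread; the interface, SSID, channel and passphrase values are placeholders.

```ini
# Added example: hostapd.conf fragment for WPA2-Personal with AES/CCMP only.
# Interface, SSID, channel and passphrase are placeholders.
interface=wlan0
ssid=EXAMPLE-SSID
hw_mode=g
channel=6
ieee80211n=1

# wpa=2 selects RSN/WPA2 only. wpa=1 (WPA) or wpa=3 (WPA+WPA2 mixed) would
# let clients fall back to the RC4-based TKIP cipher.
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=CHANGE-ME-TO-A-LONG-RANDOM-PASSPHRASE

# Pairwise cipher for WPA2 (RSN): CCMP only.
rsn_pairwise=CCMP

# Weak settings the post warns against; shown here commented out, do not enable:
# wpa_pairwise=TKIP
# rsn_pairwise=TKIP CCMP
# (a TKIP+CCMP list still allows a client to negotiate TKIP)

# WPS off. wps_state=0 is hostapd's "WPS disabled" value.
wps_state=0
```

`rsn_pairwise` is the cipher list for WPA2; `wpa_pairwise` is the WPA (version 1) list and is only the default for `rsn_pairwise` when the latter is unset, so with `wpa=2` only the `rsn_pairwise` line matters. hostapd also refuses to advertise 802.11n HT capabilities when TKIP is the only pairwise cipher, which matches the 802.11n point in the post above.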
On the subject of hacking WLANs via WPS attacks, it really depends on the router, and it's certainly not a hack that can be done almost instantly. Sure, it may be possible the first few pins your program (likely reaver) tries is the correct pin, but very unlikely. There are 11,000 possible pins, and only one of them is the correct pin, so you're likely going to have to try at least a few hundred pins, and probably at least a couple thousand before you get the right one. But again, it depends on the router. Some routers are actually pretty good at minimizing this attack, and lock out the MAC of the client that unsuccessfully tries several pins in a row. I think realistically it should be assumed you'll need at least four hours to crack a WPS pin in ideal conditions against an ideal router, and that's bare minimum. Some routers have such good lockouts that it's basically a waste of time to continue trying to hack them, as it could take weeks or months, because you have to adjust your program to wait several minutes before trying the next pin. If you have to wait, say, five minutes between pin attempts, it would take an awful long time to go through thousands of pins.

Don't get me wrong, it's easy, it can just be time consuming.

Aged Lunatic

WhiteHatCat
On the subject of hacking WLANs via WPS attacks, it really depends on the router, and it's certainly not a hack that can be done almost instantly. Sure, it may be possible the first few pins your program (likely reaver) tries is the correct pin, but very unlikely. There are 11,000 possible pins, and only one of them is the correct pin, so you're likely going to have to try at least a few hundred pins, and probably at least a couple thousand before you get the right one. But again, it depends on the router. Some routers are actually pretty good at minimizing this attack, and lock out the MAC of the client that unsuccessfully tries several pins in a row. I think realistically it should be assumed you'll need at least four hours to crack a WPS pin in ideal conditions against an ideal router, and that's bare minimum. Some routers have such good lockouts that it's basically a waste of time to continue trying to hack them, as it could take weeks or months, because you have to adjust your program to wait several minutes before trying the next pin. If you have to wait, say, five minutes between pin attempts, it would take an awful long time to go through thousands of pins.

Don't get me wrong, it's easy, it can just be time consuming.


I feel like you literally read the reaver-wps readme to write all that.

With that said, you are accurate to some general extent, though in my experience it's pretty rare to come across residential wireless routers that enforce the 5-minute WPS suspension; a lot do now enforce a roughly 10-second delay between each attempt (and a 5-10 second delay was, amusingly, the 'fix' for most for the WPS brute-force weakness, where they usually had no delay at all previously).

But factor in that many have at most a 10-second delay: even 11k attempts over 10-second gaps can be done in just over a day's time. Now factor in the ones which do a 5-minute 'halt' of WPS over suspicious attempts; you can still usually fit in a fair number of attempts between each halt, so you're still likely going to get in in far less than 'months'.

This is mostly why a lot of routers now use WPS in a manner of "Press this button for 60s WPS opening".
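The two posts above disagree only on the numbers, so here is the arithmetic written out as an added example (not code from the thread and not part of reaver), from the router-configuration side: it takes the thread's figures (11,000 possible PINs, roughly 10 s per attempt, a 5-minute WPS suspension on stricter firmware, a 60 s push-button window) and shows how much each rate-limit policy changes the time an online PIN guess needs. The 3-failure lockout threshold and the 1 s per-attempt time for "no delay" firmware are assumed parameters.

```python
# Added example, not code from the thread. Compares WPS rate-limit policies
# using the figures given in the posts above; thresholds marked "assumed" are
# constructed for illustration.

WPS_PIN_SPACE = 11_000  # figure from the thread (the PIN is verified in two halves)


def worst_case_seconds(per_attempt_delay, lockout_after=None,
                       lockout_seconds=0, pin_space=WPS_PIN_SPACE):
    """Seconds to try every PIN when the router waits `per_attempt_delay`
    seconds between attempts and, if `lockout_after` is set, suspends WPS for
    `lockout_seconds` after each run of that many consecutive failures."""
    total = pin_space * per_attempt_delay
    if lockout_after:
        total += (pin_space // lockout_after) * lockout_seconds
    return total


def expected_seconds(*args, **kwargs):
    """On average the right PIN turns up halfway through the space."""
    return worst_case_seconds(*args, **kwargs) / 2


def attempts_in_window(window_seconds, per_attempt_delay):
    """Attempts that fit in a push-button WPS window (the thread's 60 s mode)
    when each attempt costs `per_attempt_delay` seconds."""
    return window_seconds // per_attempt_delay


def describe(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    policies = [
        # (label, keyword arguments for worst_case_seconds)
        ("no delay, ~1 s per handshake (assumed)", dict(per_attempt_delay=1)),
        ("10 s delay between attempts", dict(per_attempt_delay=10)),
        ("10 s delay + 5 min suspension after 3 failures (threshold assumed)",
         dict(per_attempt_delay=10, lockout_after=3, lockout_seconds=300)),
    ]
    for label, kwargs in policies:
        print(f"{label:70s} worst {describe(worst_case_seconds(**kwargs)):>12s}"
              f"  expected {describe(expected_seconds(**kwargs)):>12s}")
    n = attempts_in_window(60, 10)
    print(f"push-button only, 60 s window, 10 s delay: {n} attempts per press "
          f"(~{n / WPS_PIN_SPACE:.4%} of the PIN space)")
```

The 10-second delay alone gives 110,000 s, the "just over a day" figure above. Adding a 5-minute suspension every few failures pushes the worst case to about two weeks, and restricting WPS to a 60-second push-button window reduces it to a handful of attempts per physical press, which is why that mode is the sane default. Disabling WPS entirely removes the PIN space altogether.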
Quote:

I feel like you literally read the reaver-wps readme to write all that.



I'll take that as a compliment! I like to read lots of things hacking and IT related, so I've probably read what you're talking about, but I'm not sure when, and I certainly didn't read it before writing my post. I'm just speaking from knowledge of both retaining lots of things I've read, and from direct personal experience.



Quote:

With that said, you are accurate to some general extent, though in my experience it's pretty rare to come across residential wireless routers that enforce the 5-minute WPS suspension; a lot do now enforce a roughly 10-second delay between each attempt (and a 5-10 second delay was, amusingly, the 'fix' for most for the WPS brute-force weakness, where they usually had no delay at all previously).

But factor in that many have at most a 10-second delay: even 11k attempts over 10-second gaps can be done in just over a day's time. Now factor in the ones which do a 5-minute 'halt' of WPS over suspicious attempts; you can still usually fit in a fair number of attempts between each halt, so you're still likely going to get in in far less than 'months'.

This is mostly why a lot of routers now use WPS in a manner of "Press this button for 60s WPS opening"



You probably have more experience than I do. I've tested the WPS security on probably 5 routers, tops. I remember one router specifically that had a b***h of a lock out, and I worked and worked on it and finally said ******** it. Don't remember which brand or model it was though, but it's the only one I haven't been able to crack the WPS pin on thus far.

I'm not an expert by any means. I'm very much still learning hacking. I started with WLAN hacking, so it's what I have the most experience and knowledge of at this point. That's why I consider your comment to be complimentary.

Aged Lunatic

WhiteHatCat
You probably have more experience than I do. I've tested the WPS security on probably 5 routers, tops. I remember one router specifically that had a b***h of a lock out, and I worked and worked on it and finally said ******** it. Don't remember which brand or model it was though, but it's the only one I haven't been able to crack the WPS pin on thus far.


Well keep in mind what I said, a lot of them nowadays especially have the push-to-WPS mode basically, where it'll run WPS for like 60 seconds.

With that said, I've noticed for some really goofy a** reason though some routers broadcast WPS support (my WNDR4500 surprisingly included) even though it requires a button push first to even activate, which can leave a person basically attempting to breach WPS when it's not really running (note this is why things like reaver actually have a way for you to test just a random pin and see the response to see if it is actually responding to WPS attempts before you attempt to broadly brute-force it).
Interesting. Thanks for the info!
