How to get 128-bit encryption from your Airport base station
Want 128-bit encryption on your wireless Airport network? Well, you need
two things (neither of which you have by default): hardware and software.
To have 128-bit encryption, your network hardware must support it. Unfortunately,
the Airport base station only supports 64-bit encryption out-of-the-box. This
is because its wireless transmission is handled by a Lucent Orinoco (formerly
Wavelan) Silver card - there's a bone-stock Lucent card right inside the
unit. The Silver card handles at most 64-bit encryption; Lucent also sells
the Orinoco Gold card (for about $20 more than the Silver), which can do
128-bit encryption. So if you want 128-bit encryption, you need to crack
open the base station and replace the Silver card with a Gold card. Detailed
instructions, with pictures, can be found on the
Mad Science Research Labs web page
. (Oh, doing this will almost certainly void your warranty - but you probably
In addition to making your base station 128-bit capable, you also need
to use 128-bit capable cards on all of your wireless hosts.
You also need a version of the configurator that can handle the longer encryption
key. The "standard" version uses a 5-byte (or 10 hex character) key; to get
128-bit encryption, you need to enter a 13-byte (or 26 hex character) key.
There's also an internal switch that needs to be set differently (from "05"
to "13"). I planned to just give instructions on the changes needed in the
source code (only 4 charaters need to be changed!), and let folks compile
their own "enhanced encryption" versions; however, this requires having the
whole Java Development Kit from Sun (you only need the Java Runtime to run
the configurator), and might be a stretch for some folks. Thus, I'm posting
here 128-bit encryption versions of the configurator:
But please note the following:
- Windows/Unix/Mac OSX
- Mac (classic)
Why not just include a "switch" in the configurator specifying whether standard
(64-bit) or enhanced (128-bit) should be used? Well, since a significant modification
to the hardware is needed in order for the enhanced encryption to be useful
- and enabling it without performing the modification will likely result
in a non-functioning base station - it seemed unwise to make this an easily-selected
option. Well, anyway, that's my story, and I'm sticking to it!
- if you don't do the hardware upgrades discussed above, this version
of the configurator will not handle encryption correctly. In fact, if
encryption is enabled using this version of the configurator without changing
the base station's card to a Gold card, I have no idea what might happen....
Hey, if it's 128-bit encryption, why is the encryption key 13 bytes
long instead of 16 bytes long?
(128 bits divided by 8 bits per byte = 16 bytes.) The same holds
for the standard encryption: if it's 64-bit encryption, why is the key 5
bytes instead of 8 bytes? It's because the first 3 bytes of the key are supplied
with each packet of information, at the beginning of the data. This 3-byte
"initialization vector" is combined with the "too short" key you've configured
into the base station (and your wireless card) to get a key of the correct
length. Why is this done? Since the initialization vector is sent along with
each packet, it can be changed frequently - in fact, a different initialization
vector can be supplied with each packet. With this approach, a different
encryption key is used to encrypt each packet, making it very difficult for
a malicious listener to decrypt messages (even given that she knows the 3-byte
initialization vector, which is sent unencrypted). A great paper discussing
the 802.11 security specification can be found at:
For those who like to compile their own stuff, and/or are interested in
how simple it is to switch from 64-bit to 128-bit encryption, here's the
recipe for the source-code mods.
Only two mods are needed:
That's it! Basically, it just changes the length of the encryption key field
from 5 bytes to 13 bytes, and the value of the field that specifies the length
of the encryption key from 5 to 13 (0D in hex). Can't wait for 1024-bit encryption.....