Skip to Content
Skip to Table of Contents

← Previous Article Next Article →

ATPM 8.04
April 2002

Columns

Segments

Networking

How To

Extras

Reviews

Download ATPM 8.04

Choose a format:

How To: Wireless Network Encryption

by Lee Bennett, lbennett@atpm.com

Setting Up Wireless Network Encryption Between a Macintosh and a Non-Apple Transmitter

So, you’ve decided (as I did last month) to dive into wireless networking, frequently referred to as wireless fidelity or Wi-Fi. I confess, hearing about half-price Apple AirPort cards on sale at a few (and I do mean a few) Circuit City stores was the clincher for me. My initial plan was not to spend money on a transmitter to go wireless at home, but rather to make use of my office’s Wi-Fi network when I occasionally brought my laptop with me. It didn’t take more than a few times of doing this before I just had to have a transmitter of my own!

AirPort Base Station or Non-Apple Transmitter?

I could spend a couple of paragraphs arguing the pros and cons of buying and using a third-party transmitter instead of the Apple Base Station, but this article is about the encryption, so I’ll be brief. A third-party transmitter with a built-in multi-port switched router will usually suit your current and future needs better than the Apple Base Station, and cost half as much. Read more about this in Macworld’s April 2002 Base Station review. Also, be sure to choose a device that is configured via a local Web interface and not by Wintel software. Linksys is one such brand, and happens to be the brand I bought.

Important Note: At first, you’ll have to physically connect an Ethernet cable from your computer to the transmitter in order to access its setup screens. This is one of the few drawbacks of using a third-party device; the Base Station software supplied with all new Macs will immediately communicate with a Base Station, meaning you can configure it to access the Internet without ever physically connecting your computer.

Providing Free Broadband Without Even Trying

At this point, we’ll assume you’re happily (and wirelessly) surfing the Net. I bet you weren’t surfing quite so happily however when you stumbled upon the knowledge from the New York Times that there are people out there who run around sniffing out unencrypted Wi-Fi networks and posting their existence to Wi-Fi databases so that they, or anyone else, can camp within range of those transmitters. Voilà! Free wireless broadband! If you want to comment on the ethics and legalities of this, be my guest. I’m not touching that one, but I do want to prevent people from using my bandwidth. As fodder for such a debate, here’s a quote from the aforementioned Times article:

Those who use cable theft as an analogy point to federal law, which prohibits anyone from receiving communications offered over a cable system unless authorized by the cable operator.

But how the law will apply to Wi-Fi technology has not yet been tested. Some legal experts say using stray Wi-Fi signals is like trespassing. Others say the burden of securing the network may lie with its owner, as it does with satellite broadcasters. It is not a crime to tune in to unscrambled satellite programs, but it is illegal to crack the encryption of scrambled broadcasts.

Encryption: AirPort Base Station vs. Other Devices

With Apple’s Base Station, encryption is easily accomplished by setting a passphrase and using that phrase each time your computer’s AirPort card goes to work (or letting your Keychain handle the passphrase for you). An algorithm converts the passphrase into a series of hexadecimal digits to make up a key.

wifi1

Assigning an Apple Base Station Password

The process is essentially the same for non-Apple computers and transmitters where a protocol known as Wired Equivalent Privacy (WEP) is used. Technically, Apple’s process is also called WEP, although Apple doesn’t seem to use the term as freely as others. Regardless of what you call it, Apple’s algorithm for generating a key from the passphrase is different from the algorithm used by most other transmitters. Consequently, if you use “The quick brown fox jumps over the lazy dog” as a passphrase on a non-Apple transmitter, using the exact same phrase on your Mac will not get you connected. To solve this, you must use an actual key to decrypt the connection instead of a passphrase. There are free utilities to generate hexadecimal keys from passphrases, such as WEP Key Maker. This allows you to memorize a phrase instead of a long hexadecimal key.

At this point, I find myself asking, “Why use a utility? Why not simply type a passphrase in the transmitter’s WEP configuration screen, let it generate the key, then copy that key to use on the Macintosh?” By way of a response, when I experimented with the exact same passphrase typed into WEP Key Maker and my Linksys transmitter, they generated different keys. So much for that theory.

So now I’m asking myself, “Why not just make up a random 10-digit (for 64-bit) or 26-digit (for 128-bit) hexadecimal code, type it into the transmitter’s key field, then also type it in as the password (and save it to the Keychain) when AirPort attempts to connect?” My answer quickly spawned from the unsuccessful experiment from the first question. If it were that easy, someone probably wouldn’t have bothered to write the WEP utility, and since I finally got my encrypted wireless connection running, I’m not going to mess around with it! If you know something about this, by all means, tell us about it.

Encryption Steps

So, unless someone identifies a way to decrypt the connection without using the utility, here’s what you need to do. First, launch the WEP utility and type a passphrase into the space provided. Choose between 64-bit or 128-bit encryption, then click the Make Key button. Highlight and copy the Hex Key, and you’re done with the WEP utility.

wifi2

Generating a Hex Key with WEP Key Maker

Open the configuration screen of your transmitter and go to the WEP settings. Remember, you’ll have to be physically connected with an Ethernet cable for this step, or using another computer that is physically connected. Ignore the field where you would type a passphrase. Select the same level of encryption that you chose in the WEP utility and paste the key into the WEP Key field. If you see multiple key fields, use the first one and make sure it’s selected. Confirm that encrypted connections are enabled, then save/apply your settings. You’re now done with the transmitter configuration page.

Finally (assuming your network settings are correct—probably simply set for DHCP), turn on your Mac’s AirPort connection and select the name of the network you want to use. This name is defined in your transmitter’s setup screens and is probably labeled ESSID. You should then be asked for a password, where there’ll be an option to add the password to your Keychain. Use the same hex key for the password, except prefixed by a $ symbol. The dollar sign apparently tells your Mac to not generate a key from what you type since you’re manually entering the key itself. Note that you will not likely be able to paste the hex key from your clipboard into the password field. If not, just paste it into a text window where you can see both it and the AirPort password field, and type it in manually.

wifi3

Remember to precede the WEP key with a dollar sign, and consider using your Keychain so you won’t have to type this in again.

One Last Consideration

As a postscript to all of this, allow me to share one other tidbit that I learned while gathering information for this article. I was informed that using encryption will cut the bandwidth of your wireless connection by roughly half. At first, I thought, “That’s impossible. I’m using encryption and I get the same speeds as when I still ran an Ethernet cable.” But then I realized that broadband bandwidth (generally between 512 Kbps and 2 Mbps) is vastly slower than the throughput Wi-Fi transmitters are capable of (usually around 11 Mbps under ideal conditions). So, if you’re only using Wi-Fi for Internet access, this slowdown won’t affect you in the least. However, if you intend to transfer large chunks of data between local computers over a Wi-Fi network, you may want to consider an alternate form of security.

Also in This Series

Reader Comments (72)

Brian Schell · September 8, 2002 - 15:34 EST #1
Hey!

Thanks for the article. I just picked up an AirPort card for my iBook and an SMC base. I had no idea how to get the WEP encryption working between them.

Your page was the only simple step-by-step how-to I could find.

Very nice!
Lee Bennett (ATPM Staff) · September 9, 2002 - 12:09 EST #2
Thanks, Brian.

By the way, today I decided (for reasons that have nothing to do with this article) to make some adjustments to my router's settings, which included disabling DHCP access. I set up my two computers with manual/static TCP settings. My dialog with colleagues indicates that 1) not having to handle DHCP networking may allow for more efficient communication within the LAN, and 2) not freely handing out LAN IPs just adds another level (albeit a thin level) of security. That level is bolstered, somewhat, if you set up the router to not use the common 192.168.1.x IP set and use 192.something.else.x instead. So, here at home, I'm obviously not in a situation where there are tons of computers needing LAN access that I'd have to manage IPs for (DHCP automates this) and, in the rare case when I get a visitor with a Wi-Fi-equipped laptop, it takes all of 15 seconds, usually, to tell him/her my LAN network settings rather than just saying "use DHCP." Big whup.

Anyhow, the point I really wanted to make was ... while making the configuration changes, it occurred to me that my note, above, that stated you would, at first, need to have your computer physically connected to the wireless router to set it up may not be a requirement after all. Generally, wireless routers, out of the box, are factory-configured with WEP disabled and with DHCP enabled. It seems to me, now, that I should be able to obtain a brand new router, plug it into a power outlet, turn on AirPort on my laptop, select the network which will not be encrypted at this point, connect to the configuration pages with my laptop by opening http://192.168.1.1/, make adjustments (if needed—often, none are needed) to set up the router to use your incoming WAN (usually broadband) connection, and voila ... you're surfing!

Granted, if you choose to tinker with the LAN address settings, you may experience various drops of Wi-Fi signal and/or WAN connectivity, but if you don't mind reconnecting to the Wi-Fi signal once or more and/or reloading a web page or two, I think you should still be able to get everything set up without plugging an ethernet cable into your computer.

If someone can confirm/deny this in a comment here, please enlighten us all!
Mike Jarko · October 19, 2002 - 17:17 EST #3
Regarding your comment on: "Why not just type a random hex key into the router's config field and the same key as the AirPort password?"

Not knowing any better when setting up my home network, this is exactly what I did. I have D-Link 614+ Wi-Fi router, and it worked fine on my PowerBook G3 Firewire. However, it does not work on my PowerBook G4, which will only connect to the D-Link if WEP is disabled. I have no idea why this is, as I have identical system software installed on both (OS 9.2.2 at this point), and have checked and rechecked to make sure that I'm using the same password 50 times. Any help would be very much appreciated. Thanks.
Eric Pfleckl · October 23, 2002 - 13:07 EST #4
I've been able to successfully enable 128-bit WEP on my Linksys WAP and connect with my iBook using the method of entering the WEP key preceeded by a dollar sign in the password field. Great! But I don't want to enter this every time I connect, so I clicked "Add to keychain." :)

HOWEVER, the next time I reboot, I am prompted to enter the password to connect. :|

To test: I typed in the $HEX and added to my keychain, I could see the entry in the Keychain Acess utility. But as soon as I tried to connect again (after a reboot), I watched as the keychain entry disappeared! I was then prompted for my password. :(

Any ideas?
Lee Bennett (ATPM Staff) · October 23, 2002 - 13:49 EST #5
Eric - I apologize for not being a Keychain expert. All I know for sure is that mine doesn't ask me for the password every time.

I checked my Keychain and I'll share how mine is set up so you can try to match it and see if it works.

There are 2 items related to the Wi-Fi connection. The first is named "AirPort Network Password" and the kind is "application password." It's attributes show the "Account" field as being my wireless router's name (the ESSID I mentioned in my article). The Access Control tab (actually to my suprise) is set for "Confirm before allowing access" but in the list of "always allow" apps, there are three (weird, huh?) listings for /System/Library/CoreServices/SystemUIServer and a fourth listing that is /Applications/Utilities/Keychain Access

The second item in my Keychain list is the same name as my router's ESSID, and the kind is "AirPort network password." Its attributes also show "Account" as my ESSID. The Access Control tab is set for "Always allow access to this item."

One other thing ... here's something I did recently that solved another problem I had with recurring password requests, though I've never had the problem with my wireless connection. In the Keychain Access app, go to the Edit menu and select "..user.." settings (where "..user.." is your short login name). Mine had been set to lock after 1 minute of inactivity. If your computer is pretty secure you can turn that off or, as I did, set it a little higher, like 10 minutes.

Check all that out, and if you still have trouble, e-mail me directly and I'll see if any other ATPM staff have some ideas.
Wm. Cerniuk · November 3, 2002 - 16:51 EST #6
It took me almost a full hour to find the little gold trinket of information that this article provided...that a "$" is how to tell the Mac to differentiate between a text password and a WEP key. You would think that would be in the Mac OS X help system. Arrrrrrggggg. Thanks for the assistance and the reference to this tool!
Lee Bennett (ATPM Staff) · November 3, 2002 - 19:09 EST #7
William - fortunately, I didn't have to search as long because fairly early on in my encryption research (after I bought my Linksys) I was directed to WEP Key Maker, and this utility does talk about the "$" character.

While it would be nice if Apple had information about using the dollar sign character, I can sort of understand why they don't. Naturally, Apple is going to hope you'll use their products. If you do so, using the dollar sign character is irrelevant. What motivation do they have for explaining something that is only helpful for a competitor's product?
Lee Bennett (ATPM Staff) · November 9, 2002 - 13:06 EST #8
Here's some new information now that I've seen where you enter the AirPort passphrase under Jaguar (OS X 10.2). If you use Jaguar, you no longer have to use the "$" character in front of the hex key in the box where you enter the AirPort passphrase. Under Jaguar, this box now has a pull-down menu with four options: 64-bit ASCII, 128-bit hex, 64-bit ASCII, and 128-bit hex.
Michael C. · November 18, 2002 - 03:57 EST #9
Hi Lee.

I read your article on WAP keys for Apple and non-Apple systems. For a second, I thought I might have solved my problem. Alas, I did not.

Here is the problem: I am using a Linksys wireless access point router with 4-port switch (BEFW11S4 V2) on a Windows 98 V2 network. My wife just purchased a spiffy new G4 PowerBook with an AirPort card preinstalled directly by Apple. I can get her to connect to the wireless access point if WEP is DISABLED on the Linksys box. There's no way can I get her to connect with WEP ENABLED on the Linksys box.

I have made certain that all updates/upgrades/patches have been done to both the Linksys box and the PowerBook.

I have entered HEX key data with the $ sign preceding the key data. I have even downloaded the key maker application from Chally that you mentioned and generated the key on the PowerBook, then hand keyed the same key into the Linksys.

Still no go! Could you point me in the right direction? I feel like I have tried everything and know that I must be doing something wrong as the folks at Apple swear that the Linksys box works with their PowerBook and that it was a better choice, given the Windows stuff already here at home. Thanks very much.

Michael
Lee Bennett (ATPM Staff) · November 18, 2002 - 22:54 EST #10
Michael - tell your wife "congratulations" on the PowerBook purchase. I know the equipment you are using will work together because not only do I have the same Linksys wireless router, I also have (as of yesterday) one of the "spiffy new G4 PowerBooks with an AirPort card preinstalled."

Here is exactly how I would set up a Linksys and Mac OS X if I were doing it from scratch:

  1. Load the router config page by typing it's IP address into your web browser. You might have to use an ethernet cable for this step if you aren't seeing the wireless signal. Since you say you already have the connection working properly on your PC, I'm going to take for granted that you have most of the settings already done. I'm also going to assume you're using DHCP for your local machines.

  2. Make up an ESSID (or use the default if you really want to) then click the 'Mandatory' button next to where it says WEP, then click the Key Setting button.

  3. Load the WEP Key Maker and type a passphrase. Click the '104' button for Key Length then click the Make Key button.

  4. Back in the router's WEP Key Setting window, select 128Bit from the pulldown menu and type the hex key that WEP Key Maker generated into the 'Key' line. Ignore the 'Passphrase' line in this window. Apply your settings and close your web browser.

  5. Open your Network System Preference pane, create a new location if you want to, or just use Default, select Show: AirPort, and click the TCP/IP tab. Set the Configure menu to DHCP. Type in one or more DNS Servers that your ISP should have provided to you. Click the AirPort tab and decide which type of reconnect you desire. If the PowerBook stays at home most of the time and/or your Linksys is the only wireless connection it generally uses, you'll probably want 'Join a specific network' then select the ESSID and type the hex key in the password line, with the $ character in front. If the TiBook is on the move a lot, you can choose one of the other two options. It's a good idea to turn on the menu bar AirPort status icon so you can easily select/switch WAP connections.


That should take care of it. You should be able to copy the hex key out of the Linksys web configuration pages, and use that on your PC boxes as well, if they are using a wireless connection.
David C. · November 19, 2002 - 23:23 EST #11
I have spent many hours troubleshooting Apple AirPort cards interoperating with other vendor's WAP products, notably 3Com and Linksys. I learned one other tidbit that is relevant to mixed Wi-Fi environments.

Most vendors' WEP implementations support 4 encryption keys. The Wi-Fi software (either on the WAP or the PC Card driver) lets you specify 4 different keys. Plus, you have to select which of the 4 keys is used for encrypting the transmitted (outbound) traffic. In order to establish a secure connection, each end (WAP and MS) must share each other's keys that are being used.

So, if the WAP is using key #1 for transmitting, the mobile station must have the same key loaded as key #1. If the mobile station is using key #3 to transmit, the WAP must have the same key loaded as its key #3. It is not required that all mobile stations associated with an AP use the same key # for transmitting, but if the AP is going to be able to decode the packets, it must be configured with the same encryption keys in each of the 4 slots that are being used.

The WEP standard stipulates that each transmitted packet carries with it the key # that was used to encrypt the packet. At the receiving end, the driver looks at the key # (which is transmitted in cleartext as 1,2,3, or 4). Then, it grabs the corresponding encryption key from the designated slot and uses it to decrypt the packet. So, if the mobile station is using key #2 to encrypt the transmitted packets, the AP needs to have the same key loaded in slot #2.

Thus, it is quite possible that two different key strings are being used for encrypting the upstream and downstream transmission. Each end gets to independently specify which key # is used for encrypting its outbound traffic. Each end tells the other which key # is being used, and the receiving end then has to have shared knowledge of the 40-bit or 106-bit key for decryption.

There is a good article in Acrobat format that explains the rationale behind this 4-key architecture and how is is intended to be used for key rotation.

The problem with Apple's AirPort implementation is that Steve et al chose to implement only key #1. Thus, the AP must explicitly use key #1 for transmission. If the AP is not using key #1, AirPort users are out of luck.

If an AirPort user happens to walk into a Wi-Fi environment that is using a 3rd party base station set to encrypt its transmitted traffic with keys 2,3 or 4, the AirPort can't decrypt it, even if it knows the full hex encryption key.

This constraint/limitation pertains to OS 9 AirPort software. I have not had the pleasure of using OS X and do not know if Apple fixed their AirPort driver to accommodate multiple keys.
Plobastus · December 1, 2002 - 21:38 EST #12
He's right. I had to select key number one on my 3Com access point in order to get it to work with my Apple AirPort client machine. If I select keys 2, 3, or 4, the Apple won't connect. Why doesn't Apple let you configure the four keys on the client like every other manufacturer does? Sheesh.

I also verified that you have to use a "$" when entering the key under Mac OS 9, but no "$" when running Mac OS X 10.2.2.
Lee Bennett (ATPM Staff) · December 2, 2002 - 01:27 EST #13
Plobastus - probably for the same reason Apple's algorithm for generating a key from a passphrase isn't the same as every other manufacturer—as I mentioned in the article. I'm not agreeing with Apple on this point. This is only an observation. But to play devil's advocate, if you were part of Apple, wouldn't you make it a little challenging to use a competitor's wireless hardware instead of the Base Station?

And yes, as I mentioned in a comment above, with Jaguar, you no longer need the "$" character since there is now a pull down menu to choose 64-bit ASCII, 128-bit hex, 64-bit ASCII, or 128-bit hex. Naturally, you'd use one of the "hex" selections, depending on the level of encryption.
Lee Bennett (ATPM Staff) · December 11, 2002 - 01:34 EST #14
While this Knowledge Base document was posted March 28, 2001, Apple updated it a few days ago, and might be useful to some readers.
Matthew Wiener · December 30, 2002 - 14:45 EST #15
I'm using a D-link 714+ along with an AirPort card in my Pismo PowerBook. I'm not able to connect, whether I use a "$" before the hex key or not. It doesn't matter whether I'm using 64- or 128-bit encryption. I'm told that my password is incorrect.

I can attach fine without encryption.

Does anyone have any ideas on how I could connect, or am I stuck in the situation described by David C.?
Doug Strout · January 19, 2003 - 13:26 EST #16
I have a Linksys model BEFW11S4 Cable/DSL Router hooked up to a PC and I needed wireless access to the router from both a PC laptop and an eMac running OS X v.10.2.3. This solution worked just fine for me. I'm glad that someone figured this out after I spent a lot of time on the phone with both Apple and Linksys (who can put you on hold for a very long time). Apple and Linksys each pointed their fingers at each other leaving me with no direction or help. Apple does have some tech docs referencing using a "$" before the hex key or quotations around alphanumeric passwords. As mentioned previously, this is unnecessary with Jaguar and does not even address the differences in algorithm techniques. To me, recognizing the algorithm differences lead to a very logical work-around solution.

One thing that did not work out the way I had anticipated was the setting under System Preferences/Network where you can set the AirPort settings for finding the network after restart or wake from sleep. If I tried to identify the specific network and input the password as had worked elsewhere, this adversely affected accessing the network after cold bootup. Instead, if I identify "Join most recent available network" and place a check in the box to "remember network password," it works fine under all conditions. I don't know why the former approach doesn't work, but since there is only one network here at home, it is OK for me.
Andrew · February 15, 2003 - 21:53 EST #17
I think I am trying to do just the opposite. I am using my iMac as a software base station with 128-bit encryption and am trying to connect my Wi-Fi enabled laptop using AirPort (to share the internet connection). I want to use a short password on the Mac, but I do not care about the PC's password. I was wondering if it would be possible to use a short password instead of the hex key made by the WEP Key Maker software. Thanks.

Andrew
Lee Bennett (ATPM Staff) · February 16, 2003 - 00:50 EST #18
Andrew - short answer: no.

It doesn't matter which direction you're going, the fact that different algorithms are used for the passphrase/hex key conversion still applies.

But as I indicated in an earlier comment, you don't have to use the WEP Key Maker if you don't want to. You can just invent your own hex key. The only benefit I now see for using the utility is so you can have a passphrase to remember instead of the hex key. The WEP Key Maker converts the passphrase into hex for you and is consistent.
Cenevols · February 20, 2003 - 02:09 EST #19
I still connect connect to the server with an iBook running OS X 10.2.4 through a Linksys BEFW11S4. If I book up in OS 9.2.2, Internet Explorer works just fine. I also tried three other browsers in OS X including Opera, Sahara, and Netscape, with no avail. There is a good signal with the Linksys. All addresses come up in the Network preference panel under DHCP, but when the browser tries to connect, it says the server cannot be found. Any help would be greatly appreciated.
Tom · September 7, 2003 - 23:37 EST #20
I also have a Mac G4 PowerBook with an AirPort Extreme card and a Linksys BEFW11S4 wireless router. I cannot get the AirPort to communicate with network nor access internet via AirPort wireless. I can access network and internet via a Cat-5 cable connected to one of the wired ports on the Linksys router, but not wireless. :-(

I tried your method of turning on WEP with no success at all. The menu icon on desktop changed from active to an arrow pointing upwards and no activity was indicated at all.

I'm still confused and somewhat disappointed that the Mac didn't hook up to my existing network. I know the wireless part works since I am able to access network wirelessly with a Dell Inspiron 3800 using a Linksys wireless USB adapter--a WUSB11.

Any help would be appreciated.

Tom
Rob Anderson · December 28, 2003 - 05:34 EST #21
The $-before-the-key trick isn't working for me, unfortunately. I've just spent the entire day trying to figure out why every time I try to connect to my Linksys router using my iBook with an AirPort card, I get an "Error joining Airport network" message. I've tried everything: using WEP Key Maker, using random hex strings, using ASCII strings, etc. I'm using Panther, which allows you to select whether you want to transmit 64/128-bit hex, or 64/128-bit ASCII. Having said that, I've also tried
selecting 'password' and using the $, but that doesn't help either. Michael, Matthew, Tom--I didn't see any response from you indicating whether your issues were resolved. Did you eventually find anything else out? Can anyone else suggest anything else to try?
Sylvester Roque (ATPM Staff) · December 28, 2003 - 17:21 EST #22
This may be a silly question but could the security settings on the router be affecting things. I wasn't thinking about encryption as the issue though, Could the router be set to only accept input from wireless machines with certain MAC ((ethernet ID) numbers. My current router/WAP allows me to do this, The setting is usually in either security or Wireless access,
Sylvester Roque (ATPM Staff) · December 28, 2003 - 21:08 EST #23
Fellow ATPM staffer Chris Lawson was wondering if the router's firmware needs to be updated. I was on the Linksys site a few moments ago and unless I looked up the wrong model number the current firmware seems to be 1.45. It has a February 2003 revision date.
Eva Kaplan-Leiserson · January 22, 2004 - 21:18 EST #24
I'm trying to add a PC laptop with a wireless card to the wireless high-speed network I set up on an AirPort network with my brand new Powerbook.

The password I set up on the AirPort is working fine with my PowerBook, but not with the Dell PC.

It's either a simple problem the PC is having with the password or something more complicated with the encryption. I'm afraid most of the info on this page is a bit above my head. Is there anyone who could walk me through diagnosing the problem in simple language?

I'd really appreciate it!

Thanks.
Mike Fish · March 18, 2004 - 23:21 EST #25
128-bit hexadecimal encryption ---

Preceding a hexadecimal string of characters sent to an Apple device, you may have to use the dollar sign: $

Preceding a hexadecimal string of characters sent to a non-Apple device, you may have to use a zero with a small x, like this: 0x [instead of the dollar sign].

Example; to an Apple device [no spaces, but I include them here, in order to make it easier to read the string]: $ 34 6e 53 73 4e 3b 94 49 1d 0c 11 2b 44

Example; to a non-Apple device [no spaces, but I include them here, in order to make it easier to read the string]: 0x 34 6e 53 73 4e 3b 94 49 1d 0c 11 2b 44
Keith Seckel · May 16, 2004 - 14:39 EST #26
I'm using a Linksys BEFW11S4 v4 (firmware update 1.50.10, Jan 16 2004). It is connected to my cable modem (RCN) and hard-wired to my iMac 17" and my Xbox. All that works great. My iBook 14" with AE card pre-installed connects without a problem with WEP disabled. I configured the router's MAC filtering so only my iBook will be allowed in. But I wanted to play around with WEP also.

I'm running 10.3.3 with all the latest updates as of this writing.

In the router config screen, under the Wireless Security tab, I've selected WEP and 128 bits 26 hex digits. I typed a simple passphrase (meatball) and clicked the "generate" button. Presto, a 26 digit hex key was created.

On my iBook, I tried to join my SSID network and no matter what I tried typing in, it would not accept it "there was an error connecting to..." I found this web site and tried a few things, none of them successful. E.g. in the Airport dialog box on my iBook, if I choose the 128 bit 26 hex option, it does not allow me to type a $. Just boops at me. But if I type in the full 26 bit hex key (case insensitive) it accepts it and logs me in without a hitch!

I did *NOT* select the "add to keychain" option -- but after sleeping the iBook, it re-found the network right away! It was only after restarting the machine that I had to re-enter the hex key. But then I changed the passphrase, got a new key, tried it all again, and this time (again, without checking the "remember password" box) it remembered and connected fine after both a sleep and a restart!

I'm not sure why that is happening. Hmph.

I'm also interested in WAP. But here are a couple basic security assumptions. Please tell me if I am off base.

(1) If I set up the MAC address filter, no one can access my WiFi. They may be able to sniff it, but they can't hijack my WiFi and surf, etc.

(2) If I disable SSID broadcasting, that makes their sniffing a bit more difficult, since it is only the serious sniffers who would be able to find it?

(3) With the above two in place, but without using WEP (WAP, etc) then -- even if they can't hijack my WiFi and surf -- someone can sniff my WiFi transmissions between iBook and router and steal my info?

(4) From what I've read, WAP is better than WEP (better = easier and more secure) but I have not been able to find info on configuring WAP. Any help?

~ Keith
Lee Bennett (ATPM Staff) · May 16, 2004 - 23:12 EST #27
Keith - this article was written prior to Apple's enhancement to the Wi-Fi connection box. You no longer need to type the preceding $ character. Just select 128-bit hexadecimal, as you have done.

I'll have to let someone else possibly chime in about remembering the password. I wouldn't have thought the key would be remembered after a restart. Perhaps Networking remembers it so long as you don't select a different type of network.

Regarding MAC address filters, it's still good to use encryption as well as address filtering. I haven't a clue how to do it, but I know it is possible to spoof a MAC address. If they sit out and packet sniff your Wi-Fi network long enough, the MAC address of a machine that is using the network can be learned and they are able to trick your wireless router into thinking their machine has a valid MAC address.

Re: disabling SSID, that would prevent casual drive-bys from seeing it, but it wouldn't deter anyone serious about finding networks.

For #3, if you read the previous two paragraphs, you now have the answer to this question.

And for #4, you mean WPA, not WAP. WAP stands for wireless access point, and your wireless router is a WAP.

WPA, however, stands for Wi-Fi protected access and it is, indeed, better then WEP. The problem is, the older Linksys routers don't support it. I have the same wireless router as you (except mine is a v2) and I've not found any firmware updates that add WPA to it. You will probably have to purchase a newer router to get WPA encryption. The newer routers will be 802.11g and will let you take full advantage of AirPort Extreme's faster speed. It won't increase your internet speed, but it will make networking between your home computers faster when transferring to or from your laptop.

If you do manage to start using WPA, don't get terribly complacent about its security. It probably can be cracked, as well, but may require many days or weeks worth of someone sitting in range of your router and sniffing packets before they'd be able to crack it. You simply have to be pro-active about securing a wireless network. This means using a complicated keyword to generate a hex key, changing your key often, setting up MAC filtering, and even things like disabling DHCP and hard-assigning IP addresses to all your computers. I even changed my default IP range so it's not using Linksys' common set of 192.168.65.x.
Keith Seckel · May 17, 2004 - 21:18 EST #28
Thanks Lee!, WPA, or WAP (WAPs head in frustration at all the acronyms) =O)

My router Admin page does allow me to choose WPA. My "Security Mode" choices are:

WPA Pre-Shared Key
WPA RADIUS
RADIUS
WEP

If I choose WPA Pre-Shared Key (since I have no separate RADIUS server to run authentication stuff), my choices change to suit. Now I can select:

WPA Algorithms (TKIP is my only choice, but from what I've read, it is what I would want to choose anyway)

WPA Shared Key (only accepts entries over a certain number of characters)

Group Key Renewal (default is 3600) seconds.

When I choose this method, and select a key (of acceptable length) and then choose "save" -- then try to re-access my WiFi, the WPA key is not allowed -- I get the dreaded "there was an error connecting to the network iMajor's WiFi"... whether I use a preceding $ or a preceding 0x or put it in quotes, etc.

What do you think?

I have posts on Apple's Discussion forums as well, as of today -- we'll see what I find out from there!

Another quick note--I fooled around a bit more with the "remember this password" box. I selected it and then looked in keychain access -- no entry there!

Maybe Internet Connect's .plist file keeps the WEP and WPA passwords somehow? I dunno.

Just in case, I've saved a small StickyBrain note file with the 26 hex WEP key. And I'll probably put it in my Palm too.

~ Keith
Lee Bennett (ATPM Staff) · May 17, 2004 - 21:36 EST #29
Keith - I hope you find some answers on Apple's forum. Judging from what you've typed in your last comment, you officially know more about WPA than I do. :-) Neither of the wireless routers I own support WPA, thus I've had no opportunity to try it.
Keith Seckel · May 18, 2004 - 09:30 EST #30
I gleaned this link -- who would have thought up such a counter intuitive domain name? Sheesh!!! ;)

http://www.wi-fi.com

And specifically:

http://www.wi-fi.com/OpenSection/protected_access.asp

Thanks for all your help Lee!

~ Keith
Jean Baptiste Muslin · August 19, 2004 - 07:50 EST #31
i have an802.11g wireless desktop network card.I would like connect it to a network but i need a wep key of a net work name.I think that you can help me for that.Thank you.
Lee Bennett (ATPM Staff) · August 19, 2004 - 21:21 EST #32
Jean - If the network is using an Apple Base Station, you simply need to obtain the WEP key from the network administrator. If it's another kind of wireless router, the administrator will need to provide you the hexadecimal key equivalent and you'll enter that into your settings when you connect with your AirPort card. Either way, the network administrator has to provide the key. We can't really help with acquiring the WEP key to a closed network that you want to connect to.
dennis abundo · June 16, 2005 - 22:14 EST #33
The problem with wi-fi using mac address,is that;when your trying to put other mac address in the network, it will cut the line for a couple of seconds.
Scott Chreist · September 19, 2005 - 18:22 EST #34
Okay perhaps this is a challenge... Netgear wg311t wireless router. Installed and setup via my PC using the Netgear utility. Installe airport card in my Macintosh, turn it on - enter wireless network no problems.

Go back to PC turn on WEP - set it up, enter password and keys. apply now - woot everything works dandy.

GO back to Mac select network to join, hit ok.... it joins.. I shows a connection. BUT it isnt connected. Safari "you are not connected to the internet"

I look at the airport and it shows me a connection.. hmm so I try to change the connection to secure because I assume somehow it has connected but its not secure. Turn on WEP for the airport card. No nothing on the mac will connect. It says I have used a wrong password. And yes, I did enter the $

Confused...
Lee Bennett (ATPM Staff) · September 19, 2005 - 18:58 EST #35
Scott - Apple has changed it's wireless setup process since I wrote this article. You no longer need the $ character. Moreover, I believe they changed their algorithm to match what most third-party routers use, so you can now simply use the WEP passphrase originally used in the router instead of acquiring the hexadecimal key. If you're using Panther (OS X 10.3), you should try it this way.

But if AirPort is showing that you have a connection, but Safari isn't loading any pages, I'm a little stumped. Can you do other internet activity such as checking e-mail or using an instant message client. If so, I'm wondering if you need to plug in DNS addresses in your Networking preference pane...whichever addresses your internet provider advises you to use.
Rachel B · September 19, 2005 - 23:32 EST #36
Any ideas on how to connect to a wireless network already set up by a PC to use WEP? I dont' have a wep utility on my G4, and when I type in the password the PC users use, it's not recognized?
Lee Bennett (ATPM Staff) · September 19, 2005 - 23:45 EST #37
Rachel - are you sure the network is using WEP and not WPA?

Also, which operating system version are you using?
A. Slater · September 21, 2005 - 21:44 EST #38
We have a wireless network via a Linksys router, WRV54G. We use a cable modem connected to a Dell Desktop and have another dell desktop connected with the wireless router. Now, my daughter has a new iBook G4 laptop from school and her laptop recognizes our WEP network, but does not allow her access to the internet. I have selected the 40-bit hex and typed in the WEP key, but still cannot get to the internet. Any thoughts?
Lee Bennett (ATPM Staff) · September 21, 2005 - 22:44 EST #39
Slater - Mac OS X 10.3 and later no longer require the hexadecimal key. Try using the passphrase, instead.
A. Slater · September 22, 2005 - 10:31 EST #40
When my husband set up the network, he did not create a pass phrase. Do we have to reconfigure the router with a passphrase or just create one for the iBook? If so, how do I create the passphrase? Thanks!
Lee Bennett (ATPM Staff) · September 22, 2005 - 12:52 EST #41
Slater - if no passphrase was used and you're sticking to the hex key, it should still be able to connect. Are you certain that the router is also using 40-bit? Remember this: 40-bit and 64-bit are the same protocol, while 104-bit and 128-bit are the same. I know it's strange, but stay with me on this one. :-) Obviously, the 104/128 encryption is better and I'm suspecting is the type that your router is using. If not, it should be. Remember than in OS X 10.3 and 10.4, you also do not need the preceding $ character. This character used to tell OS X that you're using the hex key instead of the passphrase, but in 10.3 and 10.4, you indicate it with that dropdown menu.

40/64 bit keys use 10 hexadecimal characters and 104/128 bit keys use 26 characters. That info may also help you identify which type of encryption your router is using. Enter the key with no spaces between any part of the key and, naturally, make triple certain you're typing in the exact same key.
A. Slater · September 22, 2005 - 16:23 EST #42
Lee- Thanks for the reply. It is 40/64 bit and I know the key works as it works with my IBM Thinkpad that is also connected via the wireless router. I have entered the WEP key without $ and have entered it many, many times. The iBook recognizes our network and shows a strong signal. But, it just does not connect to the internet. I have spoken to Linksys and we walked through it even though they do not support Apple products. I am stumped!
Lee Bennett (ATPM Staff) · September 22, 2005 - 16:28 EST #43
Slater - ah, that's new information. I missed before that you actually do get connected.

Check and see if other applications besides web browsing will work. If so, your problem is DNS issues. To solve this, you'll need to identify the DNS addresses that your internet provider advises customers to use and enter those into your iBook's Networking preferences. Usually, this information is supposed to automatically come down via DHCP, but sometimes you have to enter it manually.
Mark · November 10, 2005 - 23:44 EST #44
I just got a new PB G4, OS 10.4. The built in Airport card could talk to the wireless modem only when the modems WEP encryption was turned off. I had the encryption key on the modem set to use WEP Key #2. Apparently, OS 10.4 will only work with WEP encryption enabled on a modem that is set to use its WEP Key #1 (see message from David C., November 19, 2002 above). When I switched the modem to use its WEP Key #1, I was able to connect without trouble.

This seems to be a bit of cheap engineering on the part of Apple OSX team.
ATPM Staff · November 11, 2005 - 09:22 EST #45
Mark - I don't see it as cheap engineering. It's just a function that Apple never chose to support. Besides, that rotating key function—as I understand it—was problematic on so many other levels anyway.
Maria · November 11, 2005 - 21:29 EST #46
I have a Linksys wireless-g 2.4 ghz Broadband router 54mbps connected to my pc (Windows XP) I setup the router perfectly. I just purchased an iBook G4 with airport already in it.

Can someone walk me on how to get the internet on my ibook?

Thanks :-)
ATPM Staff · November 12, 2005 - 20:42 EST #47
Maria - we have to make an assumption that your router is providing connection information automatically via DHCP. This is the normal/default behavior. With this assumption, first confirm that your network settings are correct by opening the Network section of your System Preferences, accessible via the Apple menu in the upper left corner. It will probably already be set for automatic (DHCP). Next, you need to turn on your AirPort card and connect to your router. There should be a pie-wedge-shaped icon in your menu bar. If not, launch the Internet Connect application and select the AirPort tab, then click the checkbox to show its icon in your menu bar. From that menu bar icon, you can select the router by whatever ID name it is using. If you enabled encryption on the router, your computer will then ask you to enter the passphrase. At the point, you should be online.
Steve · November 21, 2005 - 10:34 EST #48
I have a Linksys wireless-G router. I would like to connect my 2 Gig Power PC G5 MAC to my PC Dell laptop.

Can someone walk me on how to connect the 2?
Lee Bennett (ATPM Staff) · November 21, 2005 - 13:30 EST #49
Steve - the instructions that came with your router will describe how to connect your computers to the numbered switch ports on the router, and then connect the incoming internet line to the WAN port. You can then enable file sharing on one computer (e.g. FTP or Windows Sharing) so that the PC can connect to the Mac or vice versa.
Jse Luis Spahr C. · January 26, 2006 - 23:32 EST #50
Hello there, I have an PowerBook G4 and I'm using an airport base station. With the airport base station I'm using a WPA encryption method for the network security. I have 2 roommates and they both have a windows computer, and one of them is able to get on line but the other one is not. The message that appears is this "the network password has to be 40 bits or 104 bits depending on you network settings. This can be entered as 5 or 13 ascii characters or 10 or 26 hexadecimal characters ".

I don't know what to do with this, cause I already tried to use the WEP encryption method but it didn't work with that one either. Now in his computer the only method encryption that the computer supports is WEP. Is it a problem with the wireless network card his is using or with the drivers for it????
Lee Bennett (ATPM Staff) · January 27, 2006 - 00:24 EST #51
Luis - The fact that your Macs are doing fine and one of the Windows machines is doing fine leaves a 99.99999% assured conclusion that it's the second Windows machine that is loused up.

Having said that, ATPM focuses on Macintosh subjects and support so there's very little our staff can do to assist.

Judging from your comments, you answered your own question. If the Base Station is using WPA and the Windows machine's card only supports WEP, you're out of luck. You'll have to either upgrade the card to one that supports WPA encryption (unless a simple driver update will do that), or run your Base Station in the less-secure WEP mode. Any further help on the Windows machine is unavailable on this forum.
Ron Buschgens · February 1, 2006 - 17:31 EST #52
Lee,

I am trying to get my iBook running OS X 10.1 to connect securely (using WEP 128-bit option)to a DLink DI-524 wireless router. Connecting unsecured is no problem. I have tried using the key maker procedure with prefix "$", but no luck. It still doesn't accept the hexadecimal code provided. I have skimmed thru the above threads, but don't think there are any other tips other than using "0x" prefix, which also didn't work. Have I missed something... ? Any other tips or advise much appreciated.
Lee Bennett (ATPM Staff) · February 1, 2006 - 21:15 EST #53
Ron - before I answer, some advice. Get off of 10.1. I realize an iBook may struggle with Tiger, but at least find a copy of Jaguar (10.2). You'll be much happier.

Having said that, there were two different versions of the original AirPort card prior to the 802.11g-enabled AirPort Extreme. The first version did not support 128-bit WEP—only 40-bit. If you have such a card, you're out of luck unless you take your DLink down to 40-bit as well.

Otherwise, if you can find one (eBay), you could get the 128-bit AirPort card and swap it out in your iBook.
Ron Buschgens · February 14, 2006 - 01:45 EST #54
Thanks. I'll look into upgrading my OSX. I tried changing the settings on the DLink router down to "64" (40-bit supposedly), but that didn't work either. Not sure why? Now on the look out for a 128-bit card.
Lee Bennett (ATPM Staff) · February 14, 2006 - 09:41 EST #55
Ron - one of our ATPM staffers, Tom, posted a somewhat blurry shot of the two different cards, but you should still be able to see the difference.
Matt · February 21, 2006 - 01:52 EST #56
Thanks a bunch for a great site .. helped a lot, easy to follow, just what I needed ..
hank · March 8, 2006 - 14:49 EST #57
Anyone know if a Powerbook G3 "Pismo" will accept an Airport Extreme card? (I gather that AE is still considered slightly secure these days -- I'm looking at upgrading because I've realized my original Airport is no longer secure at all, as easy as it has become to crack WEP).
Lee Bennett (ATPM Staff) · March 8, 2006 - 17:48 EST #58
Hank - no, only an 802.11b-compatible original AirPort card (one of the two seen in the pictures I linked to just above) can be used in a Pismo. The AP Extreme is a completely different shape of a card and slot.

As for security, it has nothing to do with which card you have. There were two strengths of WEP encryption but both are not spectacularly secure. The newer, stronger encryption is known as WPA and can be used on both the original 802.11b AirPort and the 802.11g AirPort Extreme. You simply need later versions of Mac OS X and updated AirPort firmware to support WPA—as well as a wireless router that is WPA-compatible. I'm pretty sure that Panther (OS X 10.3.x) supports WPA, just not sure how high a version for "x' is required.
Penguin Boy · March 29, 2006 - 23:42 EST #59
I'm having problems with a Linksys router at my inlaw's (Windoze) house. Using his passphrase in the 64-bit WEP mode, I can't connect. Using his passphrase to generate a hexidecimal number allows me to connect to the in-house network, but I get no router address and no internet connection.

Using his passphrase to generate a hexidecimal number in 128-bit WEP mode, I was able to log in and everything worked fine, internet included. And then the next day it stopped working and I could only log onto the network, with no router address and no internet connection. Odd.

As for the Mac saving the passwords, as some had questions about above: there are two places the password can be saved. The first is in the keychain and the second is in the Network Preference Pane. If you click on "configure," you'll note that there is probably a list of previously-connected networks, which are automatically saved each time you connect to a network. If you want to turn this feature off, click on "Options" and uncheck the correct option.

Anyone have any suggestions about how to type connect to the internet on this darned Linksys? I've had no problems with my own router at home (Netgear), or at work, either.
Coolmatt · September 8, 2006 - 00:26 EST #60
Awesome! Just what I needed to know! Thanks!
marklar182 · September 20, 2006 - 23:13 EST #61
Great information! Solved my wireless connection issue to my Linksys box.
Christopher · January 18, 2007 - 18:57 EST #62
IT WORKED!!!! THANK YOU!!!!

I've been trying to set the WEP on my Linksys BEFW11S4 for over a year! Every time I hunted the web for help tips, I just ended up being too frustrated and quit.

Thanks again for posting this article...

-Christopher
Nate McNally · May 7, 2007 - 16:58 EST #63
This is WAY more work than connecting to a WEP network requires on any other computer. Apple needs to get their act together before they completely lose all of their microcomputer share. I'm telling my customer their iBook is INCOMPATIBLE with standard WEP encryption.
Lee Bennett (ATPM Staff) · May 7, 2007 - 17:18 EST #64
Nate - you're right. It is. Or, more accurately, it was. I agree—it was a neverending source of frustration that I always used to have to obtain the hex key to connect to a wi-fi network.

But, our frustration is over. Apple did get their act together. A firmware update to the wireless software (as well as being automatically included in OS X 10.3) updated the algorithm for WEP key generation. You can now use the standard WEP passphrase. Consequently, the above article that I wrote five years ago is now obsolete—as is the WEP Key Maker software.
anonymous · September 30, 2007 - 20:20 EST #65
Having setup 128 WEP I generated a key using a passpgrase with both a 3com AP and later another linksys wirless router, however the passphrase was too short thus the powerbook g4 would not connect unless I manually entered the hex key (I have seen this with WinXP as well). After connection was made it always connected there after.

I was under the impression that at least at that time, Apple did not support WPA with 10.3, if this has changed I would like to bolster my security setings just for the hell of it.

Does the updated 10.3 support all higher levels of WPA that linksys router has?
Lee Bennett (ATPM Staff) · September 30, 2007 - 22:10 EST #66
If your AirPort software is up to date, WPA2 is supported. I found this link which offers AirPort software 4.2 for OS X 10.3.3 through 10.3.9. I'm not 100% positive if this was the last update for 10.3.x or not, but it at least confirms that you can, in fact, use WPA on 10.3.

These updates, however, should have appeared in the standard round of Software Updates, so be sure to check there. If you are caught up on all updates (and you definitely should be up to 10.3.9 if you can't go to 10.4.x), then you probably already have WPA support.
Andrew Black · November 15, 2007 - 06:13 EST #67
The $ sign was all i needed thanks a terabyte. I messed with it for a week, just about to post on ebay when i came across this. You guys are great!

Thanks, Andy
Etienne · November 22, 2007 - 17:58 EST #68
Hi

I've got an iMac Core2Duo under MacOS X 10.4.9, and I do try to share my ethernet DSL connexion with a an IBM Thinkpad laptop PC, using the in-board airport connexion of the mac.

So, after having turned aiport on I go to the "sharing" control panel, set up the airport options and start internet sharing.

If I leave the network I've just created "open", everything works fine.
But if I want to activate the encryption the Mac does only know WEP-40 and WEP-128.
Whatever the one I choose, then the PC always says it can't connect.
I've tried ascii password. I even tried to set up the airport password as stated in Apple documents (Example of 40-bit: $1234abcdef
Example of 128-bit: $12345678901234567890abcdef) while checking the "hex" choice on the IBM.

Also, I took care of specifying key 1 on the IBM side, but alas, it still doesn't want to connect.

Does Anybody have got an idea ?

btw, some config infos :
- the PC is a Thinkpad T41 under Windows XP Pro, centrino platform in 802.11b
- all the configuration process I describe worked perfectly with my old G4 (802.11b airport card) under 10.4.9 or 10.4.10. Why it doesn't work on an intel iMac, well I don't know...heeeelp !
Lee Bennett (ATPM Staff) · November 23, 2007 - 00:16 EST #69
Etienne - this article is out of date. The $ character in the hex key no longer is needed in OS X 10.4 (or 10.3 for that matter). If you select "hex" in the menu, you'd just enter the hex code without the $ symbol.

But the passphrase should be working. As I've said in earlier comments on this page, Apple wisely changed to use the same algorithm for generating keys as everyone else, so a passphrase that is set up for a router should work fine on the Mac.
Etienne · November 23, 2007 - 09:06 EST #70
Lee,

Thanks for your answer.

But, even with Tiger there is no "hex" poplist when you want to share your DSL internet connection using your Mac's internal aiport card. There's only WEP encryption, it's a a shame. You have only a checkbox (crypted or not), and a poplist to choose between 40-bit or 128-bit (ironically, not "40 and 104", nor "64 and 128" ! :-)

The "$" technique still works, as I have tested on a Tiger G4.

btw, before sending I had read all the articles (and had noticed the article was out of date :-)
David Johnson · November 30, 2008 - 15:23 EST #71
I have an old IMAC with OS9 and want to wireless enable with my home PC which uses a Belkin wireless network.

Any ideas are welcomed.
Lee Bennett (ATPM Staff) · November 30, 2008 - 17:17 EST #72
David - to connect an older iMac to a wireless network, you'll either need to get your hands on an original style AirPort card (not AirPort Extreme) which is somewhat difficult (try eBay), or use an ethernet to wireless bridge.

Add A Comment





 E-mail me new comments on this article