I rarely (read: never) post technical information on this blog. I never meant it to be a fountain of geek information. However, a technical issue so confounded me today that I feel compelled to relate it here. Since I found little or nothing about this in my own web searches, perhaps someone else will find it helpful and won’t waste as much time as I did.

I’ve been configuring a wireless (Wi-Fi) network. In setting up such networks, it makes sense to use security of some sort. Unsecured wireless access points tend to become public Wi-Fi hotspots, and such open connections also leave any unsecured computers on the internal wired network subject to attack.

There are several levels of security available, beginning at disabling SSID broadcasts and going on through 64- and 128-bit WEP into WPA and WPA-Enterprise and selective MAC address filtering. Disabling SSID broadcasts is little more than a form of “security through obscurity” and isn’t sufficient for most needs. MAC address filtering is fairly secure but requires that any computer accessing the network be pre-authorized. I don’t want to have to go bumbling through my router’s configuration menus every time someone visits and needs access. WPA, while extremely secure, isn’t supported by some older (“legacy”) Wi-Fi hardware, and there’s still one computer around that uses such an old Linksys WUSB11 v2.6, 802.11b interface. So, while my router supports all of the above, the best option seems to be WEP.

WEP is trivial to break. 64-bit is less secure than 128-bit, but even the longer-key version is breakable. It would take a couple of weeks of constant traffic analysis to do it, though, and if someone parks their car outside with a Pringles can on the roof for two weeks straight, I’m likely to notice. Therefore, 128-bit WEP represents a comfortable level of security.

Now to the problem. One computer running Windows 2000 connected just fine. So did my laptop, also running W2K. Another laptop running Windows XP, though, seemed to have a real problem. It would connect, but would not renew its IP address. It looked exactly as though the DHCP server was unavailable. It was, of course, available, and listed the laptop in question in its DHCP client list. It had granted the address, but the laptop never got it. Weird.

I tried again, this time disabling WEP on the router and laptop. BOOM … I connected instantly and got a valid address. I re-enabled WEP and re-typed the 13-character key generation strings at both ends, hoping I’d just made a typo. Nope. “Cannot renew IP address.” “Limited or no connectivity.” Frustrating!

I did some web searches, looking for an answer. I searched for ‘”Cannot renew IP” WEP’ and got loads of hits. Most of them, unfortunately, were arrogant replies from supposed experts telling me that I should make sure my wireless card’s drivers were installed properly, make sure I had WEP enabled at both ends, and had DHCP enabled. Obvious stuff. Several people were obviously experiencing exactly the same problem I was, but no one seemed to have the right answer. In fact, no one seemed to believe this was a problem and not incompetence on the part of those reporting it. I hoped I’d never blasted anyone that way.

I eventually found the answer myself, and I believe it’s a fairly serious lossage in Microsoft Windows XP’s handling of wireless connections. A bit of background will make this less impenetrable.

WEP keys are, essentially, strings of byte values. They’re generally represented as hexadecimal numbers for convenience, but in this case convenience is a relative thing. Most people are terrible at remembering hex values. The Wi-Fi industry, recognizing this, standardized on a method for deriving WEP keys from a string of five (for 64-bit WEP) or thirteen (for 128-bit WEP) ASCII characters. Thus, I can type “BOZOS” into my router, and it will generate a 64-bit key from those characters using a pre-determined algorithm.

Linksys, Netgear, ZyXEL, Belkin, and almost all other wireless networking equipment manufacturers have standardized and are using the same algorithm. They’re completely interoperable. There is, of course, one odd duck. Microsoft.

Upon probing the WEP key in the registry of the laptop in question, it was clear that Windows XP was generating an entirely different key from the characters I entered. It wasn’t even close. The solution was to simply enter the entire generated hex key, all 26 hexadecimal digits of it, into the key field of the Windows wireless security dialog. The adaptor then connected properly, obtained an address, and continues to work.

Once again, we have Bill Gates to thank for marching to his own drummer. I send a big raspberry in the general direction of Redmond, Washington.