How to get 128-bit encryption from your Airport base station

Want 128-bit encryption on your wireless Airport network? Well, you need two things (neither of which you have by default): hardware and software.


To have 128-bit encryption, your network hardware must support it. Unfortunately, the Airport base station only supports 64-bit encryption out-of-the-box. This is because its wireless transmission is handled by a Lucent Orinoco (formerly Wavelan) Silver card - there's a bone-stock Lucent card right inside the unit. The Silver card handles at most 64-bit encryption; Lucent also sells the Orinoco Gold card (for about $20 more than the Silver), which can do 128-bit encryption. So if you want 128-bit encryption, you need to crack open the base station and replace the Silver card with a Gold card. Detailed instructions, with pictures, can be found on the Mad Science Research Labs web page . (Oh, doing this will almost certainly void your warranty - but you probably guessed that...)

In addition to making your base station 128-bit capable, you also need to use 128-bit capable cards on all of your wireless hosts.


You also need a version of the configurator that can handle the longer encryption key. The "standard" version uses a 5-byte (or 10 hex character) key; to get 128-bit encryption, you need to enter a 13-byte (or 26 hex character) key. There's also an internal switch that needs to be set differently (from "05" to "13"). I planned to just give instructions on the changes needed in the source code (only 4 charaters need to be changed!), and let folks compile their own "enhanced encryption" versions; however, this requires having the whole Java Development Kit from Sun (you only need the Java Runtime to run the configurator), and might be a stretch for some folks. Thus, I'm posting here 128-bit encryption versions of the configurator: But please note the following: Why not just include a "switch" in the configurator specifying whether standard (64-bit) or enhanced (128-bit) should be used? Well, since a significant modification to the hardware is needed in order for the enhanced encryption to be useful - and enabling it without performing the modification will likely result in a non-functioning base station - it seemed unwise to make this an easily-selected option. Well, anyway, that's my story, and I'm sticking to it!

Hey, if it's 128-bit encryption, why is the encryption key 13 bytes long instead of 16 bytes long?

(128 bits divided by 8 bits per byte  =  16 bytes.) The same holds for the standard encryption: if it's 64-bit encryption, why is the key 5 bytes instead of 8 bytes? It's because the first 3 bytes of the key are supplied with each packet of information, at the beginning of the data. This 3-byte "initialization vector" is combined with the "too short" key you've configured into the base station (and your wireless card) to get a key of the correct length. Why is this done? Since the initialization vector is sent along with each packet, it can be changed frequently - in fact, a different initialization vector can be supplied with each packet. With this approach, a different encryption key is used to encrypt each packet, making it very difficult for a malicious listener to decrypt messages (even given that she knows the 3-byte initialization vector, which is sent unencrypted).  A great paper discussing the 802.11 security specification can be found at:

For those who like to compile their own stuff, and/or are interested in how simple it is to switch from 64-bit to 128-bit encryption, here's the recipe for the source-code mods.

Only two mods are needed:

That's it! Basically, it just changes the length of the encryption key field from 5 bytes to 13 bytes, and the value of the field that specifies the length of the encryption key from 5 to 13 (0D in hex). Can't wait for 1024-bit encryption.....