Wi-Fi Protected Access


Although 802.1X addresses many of the security issues of the original 802.11 standard, issues still exist with regard to weaknesses in the WEP encryption and data integrity methods. The long-term solution to these problems is the IEEE 802.11i standard, which is an upcoming standard that specifies improvements to wireless LAN networking security. The 802.11i standard is currently in draft form, with ratification expected by the end of the first quarter of 2004.

While the new IEEE 802.11i standard is being ratified, wireless vendors have agreed on an interoperable interim standard known as Wi-Fi Protected Access (WPA). The goals of WPA are the following:

  • To require secure wireless networking.

    WPA requires secure wireless networking by requiring 802.1X authentication, encryption, and unicast and global encryption key management.

  • To address the issues with WEP through a software upgrade.

    The implementation of the RC4 stream cipher within WEP is vulnerable to known plaintext attacks. Additionally, the data integrity provided with WEP is relatively weak. WPA solves all the remaining security issues with WEP, yet only requires firmware updates in wireless equipment and an update for wireless clients. Existing wireless equipment is not expected to require replacement.

  • To provide a secure wireless networking solution for SOHO wireless users.

    For the SOHO, there is no RADIUS server to provide 802.1X authentication with an EAP type. SOHO wireless clients must use either shared key authentication (highly discouraged) or open system authentication (recommended) with a single static WEP key for both unicast and multicast traffic. WPA provides a pre-shared key option intended for SOHO configurations. The pre-shared key is configured on the wireless AP and each wireless client. The initial unicast encryption key is derived from the authentication process, which verifies that both the wireless client and the wireless AP have the pre-shared key.

  • To be forward-compatible with the upcoming IEEE 802.11i standard.

    WPA is a subset of the security features in the proposed IEEE 802.11i standard. All the features of WPA are described in the current draft of the 802.11i standard.

  • To be available today.

    WPA upgrades to wireless equipment and for wireless clients were available beginning in February 2003.

WPA Security Features

WPA contains enhancements or replacements for the following security features:

  • Authentication

  • Encryption

  • Data integrity

Authentication

With 802.11, 802.1X authentication is optional; with WPA, 802.1X authentication is required. Authentication with WPA is a combination of open system and 802.1X authentication, which uses the following phases:

  • The first phase uses open system authentication to indicate to the wireless client that it can send frames to the wireless AP.

  • The second phase uses 802.1X to perform a user-level authentication.

For environments without a RADIUS infrastructure, WPA supports the use of a pre-shared key; for environments with a RADIUS infrastructure, WPA supports EAP and RADIUS.
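As an added worked example (not from the book), the pre-shared key path described here and in the SOHO goal above: the passphrase configured on the AP and each client is expanded with PBKDF2-HMAC-SHA1 into the 256-bit pairwise master key (IEEE 802.11i Annex H), both sides derive the same pairwise transient key from it and the two handshake nonces, and the client proves it holds the key by the MIC on its EAPOL-Key message, which the AP can only verify if it derived the same key. The MAC addresses, nonces and the stand-in EAPOL frame are constructed values.

```python
import hashlib
import hmac

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: the 256-bit pairwise master key is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise transient key from the PMK, both MAC addresses and both nonces; AP and client compute the same PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return {
        "kck": ptk[0:16],      # key confirmation key: authenticates the EAPOL-Key handshake messages
        "kek": ptk[16:32],     # key encryption key: wraps the group key the AP sends to the client
        "tk": ptk[32:48],      # temporal key: seed for the per-frame TKIP unicast encryption key
        "mic_tx": ptk[48:56],  # Michael key for frames the client transmits
        "mic_rx": ptk[56:64],  # Michael key for frames the client receives
    }

def eapol_key_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """EAPOL-Key MIC for TKIP (key descriptor version 1): HMAC-MD5 over the frame with its MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.md5).digest()

def handshake_proves_psk(ap_passphrase: str, sta_passphrase: str, ssid: str) -> bool:
    """Simulate message 2 of the 4-way handshake: the AP accepts the client only if the client's MIC
    verifies under the AP's own KCK, which happens only when both derived the same PMK."""
    aa = bytes.fromhex("001122334455")   # constructed AP MAC address
    spa = bytes.fromhex("66778899aabb")  # constructed client MAC address
    anonce = bytes(range(32))            # constructed nonces (real ones are random per handshake)
    snonce = bytes(range(32, 64))
    sta_keys = derive_ptk(wpa_psk(sta_passphrase, ssid), aa, spa, anonce, snonce)
    ap_keys = derive_ptk(wpa_psk(ap_passphrase, ssid), aa, spa, anonce, snonce)
    msg2 = b"constructed EAPOL-Key message 2, MIC field zeroed: " + snonce
    mic_from_client = eapol_key_mic(sta_keys["kck"], msg2)
    return hmac.compare_digest(mic_from_client, eapol_key_mic(ap_keys["kck"], msg2))
```

The published Annex H vector (passphrase "password", SSID "IEEE") checks the PBKDF2 step; the split of the PTK shows where the TKIP encryption key and the two Michael keys of the next section come from.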

Encryption

With 802.1X, rekeying of unicast encryption keys is optional. Additionally, 802.11 and 802.1X provide no mechanism to change the global encryption key that is used for multicast and broadcast traffic. With WPA, rekeying of both unicast and global encryption keys is required. The Temporal Key Integrity Protocol (TKIP) changes the unicast encryption key for every frame, and each change is synchronized between the wireless client and the wireless AP. For the multicast/global encryption key, WPA includes a facility for the wireless AP to advertise changes to the connected wireless clients.

TKIP

For 802.11, WEP encryption is optional. For WPA, encryption using TKIP is required. TKIP replaces WEP with a new encryption algorithm that is stronger than the WEP algorithm, yet can be performed using the calculation facilities present on existing wireless hardware.

TKIP also provides for the following:

  • The verification of the security configuration after the encryption keys are determined.

  • The synchronized changing of the unicast encryption key for each frame.

  • The determination of a unique starting unicast encryption key for each pre-shared key authentication.

AES

WPA defines the use of the Advanced Encryption Standard (AES) as an optional replacement for WEP encryption. Because adding AES support through a firmware update might not be possible for existing wireless equipment, support for AES on wireless network adapters and wireless APs is not required.

Data Integrity

With 802.11 and WEP, data integrity is provided by a 32-bit ICV that is appended to the 802.11 payload and encrypted with WEP. Although the ICV is encrypted, it is possible through cryptanalysis to change bits in the encrypted payload and update the encrypted ICV without being detected by the receiver.

With WPA, a new method known as Michael specifies a new algorithm that calculates an 8-byte message integrity code (MIC) with the calculation facilities available on existing wireless hardware. The MIC is placed between the data portion of the 802.11 frame and the 4-byte ICV. The MIC field is encrypted along with the frame data and the ICV.

Michael also provides replay protection through the use of a new frame counter field in the 802.11 MAC header.
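An added example, not from the book: a straight implementation of the Michael algorithm from IEEE 802.11i, the TKIP MIC computed over the frame addresses and payload, and a receiver that applies the replay check to the per-frame sequence counter before verifying the MIC. The key, addresses and payload used in the checks are constructed; the empty-message result is the published test vector.

```python
import hmac
import struct

MASK = 0xFFFFFFFF

def _rol(x, n): return ((x << n) | (x >> (32 - n))) & MASK
def _ror(x, n): return ((x >> n) | (x << (32 - n))) & MASK
def _xswap(x): return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)

def _b(l, r):
    """Michael's b() mixing function: add, xor and rotate on the 64-bit (l, r) state."""
    r ^= _rol(l, 17); l = (l + r) & MASK
    r ^= _xswap(l);   l = (l + r) & MASK
    r ^= _rol(l, 3);  l = (l + r) & MASK
    r ^= _ror(l, 2);  l = (l + r) & MASK
    return l, r

def michael(key: bytes, msg: bytes) -> bytes:
    """8-byte Michael MIC of msg under a 64-bit key (IEEE 802.11i TKIP).
    Only additions, xors and rotations are used, which is why existing hardware can run it."""
    l, r = struct.unpack("<II", key)
    # Pad with one 0x5a byte and 4 to 7 zero bytes so the total length is a multiple of 4.
    padded = msg + b"\x5a" + b"\x00" * (4 + (-(len(msg) + 1)) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _b(l, r)
    return struct.pack("<II", l, r)

def tkip_mic(mic_key: bytes, da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    """TKIP runs Michael over DA || SA || priority || three zero bytes || MSDU payload,
    so the MIC binds the addresses to the data instead of covering only the payload."""
    return michael(mic_key, da + sa + bytes([priority, 0, 0, 0]) + msdu)

def receive(mic_key: bytes, last_tsc: int, tsc: int, da: bytes, sa: bytes, msdu: bytes, mic: bytes):
    """Receiver check: drop a frame whose sequence counter (TSC) is not strictly increasing (replay),
    then drop a frame whose MIC does not verify (forgery). Returns (accepted, updated last_tsc)."""
    if tsc <= last_tsc:
        return False, last_tsc
    if not hmac.compare_digest(tkip_mic(mic_key, da, sa, 0, msdu), mic):
        return False, last_tsc
    return True, tsc
```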

Required Software Changes for WPA Support

WPA requires software changes to the following:

  • Wireless APs

  • Wireless network adapters

  • Wireless client software

Wireless Access Points

Wireless APs must have their firmware updated to support the following:

  • New WPA information element

    Information elements are included in the 802.11 beacon frames to advertise the wireless AP's capabilities, such as supported bit rates and security options. To advertise their capability to perform WPA, wireless APs send beacon frames with a new 802.11 WPA information element that contains the wireless AP's WPA capabilities.

  • WPA two-phase authentication: Open system followed by 802.1X (EAP with RADIUS or WPA pre-shared key)

  • TKIP

  • Michael

  • AES (optional)

To upgrade your wireless APs to support WPA, obtain a WPA firmware update from your wireless AP vendor and upload it to your wireless APs.

Wireless Network Adapters

Wireless network adapters must have their firmware updated to support the following:

  • New WPA information element

    Wireless clients must be able to process the WPA information element in beacon frames and respond with a specific security configuration.

  • WPA two-phase authentication: Open system followed by 802.1X (EAP or WPA pre-shared key)

  • TKIP

  • Michael

  • AES (optional)

To upgrade your wireless network adapters to support WPA, you might have to upload a WPA firmware update to your wireless network adapter.

For Windows wireless clients, you must obtain an updated network adapter driver that supports WPA. For wireless network adapter drivers that are compatible with Windows XP (SP1 and later) and Windows Server 2003, the updated network adapter driver must be able to pass the adapter's WPA capabilities and security configuration to the Wireless Zero Configuration (WZC) service.

Microsoft has worked with many wireless vendors to embed the WPA firmware update within the updated wireless adapter driver. Because of this, updating your Windows wireless client consists of simply obtaining the new WPA-compatible driver and installing it. The firmware is automatically updated when the wireless network adapter driver is loaded into Windows.

Wireless Clients

Wireless client software must be updated to allow for the configuration of WPA authentication (including pre-shared key) and the new WPA encryption algorithms (TKIP and AES).

You must obtain and install a new WPA-compliant configuration tool from your wireless network adapter vendor for wireless clients running the following:

  • Windows 2000

  • Windows XP (SP1 and later) and Windows Server 2003, and using a wireless network adapter that does not support the WZC service

For wireless clients running Windows XP (SP1 and later) and Windows Server 2003, and using a wireless network adapter that supports the WZC service, you must install the WPA Wireless Security Update in Windows XP, a free download from Microsoft. The WPA Wireless Security Update in Windows XP enhances the wireless network configuration dialog boxes to support new WPA options. To download the WPA Wireless Security Update in Windows XP, go to http://support.microsoft.com/?kbid=815485.

More Info
For additional information about how to configure WPA encryption and authentication options for a Windows wireless client, see Chapter 3, Windows Wireless Client Support.

Supporting a Mixed Environment

To support the gradual transition of a WEP-based wireless network to WPA, it is possible for a wireless AP to support both WEP and WPA clients at the same time. During the association, the wireless AP determines which clients are using WEP and which are using WPA. The disadvantage of supporting a mixture of WEP and WPA clients is that the multicast/global encryption key is not dynamic. All other security enhancements for WPA clients are preserved.



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies