Wireless LAN – WLAN
42
3.2
Development of WLAN security
BAT54-Rail/F..
Release
7.54
06/08
U Negotiating the encryption method
Since the original WEP definition specified a fixed key length of 40 bits,
the registration of a client at an access point only had to communicate wheth-
er encryption should be used or not. Key lengths exceeding 40 bits require
that the key length is announced. WPA provides a mechanism with which cli-
ent and access point can agree on the encryption and authentication proce-
dures to be used. The following information is made available:
D The encryption method to be used for broadcasts in this network (also the
type of group key). Each client wanting to register in a WPA-WLAN must
support this procedure. Here, besides TKIP, WEP is also still allowed, in
order to support mixed WEP/WPA networks—in a pure WPA network,
TKIP will be selected.
D A list of encryption methods which the access point provides for the pair-
wise key—here, WEP is explicitly disallowed.
D A list of authentication methods a client may use to show itself to the
WLAN as authorized for access—possible methods are currently EAP/
802.1x or PSK.
As mentioned, the original WPA standard specifies only TKIP/Michael as an
improved encryption method. With the further development of the 802.11i
standard, the AES/CCM method described below was added. In a WPA net-
work it is now possible for some clients to communicate with the access point
using TKIP, while other clients use AES.
3.2.6 AES and 802.11i
In mid-2004 the IEEE approved the long-awaited 802.11i standard that plac-
es the entire security concept of WLAN on a new basis. As mentioned in the
last section, WPA has already implemented a whole series of concepts from
802.11i—so in this section we will only describe the components which are
new compared to WPA.
U AES
The most obvious extension is the introduction of a new encryption process,
namely AES-CCM. As the name already hints, this encryption scheme is
based on DES's successor AES, in contrast to WEP and TKIP, which are
both based on RC4. Since only the newest generation of WLAN chips contain
AES hardware, 802.11i continues to define TKIP, but with the opposite pre-
requisites: any 802.11i-compliant hardware must support AES, while TKIP is
optional—in WPA that was exactly the other way around.
To Next Page
Loading...
Need help?
General
