Wireless LAN – WLAN
BAT54-Rail/F..
Release 7.54 06/08
3.2 Development of WLAN security
41
The key handshake
In the discussion of 802.1x it was already noted that EAP/802.1x provides a way to inform the client, at the outset of a session, of the key valid for it. WPA now places this on a standardized basis and takes into account the session-key option offered by modern access points, which, in addition to the four 'global' keys, assigns each registered client a session key that is used exclusively for data packets to or from that client. The key handshake under WPA consists first of the exchange of the pairwise keys and then of the group keys.
After a successful group key handshake, the access point can release the client for normal data transfer. The access point is free to perform a rekeying again during the session using the same type of packets. In principle, the client may also request rekeying from the access point.
WPA also takes into account the case of older WLAN hardware in which the access point does not support pairwise keys, but only group keys. The first phase of the handshake in this case proceeds exactly as before, but does not result in the installation of a pairwise key—the group key handshake simply proceeds in clear text, but encryption within the EAP packets themselves prevents an attacker from simply reading the keys.
WPA with passphrase
The handshake described in the previous section runs entirely within WPA, i.e. the user never has to define any TKIP or Michael keys. In environments in which no RADIUS server is available to provide master secrets (for instance in smaller companies or home networks), WPA therefore offers the PSK method as an alternative to authentication via a RADIUS server: the user enters a passphrase of 8 to 32 characters on the access point and on all stations, and the master secret is calculated from this passphrase together with the SSID in use by means of a hash procedure. The master secret is therefore constant in such a PSK network, although different TKIP keys still result for each session.
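The following is an added example, not code from the manual or from the BAT54-Rail firmware, showing why the master secret in a PSK network is constant while the per-session TKIP keys differ: the master secret (PMK) is derived only from passphrase and SSID, whereas the pairwise keys also mix in the nonces and MAC addresses exchanged in the key handshake. It assumes the standard 802.11i derivation (PBKDF2-HMAC-SHA1 for the PMK, the 802.11i PRF for the pairwise key); the MAC addresses and nonces are constructed sample values.

```python
"""Derive the WPA-PSK master secret (PMK) and a per-session pairwise key (PTK)."""
import hashlib
import hmac

# Constructed sample values (not from the manual): MAC addresses and handshake nonces.
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))        # constructed nonce chosen by the access point
SNONCE = bytes(range(32, 64))    # constructed nonce chosen by the client


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Master secret of a PSK network: PBKDF2-HMAC-SHA1 over passphrase and SSID,
    4096 iterations, 256-bit output (IEEE 802.11i Annex H). Constant per network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise transient key (512 bits for TKIP) from the master secret plus the MAC
    addresses and nonces of the handshake. Inputs are sorted so that access point and
    client compute the same result regardless of which side calls this."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48],
            "mic_tx": ptk[48:56], "mic_rx": ptk[56:64]}


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")      # 802.11i Annex H test vector inputs
    print("PMK :", pmk.hex())
    keys = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    print("TK  :", keys["tk"].hex())
    # A fresh access point nonce on rekeying yields a different TKIP key, same PMK.
    print("TK' :", derive_ptk(pmk, AP_MAC, STA_MAC, bytes(32), SNONCE)["tk"].hex())
```

The PMK printed for passphrase "password" and SSID "IEEE" matches the published 802.11i test vector; only the nonces change between sessions, and with them every component of the pairwise key.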
In a PSK network—similar to classical WEP—both access security and confidentiality depend on the passphrase not being divulged to unauthorized people. As long as this is the case, WPA-PSK provides significantly improved security against break-ins and eavesdropping over any WEP variant. For larger installations, in which such a passphrase would have to be made known to too large a user community for it to be kept secret, EAP/802.11i is used in combination with the key handshake described here.