THOMSON Gateway - Wi-Fi Protected Access (WPA) Security

E-DOC-CTC-20060609-0001 v2.0
Chapter 3
Security
3.4 Wi-Fi Protected Access (WPA)
WPA
In response to the weaknesses described in the previous section, Wi-Fi Protected Access (WPA) was
developed. It was intended as an intermediate measure to take the place of WEP while the IEEE 802.11i
standard was being finalized. WPA is designed to work with all wireless network interface cards, but not
necessarily with first-generation wireless access points.
WPA is designed for use with an 802.1X authentication server, which distributes a different key to each user.
However, it can also be used in a less secure pre-shared key (PSK) mode, in which every user is given the
same passphrase. The Wi-Fi Alliance calls the pre-shared key version WPA-Personal and the 802.1X
authentication version WPA-Enterprise. In PSK mode the shared key is derived from nothing but the
passphrase and the SSID, so the security of WPA-Personal rests entirely on choosing a long passphrase
that cannot be guessed.
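As an added example (not part of the THOMSON documentation), the following Python shows how the WPA-Personal key is derived and why one shared passphrase is weaker than per-user 802.1X keys. IEEE 802.11i defines the 256-bit Pairwise Master Key of PSK mode as PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as salt and 4096 iterations; the SSID is broadcast in the clear, so every station holds the same key and a passphrase guess can be tested offline at the cost of a single derivation. The passphrase/SSID pair "password"/"IEEE" is the standard's published test vector; the wordlist is constructed for the example.

```python
"""WPA-Personal pre-shared key derivation (added example, not from the manual).

IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
"""
import hashlib
import hmac


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA-Personal Pairwise Master Key from passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    # 4096 iterations and a 32-byte (256-bit) output are fixed by the standard.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32)


def recover_passphrase(ssid: str, target_pmk: bytes, candidates):
    """Offline dictionary test: return the candidate whose PMK matches, else None.

    In practice an attacker checks each guess against the MIC of a captured
    4-way handshake rather than against the PMK itself, but the cost per guess
    is the same: one PBKDF2 derivation and no interaction with the network.
    """
    for guess in candidates:
        try:
            pmk = wpa_psk(guess, ssid)
        except ValueError:
            continue  # a passphrase of the wrong length can never be the real one
        if hmac.compare_digest(pmk, target_pmk):
            return guess
    return None


if __name__ == "__main__":
    # 802.11i test vector: passphrase "password", SSID "IEEE".
    pmk = wpa_psk("password", "IEEE")
    print(pmk.hex())  # f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    # Constructed wordlist: a short, common passphrase falls immediately.
    print(recover_passphrase("IEEE", pmk, ["letmein1", "password", "correct horse battery"]))
```

Because the derivation is deterministic, two stations given the same passphrase end up with byte-identical keys, which is exactly why the manual calls PSK mode less secure than 802.1X, where the server hands every user a different key.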
WPA comprises the following three elements:
> 802.1X: the IEEE 802.1X standard was adopted for authentication, authorization and key management.
> Temporal Key Integrity Protocol (TKIP): TKIP derives a fresh encryption key for every packet, encrypts
the frame and protects its integrity.
> Advanced Encryption Standard (AES): AES-based encryption is optional in WPA; it only became
mandatory with WPA2.
Improvements versus WEP
Data is still encrypted using the RC4 stream cipher, but with a 128-bit key and a 48-bit initialization vector
(IV) in place of WEP's 24-bit IV. One major improvement of WPA over WEP is the Temporal Key Integrity
Protocol (TKIP), which mixes the temporal key, the transmitter address and the IV into a different RC4 key
for every packet and rotates the temporal key as the system is used. Combined with the much larger IV
space, this defeats the well-known key recovery attacks on WEP.
In addition to authentication and encryption, WPA also provides vastly improved payload integrity. The cyclic
redundancy check (CRC) used in WEP is inherently insecure as an integrity check: CRC-32 is linear, so it is
possible to flip bits in the payload and correct the encrypted CRC to match without knowing the WEP key.
WPA instead uses a keyed message authentication code, the Message Integrity Code (MIC), computed with
an algorithm named "Michael". TKIP also carries a 48-bit sequence counter in the IV that the receiver
checks, which prevents replay attacks, another weakness of WEP. Michael was deliberately kept cheap
enough to run on existing hardware and is itself weak, so TKIP adds countermeasures (a station stops
accepting TKIP traffic for 60 seconds after two MIC failures within a minute), and WPA with TKIP has since
been deprecated in favour of the AES-based CCMP of WPA2.
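The CRC weakness and the Michael MIC described above, as an added example that is not part of the manual: the Python below models a WEP frame body as (data || CRC-32) XOR keystream, forges a bit flip in it without knowing the key or the plaintext, and then shows the same flip being rejected once a Michael MIC (implemented as specified in IEEE 802.11i) is appended under a key the attacker does not have. The keystream is random bytes standing in for RC4 output, the frame body "transfer 0100 to bob" is constructed, and headers, the sequence counter and the MIC's coverage of the addresses are omitted.

```python
"""WEP CRC-32 ICV forgery versus the keyed Michael MIC of WPA/TKIP.

Added example, not the manual's own material. The RC4 keystream is modelled by
random bytes the attacker never learns; Michael follows IEEE 802.11i.
"""
import hmac
import os
import struct
import zlib

MASK32 = 0xFFFFFFFF


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- WEP: CRC-32 "integrity", encrypted together with the data ---------------
def wep_protect(plaintext: bytes, keystream: bytes) -> bytes:
    """Frame body = (plaintext || ICV) XOR keystream, ICV = CRC-32 little-endian."""
    return _xor(plaintext + struct.pack("<I", zlib.crc32(plaintext)), keystream)


def wep_receive(ciphertext: bytes, keystream: bytes):
    """Decrypt and verify the ICV; returns the plaintext, or None on failure."""
    body = _xor(ciphertext, keystream)
    plaintext, icv = body[:-4], body[-4:]
    return plaintext if struct.pack("<I", zlib.crc32(plaintext)) == icv else None


def wep_forge(ciphertext: bytes, delta: bytes) -> bytes:
    """Attacker: XOR `delta` into the plaintext knowing neither key nor plaintext.

    CRC-32 is affine: crc(P ^ D) == crc(P) ^ crc(D) ^ crc(zeros of len(D)), so
    the correction to the encrypted ICV depends on D alone.
    """
    icv_fix = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return _xor(ciphertext, delta + struct.pack("<I", icv_fix))


# --- TKIP: the Michael keyed MIC ---------------------------------------------
def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x: int) -> int:
    """Swap the two bytes of each 16-bit half."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _michael_block(l: int, r: int):
    r ^= _rol(l, 17); l = (l + r) & MASK32
    r ^= _xswap(l);   l = (l + r) & MASK32
    r ^= _rol(l, 3);  l = (l + r) & MASK32
    r ^= _ror(l, 2);  l = (l + r) & MASK32
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """Michael MIC: 64-bit key, 64-bit tag. Padding is 0x5a, then at least four
    zero bytes, extended to a multiple of four; all words are little-endian."""
    l, r = struct.unpack("<II", key)
    padded = msg + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _michael_block(l, r)
    return struct.pack("<II", l, r)


def tkip_protect(plaintext: bytes, mic_key: bytes, keystream: bytes) -> bytes:
    """Simplified TKIP body: (plaintext || MIC || ICV) XOR keystream."""
    return wep_protect(plaintext + michael(mic_key, plaintext), keystream)


def tkip_receive(ciphertext: bytes, mic_key: bytes, keystream: bytes):
    """ICV check first (as in WEP), then the keyed MIC; plaintext or None."""
    body = wep_receive(ciphertext, keystream)
    if body is None:
        return None
    plaintext, mic = body[:-8], body[-8:]
    return plaintext if hmac.compare_digest(michael(mic_key, plaintext), mic) else None


def demo():
    """Constructed scenario: turn "0100" into "9900" inside an encrypted frame."""
    plaintext = b"transfer 0100 to bob"
    delta = bytearray(len(plaintext))
    at = plaintext.index(b"0100")
    for i, (old, new) in enumerate(zip(b"0100", b"9900")):
        delta[at + i] = old ^ new  # the bits the attacker wants to flip
    delta = bytes(delta)
    mic_key, keystream = os.urandom(8), os.urandom(len(plaintext) + 12)

    wep_result = wep_receive(wep_forge(wep_protect(plaintext, keystream), delta), keystream)
    # Same flip against the TKIP body; the eight MIC bytes are left untouched.
    tkip_result = tkip_receive(
        wep_forge(tkip_protect(plaintext, mic_key, keystream), delta + bytes(8)),
        mic_key, keystream)
    return wep_result, tkip_result


if __name__ == "__main__":
    print(michael(bytes(8), b"").hex())  # 82925c1ca1d130b8 (802.11i test vector)
    print(demo())  # (b'transfer 9900 to bob', None)
```

The WEP receiver accepts the altered amount because the CRC correction needs only the attacker's own delta; the TKIP receiver still passes the CRC check but rejects the frame at the MIC, since recomputing Michael over the changed data requires the MIC key.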
802.1X
IEEE 802.1X is an IEEE standard for port-based Network Access Control and is part of the IEEE 802.1
group of standards. It authenticates devices attached to a LAN port, opening the port to a point-to-point
connection when authentication succeeds and blocking access from that port when it fails.
To solve the user-authentication problem, the 802.11 working group adopted the 802.1X standard, which
provides "per-port user authentication." It was designed to require user authentication before granting
network access and is used for both wired and wireless networks.
Note that 802.1X itself does not define any authentication method. It only carries Extensible
Authentication Protocol (EAP) frames between the wireless station and the access point (EAP over LAN,
EAPOL), so that the access point can forward the wireless station's credentials to a RADIUS server and
forward the reply back to the wireless station. The authentication itself takes place between the station
and the RADIUS server.
802.1X components
The 802.1X authentication model comprises three roles assigned to 802.1X-enabled devices:
> A supplicant is a wireless station that is requesting access to network resources. The wireless station
must have 802.1X-capable software installed.
> An authenticator or Network Access Server (NAS) is an 802.1X-capable access point.
> An authentication server, which is typically a RADIUS server.
