THOMSON Gateway - WPA2 Security Standard

E-DOC-CTC-20060609-0001 v2.0
Chapter 3
Security
35
3.5 WPA2
WPA2
As mentioned before, WPA is a subset of the newer 802.11i standard, marketed as WPA2: 802.11i includes all WPA features and adds further security features. The main difference between the two is the cipher suite. WPA mandates TKIP and leaves AES optional, while 802.11i mandates the AES-based CCMP cipher and keeps TKIP only as an option for communicating with older equipment. AES is the encryption standard adopted by the U.S. government (FIPS 197). A disadvantage of AES encryption is that WEP-only capable wireless network interfaces cannot be upgraded to support AES by a software or firmware update alone. A wireless network that wants to use the full capabilities of the 802.11i standard may therefore require the replacement of its wireless network devices.
AES-CCMP
WPA2 uses the AES block cipher to encrypt data packets, replacing the RC4 stream cipher that both WEP and WPA's TKIP rely on. A block cipher encrypts data in blocks of fixed length; for 802.11i both the block size and the key size are 128 bits. Unlike TKIP, CCMP does not mix a fresh key for every packet: one 128-bit temporal key is used for the whole session, and per-packet uniqueness comes from a 48-bit packet number (PN) that is carried in the frame header and must never be reused under the same key.
Block ciphers have several modes of operation that define how the fixed-size blocks are chained to encrypt and protect a message. The mode selected by 802.11i is Counter mode with Cipher Block Chaining Message Authentication Code, or CCMP (Counter mode with CBC-MAC Protocol). Counter mode provides confidentiality, while CBC-MAC protects the integrity of the payload and of the frame header fields that are sent in the clear, so that a modified frame is detected and discarded; the packet number additionally lets the receiver reject replayed frames.
In counter mode the data blocks are not encrypted directly. Instead a counter block, built from a nonce (the packet number and the transmitter's address) and a block counter, is encrypted with AES and the result is combined with the data block by a logical XOR; for each successive data block the counter is increased by one, so every block is masked with different keystream. CBC-MAC works the other way round: the first block is encrypted with AES, the result is XORed with the next block, that result is encrypted again, and the process is repeated until all the blocks of a message have been processed. In this way the data of all the blocks is combined into a single 128-bit block. CCMP keeps the first 64 bits of that block as the message integrity code (MIC), masks it with the encryption of counter block zero, and appends it to the encrypted payload. The receiver recomputes the MIC after decryption and discards any frame whose MIC does not match.
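To make the two steps concrete, here is an added example (not Thomson code and not taken from this manual) of AES-CCM as CCMP uses it: AES-128, a 13-byte nonce made of the frame priority, the transmitter address and the 48-bit packet number, a 64-bit MIC, and the block layouts of RFC 3610. Go's standard library supplies AES and counter mode; CBC-MAC is written out by hand so the chaining is visible. The key, address, packet number, header bytes and payload are constructed for the demonstration, and the function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// CCMP parameters from 802.11i: 64-bit MIC (CCM M=8) and 13-byte nonce (CCM L=2).
const micLen, nonceLen = 8, 13

// ccmpNonce: priority || transmitter address || 48-bit packet number (big-endian). The PN must never repeat under one key.
func ccmpNonce(priority byte, addr [6]byte, pn [6]byte) []byte {
	return append(append([]byte{priority}, addr[:]...), pn[:]...)
}

// counterBlock is CCM's A_i: flags (L-1) || nonce || 16-bit counter i. AES(A_0) masks the MIC; AES(A_1), AES(A_2), ... is keystream.
func counterBlock(nonce []byte, i uint16) []byte {
	a := make([]byte, 16)
	a[0] = 0x01
	copy(a[1:14], nonce)
	binary.BigEndian.PutUint16(a[14:], i)
	return a
}

// maskedMIC runs CBC-MAC over B0 || length-prefixed AAD || payload, each zero-padded
// to 16 bytes: every block is XORed into the previous AES output and encrypted again,
// folding the frame into one 128-bit block. CCMP keeps 8 bytes, XORed with s0 = AES(A_0).
func maskedMIC(block cipher.Block, nonce, aad, payload, s0 []byte) []byte {
	b0 := make([]byte, 16)
	b0[0] = 0x40 | byte((micLen-2)/2)<<3 | 0x01 // flags: AAD present, M=8, L=2
	copy(b0[1:14], nonce)
	binary.BigEndian.PutUint16(b0[14:], uint16(len(payload)))
	aadLen := make([]byte, 2, 2+len(aad))
	binary.BigEndian.PutUint16(aadLen, uint16(len(aad)))
	x := make([]byte, 16)
	for _, seg := range [][]byte{b0, append(aadLen, aad...), payload} {
		for off := 0; off < len(seg); off += 16 {
			blk := make([]byte, 16) // a short final chunk is zero-padded
			copy(blk, seg[off:])
			subtle.XORBytes(x, x, blk)
			block.Encrypt(x, x)
		}
	}
	mic := x[:micLen]
	subtle.XORBytes(mic, mic, s0[:micLen])
	return mic
}

// ctr checks the nonce, sets up AES, runs counter mode from A_1 over in, and returns AES(A_0).
func ctr(key, nonce, in []byte) (block cipher.Block, out, s0 []byte, err error) {
	if len(nonce) != nonceLen {
		return nil, nil, nil, errors.New("nonce must be 13 bytes")
	}
	if block, err = aes.NewCipher(key); err != nil {
		return nil, nil, nil, err
	}
	out = make([]byte, len(in))
	cipher.NewCTR(block, counterBlock(nonce, 1)).XORKeyStream(out, in)
	s0 = make([]byte, 16)
	block.Encrypt(s0, counterBlock(nonce, 0))
	return block, out, s0, nil
}

// ccmEncrypt returns ciphertext || MIC for one frame.
func ccmEncrypt(key, nonce, aad, plaintext []byte) ([]byte, error) {
	block, ct, s0, err := ctr(key, nonce, plaintext)
	if err != nil {
		return nil, err
	}
	return append(ct, maskedMIC(block, nonce, aad, plaintext, s0)...), nil
}

// ccmDecrypt rejects the frame on MIC mismatch: any change to payload, clear header (AAD) or PN is caught.
func ccmDecrypt(key, nonce, aad, frame []byte) ([]byte, error) {
	if len(frame) < micLen {
		return nil, errors.New("frame too short")
	}
	n := len(frame) - micLen
	block, pt, s0, err := ctr(key, nonce, frame[:n])
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare(maskedMIC(block, nonce, aad, pt, s0), frame[n:]) != 1 {
		return nil, errors.New("MIC mismatch: frame modified, replayed or wrong key")
	}
	return pt, nil
}

func main() {
	key, addr := []byte("constructed-key!"), [6]byte{0, 0x90, 0xd0, 0x12, 0x34, 0x56} // constructed
	nonce := ccmpNonce(0, addr, [6]byte{0, 0, 0, 0, 0, 1})                           // first frame: PN = 1
	frame, _ := ccmEncrypt(key, nonce, []byte("hdr"), []byte("constructed payload"))
	pt, err := ccmDecrypt(key, nonce, []byte("hdr"), frame)
	fmt.Printf("frame %x\ndecrypted %q err=%v\n", frame, pt, err)
	frame[0] ^= 0x80 // one bit flipped in transit
	_, err = ccmDecrypt(key, nonce, []byte("hdr"), frame)
	fmt.Println("tampered:", err)
}
```

Run as is, it prints the encrypted frame, the recovered payload, and the MIC error after one ciphertext bit is flipped. Encryption is deterministic for a given key and nonce, which is why the standard forbids reusing a packet number under one temporal key: a repeated PN would reuse keystream. The implementation can be checked against the packet vectors in RFC 3610, which use the same M=8, L=2 parameters.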
Pre-Shared Key (PSK)
Like WPA, 802.11i has a pre-shared key mode (PSK, also known as personal mode), designed for home and small office networks that cannot afford the cost and complexity of an 802.1X authentication server. Every user enters the same passphrase to access the network. The passphrase is typically stored on the user's computer, so it need only be entered once. The passphrase is not used as the key directly: the 256-bit PSK is derived from it with PBKDF2 (4096 iterations of HMAC-SHA1, salted with the network's SSID). Weak passphrases are the main vulnerability of this mode: an attacker who captures the four-way handshake of a single client can test candidate passphrases offline, at leisure, and common words and short patterns fall quickly. Passphrases should be at least 8 characters long (the standard allows up to 63) and contain numbers and special characters; a long random passphrase is better still. The IEEE 802.11i standard also allows a strong PSK to be entered directly as a 64-digit hexadecimal number, which bypasses the passphrase derivation entirely. Because the key is shared by everyone on the network, the passphrase should be changed whenever an individual with access is no longer authorized to use the network, or when a device configured to use the network is lost or compromised.
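The derivation step above, as an added example that is not part of the manual or Thomson's firmware: the 802.11i rule for turning a passphrase and SSID into the 256-bit PSK (PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations), the direct 64-hex-digit entry the standard allows, and a small offline guess loop that shows why a short dictionary passphrase is the weak point. PBKDF2 is written out rather than imported so the per-guess cost is visible. The wordlist and the second SSID are constructed; the "password"/"IEEE" pair is the test vector published in the standard's annex.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// 802.11i PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256-bit key.
const pskIterations, pskLen = 4096, 32

var hexPSK = regexp.MustCompile(`^[0-9a-fA-F]{64}$`)

// pbkdf2SHA1 is PBKDF2 (RFC 2898) with HMAC-SHA1, written out so the cost of a
// guess is visible: each 20-byte output block costs iter HMAC evaluations.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	out := make([]byte, 0, keyLen)
	for blk := uint32(1); len(out) < keyLen; blk++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], blk)
		mac.Write(idx[:])
		u := mac.Sum(nil)           // U_1 = PRF(P, S || INT(i))
		t := append([]byte{}, u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for j := 1; j < iter; j++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_j = PRF(P, U_{j-1})
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// derivePSK turns what the user typed into the 256-bit PSK. A 64-hex-digit entry
// is the key itself; anything else must be an 8 to 63 character printable ASCII
// passphrase and is stretched with PBKDF2, salted by the SSID.
func derivePSK(entry, ssid string) ([]byte, error) {
	if hexPSK.MatchString(entry) {
		return hex.DecodeString(entry)
	}
	if len(entry) < 8 || len(entry) > 63 {
		return nil, errors.New("passphrase must be 8 to 63 characters, or 64 hex digits")
	}
	for i := 0; i < len(entry); i++ {
		if entry[i] < 32 || entry[i] > 126 {
			return nil, errors.New("passphrase must be printable ASCII")
		}
	}
	return pbkdf2SHA1([]byte(entry), []byte(ssid), pskIterations, pskLen), nil
}

// guessPassphrase is the offline attack in miniature: derive the PSK for each
// candidate and compare. A real tool compares against the MIC of a captured
// four-way handshake instead, but pays the same 4096 rounds per candidate.
func guessPassphrase(target []byte, ssid string, wordlist []string) (string, bool) {
	for _, w := range wordlist {
		if psk, err := derivePSK(w, ssid); err == nil && hmac.Equal(psk, target) {
			return w, true
		}
	}
	return "", false
}

func main() {
	// Test vector from IEEE 802.11i Annex H.4: passphrase "password", SSID "IEEE".
	const want = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
	psk, err := derivePSK("password", "IEEE")
	if err != nil {
		panic(err)
	}
	fmt.Printf("PSK %x\nmatches 802.11i vector: %v\n", psk, hex.EncodeToString(psk) == want)
	other, _ := derivePSK("password", "HomeNet") // same passphrase, other SSID, different key
	fmt.Printf("same passphrase on SSID HomeNet: %x\n", other)
	wordlist := []string{"letmein1", "12345678", "password", "qwertyuiop"} // constructed
	if w, ok := guessPassphrase(psk, "IEEE", wordlist); ok {
		fmt.Println("recovered passphrase:", w)
	}
}
```

A real cracking tool does not know the PSK; it checks each candidate against the MIC in a captured four-way handshake instead, but that costs the same 4096 HMAC rounds per candidate as the loop here. Salting with the SSID means a precomputed table only serves one network name, which is why a manufacturer's default SSID is worth changing; it does not slow down a targeted run against a weak passphrase.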
To configure your Thomson Gateway with WPA2-PSK, see "Enabling WPA-PSK" on page 59 for residential devices or "WPA-PSK" on page 73 for business devices.
How to configure WPA2 with RADIUS authentication?
To enable WPA2 with RADIUS authentication on your Thomson Gateway, see "WPA" on page 75.
Note: Configuring your Thomson Gateway with WPA2 with RADIUS authentication is only possible with residential devices.
