As we’ve discussed in a previous tutorial, 802.11 Wired Equivalent
Privacy (WEP) doesn’t provide enough security for most enterprise wireless
LAN applications. Because of static key usage, it’s fairly easy to crack WEP
with off-the-shelf tools. This motivates IT managers to use stronger dynamic
forms of WEP.
The problem to date, however, is that these enhanced security mechanisms are
proprietary, making it difficult to support multi-vendor client devices. The
802.11i standard will eventually solve the issues, but it’s not clear when the
802.11 Working Group will ratify the 802.11i standard.
As a result, the Wi-Fi Alliance has taken a bold step forward to expedite the
availability of effective standardized wireless LAN security by defining Wi-Fi
Protected Access (WPA) while promoting interoperability. With WPA, an environment
having many different types of 802.11 radio NICs, such as public hotspots,
can benefit from enhanced forms of encryption.
WPA is actually a snapshot of the current version of 802.11i, which includes
Temporal Key Integrity Protocol (TKIP) and 802.1x
mechanisms. The combination of these two mechanisms provides dynamic key encryption
and mutual authentication, something much needed in WLANs.
As with WEP, TKIP uses the RC4 stream cipher
provided by RSA Security to encrypt
the frame body and CRC
of each 802.11
frame before transmission. The issues with WEP don’t really have much to
do with the RC4 encryption algorithm. Instead, the problems primarily relate
to key generation and how encryption is implemented.
TKIP adds the following strengths to WEP:
- 48-bit initialization vectors. WEP produces what’s referred to as
a "keyschedule" by concatenating a shared secret key with a randomly-generated
24-bit initialization vector (IV). WEP inputs the resulting keyschedule into
a pseudo-random number generator that produces a keystream equal to the length
of the 802.11 frame’s payload. With a 24 bit IV, though, WEP eventually uses
the same IV for different data packets. In fact, the reoccurrence of IVs with
WEP can happen within an hour or so in busy networks. This results in the
transmission of frames having encrypted frames that are similar enough for
a hacker to collect frames based on the same IV and determine their shared
values, leading to the decryption of the 802.11 frames. WPA with TKIP, however,
uses 48-bit IVs that significantly reduce IV reuse and the possibility that
a hacker will collect a sufficient number of 802.11 frames to crack the encryption.
- Per-packet key construction and distribution. WPA automatically generates
a new unique encryption key periodically for each client. In fact, WPA uses
a unique key for each 802.11 frame. This avoids the same key staying in use
for weeks or months as they do with WEP. This is similar to changing the locks
on a house each time you leave, making it impossible for someone who happened
to make a copy of your key to get in.
- Message integrity code. WPA implements the message integrity code
(MIC), often referred to as "Michael," to guard against forgery
attacks. WEP appends a 4-byte integrity check value (ICV) to the 802.11 payload.
The receiver will calculate the ICV upon reception of the frame to determine
whether it matches the one in the frame. If they match, then there is some
assurance that there was no tampering. Although WEP encrypts the ICV, a hacker
can change bits in the encrypted payload and update the encrypted ICV without
being detected by the receiver. WPA solves this problem by calculating an
8-byte MIC that resides just before the ICV.
For authentication, WPA uses a combination of open system and 802.1x authentication.
Initially, the wireless client authenticates with the access points, which authorizes
the client to send frames to the access point. Next, WPA performs user-level
authentication with 802.1x. WPA Interfaces to an authentication server, such
as RADIUS or LDAP, in an enterprise
environment. WPA is also capable of operating in what’s known as "pre-shared
key mode" if no external authentication server is available, such as in
homes and small offices.
An issue that WPA does not fix yet is potential denial of service (DoS) attacks.
If someone, such as a hacker or disgruntled employee, sends at least two packets
each second using an incorrect encryption key, then the access point will kill
all user connections for one minute. This is a defense mechanism meant to thwart
unauthorized access to the protected side of the network.
You will be able to upgrade existing Wi-Fi-compliant components to use WPA
through relatively simple firmware upgrades. As a result, WPA is a good solution
for providing enhanced security for the existing installed base of WLAN hardware.
The eventual 802.11i standard will be backward compatible with WPA; however,
802.11i will also include an optional Advanced Encryption Standard
(AES) encryption. AES requires coprocessors not found in most access points
today, which makes AES more suitable for new WLAN installations.
Jim Geier provides independent consulting services to companies
developing and deploying wireless network solutions. He is the author of the
book, Wireless LANs
and offers workshops
on deploying wireless LANs.
Join Jim for discussions as he answers questions in the 802.11 Planet Forums.