WPA: New Protection for 802.11

The non-profit Wi-Fi Alliance, the consortium
behind interoperability standards and testing for 802.11-based networks, has
announced an official replacement for the much derided Wired Equivalent Privacy
(WEP) encryption. The new solution, called Wi-Fi Protected
Access (WPA), is a subset of the still unfinished IEEE
802.11i security specification and will be usable by both home and enterprise
wireless networks.

Why not wait for 802.11i? According to Dennis Eaton, the chairman of the Wi-Fi
Alliance, "[IEEE] Task Group I doing 802.11i is still on a path to be complete
about this time next year with a fully ratified standard, but that’s a little
too long. We had to do something sooner."

That something sooner is WPA, which, according to Eaton, will work with the
majority of 802.11-based products out today once they’ve gone through a firmware/software
upgrade. WPA is forward compatible with 802.11i. By the time 11i is ratified
around September of next year, expect to see a WPA version 2.0 with full 802.11i
support. Eventually, the Alliance expects to require Wi-Fi products to ship
with WPA turned on as a default.

The way WPA will work in the enterprise is similar
to the setup of any 802.1X authentication system. Both the clients and the access points
must have WPA enabled, and the access points hand authentication off to an 802.1X
authentication server of some sort that speaks the Extensible Authentication
Protocol (EAP), such as a RADIUS server, which provides centralized access management.

"The server provides the scalability for the
design, user credentials, authorization as users request access, and generates
the keys for Temporal Key Integrity Protocol (TKIP) encryption…TKIP is part of
WPA," says Eaton. Once the server authenticates the user, the access point
will let that user on to the wired network; up to that point, the access point
only relays the client's authentication traffic to the server.

Home network users usually won’t have an authentication
server, but the WPA solution still uses 802.1X. They won’t get the upper layer
authentication, but can take advantage of Pre-shared Key mode.

"Pre-shared Key is used much like WEP — you key in a pass phrase [called
the master key] in both the client and access point," says Eaton. "In the
association process, if the password matches, then the access point allows access
to the Internet or wired network. You still get the advantage of 802.1X, so
my key is different from my wife's key on the same access point, but our keys
are refreshed every time we connect. The pass phrase is the same, but the key
is generated."
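The following is an added example, written for this article rather than taken from the Wi-Fi Alliance or any vendor, showing what "the pass phrase is the same, but the key is generated" means in practice. It follows the key hierarchy that IEEE 802.11i later ratified: in Pre-shared Key mode the pass phrase and SSID are stretched with PBKDF2-HMAC-SHA1 (4096 iterations) into a 256-bit Pairwise Master Key (PMK), and every association then derives a fresh Pairwise Transient Key (PTK) from the PMK, the two MAC addresses and two nonces exchanged in the 4-way handshake. Note that the PMK itself is the same for every user of the access point; what differs per client and per connection is the PTK. In the enterprise setup described above, the PMK is delivered by the EAP/RADIUS server instead of being derived from a pass phrase, and the same PTK derivation applies. The MAC addresses and nonces below are constructed sample values, and `simulate_association` is a hypothetical helper standing in for the real handshake.

```python
"""Added example: one WPA pass phrase, a fresh per-session key on every association."""
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK mode: 256-bit PMK = PBKDF2-HMAC-SHA1(pass phrase, SSID, 4096 iterations)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to nbits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """512-bit PTK for TKIP. Addresses and nonces are sorted so that the access
    point and the client compute the same key from the same four values."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 512)


def split_tkip_ptk(ptk: bytes) -> dict:
    """Split the PTK into its 802.11i components: EAPOL-Key confirmation key,
    EAPOL-Key encryption key, TKIP temporal key and the two Michael MIC keys."""
    return {
        "KCK": ptk[0:16],
        "KEK": ptk[16:32],
        "TK": ptk[32:48],
        "MIC_AP_to_STA": ptk[48:56],
        "MIC_STA_to_AP": ptk[56:64],
    }


def simulate_association(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                         anonce: bytes = None, snonce: bytes = None) -> bytes:
    """Hypothetical stand-in for the 4-way handshake: each side contributes a
    random nonce, both derive the PTK independently and must agree."""
    anonce = anonce if anonce is not None else os.urandom(32)
    snonce = snonce if snonce is not None else os.urandom(32)
    ap_ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)   # computed by the AP
    sta_ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)  # computed by the client
    assert ap_ptk == sta_ptk
    return ap_ptk


if __name__ == "__main__":
    # Constructed sample values (not real devices).
    pmk = derive_pmk("password", "IEEE")
    ap = bytes.fromhex("001122334455")
    laptop = bytes.fromhex("66778899aabb")
    spouse = bytes.fromhex("ccddeeff0011")

    first = simulate_association(pmk, ap, laptop)
    again = simulate_association(pmk, ap, laptop)    # same client reconnects
    other = simulate_association(pmk, ap, spouse)    # second client, same pass phrase

    print("PMK shared by all clients:", pmk.hex())
    print("reconnect gives a new PTK: ", first != again)
    print("other client gets own PTK: ", first != other)
    print("TKIP temporal key (session 1):", split_tkip_ptk(first)["TK"].hex())
```

Run as-is it prints the PMK once and `True` for both comparisons: the pass phrase never goes on the air, and even a client that reconnects a second later ends up with a different temporal key, which is the property WEP's single static key lacks. The PBKDF2 stretching is also why a pass phrase should be long: an attacker who captures one handshake can test candidate pass phrases offline, and 4096 iterations only slows that down, it does not prevent it.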

WEP, on the other hand, uses a single static key, shared by every user and
seldom changed. This weakness is responsible for many of the known security issues
in WLANs today: because every frame from every client is protected with the same
key, a patient attacker who captures enough traffic can eventually recover the
key and get on the network.

WPA takes advantage of the 802.11i specification's
requirements for things like 802.1X and TKIP, but leaves out things that require
a hardware upgrade or aren't ready, such as secure fast handoff, secure de-authentication
and disassociation, and AES-CCMP enhanced encryption.

The Wi-Fi Alliance is only requiring products going forward to have WPA built
in if they expect to get the Wi-Fi Certification stamp — older and current
WLAN products don’t have to get a WPA upgrade. However, Eaton expects that upgrades
to WPA will start appearing from vendors in the next several months. Whether
vendors provide the upgrade for individual products or not depends upon their
stance and whether they get support for it from the core technology providers
such as the chipset makers. Already announcing support for WPA with future upgrades
are major 802.11 vendors (and Wi-Fi Alliance members) such as Agere, Atheros, Atmel,
Colubris, Funk Software, Intersil, Proxim, Resonext, and Texas Instruments.

"We’re fully behind it," says Bill Carney, Director of Marketing
and Business Development at Texas Instruments. "It’s important security.
Security is the biggest roadblock to adoption."

Companies are free to resubmit older products with WPA implemented to the Alliance
for testing. Interoperability testing of such products will begin in February 2003.

Eric Griffith is the managing editor of 802.11 Planet.
