Protecting Your 80211 Network with WPA

After suffering with Wired Equivalent
(WEP) for what seems like ages, we finally have a
wireless security protocol, Wi-Fi Protected
(WPA) that gives us reasonable, albeit not perfect, protection. But,
now the question is: how do you actually use it?

The theory of how WPA works is simple enough. WEP’s main problems are that
its security keys are very breakable and that they’re no easy way to way reset
keys on a regular basis to avoid someone breaking messages encrypted with an
overused key.

WPA addresses these concerns, not by replacing the weak RSA Security’s RC4
encryption, but by improving how RC4 is implemented and adding automatic key
resetting. Specifically, WPA first increases the initialization vector (IV)
from 24-bits to 48-bits. This makes a WPA protected message orders of magnitude
harder to crack.

Next, WPA changes the key with every 802.11 packet using the Temporal Key Integrity
Protocol (TKIP). This is a mixed blessing. While it does make packets harder
to break, it comes at the cost of PC and Network Interface Card (NIC) performance.

Finally, WPA uses that ancient message security technique of a checksum (define). In WPA, this is done by checking the validity of an 8-bit message
integrity code (MIC), also known as "Michael,"
within the frame and by testing the 802.11’s frame 4-byte integrity check value

In addition, WPA includes some of 802.1X server-based authentication tricks
with support for Extensible Authentication Protocol (EAP) using Remote Authentication
Dial-In User Service (RADIUS) (define) or a pre-shared key. Although
this doesn’t help security directly, server-based authentication can go a long
way toward stopping and tracking security breaches for larger Wi-Fi installations.

The end result of these technology improvements is that Wi-Fi will be far safer.
How much safer? Enough to make the safety distance between a top of the line
Saab and a ‘fire in the back!" Pinto look minute.


Before you charge out and start implementing WPA, you should know that WPA
is a stopgap security measure. It’s really just a snapshot of the IEEE 802.11i
standard (rumor has it the Wi-Fi Alliance
might want to brand 802.11i as WPA2 for just that reason). Unfortunately, 802.11i
is still a ways out from being done and since ever faster computers made hacking
WEP ever easier, the Wi-Fi Alliance decided to put out a temporary standard,
WPA, until 802.11i is finalized.

One headache you shouldn’t have though, which many of us have faced with pre-standard
802.11g equipment, is compatibility. The Wi-Fi Alliance has set down the ground-rules
for WPA and is making sure that all vendors stick to the letter of the WPA law.

The idea also is that any WPA devices or software you buy soon will be backwards
compatible with 802.11i. Well, except that 802.11i will also introduce an optional
replacement for RC4 called Advanced Encryption Standard (AES) (define).
Given RC4’s track record in WEP, many vendors and users will want AES and many
current WPA implementations won’t be able to support it since to run in real-time,
this encryption protocol currently requires a dedicated encryption/decryption
chip. But if AES hardware is present, WPA will use it in place of TKIP.

Some WPA cards will be able to support 802.11i. For example, take Texas Instrument’s
TNETW1130 chip, which supports 802.11a, b and g, and has built in hardware accelerators
for AES. If you buy any access point or NIC with that chip, you will be able
to use them with WPA and also after 802.11i finally arrives.

The moral of the story is if you’re looking to upgrade your wireless infrastructure
only once within the next year or two, your best bet is to look for equipment
with 802.11i-capable chipsets.

Ready to Replace Everything?

Next, if you’re going to seriously use WPA, you can’t just replace/upgrade
an access point here and a radio-based NIC there. You need to replace and upgrade
all your Wi-Fi equipment.

Why? Because while WPA equipment will work with WEP hardware, it does so by
down-shifting to WEP. A security chain is only as strong as its weakest link,
so if you try mixing old WEP hardware with WPA, you’re likely to end up with
a false sense of security followed by a criminal hacker in your network.

In theory, you can upgrade your existing WEP equipment to WPA with a firmware
(define) upgrade. While these products are slowly becoming available,
you may want to hold up for a while. Upgrading firmware
can be difficult
in its own right and 1.0 versions of anything tend to be
the versions with problems.

In any cases, you simply can’t upgrade the cards. For example, there was a
rumor at the beginning of the year that Apple’s AirPort Card could be firmware
upgraded to take advantage of WPA. It isn’t.

Indeed, it may well be that before WPA solid firmware upgrades become available,
802.11i equipment will be arriving on the scene. Therefore, if you need better
wireless security today, your best move may to bite the bullet and replace your
equipment with WPA-capable hardware today.

If you simply can’t afford that but need additional security right sooner than
later, vendors like Atheros recommend
using a Virtual Private Network (VPN) (define) for your non-WPA equipment
and forcing non-WPA-capable routers to use a Virtual LAN (VLAN) to connect with
a VPN gateway. This way, all your non-WPA traffic must run with a VPN before
entering the better secured division of your network.

OS Considerations

Don’t think, by the way, that if you’re running Windows XP as your operating
system (OS) (define), you can avoid these problems. While it’s true
that Microsoft supports WPA in XP, that doesn’t mean it enables XP to run WPA
in the operating system thus avoiding the need for new WPA-capable equipment
or a firmware update. As Microsoft spells out in its WPA document: "Wireless
network adapters must have their firmware updated" to make use of WPA’s
functionality. Indeed, when you get right down to it, the only thing Microsoft
does to support WPA is to enable "clients that are running Windows XP service
pack 1 (SP1) and later or Windows Server 2003 and that are using a wireless
network adapter that supports the Wireless Zero Configuration (WZC) service."
That’s it.

Microsoft will also not be giving support to those few WZC users running on
earlier versions of their operating system. The Redmond giant has, however,
promised to support 802.11i and 802.1X across their product line, including
the almost outmoded Windows 98 Second Edition.

On most operating systems, such as Linux and MacOS, you won’t have to make
any operating system changes. Of course, your client software and driver will
need to be upgraded to work with WPA, but that’s true of any significant NIC

For the most part, though, changing over to WPA will simply be a matter of
plugging in the new hardware, upgrading your software and logging on to the
network. It should take only seconds longer than installing WEP-empowered NICs
or access points today.

If you’re using a RADIUS server for authenticaiton, you will of course have
to work the WPA hardware into your RADIUS setup using your vendor’s directions.
If you have a small business or a home Wi-Fi network, you’ll want to use a pre-shared
key and set it on each workstation and access point. This shouldn’t cause you
any grief. It’s less trouble than doing WEP right in the first place and provides
much better protection.

Bottom Line

The real question is: "Is WPA worth it with 802.11i on the horizon?"
There’s no good answer. If the IEEE standardization process goes extremely well,
802.11i might be available as early as the end of this year. In that case, your
new WPA hardware might only be state of the security art for as little as six

In the worse case scenario, though, we could still be sitting here in May of
2004 and still not have either standard finalized. In that case, buying WPA
makes much more sense.

So ask yourself is how important is Wi-Fi security for you today? If it’s mission-critical,
go ahead and buy WPA-capable access points and NICs. But, if it’s not, maybe
you should stick to doing what you can with WEP and a VPN, and gamble that 802.11i
will arrive by the end of this year instead of next year.

Want to learn more about WPA and its implementation? Join us at the 802.11 Planet Conference
& Expo
, June 25-27, 2003 at the World Trade Center Boston in Boston. Sam Ho and Ajay Rane of Intel’s Wireless Networking Group are presenting a workshop on “End-to-End Enterprise WLAN Security Implementation Using CCx and WPA” on June 25. On June 26, a panel of security experts will discuss “Does WPA Close The Wi-Fi Security Gap?”

News Around the Web