Wi-Fi Protected Access

By Paladion

May 24, 2007

Wired Equivalent Privacy (WEP), the original security mechanism for wireless LANs, can today be broken in about two minutes. Wireless equipment vendors therefore shipped improved security mechanisms in their products, but these were proprietary and did not interoperate with one another. The Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA) to fill that gap, and it has become the effective standard implemented across multi-vendor devices.


Modes of Operation

Wi-Fi Protected Access supports two modes of operation: WPA Personal, also called Pre-Shared Key (PSK) mode, and WPA Enterprise mode. In PSK mode every device is configured with the same shared secret, which serves as both the authentication credential and the key material, and which has to be managed on each device individually. In Enterprise mode an authentication server, reached over the RADIUS protocol, authenticates each user and supplies fresh key material for every session. Because a shared secret is hard to distribute and to revoke, and because a short or guessable passphrase can be recovered by an offline dictionary attack against a captured handshake, WPA Enterprise mode is more secure than WPA PSK mode. PSK mode is suited to home users and small businesses; Enterprise mode is preferred for medium and large enterprises. This article describes WPA in Enterprise mode.

Security enhancements in WPA

The major security enhancements in Wi-Fi Protected Access over WEP include

  • Authentication using IEEE 802.1x
  • Encryption using Temporal Key Integrity Protocol (TKIP)
  • Data integrity check using Message Integrity Code (MIC) and Integrity Check Value (ICV)
  • Frame counter to defend against replay attacks

How WPA Authentication works

WPA primarily uses IEEE 802.1X authentication, which proceeds in two phases. In the first phase the wireless client associates with the access point. The access point's 802.1X controlled port stays closed, so the only traffic it forwards for the client is EAP over LAN (EAPOL); everything else is blocked until authentication succeeds. The access point then relays an EAP exchange between the client and an authentication server, typically a RADIUS server (which may in turn check the credentials against a directory such as LDAP). With the Extensible Authentication Protocol (EAP), the client and the server mutually authenticate each other through the access point; the access point itself never sees the credentials. The three common EAP types supported are EAP-TLS, EAP-TTLS and PEAP.

In the second phase, after user authentication succeeds, the client and the authentication server each derive the same Pairwise Master Key (PMK) from the EAP exchange, and the server delivers the PMK to the access point over RADIUS. A 4-way handshake between the access point and the client follows: each side proves it holds the PMK without ever transmitting it, fresh nonces from both sides are mixed with the PMK into a Pairwise Transient Key (PTK), and the TKIP encryption and MIC keys derived from the PTK, together with the group key for broadcast traffic, are installed. All further communication between the wireless client and the access point is encrypted.
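To make the two phases concrete, here is a simulated 4-way handshake, added for this article as a worked example; it is not Paladion's code and not a production supplicant. It takes a PMK as input, exactly as the handshake does: in Enterprise mode the PMK comes out of the EAP exchange, and for comparison the example also derives it the PSK way, with PBKDF2 over the passphrase and SSID, which is what makes PSK mode testable against a word list once a handshake has been captured (the dictionary-attack risk noted under Modes of Operation). The PRF, PTK layout and HMAC-MD5 EAPOL-Key MIC follow IEEE 802.11i; the EAPOL-Key message layout is simplified to "tag || nonce || MIC", and the MAC addresses, SSID, passphrase and nonces are constructed test data.

```python
"""Simulated WPA 4-way handshake over an already-agreed PMK.

Added example for this article (not Paladion's code).  Key derivation follows
IEEE 802.11i: PTK = PRF-512(PMK, ...), EAPOL-Key MIC = HMAC-MD5(KCK, frame) for
TKIP (key descriptor version 1).  The EAPOL-Key message layout is simplified to
"tag || nonce || MIC"; addresses, SSID, passphrase and nonces are constructed."""
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK only: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    In Enterprise mode the PMK is exported by the EAP method instead."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (64 bytes for TKIP): KCK | KEK | TK | TX-MIC key | RX-MIC key.
    Inputs are ordered by value so both sides compute the same key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its 16-byte MIC field zeroed."""
    return hmac.new(kck, frame[:-16] + bytes(16), hashlib.md5).digest()


def build_msg(body: bytes, kck) -> bytes:
    frame = body + bytes(16)                 # MIC field starts out zeroed
    return body + (eapol_mic(kck, frame) if kck else bytes(16))


def verify_msg(frame: bytes, kck: bytes) -> bool:
    return hmac.compare_digest(frame[-16:], eapol_mic(kck, frame))


def four_way_handshake(pmk_ap: bytes, pmk_sta: bytes, aa: bytes, spa: bytes):
    """Returns (ok, tk, transcript).  tk is the temporal key both sides install;
    transcript is what a passive sniffer sees and is what offline_psk_check needs."""
    anonce = os.urandom(32)
    msg1 = build_msg(b"M1" + anonce, None)              # AP -> STA: ANonce, no MIC possible yet
    snonce = os.urandom(32)
    ptk_sta = derive_ptk(pmk_sta, aa, spa, msg1[2:34], snonce)
    msg2 = build_msg(b"M2" + snonce, ptk_sta[:16])      # STA -> AP: SNonce + MIC under KCK
    ptk_ap = derive_ptk(pmk_ap, aa, spa, anonce, msg2[2:34])
    transcript = (anonce, snonce, msg2)
    if not verify_msg(msg2, ptk_ap[:16]):               # STA has proved it holds the PMK
        return False, None, transcript
    msg3 = build_msg(b"M3" + anonce, ptk_ap[:16])       # AP -> STA: AP proves the same (GTK rides here under KEK)
    if msg3[2:34] != anonce or not verify_msg(msg3, ptk_sta[:16]):
        return False, None, transcript
    msg4 = build_msg(b"M4", ptk_sta[:16])               # STA -> AP: confirm; keys installed after this
    if not verify_msg(msg4, ptk_ap[:16]):
        return False, None, transcript
    return True, ptk_ap[32:48], transcript


def offline_psk_check(candidates, ssid: str, aa: bytes, spa: bytes, transcript):
    """Why PSK mode is dictionary-attackable: a captured message 2 lets anyone test
    passphrases offline, with no further contact with the network."""
    anonce, snonce, msg2 = transcript
    for word in candidates:
        kck = derive_ptk(pmk_from_passphrase(word, ssid), aa, spa, anonce, snonce)[:16]
        if verify_msg(msg2, kck):
            return word
    return None


if __name__ == "__main__":
    AA, SPA = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed MACs
    pmk = pmk_from_passphrase("correct horse battery", "Paladion-Lab")      # constructed PSK
    ok, tk, tr = four_way_handshake(pmk, pmk, AA, SPA)
    print("handshake ok:", ok, "TK:", tk.hex() if tk else None)
    print("recovered:", offline_psk_check(["password", "correct horse battery"],
                                          "Paladion-Lab", AA, SPA, tr))
```

Note what the handshake does and does not protect: the nonces travel in the clear and the MIC is verifiable by anyone who knows the PMK, which is harmless in Enterprise mode (every session has its own PMK) but is exactly the offline-guessing surface in PSK mode.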

WPA Encryption with TKIP

The salient features TKIP introduces over WEP are a 48-bit initialization vector that doubles as a per-packet sequence counter (the TSC), per-packet key mixing, and a message integrity code, known as Michael, keyed separately in each direction.

In busy networks an attacker can decrypt WEP frames quickly because WEP's 24-bit IV space (about 16 million values) is exhausted within hours, after which IVs, and with them RC4 keystreams, repeat. This is far harder in WPA: a 48-bit counter would take on the order of 2^48 frames to wrap, and the 4-way handshake installs a fresh temporal key on every association (keys are also refreshed periodically), so the counter never gets there in practice. Unlike WEP, which applies one static key to every frame, TKIP mixes the temporal key with the transmitter address and the sequence counter to derive a distinct RC4 key for every packet, so the weak-key attacks that break WEP do not apply.

In WEP, data integrity rests on a 4-byte Integrity Check Value (ICV), a CRC-32. Although the ICV is encrypted, the CRC is linear, so an attacker can flip bits in the ciphertext and adjust the ICV to match without knowing the key. In WPA the frame is encrypted along with an 8-byte message integrity code (MIC) placed between the payload and the 4-byte ICV; the MIC is a keyed function of the destination and source addresses, the priority and the payload, so both modification and redirection of a frame are detected. Replay protection comes from the sequence counter: the receiver drops any frame whose TSC is not greater than the last one accepted under that key. Michael is deliberately lightweight so that WEP-era hardware can compute it, and 802.11i compensates with countermeasures: two MIC failures within 60 seconds cause the station to rekey and suspend TKIP traffic for a minute.
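The integrity and anti-replay layer just described, as an added example written for this article (not code from Paladion or from any driver): Michael is implemented from its IEEE 802.11i definition (the block function, the 0x5a padding, and the MIC input DA || SA || priority || three zero bytes || payload), and a small receiver enforces the strictly increasing 48-bit TSC and counts MIC failures the way the countermeasures require. The per-packet key-mixing function and the RC4/ICV layer are left out, so this shows the integrity and replay checks only; the MIC key, addresses and frame payloads are constructed test data.

```python
"""TKIP integrity and anti-replay: Michael MIC plus the 48-bit TKIP sequence counter.

Added example for this article (not Paladion's code).  Michael follows the IEEE 802.11i
definition (block function, 0x5a padding, MIC over DA||SA||priority||0x000000||payload).
Per-packet key mixing and the RC4/ICV layer are omitted; keys and frames are constructed."""
import hmac
import struct

MASK = 0xFFFFFFFF


def rol32(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK


def ror32(v: int, n: int) -> int:
    return ((v >> n) | (v << (32 - n))) & MASK


def xswap(v: int) -> int:
    # Swap the two bytes within each 16-bit half of the word
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)


def michael_block(l: int, r: int):
    r ^= rol32(l, 17); l = (l + r) & MASK
    r ^= xswap(l);     l = (l + r) & MASK
    r ^= rol32(l, 3);  l = (l + r) & MASK
    r ^= ror32(l, 2);  l = (l + r) & MASK
    return l, r


def michael_mic(key: bytes, da: bytes, sa: bytes, priority: int, payload: bytes) -> bytes:
    """8-byte Michael MIC under a 64-bit key (the PTK's TX- or RX-MIC key)."""
    if len(key) != 8:
        raise ValueError("Michael key is 64 bits")
    l, r = struct.unpack("<II", key)
    # Addresses and priority are covered so a frame cannot be redirected undetected
    msg = da + sa + bytes([priority, 0, 0, 0]) + payload
    # Padding: 0x5a then 4..7 zero bytes, bringing the length to a multiple of 4
    msg += b"\x5a" + bytes(4 + (-(len(msg) + 5)) % 4)
    for (word,) in struct.iter_unpack("<I", msg):
        l ^= word
        l, r = michael_block(l, r)
    return struct.pack("<II", l, r)


class TkipReceiver:
    """Receive-side state for one sender and key: replay window plus MIC check."""
    TSC_MAX = (1 << 48) - 1

    def __init__(self, rx_mic_key: bytes):
        self.rx_mic_key = rx_mic_key
        self.last_tsc = -1          # fresh key from the handshake: counter restarts at 0
        self.mic_failures = 0

    def accept(self, tsc: int, da: bytes, sa: bytes, priority: int,
               payload: bytes, mic: bytes) -> str:
        if not 0 <= tsc <= self.TSC_MAX:
            return "bad-tsc"
        if tsc <= self.last_tsc:    # 48-bit counter must strictly increase: replays are dropped
            return "replay"
        expected = michael_mic(self.rx_mic_key, da, sa, priority, payload)
        if not hmac.compare_digest(mic, expected):
            self.mic_failures += 1  # 802.11i: two failures within 60 s trigger countermeasures
            return "mic-failure"
        self.last_tsc = tsc
        return "ok"


if __name__ == "__main__":
    KEY = bytes.fromhex("0123456789abcdef")                        # constructed 64-bit MIC key
    DA, SA = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    rx = TkipReceiver(KEY)
    mic = michael_mic(KEY, DA, SA, 0, b"GET / HTTP/1.0")
    print(rx.accept(1, DA, SA, 0, b"GET / HTTP/1.0", mic))         # ok
    print(rx.accept(1, DA, SA, 0, b"GET / HTTP/1.0", mic))         # replay
    print(rx.accept(2, DA, SA, 0, b"GET /x HTTP/1.0", mic))        # mic-failure
```

The replay check is done before the MIC check on purpose: a replayed frame is rejected on the counter alone, so an attacker replaying old traffic cannot drive up the MIC-failure count and provoke the countermeasures.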

Figure 1: WPA Network Diagram

Next generation Wi-Fi Security

WPA 2, the next generation of Wi-Fi security, is an interoperable implementation of the ratified IEEE 802.11i standard. WPA 2 replaces TKIP and RC4 with CCMP, the Counter Mode with CBC-MAC Protocol, built on the Advanced Encryption Standard (AES). AES is a block cipher with a 128-bit key operating on 128-bit blocks; CCMP runs it in counter mode to encrypt the frame payload and in CBC-MAC mode to compute an 8-byte message integrity code (MIC) over the payload and the protected header fields. The MIC provides integrity and origin authentication between the two parties that share the key; because the key is shared, it does not provide non-repudiation.

WPA 2 offers a higher level of security than WPA because AES-CCMP is a purpose-built authenticated encryption mode, whereas TKIP is a set of wrappers around the RC4 and CRC-32 of WEP, constrained by the need to run on existing hardware. WPA 2 derives unique session keys on every association for each client, and the 48-bit packet number in CCMP ensures that no counter-mode keystream is ever reused under a key. At the time of writing (2007) WPA is still considered secure and no practical break of TKIP has been published, but TKIP was always meant as an interim measure for WEP-era hardware; CCMP is the long-term replacement and should be preferred wherever the equipment supports it. (Practical attacks on TKIP have since been published and the Wi-Fi Alliance has deprecated it, which strengthens that recommendation.)

Mapping WPA and WPA 2 to IEEE 802.11i

Wi-Fi Protected Access was defined from a draft of IEEE 802.11i and is a subset of the ratified standard, while WPA 2 implements the full standard, including CCMP. Here's a snapshot of the mapping between WPA/WPA2 and the IEEE 802.11i standard.

Figure 2: Map - WPA 802.11i
