The Institute of Electrical and Electronics Engineers (IEEE) 802.11i wireless networking standard specifies improvements to wireless LAN security. The 802.11i standard is currently in draft form, with ratification expected for the end of 2004. The 802.11i standard addresses many of the security issues of the original 802.11 standard. While the new IEEE 802.11i standard is being ratified, wireless vendors have agreed on an interoperable interim standard known as Wi-Fi Protected Access (WPA).
Features of WPA security
The following security features are included in the WPA standard:
802.1x authentication is required in WPA. In the 802.11 standard, 802.1x authentication was optional.
For environments without a Remote Authentication Dial-In User Service (RADIUS) infrastructure, WPA supports the use of a preshared key. For environments with a RADIUS infrastructure, Extensible Authentication Protocol (EAP) and RADIUS is supported.
WPA key management
With 802.1x, the rekeying of unicast encryption keys is optional. Additionally, 802.11 and 802.1x provide no mechanism to change the global encryption key used for multicast and broadcast traffic. With WPA, rekeying of both unicast and global encryption keys is required. For the unicast encryption key, the Temporal Key Integrity Protocol (TKIP) changes the key for every frame, and the change is synchronized between the wireless client and the wireless access point (AP). For the global encryption key, WPA includes a facility for the wireless AP to advertise the changed key to the connected wireless clients.
Temporal Key Integrity Protocol
For 802.11, Wired Equivalent Privacy (WEP) encryption is optional. For WPA, encryption using TKIP is required. TKIP replaces WEP with a new encryption algorithm that is stronger than the WEP algorithm, but uses the calculation facilities present on existing wireless devices to perform encryption operations. TKIP also provides for the following:
- The verification of the security configuration after the encryption keys are determined.
- The synchronized changing of the unicast encryption key for each frame.
- The determination of a unique starting unicast encryption key for each preshared key authentication.
With 802.11 and WEP, data integrity is provided by a 32-bit integrity check value (ICV) that is appended to the 802.11 payload and encrypted with WEP. Although the ICV is encrypted, you can use cryptanalysis to change bits in the encrypted payload and update the encrypted ICV without being detected by the receiver.
With WPA, a method known as Michael specifies a new algorithm that calculates an 8 byte message integrity code (MIC) using the calculation facilities available on existing wireless devices. The MIC is placed between the data portion of the IEEE 802.11 frame and the 4 byte ICV. The MIC field is encrypted together with the frame data and the ICV.
Michael also helps provide replay protection. A new frame counter in the IEEE 802.11 frame helps prevent replay attacks.
WPA defines the use of Advanced Encryption Standard (AES) as an additional replacement for WEP encryption. Because you may not be able to add AES support through a firmware update to existing wireless equipment, support for AES is optional and is dependent on vendor driver support.
Supporting a mixture of WPA and WEP wireless clients
To support the gradual transition of WEP-based wireless networks to WPA, a wireless AP can support both WEP and WPA clients at the same time. During the association, the wireless AP determines which clients use WEP and which ones use WPA. The support of a mixture of WEP and WPA clients is problematic. The global encryption key is not dynamic because WEP-based clients cannot support it. All other benefits to the WPA clients are maintained, including integrity.
Changes required to support WPA
WPA requires software changes to the following:
- Wireless access points
- Wireless network adapters
- Wireless client programs
Changes to wireless access points
Wireless access points must have their firmware updated to support the following:
The new WPA information element
To advertise their support of WPA, wireless APs send the beacon frame with a new 802.11 WPA information element that contains the wireless AP's security configuration (encryption algorithms and wireless security configuration information).
- The WPA two-phase authentication
- Open system, and then open 802.1x (EAP with RADIUS or preshared key)
- AES (optional)
To upgrade your wireless access points to support WPA, obtain a WPA firmware update from your wireless AP vendor and upload it to your wireless AP.
Changes to wireless network adapters
Wireless network adapters must have their firmware updated to support the following:
- The new WPA information element
Wireless clients must be able to process the WPA information element and respond with a specific security configuration.
- The WPA two-phase authentication
- Open system, and then open 802.1x (EAP or preshared key).
- AES (optional)
To upgrade your wireless network adapters to support WPA, obtain a WPA update from your wireless network adapter vendor and update the wireless network adapter driver.
For Windows wireless clients, you must obtain an updated network adapter driver that supports WPA. For wireless network adapter drivers that are compatible with Windows XP (Service Pack 1) and Windows Server 2003, the updated network adapter driver must be able to pass the adapter's WPA capabilities and security configuration to the Wireless Zero Configuration service.
Microsoft has worked with many wireless vendors to embed the WPA firmware update in the wireless adapter driver. To update your Windows wireless client, you just obtain the new WPA-compatible driver and then install the driver. The firmware is automatically updated when the wireless network adapter driver is loaded in Windows.
Changes to wireless client programs
Wireless client programs must be updated to permit the configuration of WPA authentication (and preshared key) and the new WPA encryption algorithms (TKIP and the optional AES component).
For wireless clients that are running Windows XP Service Pack 1 (SP1) or Windows Server 2003 and that are using a wireless network adapter that supports the Wireless Zero Configuration service, you must obtain and install the Windows WPA Client. For wireless clients that are running Windows XP service pack 2 (SP2) and that are using a wireless network adapter that supports the Wireless Zero Configuration service, the Windows WPA Client is included in Windows XP SP2. Therefore, additional downloads are not needed. The Windows WPA Client updates the wireless network configuration dialog boxes to support new WPA options.
For additional information and to obtain the WPA client program, see the article in the Microsoft Knowledge Base: http://support.microsoft.com/default.aspx?kbid=826942.
For wireless clients running Windows 2000 (or clients running Windows XP SP1 or Windows Server 2003 and using a wireless network adapter that does not support the Wireless Zero Configuration service), you must obtain and install a new WPA-compliant configuration tool from your wireless network adapter vendor.
Related Intel information
For information about an Intel issue with this update, visit the following Intel Web site: http://www.intel.com/support/network/wireless/pro2100/sb/cs-006131-prd944.htm.
ABOUT THE AUTHOR: John Gormly has worked for a leading public accounting firm for the last 15 years. He is a Regional Technology Director responsible for all aspects of technology including PC support, LAN/WAN infrastructure, telecommunications, project management, training, IT deployments and personnel management.
This article first appeared in myITforum, the premier online destination for IT professionals responsible for managing their corporations' Microsoft Windows systems. The centerpiece of myITforum.com is a collection of member forums where IT professionals actively exchange technical tips, share their expertise, and download utilities that help them better manage their Windows environments, specifically Microsoft Systems Management Server (SMS). It is part of the TechTarget network of Web sites. To register for the site and sign up for the myITforum daily newsletter, click here.