Page 151 / 162 Scroll up to view Page 146 - 150
Reference Manual for the MR814 v3 Cable/DSL Wireless Router
Wireless Networking Basics
D-15
202-10039-01
Temporal Key Integrity Protocol (TKIP)
WPA uses TKIP to provide important data encryption enhancements including a per-packet key
mixing function, a message integrity check (MIC) named Michael, an extended initialization
vector (IV) with sequencing rules, and a re-keying mechanism. TKIP also provides for the
following:
The verification of the security configuration after the encryption keys are determined.
The synchronized changing of the unicast encryption key for each frame.
The determination of a unique starting unicast encryption key for each preshared key
authentication.
Michael
With 802.11 and WEP, data integrity is provided by a 32-bit
integrity check value
(ICV) that is
appended to the 802.11 payload and encrypted with WEP. Although the ICV is encrypted, you can
use cryptanalysis to change bits in the encrypted payload and update the encrypted ICV without
being detected by the receiver.
With WPA, a method known as
Michael
specifies a new algorithm that calculates an 8-byte
message integrity code
(MIC) using the calculation facilities available on existing wireless
devices. The MIC is placed between the data portion of the IEEE 802.11 frame and the 4-byte ICV.
The MIC field is encrypted together with the frame data and the ICV.
Michael also provides replay protection. A new frame counter in the IEEE 802.11 frame is used to
prevent replay attacks.
AES Support
One of the encryption methods supported by WPA beside TKIP is the advanced encryption
standard (AES), although AES support will not be required initially for Wi-Fi certification. This is
viewed as the optimal choice for security conscience organizations, but the problem with AES is
that it requires a fundamental redesign of the NIC’s hardware in both the station and the access
point. TKIP was a pragmatic compromise that allows organizations to deploy better security while
AES capable equipment is being designed, manufactured, and incrementally deployed.
Page 152 / 162
Reference Manual for the MR814 v3 Cable/DSL Wireless Router
D-16
Wireless Networking Basics
202-10039-01
Is WPA Perfect?
WPA is not without its vulnerabilities. Specifically, it is susceptible to denial of service (DoS)
attacks. If the access point receives two data packets that fail the Message Integrity Code (MIC)
check within 60 seconds of each other then the network is under an active attack, and as a result,
the access point employs counter measures, which includes disassociating each station using the
access point. This prevents an attacker from gleaning information about the encryption key and
alerts administrators, but it also causes users to lose network connectivity for 60 seconds. More
than anything else, this may just prove that no single security tactic is completely invulnerable.
WPA is a definite step forward in WLAN security over WEP and has to be thought of as a single
part of an end-to-end network security strategy.
Product Support for WPA
Starting in August, 2003, NETGEAR, Inc. wireless Wi-Fi certified products will support the WPA
standard. NETGEAR, Inc. wireless products that had their Wi-Fi certification approved before
August, 2003 will have one year to add WPA so as to maintain their Wi-Fi certification.
WPA requires software changes to the following:
Wireless access points
Wireless network adapters
Wireless client programs
Supporting a Mixture of WPA and WEP Wireless Clients
To support the gradual transition of WEP-based wireless networks to WPA, a wireless AP can
support both WEP and WPA clients at the same time. During the association, the wireless AP
determines which clients use WEP and which clients use WPA. The disadvantage to supporting a
mixture of WEP and WPA clients is that the global encryption key is not dynamic. This is because
WEP-based clients cannot support it. All other benefits to the WPA clients, such as integrity, are
maintained.
However, a mixed mode supporting WPA and non-WPA clients would offer network security that
is no better than that obtained with a non-WPA network, and thus this mode of operation is
discouraged.
Changes to Wireless Access Points
Wireless access points must have their firmware updated to support the following:
Page 153 / 162
Reference Manual for the MR814 v3 Cable/DSL Wireless Router
Wireless Networking Basics
D-17
202-10039-01
The new WPA information element
To advertise their support of WPA, wireless APs send the beacon frame with a new 802.11
WPA information element that contains the wireless AP's security configuration (encryption
algorithms and wireless security configuration information).
The WPA two-phase authentication
Open system, then 802.1x (EAP with RADIUS or preshared key).
TKIP
Michael
AES
(optional)
To upgrade your wireless access points to support WPA, obtain a WPA firmware update from your
wireless AP vendor and upload it to your wireless AP.
Changes to Wireless Network Adapters
Wireless network adapters must have their firmware updated to support the following:
The new WPA information element
Wireless clients must be able to process the WPA information element and respond with a
specific security configuration.
The WPA two-phase authentication
Open system, then 802.1x (EAP or preshared key).
TKIP
Michael
AES
(optional)
To upgrade your wireless network adapters to support WPA, obtain a WPA update from your
wireless network adapter vendor and update the wireless network adapter driver.
For Windows wireless clients, you must obtain an updated network adapter driver that supports
WPA. For wireless network adapter drivers that are compatible with Windows XP (Service Pack 1)
and Windows Server 2003, the updated network adapter driver must be able to pass the adapter's
WPA capabilities and security configuration to the Wireless Zero Configuration service.
Microsoft has worked with many wireless vendors to embed the WPA firmware update in the
wireless adapter driver. So, to update you Windows wireless client, all you have to do is obtain the
new WPA-compatible driver and install the driver. The firmware is automatically updated when
the wireless network adapter driver is loaded in Windows.
Page 154 / 162
Reference Manual for the MR814 v3 Cable/DSL Wireless Router
D-18
Wireless Networking Basics
202-10039-01
Changes to Wireless Client Programs
Wireless client programs must be updated to permit the configuration of WPA authentication (and
preshared key) and the new WPA encryption algorithms (TKIP and the optional AES component).
To obtain the Microsoft WPA client program, visit the following Microsoft Web site.
Page 155 / 162
202-10039-01
Glossary
1
Glossary
10BASE-T
IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring.
100BASE-Tx
IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring.
802.11b
IEEE specification for wireless networking at 11 Mbps using direct-sequence
spread-spectrum (DSSS) technology and operating in the unlicensed radio
spectrum at 2.5GHz.
Denial of Service
attack
DoS. A hacker attack designed to prevent your computer or network from
operating or communicating.
DHCP
See
Dynamic Host Configuration Protocol.
DNS
See
Domain Name Server.
domain name
A descriptive name for an address or group of addresses on the Internet.
Domain names are of the form of a registered entity name plus one of a
number of predefined top level suffixes such as .com, .edu, .uk, etc. For
example, in the address mail.NETGEAR.com, mail is a server name and
NETGEAR.com is the domain.
Domain Name Server
A Domain Name Server (DNS) resolves descriptive names of network
resources (such as www.NETGEAR.com) to numeric IP addresses.
Dynamic Host
Configuration
Protocol
DHCP. An Ethernet protocol specifying how a centralized DHCP server can
assign network configuration information to multiple DHCP clients. The
assigned information includes IP addresses, DNS addresses, and gateway
(router) addresses.
Gateway
A local device, usually a router, that connects hosts on a local network to other
networks.
IP
See
Internet Protocol.
IP Address
A four-byte number uniquely defining each host on the Internet. Ranges of
addresses are assigned by Internic, an organization formed for this purpose.
Usually written in dotted-decimal notation with periods separating the bytes
(for example, 134.177.244.57).
ISP
Internet service provider.

Rate

4.5 / 5 based on 2 votes.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top