Page 71 / 122 Scroll up to view Page 66 - 70
Reference Manual for the WG602 v2 54 Mbps Wireless Access Point
Wireless Networking Basics
B-9
M-10181-03
Enhanced data privacy
Robust key management
Data origin authentication
Data integrity protection
The Wi-Fi Alliance is now performing interoperability certification testing on Wi-Fi Protected
Access products. Starting August of 2003, all new Wi-Fi certified products will have to support
WPA. NETGEAR will implement WPA on client and access point products and make this
available in the second half of 2003. Existing Wi-Fi certified products will have one year to add
WPA support or they will loose their Wi-Fi certification.
The 802.11i standard is currently in draft form, with ratification due at the end of 2003. While the
new IEEE 802.11i standard is being ratified, wireless vendors have agreed on WPA as an
interoperable interim standard.
How Does WPA Compare to WEP?
WEP is a data encryption method and is not intended as a user authentication mechanism. WPA
user authentication is implemented using 802.1x and the Extensible Authentication Protocol
(EAP). Support for 802.1x authentication is required in WPA. In the 802.11 standard, 802.1x
authentication was optional. For details on EAP specifically, refer to IETF's RFC 2284.
With 802.11 WEP, all access points and client wireless adapters on a particular wireless LAN must
use the same encryption key. A major problem with the 802.11 standard is that the keys are
cumbersome to change. If you don't update the WEP keys often, an unauthorized person with a
sniffing tool can monitor your network for less than a day and decode the encrypted messages.
Products based on the 802.11 standard alone offer system administrators no effective method to
update the keys.
For 802.11, WEP encryption is optional. For WPA, encryption using Temporal Key Integrity
Protocol (TKIP) is required. TKIP replaces WEP with a new encryption algorithm that is stronger
than the WEP algorithm, but that uses the calculation facilities present on existing wireless devices
to perform encryption operations. TKIP provides important data encryption enhancements
including a per-packet key mixing function, a message integrity check (MIC) named Michael, an
extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. Through
these enhancements, TKIP addresses all of known WEP vulnerabilities.
Page 72 / 122
Reference Manual for the WG602 v2 54 Mbps Wireless Access Point
B-10
Wireless Networking Basics
M-10181-03
How Does WPA Compare to IEEE 802.11i?
WPA will be forward compatible with the IEEE 802.11i security specification currently under
development. WPA is a subset of the current 802.11i draft and uses certain pieces of the 802.11i
draft that are ready to bring to market today, such as 802.1x and TKIP. The main pieces of the
802.11i draft that are not included in WPA are secure IBSS (Ad-Hoc mode), secure fast handoff
(for specialized 802.11 VoIP phones), as well as enhanced encryption protocols such as
AES-CCMP. These features are either not yet ready for market or will require hardware upgrades
to implement.
What are the Key Features of WPA Security?
The following security features are included in the WPA standard:
WPA Authentication
WPA Encryption Key Management
Temporal Key Integrity Protocol (TKIP)
Michael
message integrity code
(MIC)
AES Support
Support for a Mixture of WPA and WEP Wireless Clients
These features are discussed below.
WPA addresses most of the known WEP vulnerabilities and is primarily intended for wireless
infrastructure networks as found in the enterprise. This infrastructure includes stations, access
points, and authentication servers (typically RADIUS servers). The RADIUS server holds (or has
access to) user credentials (e.g., user names and passwords) and authenticates wireless users
before they gain access to the network.
The strength WPA comes from an integrated sequence of operations that encompass 802.1X/EAP
authentication and sophisticated key management and encryption techniques. Its major operations
include:
Network security capability determination. This occurs at the 802.11 level and is
communicated through WPA information elements in Beacon, Probe Response, and (Re)
Association Requests. Information in these elements includes the authentication method
(802.1X or Pre-shared key) and the preferred cipher suite (WEP, TKIP, or AES).
Page 73 / 122
Reference Manual for the WG602 v2 54 Mbps Wireless Access Point
Wireless Networking Basics
B-11
M-10181-03
The primary information conveyed in the Beacon frames is the authentication method and the
cipher suite. Possible authentication methods include 802.1X and Pre-shared key. Pre-shared
key is an authentication method that uses a statically configured pass phrase on both the
stations and the access point. This obviates the need for an authentication server, which in
many home and small office environments will not be available nor desirable. Possible cipher
suites include: WEP, TKIP, and AES (Advanced Encryption Standard). We’ll talk more TKIP
and AES when addressing data privacy below.
Authentication. EAP over 802.1X is used for authentication. Mutual authentication is gained
by choosing an EAP type supporting this feature and is required by WPA. 802.1X port access
control prevents full access to the network until authentication completes. 802.1X
EAPOL-Key packets are used by WPA to distribute per-session keys to those stations
successfully authenticated.
The supplicant in the station uses the authentication and cipher suite information contained in
the information elements to decide which authentication method and cipher suite to use. For
example, if the access point is using the Pre-shared key method then the supplicant need not
authenticate using full-blown 802.1X. Rather, the supplicant must simply prove to the access
point that it is in possession of the pre-shared key. If the supplicant detects that the service set
does not contain a WPA information element then it knows it must use pre-WPA 802.1X
authentication and key management in order to access the network.
Key management. WPA features a robust key generation/management system that integrates
the authentication and data privacy functions. Keys are generated after successful
authentication and through a subsequent 4-way handshake between the station and Access
Point (AP).
Data Privacy (Encryption). Temporal Key Integrity Protocol (TKIP) is used to wrap WEP in
sophisticated cryptographic and security techniques to overcome most of its weaknesses.
Data integrity. TKIP includes a message integrity code (MIC) at the end of each plaintext
message to ensure messages are not being spoofed.
Page 74 / 122
Reference Manual for the WG602 v2 54 Mbps Wireless Access Point
B-12
Wireless Networking Basics
M-10181-03
WPA Authentication: Enterprise-level User
Authentication via 802.1x/EAP and RADIUS
Figure B-3:
WPA Overview
IEEE 802.1x offers an effective framework for authenticating and controlling user traffic to a
protected network, as well as providing a vehicle for dynamically varying data encryption keys via
EAP from a RADIUS server, for example. This framework enables using a central authentication
server, which employs mutual authentication so that a rogue wireless user does not join the
network.
It's important to note that 802.1x doesn't provide the actual authentication mechanisms. When
using 802.1x, the EAP type, such as Transport Layer Security (EAP-TLS) or EAP Tunneled
Transport Layer Security (EAP-TTLS) defines how the authentication takes place.
Note
: For environments with a Remote Authentication Dial-In User Service (RADIUS)
infrastructure, WPA supports Extensible Authentication Protocol (EAP). For environments
without a RADIUS infrastructure, WPA supports the use of a preshared key.
Together, these technologies provide a framework for strong user authentication.
Windows XP implements 802.1x natively, and several Netgear switch and wireless access point
products support 802.1x.
WPA
enabled
wireless
client with
“supplicant”
Optional
Certificate
Authority
(eg Win
Server,
VeriSign,
etc)
TCP/IP
Ports Closed
Until
RADIUS Server
Wired Network with
Optional
802.1x Port Based Network
Access Control
WPA enabled
Access Point
using
pre-shared key
or
802.1x
TCP/IP
Ports Opened
After
Authenticated
Wireless LAN
Login
Authentication
Page 75 / 122
Reference Manual for the WG602 v2 54 Mbps Wireless Access Point
Wireless Networking Basics
B-13
M-10181-03
Figure B-4:
802.1x Authentication Sequence
The AP sends Beacon Frames with WPA information element to the stations in the service set.
Information elements include the required authentication method (802.1x or Pre-shared key) and
the preferred cipher suite (WEP, TKIP, or AES). Probe Responses (AP to station) and Association
Requests (station to AP) also contain WPA information elements.
1.
Initial 802.1x communications begin with an unauthenticated supplicant (i.e., client device)
attempting to connect with an authenticator (i.e., 802.11 access point). The client sends an
EAP-start message. This begins a series of message exchanges to authenticate the client.
2.
The access point replies with an EAP-request identity message.
1
2
3
4
5
6
7
Client with a WPA-
enabled wireless
adapter and supplicant
(Win XP, Funk,
Meetinghouse, etc.)
For example, a
WPA-enabled AP
For example, a
RADIUS server

Rate

3.5 / 5 based on 2 votes.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top