User Manual for the NETGEAR WGE111 Wireless Game Adapter

Wireless Networking Basics

C-9

The IEEE introduced the WEP as an optional security measure to secure 802.11b (Wi-Fi) WLANs,

but inherent weaknesses in the standard soon became obvious. In response to this situation, the

Wi-Fi Alliance announced a new security architecture in October 2002 that remedies the

shortcomings of WEP. This standard, formerly known as Safe Secure Network (SSN), is designed

to work with existing 802.11 products and offers forward compatibility with 802.11i, the new

wireless security architecture being defined in the IEEE.

WPA offers the following benefits:

•

Enhanced data privacy

•

Robust key management

•

Data origin authentication

•

Data integrity protection

How Does WPA Compare to WEP?

WEP is a data encryption method and is not intended as a user authentication mechanism. WPA

user authentication is implemented using 802.1x and the Extensible Authentication Protocol

(EAP). Support for 802.1x authentication is required in WPA. In the 802.11 standard, 802.1x

authentication was optional. For details on EAP specifically, refer to IETF's RFC 2284.

With 802.11 WEP, all access points and client wireless adapters on a particular wireless LAN must

use the same encryption key. A major problem with the 802.11 standard is that the keys are

cumbersome to change. If you do not update the WEP keys often, an unauthorized person with a

sniffing tool can monitor your network for less than a day and decode the encrypted messages.

Products based on the 802.11 standard alone offer system administrators no effective method to

update the keys.

For 802.11, WEP encryption is optional. For WPA, encryption using Temporal Key Integrity

Protocol (TKIP) is required. TKIP replaces WEP with a new encryption algorithm that is stronger

than the WEP algorithm, but that uses the calculation facilities present on existing wireless devices

to perform encryption operations. TKIP provides important data encryption enhancements

including a per-packet key mixing function, a message integrity check (MIC) named Michael, an

extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. Through

these enhancements, TKIP addresses all of known WEP vulnerabilities.

User Manual for the NETGEAR WGE111 Wireless Game Adapter

C-10

Wireless Networking Basics

How Does WPA Compare to IEEE 802.11i?

WPA is a subset of the current 802.11i draft and uses certain pieces of the 802.11i draft that are

ready to bring to market today, such as 802.1x and TKIP. The main pieces of the 802.11i draft that

are not included in WPA are secure IBSS (Ad Hoc mode), secure fast handoff (for specialized

802.11 VoIP phones), as well as enhanced encryption protocols, such as AES-CCMP. These

features are either not yet ready for market or will require hardware upgrades to implement.

What are the Key Features of WPA Security?

The following security features are included in the WPA standard:

•

WPA Authentication

•

WPA Encryption Key Management

–

Temporal Key Integrity Protocol (TKIP)

–

Michael message integrity code (MIC)

–

AES Support (to be phased in)

•

Support for a Mixture of WPA and WEP Wireless Clients, but mixing WEP and WPA is

discouraged

These features are discussed below.

WPA addresses most of the known WEP vulnerabilities and is primarily intended for wireless

infrastructure networks as found in the enterprise. This infrastructure includes stations, access

points, and authentication servers (typically RADIUS servers). The RADIUS server holds (or has

access to) user credentials (for example, user names and passwords) and authenticates wireless

users before they gain access to the network.

The strength of WPA comes from an integrated sequence of operations that encompass 802.1X/

EAP authentication and sophisticated key management and encryption techniques. Its major

operations include:

•

Network security capability determination. This occurs at the 802.11 level and is

communicated through WPA information elements in Beacon, Probe Response, and (Re)

Association Requests. Information in these elements includes the authentication method

(802.1X or Pre-shared key) and the preferred cipher suite (WEP, TKIP, or AES).

User Manual for the NETGEAR WGE111 Wireless Game Adapter

Wireless Networking Basics

C-11

The primary information conveyed in the Beacon frames is the authentication method and the

cipher suite. Possible authentication methods include 802.1X and Pre-shared key. Pre-shared

key is an authentication method that uses a statically configured passphrase on both the

stations and the access point. This obviates the need for an authentication server, which in

many home and small office environments will not be available nor desirable. Possible cipher

suites include: WEP, TKIP, and AES (Advanced Encryption Standard). We talk more about

TKIP and AES when addressing data privacy below.

•

Authentication. EAP over 802.1X is used for authentication. Mutual authentication is gained

by choosing an EAP type supporting this feature and is required by WPA. 802.1X port access

control prevents full access to the network until authentication completes. 802.1X

EAPOL-Key packets are used by WPA to distribute per-session keys to those stations

successfully authenticated.

The supplicant in the station uses the authentication and cipher suite information contained in

the information elements to decide which authentication method and cipher suite to use. For

example, if the access point is using the pre-shared key method then the supplicant need not

authenticate using full-blown 802.1X. Rather, the supplicant must simply prove to the access

point that it is in possession of the pre-shared key. If the supplicant detects that the service set

does not contain a WPA information element then it knows it must use pre-WPA 802.1X

authentication and key management in order to access the network.

•

Key management. WPA features a robust key generation/management system that integrates

the authentication and data privacy functions. Keys are generated after successful

authentication and through a subsequent 4-way handshake between the station and access

point.

•

Data Privacy (Encryption). Temporal Key Integrity Protocol (TKIP) is used to wrap WEP in

sophisticated cryptographic and security techniques to overcome most of its weaknesses.

•

Data integrity. TKIP includes a message integrity code (MIC) at the end of each plain text

message to ensure messages are not being spoofed.

User Manual for the NETGEAR WGE111 Wireless Game Adapter

C-12

Wireless Networking Basics

WPA Authentication: Enterprise-level User

Authentication via 802.1x/EAP and RADIUS

Figure C-3:

WPA Overview

IEEE 802.1x offers an effective framework for authenticating and controlling user traffic to a

protected network, as well as providing a vehicle for dynamically varying data encryption keys via

EAP from a RADIUS server, for example. This framework enables using a central authentication

server, which employs mutual authentication so that a rogue wireless user does not join the

network.

It is important to note that 802.1x does not provide the actual authentication mechanisms. When

using 802.1x, the EAP type, such as Transport Layer Security (EAP-TLS), or EAP Tunneled

Transport Layer Security (EAP-TTLS), defines how the authentication takes place.

Note

: For environments with a Remote Authentication Dial-In User Service (RADIUS)

infrastructure, WPA supports Extensible Authentication Protocol (EAP). For environments

without a RADIUS infrastructure, WPA supports the use of a pre-shared key.

Together, these technologies provide a framework for strong user authentication.

Windows XP implements 802.1x natively, and several NETGEAR switch and wireless access

point products support 802.1x.

Certificate

Authority

(for

example

Win Server,

VeriSign)

WPA

enabled

wireless

client with

“supplicant”

TCP/IP

Ports Closed

Until

RADIUS Server

Wired Network with Optional

802.1x Port Based Network

Access Control

WPA enabled

Access Point

using

pre-shared key

or

802.1x

TCP/IP

Ports Opened

After

Authenticated

Wireless LAN

Login

Authentication

User Manual for the NETGEAR WGE111 Wireless Game Adapter

Wireless Networking Basics

C-13

Figure C-4:

802.1x Authentication Sequence

The access point sends Beacon Frames with WPA information elements to the stations in the

service set. Information elements include the required authentication method (802.1x or

Pre-shared key) and the preferred cipher suite (WEP, TKIP, or AES). Probe Responses (AP to

station) and Association Requests (station to AP) also contain WPA information elements.

1.

Initial 802.1x communications begin with an unauthenticated supplicant (client device)

attempting to connect with an authenticator (802.11 access point). The client sends an

EAP-start message. This begins a series of message exchanges to authenticate the client.

2.

The access point replies with an EAP-request identity message.

Client with a WPA-

enabled wireless

adapter and supplicant

(Win XP, Funk,

Meetinghouse)

For example, a

WPA-enabled AP

For example, a

RADIUS server