User Manual for the NETGEAR WGE111 Wireless Game Adapter

C-14

Wireless Networking Basics

3.

The client sends an EAP-response packet containing the identity to the authentication server.

The access point responds by enabling a port for passing only EAP packets from the client to

an authentication server located on the wired side of the access point. The access point blocks

all other traffic, such as HTTP, DHCP, and POP3 packets, until the access point can verify the

client's identity using an authentication server (for example, RADIUS).

4.

The authentication server uses a specific authentication algorithm to verify the client's identity.

This could be through the use of digital certificates or some other EAP authentication type.

5.

The authentication server will either send an accept or reject message to the access point.

6.

The access point sends an EAP-success packet (or reject packet) to the client.

7.

If the authentication server accepts the client, then the access point will transition the client's

port to an authorized state and forward additional traffic.

The important part to know at this point is that the software supporting the specific EAP type

resides on the authentication server and within the operating system or application “supplicant”

software on the client devices. The access point acts as a “pass through” for 802.1x messages,

which means that you can specify any EAP type without needing to upgrade an 802.1x-compliant

access point. As a result, you can update the EAP authentication type to such devices as token

cards (Smart Cards), Kerberos, one-time passwords, certificates, and public key authentication, or

as newer types become available and your requirements for security change.

WPA Data Encryption Key Management

With 802.1x, the rekeying of unicast encryption keys is optional. Additionally, 802.11 and 802.1x

provide no mechanism to change the global encryption key used for multicast and broadcast

traffic. With WPA, rekeying of both unicast and global encryption keys is required.

For the unicast encryption key, the Temporal Key Integrity Protocol (TKIP) changes the key for

every frame, and the change is synchronized between the wireless client and the wireless access

point (AP). For the global encryption key, WPA includes a facility (the Information Element) for

the wireless AP to advertise the changed key to the connected wireless clients.

If configured to implement dynamic key exchange, the 802.1x authentication server can return

session keys to the access point along with the accept message. The access point uses the session

keys to build, sign and encrypt an EAP key message that is sent to the client immediately after

sending the success message. The client can then use contents of the key message to define

applicable encryption keys. In typical 802.1x implementations, the client can automatically change

encryption keys as often as necessary to minimize the possibility of eavesdroppers having enough

time to crack the key in current use.

User Manual for the NETGEAR WGE111 Wireless Game Adapter

Wireless Networking Basics

C-15

Temporal Key Integrity Protocol (TKIP)

WPA uses TKIP to provide important data encryption enhancements including a per-packet key

mixing function, a message integrity check (MIC) named Michael, an extended initialization

vector (IV) with sequencing rules, and a re-keying mechanism. TKIP also provides for the

following:

•

The verification of the security configuration after the encryption keys are determined.

•

The synchronized changing of the unicast encryption key for each frame.

•

The determination of a unique starting unicast encryption key for each preshared key

authentication.

Michael

With 802.11 and WEP, data integrity is provided by a 32-bit

integrity check value

(ICV) that is

appended to the 802.11 payload and encrypted with WEP. Although the ICV is encrypted, you can

use cryptanalysis to change bits in the encrypted payload and update the encrypted ICV without

being detected by the receiver.

With WPA, a method known as

Michael

specifies a new algorithm that calculates an 8-byte

message integrity check (MIC) using the calculation facilities available on existing wireless

devices. The MIC is placed between the data portion of the IEEE 802.11 frame and the 4-byte ICV.

The MIC field is encrypted together with the frame data and the ICV.

Michael also provides replay protection. A new frame counter in the IEEE 802.11 frame is used to

prevent replay attacks.

Optional AES Support to be Phased In

One of the encryption methods supported by WPA, besides TKIP, is the advanced encryption

standard (AES), although AES support will not be required initially for Wi-Fi certification. This is

viewed as the optimal choice for security conscience organizations, but the problem with AES is

that it requires a fundamental redesign of the NIC’s hardware in both the station and the access

point. TKIP is a pragmatic compromise that allows organizations to deploy better security while

AES capable equipment is being designed, manufactured, and incrementally deployed.

User Manual for the NETGEAR WGE111 Wireless Game Adapter

C-16

Wireless Networking Basics

Is WPA Perfect?

WPA is not without its vulnerabilities. Specifically, it is susceptible to denial of service (DoS)

attacks. If the access point receives two data packets that fail the message integrity code (MIC)

within 60 seconds of each other, then the network is under an active attack, and as a result, the

access point employs counter measures, which include disassociating each station using the access

point. This prevents an attacker from gleaning information about the encryption key and alerts

administrators, but it also causes users to lose network connectivity for 60 seconds. More than

anything else, this may just prove that no single security tactic is completely invulnerable. WPA is

a definite step forward in WLAN security over WEP and has to be thought of as a single part of an

end-to-end network security strategy.

Product Support for WPA

WPA requires software changes to the following:

•

Wireless access points

•

Wireless network adapters

•

Wireless client programs

Supporting a Mixture of WPA and WEP Wireless Clients is Discouraged

To support the gradual transition of WEP-based wireless networks to WPA, a wireless AP can

support both WEP and WPA clients at the same time. During the association, the wireless AP

determines which clients use WEP and which clients use WPA. The disadvantage to supporting a

mixture of WEP and WPA clients is that the global encryption key is not dynamic. This is because

WEP-based clients cannot support it. All other benefits to the WPA clients, such as integrity, are

maintained.

However, a mixed mode supporting WPA and non-WPA clients would offer network security that

is no better than that obtained with a non-WPA network, and thus this mode of operation is

discouraged.

User Manual for the NETGEAR WGE111 Wireless Game Adapter

Wireless Networking Basics

C-17

Changes to Wireless Access Points

Wireless access points must have their firmware updated to support the following:

•

The new WPA information element

To advertise their support of WPA, wireless APs send the beacon frame with a new 802.11

WPA information element that contains the wireless AP's security configuration (encryption

algorithms and wireless security configuration information).

•

The WPA two-phase authentication

Open system, then 802.1x (EAP with RADIUS or preshared key).

•

TKIP

•

Michael

•

AES

(optional)

To upgrade your wireless access points to support WPA, obtain a WPA firmware update from your

wireless AP vendor and upload it to your wireless AP.

Changes to Wireless Network Adapters

Wireless networking software in the adapter, and possibly in the OS or client application, must be

updated to support the following:

•

The new WPA information element

Wireless clients must be able to process the WPA information element and respond with a

specific security configuration.

•

The WPA two-phase authentication

Open system, then 802.1x supplicant (EAP or preshared key).

•

TKIP

•

Michael

•

AES

(optional)

To upgrade your wireless network adapters to support WPA, obtain a WPA update from your

wireless network adapter vendor and update the wireless network adapter driver.

For Windows wireless clients, you must obtain an updated network adapter driver that supports

WPA. For wireless network adapter drivers that are compatible with Windows XP (Service Pack 1)

and Windows Server 2003, the updated network adapter driver must be able to pass the adapter's

WPA capabilities and security configuration to the Wireless Zero Configuration service.

User Manual for the NETGEAR WGE111 Wireless Game Adapter

C-18

Wireless Networking Basics

Microsoft has worked with many wireless vendors to embed the WPA firmware update in the

wireless adapter driver. So, to update your Microsoft Windows wireless client, all you have to do is

obtain the new WPA-compatible driver and install the driver. The firmware is automatically

updated when the wireless network adapter driver is loaded in Windows.

Changes to Wireless Client Programs

Wireless client programs must be updated to permit the configuration of WPA authentication (and

preshared key) and the new WPA encryption algorithms (TKIP and the optional AES component).

To obtain the Microsoft WPA client program, visit the Microsoft Web site.