Page 131 / 148 Scroll up to view Page 126 - 130
Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
Wireless Networking Basics
D-15
202-10090-01, April 2005
Temporal Key Integrity Protocol (TKIP)
WPA uses TKIP to provide important data encryption enhancements including a per-packet key
mixing function, a message integrity check (MIC) named Michael, an extended initialization
vector (IV) with sequencing rules, and a re-keying mechanism. TKIP also provides for the
following:
The verification of the security configuration after the encryption keys are determined.
The synchronized changing of the unicast encryption key for each frame.
The determination of a unique starting unicast encryption key for each preshared key
authentication.
Michael
With 802.11 and WEP, data integrity is provided by a 32-bit
integrity check value
(ICV) that is
appended to the 802.11 payload and encrypted with WEP. Although the ICV is encrypted, you can
use cryptanalysis to change bits in the encrypted payload and update the encrypted ICV without
being detected by the receiver.
With WPA, a method known as
Michael
specifies a new algorithm that calculates an 8-byte
message integrity check (MIC) using the calculation facilities available on existing wireless
devices. The MIC is placed between the data portion of the IEEE 802.11 frame and the 4-byte ICV.
The MIC field is encrypted together with the frame data and the ICV.
Michael also provides replay protection. A new frame counter in the IEEE 802.11 frame is used to
prevent replay attacks.
AES Support for WPA2
One of the encryption methods supported by WPA2 is the advanced encryption standard (AES),
although AES support will not be required initially for Wi-Fi certification. This is viewed as the
optimal choice for security conscience organizations, but the problem with AES is that it requires a
fundamental redesign of the NIC’s hardware in both the station and the access point. TKIP is a
pragmatic compromise that allows organizations to deploy better security while AES capable
equipment is being designed, manufactured, and incrementally deployed.
Page 132 / 148
Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
D-16
Wireless Networking Basics
202-10090-01, April 2005
Is WPA/WPA2 Perfect?
WPA/WPA2 is not without its vulnerabilities. Specifically, it is susceptible to denial of service
(DoS) attacks. If the access point receives two data packets that fail the message integrity code
(MIC) within 60 seconds of each other, then the network is under an active attack, and as a result,
the access point employs counter measures, which include disassociating each station using the
access point. This prevents an attacker from gleaning information about the encryption key and
alerts administrators, but it also causes users to lose network connectivity for 60 seconds. More
than anything else, this may just prove that no single security tactic is completely invulnerable.
WPA/WPA2 is a definite step forward in WLAN security over WEP and has to be thought of as a
single part of an end-to-end network security strategy.
Product Support for WPA/WPA2
Starting in August, 2003, NETGEAR, Inc. wireless Wi-Fi certified products will support the WPA
standard. NETGEAR, Inc. wireless products that had their Wi-Fi certification approved before
August, 2003 will have one year to add WPA so as to maintain their Wi-Fi certification.
WPA/WPA2 requires software changes to the following:
Wireless access points
Wireless network adapters
Wireless client programs
Supporting a Mixture of WPA, WPA2, and WEP Wireless Clients is Discouraged
To support the gradual transition of WEP-based wireless networks to WPA/WPA2, a wireless AP
can support both WEP and WPA/WPA2 clients at the same time. During the association, the
wireless AP determines which clients use WEP and which clients use WPA/WPA2. The
disadvantage to supporting a mixture of WEP and WPA/WPA2 clients is that the global encryption
key is not dynamic. This is because WEP-based clients cannot support it. All other benefits to the
WPA clients, such as integrity, are maintained.
However, a mixed mode supporting WPA/WPA2 and non-WPA/WPA2 clients would offer
network security that is no better than that obtained with a non-WPA/WPA2 network, and thus this
mode of operation is discouraged.
Page 133 / 148
Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
Wireless Networking Basics
D-17
202-10090-01, April 2005
Changes to Wireless Access Points
Wireless access points must have their firmware updated to support the following:
The new WPA/WPA2 information element
To advertise their support of WPA/WPA2, wireless APs send the beacon frame with a new
802.11 WPA/WPA2 information element that contains the wireless AP's security configuration
(encryption algorithms and wireless security configuration information).
The WPA/WPA2 two-phase authentication
Open system, then 802.1x (EAP with RADIUS or preshared key).
TKIP
Michael
AES
(WPA2)
To upgrade your wireless access points to support WPA/WPA2, obtain a WPA/WPA2 firmware
update from your wireless AP vendor and upload it to your wireless AP.
Changes to Wireless Network Adapters
Wireless networking software in the adapter, and possibly in the OS or client application, must be
updated to support the following:
The new WPA/WPA2 information element
Wireless clients must be able to process the WPA/WPA2 information element and respond
with a specific security configuration.
The WPA/WPA2 two-phase authentication
Open system, then 802.1x supplicant (EAP or preshared key).
TKIP
Michael
AES
(WPA2)
To upgrade your wireless network adapters to support WPA/WPA2, obtain a WPA/WPA2 update
from your wireless network adapter vendor and update the wireless network adapter driver.
For Windows wireless clients, you must obtain an updated network adapter driver that supports
WPA. For wireless network adapter drivers that are compatible with Windows XP (Service Pack 1)
and Windows Server 2003, the updated network adapter driver must be able to pass the adapter's
WPA capabilities and security configuration to the Wireless Zero Configuration service.
Page 134 / 148
Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
D-18
Wireless Networking Basics
202-10090-01, April 2005
Microsoft has worked with many wireless vendors to embed the WPA driver update in the wireless
adapter driver. So, to update your Microsoft Windows wireless client, all you have to do is obtain
the new WPA/WPA2-compatible driver and install the driver.
Changes to Wireless Client Programs
Wireless client programs must be updated to permit the configuration of WPA/WPA2
authentication (and preshared key) and the new WPA/WPA2 encryption algorithms (TKIP and
AES).
To obtain the Microsoft WPA client program, visit the Microsoft Web site.
Note
: The Microsoft WPA2 client is still in beta.
Page 135 / 148
Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
Glossary
-1
202-10090-01, April 2005
Glossary
Use the list below to find definitions for technical terms used in this manual.
802.11 Standard
802.11, or IEEE 802.11, is a type of radio technology used for wireless local area networks (WLANs). It is a
standard that has been developed by the IEEE (Institute of Electrical and Electronic Engineers),
. The IEEE is an international organization that develops standards for hundreds of
electronic and electrical technologies. The organization uses a series of numbers, like the Dewey Decimal
system in libraries, to differentiate between the various technology families.
The 802 subgroup (of the IEEE) develops standards for local and wide area networks with the 802.11 section
reviewing and creating standards for wireless local area networks.
Wi-Fi , 802.11, is composed of several standards operating in different radio frequencies: 802.11b is a
standard for wireless LANs operating in the 2.4 GHz spectrum with a bandwidth of 11 Mbps; 802.11a is a
different standard for wireless LANs, and pertains to systems operating in the 5 GHz frequency range with a
bandwidth of 54 Mbps. Another standard, 802.11g, is for WLANS operating in the 2.4 GHz frequency but
with a bandwidth of 54 Mbps.
802.11a Standard
An IEEE specification for wireless networking that operates in the 5 GHz frequency range (5.15 GHz to
5.85 GHz) with a maximum 54 Mbps data transfer rate. The 5 GHz frequency band is not as crowded as the
2.4 GHz frequency, because the 802.11a specification offers more radio channels than the 802.11b. These
additional channels can help avoid radio and microwave interference.
802.11b Standard
International standard for wireless networking that operates in the 2.4 GHz frequency range (2.4 GHz to
2.4835 GHz) and provides a throughput of up to 11 Mbps. This is a very commonly used frequency.
Microwave ovens, cordless phones, medical and scientific equipment, as well as Bluetooth devices, all work
within the 2.4 GHz frequency band.
802.11d Standard
802.11d is an IEEE standard supplementary to the Media Access Control (MAC) layer in 802.11 to promote
worldwide use of 802.11 WLANs. It will allow access points to communicate information on the
permissible radio channels with acceptable power levels for client devices. The devices will automatically
adjust based on geographic requirements.
The purpose of 11d is to add features and restrictions to allow WLANs to operate within the rules of these
countries. Equipment manufacturers do not want to produce a wide variety of country-specific products and
users that travel do not want a bag full of country-specific WLAN PC cards. The outcome will be
country-specific firmware solutions.

Rate

3.5 / 5 based on 2 votes.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top