By 2001, hacker attacks on WEP had made strengthened wireless security imperative. The IEEE began work on 802.11i, an improved standard. In 2003, rather than wait until final approval of the standard, the Wi-Fi Alliance created Wi-Fi Protected Access (WPA), which is based on a subset of the then-current 802.11i draft.
WPA was carefully designed so that hardware upgrades would not be needed. The processing power of many early access points (APs) was quite limited. The RC4 cipher was chosen for WEP because it does not require a powerful CPU. WPA retains the use of RC4 but adds features designed to address the deficiencies in the way that WEP uses the cipher:
- Stronger authentication: An 802.1x server, such as a Radius server, can be used to authenticate users individually.
- A longer key: WPA lengthens the Initialization Vector (IV) to 48 bits and the master key to 128 bits.
- Temporal Key Integrity Protocol (TKIP) generates different keys for each client and alters keys for each successive packet.
- A message integrity code (MIC), or cryptographic checksum, verifies that messages have not been altered in transit and protects against replay attempts.
WPA can be used in either of two modes: Personal or Enterprise.
- Personal mode: This utilizes manually configured keys in the same manner as WEP. All clients use the same initial master key.
- Enterprise mode: The AP uses Extensible Authentication Protocol (EAP) to negotiate a pair-wise master key with each client individually. The AP then verifies the identity of the client with an 802.1x server. The result is that each client that is permitted to use the network is validated against information configured in the 802.1x server and uses a key different from the keys used by other clients.
EAP, defined by RFC 3748, is an extensible protocol. It does not define a specific authentication protocol but simply specifies a set of functions and formats. A large number of EAP methods have been defined. The Wi-Fi Alliance has chosen a subset of the available methods.
Reuse of keys provides a hacker with a great deal of data to use to determine the master key. With WEP, all stations used the same master key, and the 24-bit IV generated only 16 million possible values, so that on a busy network the same IV would be used within hours. It would take years to exhaust all of the values of a 48-bit IV.
In addition to increasing the length of the IV, TKIP solves the problem of weak IVs. Approximately 9,000 of the 16 million WEP IVs are called weak IVs because they reveal more about the master key than other IVs. The TKIP algorithm eliminates weak IVs.
In Enterprise mode, the 802.1x server supplies a different master key to each client, but in Personal mode, all master keys are the same. The TKIP algorithm combines the IV and the master key with the sender's MAC address and adds a sequence counter. Inclusion of the MAC address in the key means that the same combined key will not be used by all clients. Including the packet sequence number generates a different combined key for each subsequent packet.
Use of the sequence number also provides a way to eliminate replay attacks. The receiving station can detect that the sequence number has not advanced as it should with each received packet.
Message integrity check
The CRC32 checksum used in WEP did not provide adequate protection. A hacker can modify a WEP packet by changing one or more bits in the packet and making corresponding changes in the checksum. WPA uses a MIC algorithm called Michael. It provides much greater protection than CRC32, while requiring limited processor resources.
The IEEE 802.11i standard was finalized in June 2004. The Wi-Fi Alliance applies the term WPA2 to its implementation of the standard's mandatory requirements. Since spring 2006, the Wi-Fi alliance has required that a product support WPA2 in order to be labeled "Wi-Fi certified."
WPA2 uses the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) protocol, based on the Advanced Encryption Standard (AES) algorithm for authentication and data encryption. TKIP greatly increases the difficulty of intercepting wireless traffic over WEP, but CCMP is more secure than the combination of RC4 and TKIP. Since CCMP requires more processor cycles than RC4, an upgrade to WPA2 may require replacement of APs or client wireless interfaces.
Both Personal and Enterprise modes are supported. In Personal mode, the pre-shared key is combined with the SSID to create the pairwise master key (PMK). The client and AP exchange messages using the PMK to create the pairwise transient key (PTK).
In Enterprise mode, after successfully authenticating -- using one of the EAP methods -- the client and AP receive messages from the 801.1x server that both use to create the PMK. They then exchange messages to create the PTK. The PTK is then used to encrypt and decrypt messages.
In both cases, Personal and Enterprise, a group temporal key (GTK) is created during the exchange between the client and AP. The GTK is used to decrypt broadcast and multi-cast messages.
WPA2 also adds methods to speed the handoff as a client moves from AP to AP. The process of authenticating with an 802.1x server and generating keys takes enough time to cause a noticeable interruption of a voice over wireless call. WPA2 specifies ways in which a client can pre-authorize with neighboring APs. APs and clients can also retain keys so that a client returning to an AP can quickly resume communication.
About the author:
David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software startups.