| Wi-fi Protected Access |
Website Links For Access |
Information AboutWi-fi Protected Access |
| CATEGORIES ABOUT WI-FI PROTECTED ACCESS | |
| cryptographic protocols | |
| computer network security | |
| ieee 802.11 | |
HISTORY WPA was created by The Wi-Fi Alliance , an industry trade group, which owns the trademark to the Wi-Fi name and certifies devices that carry that name. Certifications for implementations of WPA started in April 2003 and became mandatory in November 2003 . The full 802.11i was ratified in June 2004 . WPA is designed for use with an 802.1X authentication server, which distributes different keys to each user; however, it can also be used in a less secure "pre-shared key" (PSK) mode, where every user is given the same passphrase. The Wi-Fi Alliance calls the pre-shared key version ''WPA-Personal'' or ''WPA2-Personal'' and the 802.1X authentication version ''WPA-Enterprise'' or ''WPA2-Enterprise''. Data is encrypted using the RC4 Stream Cipher , with a 128-bit key and a 48-bit Initialization Vector (IV). One major improvement in WPA over WEP is the Temporal Key Integrity Protocol ( TKIP ), which dynamically changes keys as the system is used. When combined with the much larger IV, this defeats the well-known Key Recovery Attacks on WEP. In addition to authentication and encryption, WPA also provides vastly improved payload integrity. The Cyclic Redundancy Check (CRC) used in WEP is inherently insecure; it is possible to alter the payload and update the message CRC without knowing the WEP key. A more secure Message Authentication Code (usually known as a MAC, but here termed a MIC for " Message Integrity Code ") is used in WPA, an algorithm named "Michael". The MIC used in WPA includes a frame counter, which prevents Replay Attacks being executed; this was another weakness in WEP. WPA was formulated as an intermediate step towards improved 802.11 security for two reasons: first, 802.11i's work lasted far longer than originally anticipated, spanning four years, during a period of ever-increasing worries about wireless security; second, it encompasses as a subset of 802.11i only elements that were backwards compatible with WEP for even the earliest 802.11b adopters. WPA firmware upgrades have been provided for the vast majority of Wireless Network Interface Card s ever shipped; 802.11 Access Point s sold before 2003 generally needed to be replaced. By increasing the size of the keys and IVs, reducing the number of packets sent with related keys, and adding a secure message verification system, WPA makes breaking into a Wireless LAN far more difficult. The Michael algorithm was the strongest that WPA designers could come up with that would still work with most older network cards; however it is subject to a packet forgery attack. To limit this risk, WPA networks shut down for 60 seconds whenever an attempted attack is detected. WPA2 WPA2 is the certified form of supports WPA2 on all AirPort Extreme -enabled Macintoshes , the AirPort Extreme Base Station, and the AirPort Express . Firmware upgrades needed are included in AirPort 4.2, released July 14 , 2005 . Note that from March 13 , 2006 , WPA2 certification is mandatory for all new devices wishing to be Wi-Fi certified. SECURITY IN PRE-SHARED KEY MODE
Security is strengthened by employing a PBKDF2 Key Derivation Function . However, the weak passphrases users typically employ are vulnerable to Password Cracking attack. Password cracking can be defeated by using a passphrase of at least 5 Diceware words or 14 completely random letters with WPA and WPA2. For maximum strength, 8 Diceware words or 22 random characters should be employed. Passphrases should be changed at regular intervals, or whenever an individual with access is no longer authorized to use the network or when a device configured to use the network is lost or compromised. Some consumer chip manufacturers have attempted to bypass weak passphrase choice by adding a method of automatically generating and distributing strong keys through a software or hardware interface that uses an external method of adding a new Wi-Fi adapter or appliance to a network. These methods include pushing a button ( JumpStart ). EAP TYPES UNDER WPA- AND WPA2- ENTERPRISE The Wi-Fi alliance has announced the inclusion of additional EAP ( Extensible Authentication Protocol ) types to its certification programs for WPA- and WPA2- Enterprise. This was to ensure that WPA-Enterprise certified products can interoperate with one another. Previously, only EAP-TLS ( Transport Layer Security ) was certified by the Wi-Fi alliance. The EAP types now included in the certification program are:
Other EAP types may be supported by 802.1X clients and servers developed by specific firms. This certification is an attempt for popular EAP types to interoperate; their failure to do so is currently one of the major issues preventing rollout of 802.1X on heterogeneous networks. SEE ALSO
REFERENCES
EXTERNAL LINKS
|
|
|