Wi-Fi Protected Access (WPA)

In 2004, the 802.11i security amendment was ratified. The 802.11i amendment defines an enterprise authentication method as well as a method of authentication for home use.

The 802.11i amendment requires the use of an 802.1X/EAP authentication method in the enterprise and the use of a preshared key or a passphrase in a SOHO environment.

The 802.11i amendment also requires the use of stronger dynamic key management encryption methods. CCMP/AES encryption is the default encryption method, while TKIP/RC4 is the optional encryption method as defined by the 802.11i amendment.

Prior to the ratification of the 802.11i amendment, the Wi-Fi Alliance introduced the Wi-Fi Protected Access (WPA) certification as a snapshot of the not-yet-released 802.11i amendment, supporting only TKIP/RC4 dynamic encryption key management.

802.1X/EAP authentication was required in the enterprise and passphrase authentication in a SOHO environment. After 802.11i was ratified, the Wi-Fi Alliance introduced the WPA2 certification.

WPA2 is a more complete implementation of the 802.11i amendment and supports both CCMP/AES and TKIP/RC4 dynamic encryption key management. 802.1X/EAP authentication is required in the enterprise and passphrase authentication in a SOHO environment.

Robust Security Network (RSN)

The 802.11i amendment defines what is known as a robust security network (RSN) and robust security network associations (RSNAs). Under 802.11i, two stations (STAs) must establish a procedure to authenticate and associate with each other as well as create dynamic encryption keys through a process known as the 4-way handshake.

This association between two stations is referred to as an RSNA. A robust security network (RSN) is a network that only allows for the creation of robust security network associations (RSNAs).

An RSN can be identified by a new field found in beacons, probe response frames, association request frames, and re-association request frames. This new field is known as the RSN Information Element (IE).

This field may identify the cipher suite capabilities of each station. The 802.11.i amendment does allow for the creation of pre-robust security network associations (pre-RSNAs) as well as RSNAs.

In other words, legacy security measures can be supported in the same basic service set (BSS) along with 802.11i security defined mechanisms. A transition security network (TSN) supports 802.11i defined security as well as legacy security such as WEP within the same BSS.

4-Way Handshake

Dynamic encryption key management is much more complicated under the 802.11i amendment as opposed to the generation of dynamic WEP keys described earlier. Robust secure network associations (RSNAs) utilize a dynamic encryption key management method that actually involves the creation of five separate keys.

It is beyond the scope of this book to fully explain this entire process, but a brief explanation is appropriate. Part of the RSNA process involves the creation of two master keys known as the Group Master Key (GMK) and the Pairwise Master Key (PMK).

These keys are created as a result of 802.1X/EAP authentication. A PMK can also be created from a preshared key (WPA2 Passphrase) typically used in SOHO authentication. These master keys are the seeding material that is used to create the final dynamic keys that are actually used for encryption and decryption.

The final encryption keys are known as the Pairwise Transient Key (PTK) and the Group Temporal Key (GTK). These final keys are created during a four-way EAP frame exchange that is known as the 4-way handshake.

The 4-way handshake will always be the final four frames exchanged during either 802.1X/EAP authentication or passphrase authentication. Whenever TKIP/RC4 or CCMP/AES dynamic keys are created, the 4-way handshake must occur.

WPA/WPA2 Personal

Do you have a RADIUS server in your home or small business? The answer to that question will almost always be no. If you do not own a RADIUS server, 802.1X/EAP authentication will not be possible. WPA/WPA2 Enterprise solutions require 802.1X for mutual authentication using some form of EAP.

Additionally, an authentication server will be needed. Because most of us do not have a RADIUS server in our basement, the 802.11i amendment offers a simpler method of authentication using a preshared key (PSK).

This method involves manually typing matching passphrases on both the access point and all client stations that will need to be able to associate to the wireless network.

An algorithm is run that converts the passphrase to a Pairwise Master Key (PMK) used with the 4-way handshake to create the final dynamic encryption keys. This simple method of authentication and encryption key generation is known as WPA/WPA2 Personal.

Other names include WPA/WPA2 Pre-Shared Key and WPA/WPA2 PSK. While this is certainly better than static WEP, it still requires significant administrative overhead and has potential social engineering issues in a corporate or enterprise environment.

An 802.1X/EAP solution as defined by WPA/WPA2 Enterprise is the preferred method of security in a corporate and workplace environment.

TKIP

The optional encryption method defined by the 802.11i amendment is Temporal Key Integrity Protocol (TKIP). This method uses the RC4 cipher just as WEP encryption does. As a matter of fact, TKIP is actually an enhancement of WEP encryption that addresses many of the known weaknesses of WEP.

TKIP starts with a 128-bit temporal key that is combined with a 48-bit Initialization Vector (IV) and source and destination MAC addresses in a complicated process known as per-packet key mixing. This key mixing process mitigates the known IV collision and weak key attacks used against WEP.

TKIP also uses a sequencing method to mitigate the re-injection attacks used against WEP. Additionally, TKIP uses a stronger data integrity check known as the Message Integrity Check (MIC) to mitigate known bit-flipping attacks against WEP.

The MIC is sometimes referred to by the nickname Michael. WEP encryption will add an extra 8 bytes of overhead to the body of an 802.11 data frame. When TKIP is implemented, because of the extra overhead from the extended IV and the MIC, a total of 20 bytes of overhead is added to the body of an 802.11 data frame.

Because TKIP uses the RC4 algorithm and is simply WEP that has been enhanced, most vendors released a WPA firmware upgrade that gave legacy WEP-only cards the capability of using TKIP encryption.

CCMP

The default encryption method defined under the 802.11i amendment is known as Counter mode with Cipher Block Chaining-Message Authentication Code (CCMP). This method uses the Advanced Encryption Standard (AES) algorithm (Rijndael algorithm).

CCMP/AES uses a 128-bit encryption key size and encrypts in 128-bit fixed length blocks. An 8-byte Message Integrity Check is used that is considered much stronger than the one used in TKIP.

Also, because of the strength of the AES cipher, per-packet key mixing is unnecessary. CCMP/AES encryption will add an extra 16 bytes of overhead to the body of an 802.11 data frame.

Because the AES cipher is processor intensive, older legacy radio cards will not have the processing power necessary to perform AES calculations. Older radio cards will not be firmware upgradeable and a hardware upgrade is often needed to support WPA2.

Because of the requirement to upgrade the hardware to implement AES, the transition to WPA2 has been slow. For wireless security solutions, it is a recommended practice to choose hardware that handles the processing needs of CCMP/AES encryption.

There are some vendors that still attempt to achieve this in software rather than through a hardware mechanism. Software solutions will always perform substantially slower. It is recommended that a device is selected with a CCMP/AES solution implemented on the card’s chipset.