WPA (Wi-Fi Protected Access) is the wireless networking security standard that is
rapidly replacing the older WEP (Wired Equivalent Privacy)
standard. WPA and its younger sibling WPA2 are newer standards based on
the ratified IEEE 802.11i amendment, which set out to address some of the
disadvantages of WEP.
This wireless security standard plays a vital role in the security of wireless networks today.
This tutorial is a continuation of the first page: Wireless Wi-Fi network security tutorial 101 (part 1)
WPA Wi-Fi Protected Access (WPA & WPA2)
WPA builds upon WEP, making it more secure by adding extra security
algorithms and mechanisms to fight intrusion. Perhaps the most important
improvements over WEP are a dynamic security key exchange mechanism and
much improved authentication and encryption mechanisms.
WPA-802.1x and WPA-PSK
WPA comes in two flavors: WPA-802.1x and WPA-PSK.
WPA-802.1x is a good choice for large businesses because it combines
access point authentication with another layer of authentication through
external authentication services.
This means that after the authenticating user associates with the
wireless access point, his or her credentials are also checked against a
locally stored database or even external sources (for example RADIUS or
Kerberos). Authentication servers also distribute security keys to
individual users dynamically.
WPA-PSK, on the other hand, is a solution for small businesses and homes. It uses a
so-called Pre-Shared Key (PSK), which from the user's perspective is similar to how
security keys are implemented with WEP, but in a more secure way
(more about this in the TKIP section below).
The following table compares WPA-802.1x, WPA-PSK, and WEP in their
suitability for large corporations or home and small business use:
Now let's take a look at the difference between WPA and WPA2.
WPA and WPA2
WPA is also better than WEP in its data encryption abilities. While WEP
uses the same static security key for both encryption and decryption of
all communication (the key never expires), WPA implements a mechanism
involving a number of security keys. This is done through the so-called Temporal Key Integrity Protocol (TKIP).
This is a revolutionary improvement because even if an intruder
obtains one security key, he will not be able to use it for long. This
system changes the security key used for data transmission at a
specified interval to prevent cracking attempts.
When we talk about security keys,
we are really talking about the mechanism that manages them. The TKIP
mechanism shares a starting key between devices, but each device then
changes its encryption key for the ongoing communication.
First, initial authentication is done using the Pre-Shared Key
set in the wireless configuration (the key that is set at the access
point and then distributed by the admin to clients). So far, the concept
of WPA is the same as in WEP. However, once the initial
authentication is completed, another so-called Master Key is generated, which is bound to the particular session between the access point and the client.
The Master Key is then further split into the so-called Group Transient Key, which secures multicast and broadcast messages sent by the access point to the clients, and another security key called the Pairwise Transient Key, which secures the unicast messages sent from wireless clients to the access point.
Some wireless
routers provide a function allowing the administrator to control how
often the Group Transient Key is changed by the access point.
As you can see, this mechanism is in principle quite hard to crack because
even if the attacker captures some security key from the data flow, it
is limited to a single session and can even expire within that session
as well.
Encryption algorithm and security fundamentals
WPA employs the RC4 encryption mechanism, which is the same as in WEP, but WPA uses a
longer security key, 128 bit in length (compared to 104 bit in WEP)
and a longer initialization vector, 48 bit in length (compared to 24 bit
in WEP). This gives WPA more strength compared to WEP because a hacker
would need to capture significantly more data packets in the case of WPA
when trying to perform a so-called statistical attack.
Data integrity control
WPA also provides better data integrity control when compared to WEP. This
prevents hackers from capturing existing data packets, modifying them,
and then re-sending them to the access point. In simple words, WPA includes
a mechanism to determine whether a received packet has already been sent
or not.
Encryption algorithms in WPA2
WPA2 complements TKIP and the improved data integrity control algorithm with a more secure encryption mechanism called Advanced Encryption Standard (AES) - Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).
In other words, this means an improved encryption algorithm. Experts
say that AES-CCMP is robust enough to be used for government data
security purposes.
What are the disadvantages of WPA?
The disadvantage of WPA is that older wireless access points may need to
have their firmware updated. Wireless clients' software also may need to
be upgraded. For example, clients based on Windows XP effectively
require either Service Pack 2 and some patches or the addition of the
WPA client to their wireless configuration.
If the AES algorithm is your choice, then know that it requires special
hardware support, so a firmware/driver update on an older router does not
get AES to work. AES requires AES-enabled hardware. Even with simple WPA,
encryption and decryption are slower for devices using software rather than
dedicated WPA hardware support.
WPA-802.1x together with RADIUS is more complicated to set up than an average home user is willing to do.
WPA2 is known to cause significant CPU overhead because the AES
cryptographic algorithm is simply more resource-demanding than the RC4
algorithm.
In any case, since WPA adds to the packet size, transmission takes longer.
How can I implement WPA in my network?
You can find more about this on the next page: How to set up and configure WPA-PSK in Windows?
How else can I improve my security?
Wireless network security does not stop with the selection of the best standard.
There are many other security steps that can be taken to further
improve your network. See the third part of this tutorial: IPSec, VPN, architecture (wireless security tutorial - part 3)
Is WPA backwards compatible with WEP?
Yes, a wireless access point that is set up to use primarily WPA can still
authenticate WEP clients at the same time. During the association,
the access point determines which clients use WEP and which clients use
WPA and behaves accordingly. However, supporting a mixture of WEP and
WPA clients is problematic; therefore, it is suggested that all clients be
upgraded to WPA once it is determined that WPA security should be
implemented at the access point.
Where can I find more details about WPA and WPA2?
We suggest visiting the following link:
http://tldp.org/HOWTO/8021X-HOWTO/index.html
OK, maybe that is all I can give; sorry if there is a shortage, and I hope it may be useful.
Thanks for your attention.