
Wi-Fi Protected Access 2 (WPA2) Overview

By The Cable Guy

The original IEEE 802.11 standard provided the following set of security features to secure wireless LAN communication:

- Two different authentication methods: Open system and shared key
- The Wired Equivalent Privacy (WEP) encryption algorithm
- An Integrity Check Value (ICV), encrypted with WEP, which provided data integrity

Over time, these security features proved to be insufficient to protect wireless LAN communication in common scenarios. To address the security issues of the original IEEE 802.11 standard, the following additional technologies are used:

The IEEE 802.1X Port-Based Network Access Control standard is an optional method for authenticating 802.11 wireless clients. IEEE 802.1X provides per-user identification and authentication, extended authentication methods, and, depending on the authentication method, encryption key management: dynamic, per-station or per-session key management and rekeying.

Wi-Fi Protected Access (WPA) is an interim standard adopted by the Wi-Fi Alliance to provide more secure encryption and data integrity while the IEEE 802.11i standard was being ratified. WPA supports authentication through 802.1X (known as WPA Enterprise) or with a preshared key (known as WPA Personal), a new encryption algorithm known as the Temporal Key Integrity Protocol (TKIP), and a new integrity algorithm known as Michael. WPA is a subset of the 802.11i specification.

The IEEE 802.11i standard formally replaces Wired Equivalent Privacy (WEP) and the other security features of the original IEEE 802.11 standard. WPA2 is a product certification available through the Wi-Fi Alliance that certifies wireless equipment as being compatible with the 802.11i standard. The goal of WPA2 certification is to support the additional mandatory security features of the 802.11i standard that are not already included for products that support WPA. Like WPA, WPA2 offers both Enterprise and Personal modes of operation. Windows Vista, Windows XP with SP3, and Windows Server 2008 support WPA2. For WPA2 support in Windows XP with SP2, install the Wireless Client Update for Windows XP with Service Pack 2. This article describes the features of WPA2 security and the support for WPA2 included with Windows XP SP3 and the Wireless Client Update for Windows XP with SP2.

Features of WPA2 Security


The following features of WPA2 security are supported in Windows XP SP3 and the Wireless Client Update for Windows XP with SP2:

WPA2 authentication

For WPA2 Enterprise, WPA2 requires authentication in two phases; the first is an open system authentication and the second uses 802.1X and an Extensible Authentication Protocol (EAP) authentication method. For environments without a Remote Authentication Dial-In User Service (RADIUS) infrastructure such as small office/home office (SOHO) networks, WPA2 Personal supports the use of a preshared key (PSK).

WPA2 key management

Like WPA, WPA2 requires the determination of a mutual pairwise master key (PMK) based on the EAP or PSK authentication processes and the calculation of pairwise transient keys through a 4-way handshake. For more information, see Wi-Fi Protected Access Data Encryption and Integrity.

Advanced Encryption Standard

WPA2 requires support for the Advanced Encryption Standard (AES) using the Counter Mode-Cipher Block Chaining (CBC)-Message Authentication Code (MAC) Protocol (CCMP). AES Counter Mode is a block cipher that encrypts 128-bit blocks of data at a time with a 128-bit encryption key. The CBC-MAC algorithm produces a message integrity code (MIC) that provides data origin authentication and data integrity for the wireless frame. A Packet Number field included in the WPA2-protected wireless frame and incorporated into the encryption and MIC calculations provides replay protection. AES encryption meets the Federal Information Processing Standard (FIPS) 140-2 requirement.

Additional Features of WPA2 for Fast Roaming


When a wireless client authenticates using 802.1X, there are a series of messages sent between the wireless client and the wireless access point (AP) to exchange credentials. This message exchange introduces a delay in the connection process. When a wireless client roams from one wireless AP to another, the delay to perform 802.1X authentication can cause noticeable interruptions in network connectivity, especially for time-dependent traffic such as voice or video-based data streams. To minimize the delay associated with roaming to another wireless AP, WPA2 wireless equipment can optionally support PMK caching and preauthentication.

PMK Caching
As a wireless client roams from one wireless AP to another, it must perform a full 802.1X authentication with each wireless AP. WPA2 allows the wireless client and the wireless AP to cache the results of a full 802.1X authentication so that if a client roams back to a wireless AP with which it has previously authenticated, the wireless client needs to perform only the 4-way handshake and determine new pairwise transient keys. In the Association Request frame, the wireless client includes a PMK identifier that was determined during the initial authentication and stored with both the wireless client and wireless AP's PMK cache entries. PMK cache entries are stored for a finite amount of time, as configured on the wireless client and the wireless AP. To make the transition faster for wireless networking infrastructures that use a switch that acts as the 802.1X authenticator, the WPA2/WPS IE Update calculates the PMK identifier value so that the PMK as determined by the 802.1X authentication with the switch can be reused when roaming between wireless APs that are attached to the same switch. This practice is known as opportunistic PMK caching. For information about controlling PMK caching behavior with registry values, see The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) update for Windows XP with Service Pack 2 is available.

Preauthentication
With preauthentication, a WPA2 wireless client can optionally perform 802.1X authentications with other wireless APs within its range, while connected to its current wireless AP. The wireless client sends preauthentication traffic to the additional wireless AP over its existing wireless connection. After preauthenticating with a wireless AP and storing the PMK and its associated information in the PMK cache, a wireless client that connects to a wireless AP with which it has preauthenticated needs to perform only the 4-way handshake. WPA2 clients that support preauthentication can only preauthenticate with wireless APs that advertise their preauthentication capability in Beacon and Probe Response frames. For information about controlling preauthentication behavior with registry values, see The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) update for Windows XP with Service Pack 2 is available.

Supporting a Mixture of WPA2, WPA and WEP Wireless Clients


WPA2 certified wireless equipment is also compatible with WPA and WEP. You can have a mixture of WPA2, WPA, and WEP wireless devices operating in the same environment.

Changes Required to Support WPA2


WPA2 support requires changes to the following:

- Wireless APs
- Wireless network adapters
- Wireless client software

Changes to wireless APs


With WPA, wireless network devices could be upgraded through a firmware update because the WPA security features leveraged the existing computational facilities designed for WEP. With WPA2, however, a wireless AP that does not have the computational facilities to perform the more complex calculations for AES CCMP cannot be upgraded through a firmware update and must be replaced. These types of wireless APs are typically older wireless APs manufactured before inclusion of support for the 802.11g standard. Newer wireless APs, such as those that support the 802.11g standard, might be upgradeable with a firmware update. Check with your wireless AP vendor documentation or Web site to determine if your wireless APs require replacement or a firmware update to support WPA2. If only a firmware update is needed, obtain the update from your wireless AP vendor and install it on your wireless APs. For information about wireless APs that have been WPA2 certified, see the Wi-Fi Alliance Web site.

Changes to wireless network adapters


Like wireless APs, whether you must replace wireless network adapters depends on whether they have the computational facilities to perform AES CCMP. Check with your wireless network adapter vendor documentation or Web site to determine if your wireless network adapters require replacement or a firmware update in order to support WPA2. If only a firmware update is needed, obtain the update from your wireless adapter vendor and install it on your wireless network adapters. For wireless clients running Windows XP with Service Pack 2, you must obtain an updated network adapter driver that supports WPA2. The updated network adapter driver must be able to pass the adapter's WPA2 capabilities to Windows XP Wireless Auto Configuration. For information about wireless network adapters that have been WPA2 certified, see the Wi-Fi Alliance Web site.

Changes to wireless client programs


Wireless client software must be updated to allow for the configuration of WPA2 authentication options. The WPA2/WPS IE Update for computers running Windows XP with SP2 includes support for WPA2 and modifies the following:

- The Choose a wireless network dialog box
- The Association tab for the properties of a wireless network

When you are connected to a WPA2-capable wireless network, the type of network is displayed as WPA2 in the Choose a wireless network dialog box. The following figure shows an example.

On the Association tab for the properties of a wireless network, the Network Authentication drop-down box has the additional options: WPA2 (for WPA2 Enterprise) and WPA2-PSK (for WPA2 Personal). These options will be present only if the wireless network adapter and its driver support WPA2.

The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) update for Windows XP with Service Pack 2 is available

SUMMARY

This article describes the Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) Update. You can install this update on a computer that is running Windows XP with Service Pack 2. The update supports the additional mandatory security features of the IEEE 802.11i standard that are not already included for products that support WPA. Additionally, after you install the update, Windows XP will display previously hidden Service Set Identifiers (SSIDs) in the Choose A Wireless Network dialog box. This functionality makes it easier for you to connect to public Wi-Fi networks to which you have not previously connected.

INTRODUCTION

The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) Update for computers that are running Microsoft Windows XP with Service Pack 2 (SP2) is available. This update enhances the Windows XP wireless client software with support for the new Wi-Fi Alliance certification for wireless security. The update also makes it easier to connect to secure public spaces that are equipped with wireless Internet access. These locations are otherwise known as "Wi-Fi hotspots."

MORE INFORMATION

Important information about this update


This update is superseded by the update in Microsoft Knowledge Base article 917021. For more information, see the following article in the Microsoft Knowledge Base:

917021 Description of the Wireless Client Update for Windows XP with Service Pack 2

WPA2
WPA2 is a product certification that is available through the Wi-Fi Alliance. WPA2 certifies that wireless equipment is compatible with the IEEE 802.11i standard. The WPA2 product certification formally replaces Wired Equivalent Privacy (WEP) and the other security features of the original IEEE 802.11 standard. The goal of WPA2 certification is to support the additional mandatory security features of the IEEE 802.11i standard that are not already included for products that support WPA.

The WPA2/WPS IE Update supports the following features of WPA2:

- WPA2 Enterprise using IEEE 802.1X authentication and WPA2 Personal using a preshared key (PSK).
- The Advanced Encryption Standard (AES) using the Counter Mode-Cipher Block Chaining (CBC)-Message Authentication Code (MAC) Protocol (CCMP) that provides data confidentiality, data origin authentication, and data integrity for wireless frames.
- The optional use of Pairwise Master Key (PMK) caching and opportunistic PMK caching. In PMK caching, wireless clients and wireless access points cache the results of 802.1X authentications. Therefore, access is much faster when a wireless client roams back to a wireless access point to which the client already authenticated.
- The optional use of preauthentication. In preauthentication, a WPA2 wireless client can perform an 802.1X authentication with other wireless access points in its range when it is still connected to its current wireless access point.

You must use the WPA2/WPS IE Update together with the following:

- Wireless access points that support WPA2.
- Wireless network adaptors that support WPA2.
- Windows XP wireless network adaptor drivers that support the passing of WPA2 capabilities to Windows Wireless Auto Configuration.

The WPA2/WPS IE Update modifies the following dialog boxes:

- When you are connected to a WPA2-capable wireless network, the type of network is displayed as WPA2 in the Choose A Wireless Network dialog box.
- On the Association tab for the properties of a wireless network, the Network Authentication list has the following additional options:
  - WPA2 - for WPA2 Enterprise
  - WPA2-PSK - for WPA2 Personal

Note These options are not present if the wireless network adaptor driver does not support WPA2.

For more information about WPA2 security features, see the "Wi-Fi Protected Access 2 (WPA2) Overview" topic at the following Microsoft Web site: http://technet.microsoft.com/en-us/library/bb878054.aspx

Registry values that control preauthentication and PMK caching


The following registry entries in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global subkey control the behavior of preauthentication and PMK caching for the WPA2/WPS IE Update:

- PMKCacheMode
- PMKCacheTTL
- PMKCacheSize
- PreAuthMode
- PreAuthThrottle

PMKCacheMode

Value type: REG_DWORD - Boolean
Valid range: 0 (disabled), 1 (enabled)
Default value: 1
Present by default: No
Description: Specifies whether a Windows XP-based wireless client will perform PMK caching. By default, PMKCacheMode is enabled.

PMKCacheTTL

Value type: REG_DWORD
Valid range: 5-1440
Default value: 720
Present by default: No
Description: Specifies the number of minutes that an entry in the PMK cache can exist before being removed. The maximum value is 1440 (24 hours). The default value is 720 (12 hours).

PMKCacheSize

Value type: REG_DWORD
Valid range: 1-255
Default value: 100
Present by default: No
Description: Specifies the maximum number of entries that can be stored in the PMK cache. By default, the PMK cache has 16 entries.

PreAuthMode

Value type: REG_DWORD - Boolean
Valid range: 0 (disabled), 1 (enabled)
Default value: 0
Present by default: No
Description: Specifies whether a Windows XP-based wireless client will try preauthentication. By default, PreAuthMode is disabled.

PreAuthThrottle

Value type: REG_DWORD
Valid range: 1-16
Default value: 3
Present by default: No
Description: Specifies the number of top candidate wireless access points with which the Windows XP-based computer will try preauthentication. The value is based on the ordered list of the most favored wireless access points, as reported by the wireless network adaptor driver. By default, PreAuthThrottle has a value of 3.

Note: Changes to any one or more of these registry entry values do not take effect until the next time that you restart the wireless service or the next time that you restart the computer.
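The PMK caching behavior described in the overview, bounded by the PMKCacheTTL and PMKCacheSize ranges listed above, as an added Python model that is not part of the original articles and is not Windows code. The PMK identifier formula is the one defined by IEEE 802.11i; the class, the oldest-first eviction policy, the function names and all sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import OrderedDict


def compute_pmkid(pmk: bytes, ap_mac: bytes, client_mac: bytes) -> bytes:
    """802.11i PMK identifier: first 128 bits of
    HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)."""
    digest = hmac.new(pmk, b"PMK Name" + ap_mac + client_mac, hashlib.sha1)
    return digest.digest()[:16]


class PmkCache:
    """Client-side PMK cache keyed by AP MAC address (illustrative model)."""

    def __init__(self, client_mac: bytes, ttl_minutes: int, max_entries: int):
        # Ranges taken from the PMKCacheTTL and PMKCacheSize descriptions.
        if not 5 <= ttl_minutes <= 1440:
            raise ValueError("PMKCacheTTL must be 5-1440 minutes")
        if not 1 <= max_entries <= 255:
            raise ValueError("PMKCacheSize must be 1-255 entries")
        self.client_mac = client_mac
        self.ttl_minutes = ttl_minutes
        self.max_entries = max_entries
        self._entries = OrderedDict()  # ap_mac -> (pmk, pmkid, stored_at)

    def _purge(self, now_minutes: int) -> None:
        """Drop entries whose lifetime has reached the TTL."""
        expired = [mac for mac, (_, _, stored) in self._entries.items()
                   if now_minutes - stored >= self.ttl_minutes]
        for mac in expired:
            del self._entries[mac]

    def store(self, ap_mac: bytes, pmk: bytes, now_minutes: int) -> None:
        """Record the PMK produced by a full 802.1X authentication."""
        self._purge(now_minutes)
        self._entries.pop(ap_mac, None)
        # Assumption: when the cache is full, the oldest entry is evicted.
        while len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)
        pmkid = compute_pmkid(pmk, ap_mac, self.client_mac)
        self._entries[ap_mac] = (pmk, pmkid, now_minutes)

    def lookup(self, ap_mac: bytes, now_minutes: int):
        """Return the PMKID to place in the Association Request, or None."""
        self._purge(now_minutes)
        entry = self._entries.get(ap_mac)
        return entry[1] if entry else None


def plan_association(cache: PmkCache, ap_mac: bytes, now_minutes: int):
    """Decide what the client must do when it roams to ap_mac."""
    pmkid = cache.lookup(ap_mac, now_minutes)
    if pmkid is None:
        return ("full-802.1X", None)
    return ("4-way-handshake-only", pmkid)


if __name__ == "__main__":
    # Constructed sample values.
    client = bytes.fromhex("02aabbccdd02")
    ap = bytes.fromhex("02aabbccdd01")
    cache = PmkCache(client, ttl_minutes=720, max_entries=16)
    cache.store(ap, bytes(range(32)), now_minutes=0)
    for minute in (10, 719, 720):
        action, pmkid = plan_association(cache, ap, minute)
        print(minute, action, pmkid.hex() if pmkid else "-")
```

A lookup that returns no PMKID is the only point at which the client repeats the full 802.1X exchange, so the TTL bounds how long one authentication result can be reused.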

Wireless Provisioning Services Information Element (WPS IE)


Wireless Internet service providers (WISPs) first offered wireless access to the Internet without security. This prevented customers from having to configure wireless security settings. Because wireless security has become more important, WISPs want to move to secure public Wi-Fi networks. During the migration, WISPs must be able to support both nonsecure and secure wireless access to the Internet. To be cost effective during migration, WISPs must be able to support and advertise two different logical wireless networks that have two different wireless network names, and that use a single physical network infrastructure.

Note Wireless network names are also known as Service Set Identifiers (SSIDs).

Some wireless access points that are available today can advertise multiple SSIDs and support multiple logical network configurations at the same time. However, because of hardware limitations, the vast majority of the wireless access points that are deployed today in public Wi-Fi hotspots only permit one SSID to be included in the broadcast Beacon and Probe Response frames. This behavior effectively hides secondary SSIDs from wireless client computers. Therefore, it is much more difficult for you to discover and connect to public Wi-Fi network names that you have not previously connected to. Without wireless AP support to advertise multiple SSIDs in broadcast Beacon and Probe Response frames, the additional wireless networks must either be implemented by using an additional set of physical wireless access points, or users must manually configure their wireless clients by using the names of hidden SSIDs. The implementation of an additional set of wireless access points is not cost effective for WISPs. The manual configuration of wireless clients is difficult for customers, and does not scale to a large WISP network.

The WPS IE is a newly defined 802.11 information element that solves the hidden SSID problem for WISPs. The WPS IE also provides a way for wireless access points to advertise additional SSIDs in the broadcast Beacon and Probe Request frames. The WPS IE includes the SSID and additional details, such as:

- Whether IEEE 802.1X authentication is required.
- Whether the wireless network can provide provisioning information to the wireless client.

The WPS IE must be included in the broadcast Beacon and Probe Request frames, and must be recognized and processed by wireless client computers. Frequently, you can add WPS IE support to wireless access points through a firmware update. Therefore, you typically do not have to replace existing wireless access points or install additional ones. Check your wireless AP vendor documentation or your vendor's Web site to determine whether a firmware update for your wireless AP is available. For a Windows XP with SP2-based wireless client, you must install the WPA2/WPS IE Update.

When you install the WPA2/WPS IE Update on wireless client computers that are running Windows XP with SP2, the wireless components of Windows XP recognize the WPS IE in the broadcast Beacon or Probe Response frames. This functionality makes the previously hidden SSIDs visible to the user in the Choose A Wireless Network dialog box. Windows XP-based wireless client computers without the WPA2/WPS IE Update installed do not recognize the WPS IE and do not display the hidden SSIDs.

To successfully deploy support for the WPS IE, you must have the following:

Wireless access points that support the configuration of additional SSIDs and their advertisement with the WPS IE. For example, Cisco has released firmware updates for its wireless access points to support the new WPS IE. For information, visit the following Cisco Web site:

http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/prod_bulletin0900aecd801b83b0_ps6087_Products_Bulletin.html

Wireless client computers that are running Windows XP with SP2 and the WPA2/WPS IE Update.

After the update is deployed, the use of the WPS IE provides the following benefits:

Enables easy and cost-effective migration from nonsecure public Wi-Fi hotspot wireless connections to secure public Wi-Fi hotspot wireless connections. The secure public Wi-Fi hotspots must use 802.1X authentication, encryption, and Wireless Provisioning Services (WPS) to provision wireless settings, using the same set of wireless access points.

Lets wireless users easily discover and choose whether they want nonsecured or secured wireless connections. Additionally, wireless users can quickly configure wireless settings.

For more information about WPS, see the "Deploying Wireless Provisioning Services (WPS) Technology" white paper. To download the white paper, visit the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=42996


Additional changes in the WPA2/WPS IE Update


The following changes are also included in the WPA2/WPS IE Update:

Windows XP now prompts you to validate whether you want to create a nonsecured preferred wireless network. Nonsecured is defined as an Open system authenticated connection that does not use encryption to help protect data. Additionally, when connected to a nonsecured wireless network, the wireless network is displayed with the label Unsecured. These changes were added to make sure that you are aware that you are connecting to a wireless network that is susceptible to security attacks.

The Choose A Wireless Network dialog box in Windows XP with SP2 merged infrastructure and ad-hoc networks by using the same wireless network name so that only one appeared in the list of available networks. This issue has been corrected. With the update installed, the Choose A Wireless Network dialog box now displays both types of wireless networks in the available networks list as separate entries.

The static provisioning interface API for Wireless Provisioning Services (WPS) has been updated so that you can specify WPA2 as an authentication method. For more information about this API, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms940173.aspx

Previously, there was a one-minute connection delay when you started the computer if you connected to a WPS-provisioned wireless network. This issue has been corrected.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Wi-Fi Protected Access Data Encryption and Integrity

By The Cable Guy

Wi-Fi Protected Access (WPA), as described in the Wi-Fi Protected Access (WPA) Overview Cable Guy article, is an interim industry standard that makes 802.11 wireless LAN networking secure through a firmware upgrade to 802.11-based wireless network adapters and wireless access points (APs). WPA replaces Wired Equivalent Privacy (WEP) with the combination of the Temporal Key Integrity Protocol (TKIP), which provides data confidentiality through encryption, and Michael, which provides data integrity. This article describes the details of TKIP and Michael and the WPA encryption and decryption processes.

Cryptographic Features of TKIP and Michael


WEP in the original IEEE 802.11 standard has the following cryptographic weaknesses:

The initialization vector (IV) is too small

WEP uses the IV along with the WEP encryption key as the input to the RC4 pseudo-random number generator (PRNG), which produces a key stream that is used to encrypt the 802.11 frame payload. With a 24-bit WEP IV, it is easy to capture multiple WEP frames with the same IV value, making real-time decryption easier.

Weak data integrity

WEP data integrity consists of performing the Cyclic Redundancy Check-32 (CRC-32) checksum calculation on the bytes in the unencrypted 802.11 payload and then encrypting its value with WEP. Even encrypted, it is relatively easy to change bits in the encrypted payload and then properly update the encrypted CRC-32 result, preventing the receiving node from detecting that the frame contents have changed.

Uses the master key rather than a derived key

The WEP encryption key, either manually configured or determined through 802.1X authentication, is the only available keying material. Therefore, the WEP encryption key is the master key. Using the master key to encrypt data is less secure than using a key derived from the master key.

No rekeying

WEP does not provide for a method to refresh the encryption keys.

No replay protection

WEP does not provide any protection against replay attacks, in which an attacker sends a series of previously captured frames in an attempt to gain access or modify data.

The following table shows how TKIP and Michael address the cryptographic weaknesses of WEP.

| WEP weakness | How weakness is addressed by WPA |
| --- | --- |
| IV is too short | In TKIP, the IV has been doubled in size to 48 bits. |
| Weak data integrity | The WEP-encrypted CRC-32 checksum calculation has been replaced with Michael, an algorithm that is designed to provide strong data integrity. The Michael algorithm calculates a 64-bit message integrity code (MIC) value, which is encrypted with TKIP. |
| Uses the master key rather than derived key | TKIP and Michael use a set of temporal keys that are derived from a master key and other values. The master key is derived from the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) or Protected EAP (PEAP) 802.1X authentication process. Additionally, the secret portion of the input to the RC4 PRNG is changed with each frame through a packet mixing function. |
| No rekeying | WPA rekeys automatically to derive new sets of temporal keys. |
| No replay protection | TKIP uses the IV as a frame counter to provide replay protection. |

WPA Temporal Keys


Unlike WEP, which uses a single key for unicast data encryption and typically a separate key for multicast and broadcast data encryption, WPA uses a set of four different keys for each wireless client-wireless AP pair (known as the pairwise temporal keys) and a set of two different keys for multicast and broadcast traffic. The set of pairwise keys used for unicast data and EAP over LAN (EAPOL)-Key messages consists of the following:

- Data encryption key: A 128-bit key used for encrypting unicast frames.
- Data integrity key: A 128-bit key used for calculating the MIC for unicast frames.
- EAPOL-Key encryption key: A 128-bit key used for encrypting EAPOL-Key messages.
- EAPOL-Key integrity key: A 128-bit key used for calculating the MIC for EAPOL-Key messages.

To derive the pairwise temporal keys, WPA uses the following values:

- Pairwise Master Key (PMK): A 256-bit key derived from the EAP-TLS or PEAP authentication process.
- Nonce 1: A random number determined by the wireless AP.
- MAC 1: The MAC address of the wireless AP.
- Nonce 2: A random number determined by the wireless client.
- MAC 2: The MAC address of the wireless client.

For 802.1X authentication using a RADIUS server, the PMK is mutually determined by the wireless client and the RADIUS server, which conveys the PMK to the wireless AP in the RADIUS Access-Accept message. After receiving the PMK, the wireless AP initiates the temporal key message exchange, which consists of the following:

1. EAPOL-Key message sent by the wireless AP that contains Nonce 1 and MAC 1. Because the temporal unicast keys are not yet determined, this message is sent as clear text and without message integrity protection. The wireless client now has all the elements needed to calculate the pairwise temporal keys.
2. EAPOL-Key message sent by the wireless client that contains Nonce 2, MAC 2, and a MIC. Because the wireless client has calculated the pairwise temporal keys, it calculates a MIC using the derived EAPOL-Key integrity key. The wireless AP uses the Nonce 2 and MAC 2 values to derive the pairwise temporal keys and to validate the value of the MIC.
3. EAPOL-Key message sent by the wireless AP that contains a MIC and a starting sequence number, indicating that the wireless AP is ready to start sending encrypted unicast and EAPOL-Key frames.
4. EAPOL-Key message sent by the wireless client that contains a MIC and a starting sequence number, indicating that the wireless client is ready to start sending encrypted unicast and EAPOL-Key frames.

This set of messages exchanges the values needed to determine the pairwise temporal keys, verifies that each wireless peer has knowledge of the PMK (by verifying the value of the MIC), and indicates that each wireless peer is ready to begin encrypting and providing message integrity protection for subsequent unicast data frames and EAPOL-Key messages. For multicast and broadcast traffic, the wireless AP derives a 128-bit group encryption key and a 128-bit group integrity key and sends these values to the wireless client using an EAPOL-Key message, encrypted with the EAPOL-Key encryption key and integrity-protected with the EAPOL-Key integrity key. The wireless client acknowledges the receipt of the EAPOL-Key message with an EAPOL-Key message.
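The exchange above, as an added Python example that is not from the original article. It uses the IEEE 802.11i pseudo-random function (HMAC-SHA1 with the label "Pairwise key expansion") to derive the four 128-bit keys and HMAC-MD5 for the EAPOL-Key MIC, as WPA with TKIP does; the message bodies, nonces, MAC addresses and function names are constructed for illustration and are not the EAPOL-Key wire format.

```python
import hashlib
import hmac

# Names follow the article's list of pairwise temporal keys, in the order
# in which 802.11i lays them out in the derived key block.
KEY_NAMES = ("eapol_key_integrity", "eapol_key_encryption",
             "data_encryption", "data_integrity")


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_pairwise_keys(pmk, nonce1, mac1, nonce2, mac2) -> dict:
    """Derive four 128-bit keys from the PMK, both nonces and both MACs."""
    # Sorting the inputs makes both peers build the same seed.
    seed = (min(mac1, mac2) + max(mac1, mac2) +
            min(nonce1, nonce2) + max(nonce1, nonce2))
    block = prf(pmk, b"Pairwise key expansion", seed, 64)
    return {name: block[i * 16:(i + 1) * 16]
            for i, name in enumerate(KEY_NAMES)}


def mic(keys: dict, *fields: bytes) -> bytes:
    """MIC over a (simplified) message body with the EAPOL-Key integrity key."""
    return hmac.new(keys["eapol_key_integrity"], b"".join(fields),
                    hashlib.md5).digest()


def four_way_handshake(ap_pmk: bytes, client_pmk: bytes):
    """Run messages 1-4. Returns (client_keys, ap_keys); ap_keys is None
    when the AP rejects the client's MIC, i.e. the PMKs differ."""
    # Constructed sample values (a real peer uses fresh random nonces).
    nonce1, mac1 = bytes(range(32)), bytes.fromhex("02aabbccdd01")
    nonce2, mac2 = bytes(range(32, 64)), bytes.fromhex("02aabbccdd02")

    # Message 1, AP -> client: Nonce 1 and MAC 1, clear text, no MIC.
    msg1 = {"nonce": nonce1, "mac": mac1}
    client_keys = derive_pairwise_keys(client_pmk, msg1["nonce"],
                                       msg1["mac"], nonce2, mac2)

    # Message 2, client -> AP: Nonce 2, MAC 2 and a MIC.
    msg2 = {"nonce": nonce2, "mac": mac2,
            "mic": mic(client_keys, b"\x02", nonce2, mac2)}
    ap_keys = derive_pairwise_keys(ap_pmk, nonce1, mac1,
                                   msg2["nonce"], msg2["mac"])
    expected = mic(ap_keys, b"\x02", msg2["nonce"], msg2["mac"])
    if not hmac.compare_digest(expected, msg2["mic"]):
        return client_keys, None  # client does not hold the same PMK

    # Message 3, AP -> client: MIC and starting sequence number.
    seq = (0).to_bytes(8, "big")
    msg3 = {"seq": seq, "mic": mic(ap_keys, b"\x03", seq)}
    if not hmac.compare_digest(mic(client_keys, b"\x03", msg3["seq"]),
                               msg3["mic"]):
        return None, ap_keys

    # Message 4, client -> AP: MIC and starting sequence number.
    msg4 = {"seq": seq, "mic": mic(client_keys, b"\x04", seq)}
    if not hmac.compare_digest(mic(ap_keys, b"\x04", msg4["seq"]),
                               msg4["mic"]):
        return client_keys, None
    return client_keys, ap_keys


if __name__ == "__main__":
    pmk = bytes.fromhex("11" * 32)  # constructed 256-bit PMK
    client_keys, ap_keys = four_way_handshake(pmk, pmk)
    for name in KEY_NAMES:
        print(name, ap_keys[name].hex(), client_keys[name] == ap_keys[name])
    print("mismatched PMK accepted:",
          four_way_handshake(pmk, bytes(32))[1] is not None)
```

The PMK itself never appears in any message; each peer proves knowledge of it only through a MIC computed with a key derived from it.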

WPA Encryption and Decryption Process


WPA needs the following values to encrypt and integrity-protect a wireless data frame:

- The IV, which starts at 0 and increments for each subsequent frame
- The data encryption key (for unicast traffic) or the group encryption key (for multicast or broadcast traffic)
- The destination address (DA) and source address (SA) of the wireless frame
- The value of a Priority field, which is set to 0 and reserved for future purposes
- The data integrity key (for unicast traffic) or the group integrity key (for multicast or broadcast traffic)

The following figure shows the WPA encryption process for a unicast data frame.

If your browser does not support inline frames, click here to view on a separate page. 1. The IV, the DA, and the data encryption key are input into a WPA key mixing function, which calculates the per-packet encryption key. 2. The DA, SA, Priority, the data (the unencrypted 802.11 payload), and the data integrity key are input into the Michael data integrity algorithm to produce the MIC. 3. 4. The ICV is calculated from the CRC-32 checksum. The IV and per-packet encryption key are input into the RC4 PRNG function to produce a key stream that is the same size as the data, the MIC, and the ICV. 5. The key stream is exclusively ORed (XORed) with the combination of the data, the MIC, and the ICV to produce the encrypted portion of the 802.11 payload. 6. The IV is added to the encrypted portion of the 802.11 payload in the IV and Extended IV fields, and the result is encapsulated with the 802.11 header and trailer. The following figure shows the WPA decryption process for a unicast data frame.

1. The IV value is extracted from the IV and Extended IV fields in the 802.11 frame payload and input along with the DA and data encryption key into the key mixing function, producing the per-packet encryption key.
2. The IV and the per-packet encryption key are input into the RC4 PRNG function to produce a key stream that is the same size as the encrypted data, MIC, and ICV.
3. The key stream is XORed with the encrypted data, MIC, and ICV to produce the unencrypted data, MIC, and ICV.
4. The ICV is calculated and compared to the value of the unencrypted ICV. If the ICV values do not match, the data is silently discarded.
5. The DA, SA, data, and the data integrity key are input into the Michael integrity algorithm to produce the MIC.
6. The calculated value of the MIC is compared to the value of the unencrypted MIC. If the MIC values do not match, the data is silently discarded. If the MIC values match, the data is passed to the upper networking layers for processing.
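The encryption and decryption steps above, as an added Python example (not code from the original article). Michael, RC4 and the CRC-32 ICV follow their published definitions; SHA-256 stands in for the WPA key mixing function, the frame is reduced to a 6-byte IV followed by the encrypted portion, and all function names and sample values are assumptions.

```python
import hashlib, struct, zlib
M32 = 0xFFFFFFFF
def rol(v, n): return ((v << n) | (v >> (32 - n))) & M32
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def michael(key, msg):  # 8-byte key -> 8-byte MIC, little-endian 32-bit words
    l, r = struct.unpack("<2I", key)
    msg += b"\x5a" + bytes(4)            # 0x5a marker plus four zero bytes...
    msg += bytes(-len(msg) % 4)          # ...then zeros up to a multiple of 4
    for (m,) in struct.iter_unpack("<I", msg):
        l ^= m
        r ^= rol(l, 17); l = (l + r) & M32
        r ^= ((l & 0xFF00FF00) >> 8) | ((l & 0x00FF00FF) << 8); l = (l + r) & M32
        r ^= rol(l, 3); l = (l + r) & M32
        r ^= rol(l, 30); l = (l + r) & M32   # rotate right by 2
    return struct.pack("<2I", l, r)

def rc4(key, n):
    s, j, out = list(range(256)), 0, bytearray()
    for i in range(256):                 # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    for _ in range(n):                   # key stream output
        i = (i + 1) & 0xFF; j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def keystream(ivb, da, enc_key, n):
    # Assumption: SHA-256 stands in for the WPA key mixing function (same inputs).
    return rc4(ivb + hashlib.sha256(ivb + da + enc_key).digest()[:16], n)

def encrypt(iv, da, sa, data, enc_key, mic_key, priority=0):
    ivb = iv.to_bytes(6, "big")
    body = data + michael(mic_key, da + sa + bytes([priority, 0, 0, 0]) + data)
    body += struct.pack("<I", zlib.crc32(body))          # ICV over data + MIC
    return ivb + xor(body, keystream(ivb, da, enc_key, len(body)))

def decrypt(frame, da, sa, enc_key, mic_key, priority=0):
    body = xor(frame[6:], keystream(frame[:6], da, enc_key, len(frame) - 6))
    data, mic, icv = body[:-12], body[-12:-4], body[-4:]
    icv_ok = struct.pack("<I", zlib.crc32(body[:-4])) == icv
    mic_ok = michael(mic_key, da + sa + bytes([priority, 0, 0, 0]) + data) == mic
    return data if icv_ok and mic_ok else None           # None = silently discarded

DA, SA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed
ENC_KEY, MIC_KEY = bytes(range(16)), bytes(range(16, 24))              # constructed
FRAME = encrypt(1, DA, SA, b"hello", ENC_KEY, MIC_KEY)
```

Because the SA is an input to Michael but not to the key stream, decrypting `FRAME` with a different SA passes the ICV check and is rejected only at the MIC comparison.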

Wi-Fi Protected Access (WPA) Overview

By The Cable Guy

The original IEEE 802.11 standard provided the following set of security features to secure wireless LAN communication:

- Two different authentication methods: Open system and shared key
- The Wired Equivalent Privacy (WEP) encryption algorithm
- An Integrity Check Value (ICV), encrypted with WEP, which provides data integrity

Eventually, these original security features would not be sufficient to protect wireless LAN communication in some common scenarios, especially large traffic volume environments. The original 802.11 standard has the following security issues:

- No per-user identification and authentication
- No support for extended authentication methods (for example, token cards, certificates/smart cards, one-time passwords, biometrics, and so on)
- No support for key management (dynamic, per-station or per-session key management and rekeying)

To resolve these issues, the IEEE 802.1X Port-Based Network Access Control standard was adopted as an optional mechanism to provide authentication for 802.11 wireless LANs. With 802.1X authentication, the following is supported:

- Per-user identification and authentication
  802.1X uses Extensible Authentication Protocol (EAP), which enforces user-level authentication. In a Windows environment, authentication uses the credentials of a user or computer account in Active Directory.

- Support for extended authentication methods (for example, token cards, certificates/smart cards, one-time passwords, biometrics, and so on)
  EAP provides an infrastructure to support arbitrary authentication methods. Windows wireless networking supports EAP-Transport Level Security (EAP-TLS) for certificate and smart card-based authentication and Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) for password-based authentication.

- Support for key management (dynamic, per-station or per-session key management and rekeying)
  The EAP-TLS and PEAP-MS-CHAP v2 authentication processes derive mutually-determined unicast encryption keys. The unicast encryption key is changed periodically either by the wireless access point (AP) or by the Windows wireless client. Key determination attacks can be prevented through frequent rekeying.

The combination of IEEE 802.11, 802.1X, and the use of either EAP-TLS or PEAP-MS-CHAP v2 authentication provides secure wireless networking in a Windows environment.

IEEE 802.11i is a new standard that specifies improvements to wireless LAN networking security and addresses many of the security issues of the original 802.11 specification. While the new IEEE 802.11i standard was being ratified, wireless vendors agreed on an interoperable interim standard known as Wi-Fi Protected Access (WPA). The goals of WPA are the following:

- To require secure wireless networking
  As described later in this article, WPA requires secure wireless networking by requiring 802.1X authentication, the use of encryption, and the use of unicast and global encryption key management.

- To address the issues with WEP encryption through a software upgrade
  WPA solves all the remaining security issues with WEP encryption. As discussed later in this article, WPA requires firmware updates in wireless equipment and an update for wireless clients. Existing wireless equipment is not expected to require replacement.

- To provide a secure wireless networking solution for small office/home office (SOHO) wireless users
  For the SOHO, there is no RADIUS server to provide 802.1X authentication with an EAP type. SOHO wireless clients must use either shared key authentication (not recommended) or open system authentication (recommended) with a single static WEP key for both unicast and multicast traffic. WPA provides a preshared key option intended for SOHO configurations. The preshared key is configured on the wireless AP and each wireless client. The initial unicast encryption key is derived from the authentication process, which verifies that both the wireless client and the wireless AP have the preshared key.

- To be forward-compatible with the upcoming IEEE 802.11i standard
  WPA is a subset of the security features in the proposed IEEE 802.11i standard. There are no features of WPA that are not described in the current draft of the 802.11i standard.

- To be available today
  WPA upgrades to wireless equipment and for wireless clients were available beginning in February, 2003.


Features of WPA Security

The following sections describe the features of WPA security.

WPA Authentication

With 802.11, 802.1X authentication is optional. With WPA, 802.1X authentication is required. Authentication with WPA is a combination of open system and 802.1X authentication, which uses two phases:

- The first phase uses open system authentication and indicates to the wireless client that it can send frames to the wireless AP.
- The second phase uses 802.1X to perform a user-level authentication.

For environments without a RADIUS infrastructure, WPA supports the use of a preshared key. For environments with a RADIUS infrastructure, WPA supports EAP and RADIUS.

WPA Key Management

With 802.1X, rekeying of unicast encryption keys is optional. Additionally, 802.11 and 802.1X provide no mechanism to change the global encryption key that is used for multicast and broadcast traffic. With WPA, rekeying of both unicast and global encryption keys is required. The Temporal Key Integrity Protocol (TKIP) changes the unicast encryption key for every frame and each change is synchronized between the wireless client and the wireless AP. For the global encryption key, WPA includes a facility for the wireless AP to advertise changes to the connected wireless clients.

Temporal Key Integrity Protocol (TKIP)

For 802.11, WEP encryption is optional. For WPA, encryption using TKIP is required. TKIP replaces WEP with a new encryption algorithm that is stronger than the WEP algorithm, yet can be performed using the calculation facilities present on existing wireless hardware. TKIP also provides for:

- The verification of the security configuration after the encryption keys are determined.
- The synchronized changing of the unicast encryption key for each frame.
- The determination of a unique starting unicast encryption key for each preshared key authentication.

Michael

With 802.11 and WEP, data integrity is provided by a 32-bit ICV that is appended to the 802.11 payload and encrypted with WEP. Although the ICV is encrypted, it is possible through cryptanalysis to change bits in the encrypted payload and update the encrypted ICV without being detected by the receiver.

With WPA, a method known as Michael specifies a new algorithm that calculates an 8-byte message integrity code (MIC) with the calculation facilities available on existing wireless hardware. The MIC is placed between the data portion of the 802.11 frame and the 4-byte ICV. The MIC field is encrypted along with the frame data and the ICV.

Michael also provides replay protection. A new frame counter in the 802.11 frame is used to prevent replay attacks.

AES Support

WPA defines the use of AES as an additional optional replacement for WEP encryption. Because adding AES support through a firmware update might not be possible for existing wireless equipment, support for AES on wireless network adapters and wireless APs is not required.

Supporting a mixture of WPA and WEP wireless clients

To support the gradual transition of a WEP-based wireless network to WPA, it is possible for a wireless AP to support both WEP and WPA clients at the same time. During the association, the wireless AP determines which clients are using WEP and which are using WPA. The disadvantage to supporting a mixture of WEP and WPA clients is that the global encryption key is not dynamic. All other security enhancements for WPA clients are preserved.
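Why the encrypted ICV described under Michael above is not an integrity check, and what a keyed MIC adds, shown as an added Python example (not code from the original article). A random key stream stands in for the cipher output and truncated HMAC-SHA-256 stands in for Michael; all names and sample values are assumptions.

```python
import hashlib, hmac, os, struct, zlib

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def icv(data): return struct.pack("<I", zlib.crc32(data))

def seal_crc(data, ks):
    # 802.11/WEP layout: data || 4-byte ICV, all XORed with the key stream
    return xor(data + icv(data), ks)

def open_crc(ct, ks):
    body = xor(ct, ks)
    return body[:-4] if icv(body[:-4]) == body[-4:] else None

def keyed_mic(mic_key, data):
    # Assumption: truncated HMAC-SHA-256 stands in for Michael's keyed 8-byte MIC
    return hmac.new(mic_key, data, hashlib.sha256).digest()[:8]

def seal_mic(data, ks, mic_key):
    # WPA layout: data || 8-byte MIC || 4-byte ICV
    body = data + keyed_mic(mic_key, data)
    return xor(body + icv(body), ks)

def open_mic(ct, ks, mic_key):
    body = open_crc(ct, ks)
    if body is None or not hmac.compare_digest(keyed_mic(mic_key, body[:-8]), body[-8:]):
        return None
    return body[:-8]

def flip_and_fix_icv(ct, delta):
    # CRC-32 is affine over XOR: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros),
    # so the encrypted ICV can be corrected without knowing the key stream.
    delta = delta.ljust(len(ct) - 4, b"\x00")
    return xor(ct, delta + xor(icv(delta), icv(bytes(len(delta)))))

# Constructed sample values (not from the page).
KS, MIC_KEY, DATA = os.urandom(64), os.urandom(8), b"amount=0010"
DELTA = xor(b"amount=0010", b"amount=9910")
```

With the ICV alone, the modified ciphertext opens cleanly to the altered data; with the keyed MIC in place, the same modification still passes the ICV but is discarded at the MIC comparison.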

Changes Required to Support WPA


WPA requires software changes to:

- Wireless APs.
- Wireless network adapters.
- Wireless client software.

Changes to wireless APs

Wireless APs must have their firmware updated to support the following:

- The new WPA information element
  To advertise their capability to perform WPA, wireless APs send the beacon frame with a new 802.11 WPA information element that contains the wireless AP's security configuration (encryption algorithms, and so on).
- The WPA two-phase authentication: Open system followed by 802.1X (EAP with RADIUS or WPA preshared key)
- TKIP
- Michael
- AES (optional)

To upgrade your wireless APs to support WPA, you can obtain a WPA firmware update from your wireless AP vendor and upload it to your wireless APs.

Changes to wireless network adapters

Wireless network adapters must have their firmware updated to support the following:

- The new WPA information element
  Wireless clients must be able to process the WPA information element in beacon frames and respond with a specific security configuration.
- The WPA two-phase authentication: Open system followed by 802.1X (EAP or WPA preshared key)
- TKIP
- Michael
- AES (optional)

To upgrade your wireless network adapters to support WPA, you must upload a WPA firmware update to your wireless network adapter. For Windows wireless clients, you must obtain an updated network adapter driver that supports WPA. For wireless network adapter drivers that are compatible with Windows XP with Service Pack 2 (SP2), Windows XP with Service Pack 1 (SP1), and Windows Server 2003, the updated network adapter driver must be able to pass the adapter's WPA capabilities and security configuration to Windows Wireless Auto Configuration.

Microsoft has worked with many wireless vendors to embed the WPA firmware update within the wireless adapter driver. Because of this, updating your Windows wireless client consists of simply obtaining the new WPA-compatible driver and installing it. The firmware is automatically updated when the wireless network adapter driver is loaded into Windows.

Changes to wireless client software

Wireless client software must be updated to allow for the configuration of WPA authentication (including preshared key) and the new WPA encryption algorithms (TKIP and AES). You must obtain and install a new WPA-compliant configuration tool from your wireless network adapter vendor for wireless clients running the following:

- Windows 2000
- Windows XP with SP2, Windows XP with SP1, and Windows Server 2003, and using a wireless network adapter that does not support the Wireless Auto Configuration

WPA support is provided with Windows XP SP2. For wireless clients running Windows XP with SP1 or Windows Server 2003, and using a wireless network adapter that supports the Wireless Auto Configuration, you must obtain and install the WPA Wireless Security Update in Windows XP, a free download from Microsoft. The WPA Wireless Security Update updates the wireless network configuration dialog boxes to support new WPA options.

The following figure shows the Association tab for the properties of a wireless network in Windows XP with SP1 and Windows Server 2003. To view the Association tab, obtain the properties of the wireless network adapter in the Network Connections folder, and then click the Wireless Networks tab. Either click a wireless network in the list of available networks, and then click Configure, or click a wireless network in the list of preferred networks, and then click Properties.

In the Wireless network key (WEP) section of the Association tab, the first two check boxes are:

- Data encryption (WEP enabled)
  This setting enables or disables WEP encryption. By default, WEP encryption is enabled.
- Network Authentication (Shared mode)
  When selected, shared key authentication is performed. When cleared, open system authentication is performed. By default, open system authentication is performed.

Installing Windows XP SP2 or the WPA Wireless Security Update changes the Association tab, as shown in the following figure.

The Wireless network key (WEP) section is now named Wireless network key and the two check boxes previously described are replaced with drop-down boxes.

The Data encryption (WEP enabled) check box is replaced with a Data encryption drop-down box that provides the following selections:

- Disabled
  Encryption of 802.11 frames is disabled.
- WEP
  802.11 WEP is used as the encryption algorithm.
- TKIP
  TKIP is used as the encryption algorithm.
- AES
  AES is used as the encryption algorithm. This selection is only available if the wireless network adapter and its driver support the optional AES encryption algorithm.

If the wireless network adapter and its driver do not support WPA, you will not see the TKIP and AES options.

The Network Authentication (Shared Mode) check box is replaced with a Network Authentication drop-down box that provides the following selections:

- Open
  The open system authentication method is used.
- Shared
  The shared key authentication method is used and the key is typed in Network key and Confirm network key.
- WPA
  WPA authentication (802.1X) is used with an EAP type configured on the Authentication tab.
- WPA-PSK
  WPA authentication (802.1X) is used with a preshared key and the key is typed in Network key and Confirm network key.

If the wireless network adapter and its driver do not support WPA, you will not see the WPA and WPA-PSK options.

http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
