Wi-Fi Protected Access (WPA) is a security standard for users of computers equipped with Wi-Fi wireless connection. It is an improvement on and is expected to replace the original Wi-Fi security standard, Wired Equivalent Privacy (WEP). WPA provides more sophisticated data encryption than WEP and also provides user authentication (WEP's user authentication is considered insufficient). WEP is still considered useful for the casual home user, but insufficient for the corporate environment where the large flow of messages can enable eavesdroppers to discover encryption keys more quickly.
The following security features are included in the WPA standard:
- WPA Authentication
- WPA Encryption Key Management
- Temporal Key Integrity Protocol (TKIP)
- Michael message integrity code (MIC)
- AES Support
- Support for a Mixture of WPA and WEP Wireless Clients
These features are discussed below.
WPA addresses most of the known WEP vulnerabilities and is primarily intended for wireless infrastructure networks as found in the enterprise. The strength of WPA comes from an integrated sequence of operations that encompass 802.1X/EAP authentication and sophisticated key management and encryption techniques. For environments with a RADIUS infrastructure, WPA supports Extensible Authentication Protocol (EAP). For environments without a RADIUS infrastructure, WPA supports the use of a pre-shared key. Its major operations include:
Network security capability: This occurs at the 802.11 level and is communicated through WPA information elements in Beacon, Probe Response, and (Re) Association Requests. Information in these elements includes the authentication method (802.1X or Pre-shared key) and the preferred cipher suite (WEP, TKIP, or AES, which is Advanced Encryption Standard).
Authentication, EAP over 802.1X is used for authentication: Mutual authentication is gained by choosing an EAP type supporting this feature and is required by WPA. The 802.1X port access control prevents full access to the network until authentication completes. The 802.1X EAPOL-Key packets are used by WPA to distribute per-session keys to those stations successfully authenticated.
Key management: WPA features a robust key generation/management system that integrates the authentication and data privacy functions. Keys are generated after successful authentication and through a subsequent four-way handshake between the station and access point.
Data Privacy (Encryption): Temporal Key Integrity Protocol (TKIP) is used to wrap WEP in sophisticated cryptographic and security techniques to overcome most of its weaknesses.
Data integrity: TKIP includes a message integrity code (MIC) at the end of each plain text message to ensure messages are not being spoofed.
How it works:
The access point (AP) sends Beacon Frames with WPA information elements to the stations in the service set. Information elements include the required authentication method (802.1x or Pre-shared key) and the preferred cipher suite (WEP, TKIP, or AES). Probe Responses (AP to station) and Association Requests (station to AP) also contain WPA information elements.
- Initial 802.1x communications begin with an unauthenticated supplicant (that is, client device) attempting to connect with an authenticator (that is, 802.11 access point). The client sends an EAP-start message. This begins a series of message exchanges to authenticate the client.
- The access point replies with an EAP-request identity message.
- The client sends an EAP-response packet containing the identity to the authentication server. The access point responds by enabling a port for passing only EAP packets from the client to an authentication server located on the wired side of the access point. The access point blocks all other traffic, such as HTTP, DHCP, and POP3 packets, until the access point can verify the client's identity using an authentication server (for example, RADIUS).
- The authentication server uses a specific authentication algorithm to verify the client's identity. This could be through the use of digital certificates or some other EAP authentication type.
- The authentications servers will either send accept or reject message to the access point.
- The access point sends an EAP-success packet (or reject packet) to the client.
- If the authentication server accepts the client, then the access point will transition the client's port to an authorized state and forward additional traffic.
WPA uses TKIP to provide important data encryption enhancements including a per-packet key mixing function, a message integrity check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. Other encryption method supported by WPA, besides TKIP, is the advanced encryption standard (AES), although AES support will not be required initially for Wi-Fi certification. This is viewed as the optimal choice for security-conscious organizations.