Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) is a system to secure wireless (Wi-Fi) networks, created to patch the security of the previous system, WEP (Wired Equivalent Privacy), in which researchers have found a number of weaknesses. As a replacement, WPA implements part of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while the new security standard (802.11i) was prepared. Certifications for implementations of WPA started in April 2003, while the full 802.11i was ratified in June 2004.

WPA is designed for use with an 802.1X authentication server, which distributes different keys to each user; however, it can also be used in a less secure pre-shared key (PSK) mode. Data is encrypted using the RC4 stream cipher, with a 128-bit key and a 48-bit initialization vector (IV). One major improvement over WEP is given by the Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used. When combined with the much larger IV, this defeats the well-known key recovery attacks on WEP.

In addition to authentication and encryption, WPA also provides vastly improved payload integrity. The cyclic redundancy check (CRC) used in WEP is inherently insecure; it is possible to alter the payload and update the message CRC without knowing the WEP key. A far more secure message authentication code (here termed a Message Integrity Check (MIC)) called "Michael" is used in WPA. Further, the MIC used in WPA includes a frame counter, which prevents replay attacks.

In summary, by increasing the size of the keys, increasing the number of keys in use, and adding a secure message verification system, WPA makes breaking into a wireless LAN far more difficult.

WPA2 is the implementation of IEEE 802.11i approved by the Wi-Fi Alliance. WPA2 implements the mandatory elements of 802.11i (http://www.wi-fi.org/opensection/pdf/WPA2_Q_A.pdf).
The Wi-Fi Alliance has introduced the terms WPA(2)-Personal and WPA(2)-Enterprise for use in their Wi-Fi Interoperability Certificate. WPA(2)-Personal refers to WPA operating in pre-shared key mode, while WPA(2)-Enterprise refers to WPA operating with an authentication server. The terms serve to indicate what features and capabilities the certified product has in terms of security.

Security in pre-shared key mode

Pre-shared key mode is designed for home and small office networks that cannot afford the cost and complexity of an 802.1X authentication server. Each user must enter a passphrase to access the network. The passphrase is typically stored on the user's computer, so it need only be entered once.

Security is strengthened by employing a PBKDF2 key derivation function; however, the weak passphrases users typically employ create a major vulnerability to password cracking attacks. It is recommended that a passphrase of at least 5 Diceware words or 14 completely random letters be used with WPA. For maximum strength, 8 Diceware words or 22 random characters should be employed.

Passphrases should be changed whenever an individual with access is no longer authorized to use the network or when a device configured to use the network is lost or compromised.
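The PBKDF2 step and the passphrase-length recommendations above can be checked with the following added example, which is not part of the original article. The derivation parameters (HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output, 8 to 63 printable ASCII characters) come from IEEE 802.11i rather than from this page; the 7776-word Diceware list and the 26-letter alphabet used for the entropy figures are assumptions.

```python
import hashlib
import math

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA-PSK (not stated on this page)
PMK_LENGTH = 32            # 256-bit pre-shared key / pairwise master key
DICEWARE_WORDS = 7776      # assumption: standard five-dice Diceware word list
LETTERS = 26               # assumption: "random letters" means a-z, one case


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit key from a WPA passphrase, salted with the SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrases are printable ASCII only")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                               PBKDF2_ITERATIONS, PMK_LENGTH)


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of a secret built from independent, uniformly chosen symbols."""
    return symbols * math.log2(alphabet_size)


def hmac_calls_per_guess() -> int:
    """HMAC-SHA1 evaluations one passphrase guess costs: PBKDF2 needs one
    4096-iteration chain per 20-byte SHA-1 block of the 32-byte output."""
    blocks = math.ceil(PMK_LENGTH / hashlib.sha1().digest_size)
    return blocks * PBKDF2_ITERATIONS


if __name__ == "__main__":
    # Constructed sample input: passphrase "password" on a network named "IEEE".
    print("PMK:", derive_pmk("password", "IEEE").hex())
    print("HMAC-SHA1 calls per guess:", hmac_calls_per_guess())
    for label, n, size in [("5 Diceware words", 5, DICEWARE_WORDS),
                           ("14 random letters", 14, LETTERS),
                           ("8 Diceware words", 8, DICEWARE_WORDS),
                           ("22 random letters", 22, LETTERS)]:
        print(f"{label}: {entropy_bits(n, size):.1f} bits")
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network, and the stretching multiplies the cost of each guess by a fixed factor only; the passphrase entropy is what determines resistance to cracking.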