Wi-Fi Protected Access (WPA and WPA2) is a class of systems to secure wireless (Wi-Fi) computer networks. It was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).
WPA implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. WPA is specifically designed to also work with pre-WPA wireless network interface cards (through firmware upgrades), but not necessarily with first generation wireless access points. WPA2 implements the full standard, but will not work with some older network cards.
WPA2 implements the mandatory elements of 802.11i. In particular, it introduces a new AES-based algorithm, CCMP, that is considered fully secure. From March 13, 2006, WPA2 certification is mandatory for all new devices wishing to be Wi-Fi certified.
Security in pre-shared key mode
Pre-shared key mode (PSK, also known as personal mode) is designed for home and small office networks that don’t require the complexity of an 802.1X authentication server. Each user must enter a passphrase to access the network. The passphrase may be from 8 to 63 printable ASCII characters or 64 hexadecimal digits (256 bits).[2] If you choose to use the ASCII characters, a hash function reduces it from 504 bits (63 characters * 8 bits/character) to 256 bits (using also the SSID). The passphrase may be stored on the user’s computer at their discretion under most operating systems to avoid re-entry. The passphrase must remain stored in the Wi-Fi access point.
Security is strengthened by employing a PBKDF2 key derivation function. However, the weak passphrases users typically employ are vulnerable to password cracking attacks. To protect against a brute force attack, a truly random passphrase of at least 20 characters should be used, and 33 characters or more is recommended.[3]
Some consumer chip manufacturers have attempted to bypass weak passphrase choice by adding a method of automatically generating and distributing strong keys through a software or hardware interface that uses an external method of adding a new Wi-Fi adapter or appliance to a network. These methods include pushing a button (Broadcom SecureEasySetup[4] and Buffalo AirStation One-Touch Secure System) and entering a short challenge phrase through software (Atheros JumpStart[5]). The Wi-Fi Alliance has standardized these methods in a program called Wi-Fi Protected Setup (formerly Simple Config).
EAP extensions under WPA- and WPA2- Enterprise
The Wi-Fi alliance has announced the inclusion of additional EAP (Extensible Authentication Protocol) types to its certification programs for WPA- and WPA2- Enterprise. This was to ensure that WPA-Enterprise certified products can interoperate with one another. Previously, only EAP-TLS (Transport Layer Security) was certified by the Wi-Fi alliance.
The EAP types now included in the certification program are:
EAP-TLS (previously tested)
EAP-TTLS/MSCHAPv2
PEAPv0/EAP-MSCHAPv2
PEAPv1/EAP-GTC
EAP-SIM
Other EAP types may be supported by 802.1X clients and servers developed by specific firms. This certification is an attempt for popular EAP types to interoperate; their failure to do so is currently one of the major issues preventing rollout of 802.1X on heterogeneous networks
WPA implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. WPA is specifically designed to also work with pre-WPA wireless network interface cards (through firmware upgrades), but not necessarily with first generation wireless access points. WPA2 implements the full standard, but will not work with some older network cards.
WPA2 implements the mandatory elements of 802.11i. In particular, it introduces a new AES-based algorithm, CCMP, that is considered fully secure. From March 13, 2006, WPA2 certification is mandatory for all new devices wishing to be Wi-Fi certified.
Security in pre-shared key mode
Pre-shared key mode (PSK, also known as personal mode) is designed for home and small office networks that don’t require the complexity of an 802.1X authentication server. Each user must enter a passphrase to access the network. The passphrase may be from 8 to 63 printable ASCII characters or 64 hexadecimal digits (256 bits).[2] If you choose to use the ASCII characters, a hash function reduces it from 504 bits (63 characters * 8 bits/character) to 256 bits (using also the SSID). The passphrase may be stored on the user’s computer at their discretion under most operating systems to avoid re-entry. The passphrase must remain stored in the Wi-Fi access point.
Security is strengthened by employing a PBKDF2 key derivation function. However, the weak passphrases users typically employ are vulnerable to password cracking attacks. To protect against a brute force attack, a truly random passphrase of at least 20 characters should be used, and 33 characters or more is recommended.[3]
Some consumer chip manufacturers have attempted to bypass weak passphrase choice by adding a method of automatically generating and distributing strong keys through a software or hardware interface that uses an external method of adding a new Wi-Fi adapter or appliance to a network. These methods include pushing a button (Broadcom SecureEasySetup[4] and Buffalo AirStation One-Touch Secure System) and entering a short challenge phrase through software (Atheros JumpStart[5]). The Wi-Fi Alliance has standardized these methods in a program called Wi-Fi Protected Setup (formerly Simple Config).
EAP extensions under WPA- and WPA2- Enterprise
The Wi-Fi alliance has announced the inclusion of additional EAP (Extensible Authentication Protocol) types to its certification programs for WPA- and WPA2- Enterprise. This was to ensure that WPA-Enterprise certified products can interoperate with one another. Previously, only EAP-TLS (Transport Layer Security) was certified by the Wi-Fi alliance.
The EAP types now included in the certification program are:
EAP-TLS (previously tested)
EAP-TTLS/MSCHAPv2
PEAPv0/EAP-MSCHAPv2
PEAPv1/EAP-GTC
EAP-SIM
Other EAP types may be supported by 802.1X clients and servers developed by specific firms. This certification is an attempt for popular EAP types to interoperate; their failure to do so is currently one of the major issues preventing rollout of 802.1X on heterogeneous networks
Comments