WPA: It's like WEP, but Good

The frame is transmitted using the RC4 stream cipher, which translates the encrypted frame into the bits making up the radio stream. The receiving station decrypts the encoded frame as it is received and sends it on its way.

And that, in several nutshells, is the way that WLAN security has been implemented in the past. The encoding of data transmitted over the WLAN was enough to discourage the casual eavesdropper, but not strong enough for enterprise usage because it could be easily attacked and decrypted by a determined adversary.

The problem that faced the IEEE was how to strengthen the security of the protocol while assuring functional compatibility with the WLANs already out there. Whatever they did, it couldn't "break" existing WLAN installations. This greatly limited the available options, to be sure. Worse, there was an upcoming standard called 802.11i that had to be taken into account. Any changes that were made now couldn't be allowed to cause problems in the future as well as trip over what was done in the past. These kinds of parameters made the solution fairly tough to come up with.

TKIP: changing the key over time

The IEEE committee did it though. The new security protocol WPA is both backwards and forwards compatible. They integrated part of what is to be done in the upcoming 802.11i into WPA, namely a cipher suite called TKIP (Temporal Key Integrity Protocol). This is the method that actually does the encryption of the data packets. What TKIP's use does is directly address one of the critical problems with WEP, that is, it didn't change the encryption keys enough over time. This allowed someone to "listen" to the packets with a receiver and then wait for the limited number of encryption keys used in WEP to repeat. If you got enough repeats, you could figure out the base key. It was comparatively easy to do as these things go, since it was not a very long key to begin with. (It can be shown mathematically that an increase in a key's length makes it harder to figure out. Therefore, a short key is easier to crack than a longer one.)

TKIP starts with a longer key length than was used in WEP, so it gains some cryptological strength from this right off the bat. The key is 256 bits in length, whether the key is entered as 64 hex digits or as ASCII characters. If the key is input as ASCII, WPA uses a hash function to create the actual 256-bit key. It is also recommended by the WPA committee that passwords longer than 8 characters should be used. Indeed, they recommend that 20 characters or longer is a reasonable length for a password.

And unlike WEP, TKIP changes the base key it uses to encode the data frames after a certain number of frames have been sent. (Most implementations make this around 10,000 frames.) This means that a listener will find it much harder to break the packet's encryption than he would have if one were using the WEP system. This is where the temporal part comes in. As time changes, so does the key.
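The step described above, where a key typed as ASCII is hashed into the 256-bit key, is shown here as an added example (not code from the original article). The article does not name the hash; in WPA-Personal it is PBKDF2 with HMAC-SHA1, the network's SSID as salt and 4096 iterations. The function names, the SSID and the passphrases are sample values chosen for illustration.

```python
import hashlib
import string

RECOMMENDED_MIN_LEN = 20  # passphrase length the article calls reasonable


def wpa_psk(key_material: str, ssid: str) -> bytes:
    """Return the 256-bit pre-shared key for a WPA-Personal network."""
    # A 64-character entry can only be the raw key written as hex digits.
    if len(key_material) == 64:
        if not all(c in string.hexdigits for c in key_material):
            raise ValueError("a 64-character key must be hex digits")
        return bytes.fromhex(key_material)
    # Anything else is a passphrase: 8 to 63 printable ASCII characters.
    if not 8 <= len(key_material) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in key_material):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    # PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes (256 bits) out.
    return hashlib.pbkdf2_hmac("sha1", key_material.encode("ascii"), salt, 4096, 32)


def below_recommended_length(key_material: str) -> bool:
    """True for a passphrase (not a raw hex key) shorter than 20 characters."""
    return len(key_material) != 64 and len(key_material) < RECOMMENDED_MIN_LEN


if __name__ == "__main__":
    # Constructed sample inputs: (key material, SSID).
    samples = [
        ("password", "IEEE"),
        ("correct horse battery staple", "IEEE"),
        ("password", "OtherNet"),  # same passphrase, different SSID
        ("ab" * 32, "IEEE"),       # raw 256-bit key as 64 hex digits
    ]
    for key_material, ssid in samples:
        psk = wpa_psk(key_material, ssid)
        note = "  (shorter than recommended)" if below_recommended_length(key_material) else ""
        print(f"{ssid:9} {psk.hex()}{note}")
```

Because the SSID is the salt, the same passphrase yields a different 256-bit key on every differently named network, while a 64-hex-digit key is used as entered.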