WPA: It's like WEP, but Good

By Larry Loeb
10/31/2005 12:01:00 AM

WLANs (wireless local area networks) that follow the various IEEE (Institute of Electrical and Electronics Engineers) standards grouped together under the number/name 802.11 have had problems with security since the first commercial products were introduced a few years ago. The security methods that were provided in the first implementations of 802.11 were found to be vulnerable to attacks that compromised the confidentiality of the data sent out over the WLAN. WPA (Wi-Fi protected access) is an update of these security measures that fixes both the ciphers and the authentication methods used in the protocol.

WPA increases Wi-Fi WEP security in two ways: it fixes the problem with an easily cracked key, and makes authentication of users possible. That they did it without breaking all the hardware that has already been purchased (save for a needed firmware upgrade at most) is testament to some very wise engineering that went on in the development process. This time, users won.

What has gone before WPA

Before the security improvements that have recently been introduced to 802.11 by WPA can be understood, the original security mechanism has to be explained to some extent. This is because both the original and the improvements share common ground in their functioning.

The first security mechanism that was used in the 802.11 protocol is called WEP (wired equivalent protocol). It operates in the MAC (medium access control) layer of the system. The MAC Layer manages and maintains communications between the various 802.11 stations (the radio network cards and access points) by coordinating access to a shared radio channel. The 802.11 MAC Layer uses an 802.11 Physical (PHY) Layer, such as 802.11b or 802.11a, to perform the actual tasks of carrier sensing, transmission, and receiving of the 802.11-defined frames of information.
The MAC layer is the layer where the logical decisions about the configuration (as well as the authentication) of the WLAN are made.

Authentication in these 802.11 systems can be either "open" or "shared key". If the system is open, any wireless station that adheres to the standard and is in transmit/receive range can be added to the WLAN as a full-fledged member. Authenticating a station trying to join the WLAN with a shared key is a four-step process. First, one station starts the process by requesting authentication. The destination station then sends the originator some text. The originator encrypts the text using the shared key both stations are assumed to possess, and sends it back to the destination. The destination compares the decrypted response to the original challenge text and, if they match, lets the originator join the WLAN.

After authentication, WEP, which is optional and separate from this shared key ("password") access gate, carries this concept one step further by encrypting just the body and CRC (cyclic redundancy check) of a message (but not the headers) with the shared key. The frame is transmitted using the RC4 stream cipher, which translates the encrypted frame into the bits making up the radio stream. The receiving station decrypts the encoded frame as it is received and sends it on its way.

And that, in several nutshells, is the way that WLAN security has been implemented in the past. The encoding of data transmitted over the WLAN was enough to discourage the casual eavesdropper, but not strong enough for enterprise usage because it could be easily attacked and decrypted by a determined adversary.

The problem that faced the IEEE was how to strengthen the security of the protocol while assuring functional compatibility with the WLANs already out there. Whatever they did, it couldn't "break" existing WLAN installations. This greatly limited the available options, to be sure.
Worse, there was an upcoming standard called 802.11i that had to be taken into account. Any changes that were made now couldn't be allowed to cause problems in the future, nor could they trip over what was done in the past. These kinds of parameters made the solution fairly tough to come up with.

TKIP: changing the key over time

The IEEE committee did it, though. The new security protocol WPA is both backwards and forwards compatible. They integrated part of what is to be done in the upcoming 802.11i into WPA, namely a cipher suite called TKIP (temporal key integrity protocol). This is the method that actually does the encryption of the data packets.

TKIP directly addresses one of the critical problems with WEP; that is, it didn't change the encryption keys enough over time. This allowed someone to "listen" to the packets with a receiver and then wait for the limited number of encryption keys used in WEP to repeat. If you got enough repeats, you could figure out the base key. It was comparatively easy to do as these things go, since it was not a very long key to begin with. (It can be shown mathematically that an increase in a key's length makes it harder to figure out. Therefore, a short key is easier to crack than a longer one.)

TKIP starts with a longer key length than was used in WEP, so it gains some cryptological strength from this right off the bat. The key is 256 bits in length, whether the key is entered as 64 hex digits or as ASCII characters. If the key is input as ASCII, WPA uses a hash function to create the actual 256-bit key. It is also recommended by the WPA committee that passwords longer than 8 characters should be used. Indeed, they recommend that 20 characters or longer is a reasonable length for a password.

And unlike WEP, TKIP changes the base key it uses to encode the data frames after a certain number of frames have been sent. (Most implementations make this around 10,000 frames.)
This means that a listener will find it much harder to break the packet's encryption than he would have if one were using the WEP system. This is where the temporal part comes in. As time changes, so does the key.

Further increasing security, TKIP adds a message integrity check to the data packet to prevent forgeries. The method of this integrity check is called Michael, and was designed to be performed "on the fly" by legacy equipment. This is actually trickier than it sounds, because the method had to be constructed so that it provides the desired result without requiring the computationally intense operations (and concomitant hardware co-processor) that are usually associated with this sort of thing. As implied, Michael does not integrity check management and control messages, only data.

Martha and the master keys

The committee also changed how the initial "master" key is to be generated, further increasing the security options available to the WLAN. One method is to specify that the initial key can be initiated from a location using some password that is unique for that location. (This is the kind of security that would be used by most single or home users.)

But an enterprise needs a different way to manage an enterprise-linked WLAN. Keys can't just be assigned by Martha in Accounting on the Third Floor. A WLAN is dynamic, ever changing. In recognition of this, WPA allows use of a central server (whose name should be, but is not, Martha) to authenticate the passwords in an enterprise network. Through the use of the RADIUS (remote access dial-in user service) protocol, a user trying to join a network can be authenticated first before being joined. This method of authentication is built on existing standards, so it is not platform-dependent.

Authentication the RADIUS way

Here's an overview of how the RADIUS authentication proceeds.
This stuff gets fairly dense, and assumes that you understand the basics of the EAP (extensible authentication protocol) standard. If you don't, fear not. You'll be able to derive the meanings from the context in which it is used.

Let's begin with the simplest situation. When a roaming station wants to connect to an AP, the following operations are performed in this order by the roaming station:

1. Select a network, i.e. specify an SSID (Service Station ID).
2. Find APs that are nearby for the selected SSID.
3. Associate to a chosen AP.
4. Initiate 802.1X authenticated key management. (There is a whole process associated with this that we will skip over for brevity's sake, and just assume that it is completed successfully.)
5. Install the keys obtained from authenticating to the AP.

Roaming can be done by (re)associating and then doing 802.1X authentication. In this case the station repeats the same actions as for an association, but the encryption/integrity keys are removed from the encryption/integrity engine when roaming away from the AP that the keys were obtained from. The station then deletes the keys when it disassociates/deauthenticates from the previous SSID.

Configuration issues

APs advertise their capabilities in the WPA IE (information element). So, if one doesn't want particular ciphers to be used, then they should not be advertised in the WPA IE for the AP/station. APs/stations should also be capable of being configured either to allow or not to allow non-WPA stations to associate. When configured to allow association of non-WPA stations, the multicast cipher should be the older WEP.

There are configuration options an AP should support for WPA compliance, namely:

1. Select one or more station configurations to associate to the AP (WEP, WPA, or WEP rekeying using the existing EAP key message).
2. For WPA, select the list of available ciphers for unicast.
3. Pre-shared key for WPA, which can be an ASCII passphrase or a 256-bit key.
4. Configure a WEP key for static WEP stations, which can be 40 or 104 bits in length.

The configuration options a roaming station should support are similar to the ones above and have the same basic set of choices. Stations get the WPA information element from the beacon or probe response messages.

Based on the station's encryption/integrity capabilities and its policy configuration, the station decides which APs it is willing to use. The policy configuration could include the ciphers the station is willing to use, the authenticated key management the station is willing to use, whether the station is willing to allow group keys to be used for unicast, and the like.

Does WPA want to associate with you?

If the station or AP receives a WPA information element with an authentication suite of WPA, then it should do 802.1X authentication and 802.1X key management. (802.1X key management is the term used for managing the keys using the IEEE 802.1X EAPOL-Key message.)

If the authentication suite is WPA-PSK, then it should do 802.1X key management. If the station does not receive a WPA information element in the Beacon or Probe Response, the station then follows the normal 802.11 authentication (this may include the current 802.1X authentication). Likewise, if the AP does not receive a WPA information element in the Association Request, the AP will follow the normal 802.11 association processing.

The AP should have a way to disable non-WPA clients from associating. If the AP supports WPA and non-WPA stations, there are a couple of cases to consider:

1. The non-WPA station supports an 802.1X supplicant that is a non-WPA 802.1X supplicant. In this case the AP can use 802.1X to send WEP key updates to the station. A non-WPA supplicant only supports group keys, and so the AP must track per station whether it supports unicast keys or not.
2. The non-WPA station does not support an 802.1X supplicant. The WEP key must be pre-configured into the non-WPA station and AP. Since the AP must use the pre-configured key for broadcast/multicast traffic, it must use WPA key update exchanges to send the key to the WPA stations. This means that the WPA stations in this configuration will have fixed keys for broadcast/multicast traffic, though they may use different keys for the unicast traffic if supported by the station and AP. The AP uses WPA Group key exchange to send the fixed WEP key to the WPA stations.
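The decision described under "Does WPA want to associate with you?" can be written as a small parser over the information elements of a beacon; this is an added example, not code from the article. The byte layout (vendor element ID 0xDD, OUI 00:50:F2 type 1, the suite numbers) is taken from the WPA specification rather than from this page, and the function names and sample beacons are constructed for illustration.

```python
OUI = bytes.fromhex("0050f2")            # OUI used by the WPA IE and its suite selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: ("WPA", "802.1X authentication and 802.1X key management"),
        2: ("WPA-PSK", "802.1X key management")}

def find_wpa_ie(ies):
    """Walk id/length/value elements; return the WPA IE body or None."""
    i = 0
    while i + 2 <= len(ies):
        eid, length = ies[i], ies[i + 1]
        body = ies[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        if eid == 0xDD and body[:4] == OUI + b"\x01":   # vendor IE, OUI type 1
            return body[4:]
        i += 2 + length
    return None

def read_suites(buf, off):
    """Read a little-endian count, then that many 4-byte OUI+type selectors."""
    end = off + 2 + 4 * int.from_bytes(buf[off:off + 2], "little")
    if off + 2 > len(buf) or end > len(buf):
        raise ValueError("suite list runs past end of WPA IE")
    types = [buf[p + 3] if buf[p:p + 3] == OUI else -1 for p in range(off + 2, end, 4)]
    return types, end

def assess(ies):
    """Return (action for the station, audit findings) for one beacon's IEs."""
    body = find_wpa_ie(ies)
    if body is None:
        return "normal 802.11 authentication", ["no WPA IE advertised"]
    if len(body) < 6:                    # 2-byte version + 4-byte group cipher suite
        raise ValueError("WPA IE too short")
    group = CIPHERS.get(body[5], "unknown") if body[2:5] == OUI else "unknown"
    pairwise, off = read_suites(body, 6)
    akms, _ = read_suites(body, off)
    # 802.1X (type 1) takes precedence over PSK when both are advertised.
    action = next((AKMS[a][1] for a in sorted(akms) if a in AKMS),
                  "no known authentication suite")
    findings = []
    if group.startswith("WEP"):
        findings.append("group cipher %s: AP admits non-WPA stations" % group)
    findings += ["WEP offered as unicast cipher" for c in pairwise if c in (1, 5)]
    return action, findings

# Constructed sample beacons (SSID element followed by an optional WPA IE).
ENTERPRISE = b"\x00\x08corp-lab" + bytes.fromhex(
    "dd16" "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f201")
MIXED_PSK = b"\x00\x08corp-lab" + bytes.fromhex(
    "dd16" "0050f201" "0100" "0050f205" "0100" "0050f202" "0100" "0050f202")
LEGACY = b"\x00\x06old-ap"
```

A WEP group cipher in the advertised IE is the visible sign of the mixed WPA/non-WPA configuration the article describes, which is why the audit flags it.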
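The TKIP section says the pre-shared key is 256 bits whether it is entered as 64 hex digits or as ASCII, with a hash step for the ASCII case. The following added example (not from the article) shows that step; the article does not name the function, and the one used here is the PBKDF2-HMAC-SHA1 derivation WPA-PSK specifies, salted with the SSID and run for 4096 iterations. The function names are illustrative.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)

def wpa_psk(key_input, ssid):
    """Return the 256-bit pre-shared key for a network with the given SSID."""
    # 64 hex digits are taken as the raw 256-bit key, with no hashing.
    if len(key_input) == 64 and set(key_input) <= HEX_DIGITS:
        return bytes.fromhex(key_input)
    # Anything else is an ASCII passphrase of 8 to 63 printable characters.
    if not 8 <= len(key_input) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in key_input):
        raise ValueError("passphrase must be printable ASCII")
    # The hash step: the SSID is the salt, so the same passphrase
    # yields a different key on every differently named network.
    return hashlib.pbkdf2_hmac("sha1", key_input.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def passphrase_findings(passphrase):
    """Audit a passphrase against the length guidance quoted in the article."""
    findings = []
    if len(passphrase) < 20:
        findings.append("shorter than the 20 characters recommended as reasonable")
    return findings
```

Because the SSID salts the derivation, a network that keeps a factory-default SSID shares its salt with every other network using that default, which is one more reason to follow the length recommendation.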