WPA: New Protection for 802.11
October 31, 2002
Say good-bye to WEP encryption: the standards body behind Wi-Fi network interoperability is now touting Wi-Fi Protected Access (WPA) as the soon-to-be official security standard for WLANs.
The non-profit Wi-Fi Alliance, the consortium behind interoperability standards and testing for 802.11-based networks, has announced an official replacement for the much derided Wired Equivalent Privacy (WEP).
Why not wait for 802.11i? According to Dennis Eaton, the chairman of the Wi-Fi Alliance, "[IEEE] Task Group I doing 802.11i is still on a path to be complete about this time next year with a fully ratified standard, but that's a little too long. We had to do something sooner."
That something sooner is WPA, which, according to Eaton, will work with the majority of 802.11-based products out today once they've gone through a firmware/software upgrade. WPA is forward compatible with 802.11i. By the time 802.11i is ratified around September of next year, expect to see a WPA version 2.0 with full 802.11i support. Eventually, the Alliance expects to require Wi-Fi products to ship with WPA turned on as a default.
The way WPA will work in the enterprise is similar to the setup of any 802.1X authentication system. Clients and access points must have WPA enabled, and the access point relays the client's credentials to an 802.1X authentication server of some sort that speaks the Extensible Authentication Protocol (EAP), such as a RADIUS server, which provides centralized access management.
"The server provides the scalability for the design, user credentials, authorization as users request access, and generates the keys for Temporal Key Integrity Protocol (TKIP) encryption...TKIP is part of WPA," says Eaton. Once the server authenticates the user, the access point will let that user on to the wired network -- up to that point, the client only talked to the server.
Home network users usually won't have an authentication server, but the WPA solution still uses 802.1X. They won't get the upper layer authentication, but can take advantage of Pre-shared Key mode.
"Pre-shared Key is used much like WEP -- you key in a pass phrase [called the master key] in both the client and access point," says Eaton. "In the association process, if the password matches, then the access point allows access to the Internet or wired network. You still get the advantage of 802.1X, so my key is different from my wife's key on the same access point, but our keys are refreshed every time we connect. The pass phrase is the same, but the key is generated."

WEP, on the other hand, uses a static key that is seldom changed by users and is reused for every packet. This cryptographic weakness is responsible for many of the known security issues in WLANs today -- any patient attacker who captures enough traffic can eventually recover the encryption key and get on the network.
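To make the key hierarchy behind these two paragraphs concrete, here is an added example; it is not code from the article, the Wi-Fi Alliance, or any vendor. It follows the derivations that WPA took from the IEEE 802.11i draft: in Pre-shared Key mode the pass phrase and SSID are stretched with PBKDF2-HMAC-SHA1 (4096 iterations) into a 256-bit Pairwise Master Key, and every association then runs the PMK, both MAC addresses and the two handshake nonces through the 802.11i PRF to produce a fresh per-station Pairwise Transient Key that holds the TKIP encryption and MIC keys. The SSID, pass phrase, MAC addresses and nonces are constructed for the demo; the enterprise path is only stubbed with random bytes standing in for the key material the EAP/RADIUS server would hand the access point.

```python
import hashlib
import hmac
import os


# --- PSK mode (home): pass phrase + SSID -> 256-bit Pairwise Master Key (PMK) ---
def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


# --- Enterprise mode: the PMK comes out of the EAP exchange and is delivered to
# the access point by the RADIUS server; simulated here with random bytes. ---
def pmk_from_eap_server() -> bytes:
    """Stand-in for the per-user key material the authentication server generates."""
    return os.urandom(32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i), truncated."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, nbits: int = 512) -> bytes:
    """Pairwise Transient Key for one association (TKIP uses 512 bits).

    Inputs are the PMK plus the two MAC addresses and the two nonces exchanged
    in the four-way handshake, ordered so that both sides compute the same key.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def split_tkip_ptk(ptk: bytes) -> dict:
    """TKIP PTK layout: KCK | KEK | TK | MIC key AP->STA | MIC key STA->AP."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "MIC_AP": ptk[48:56], "MIC_STA": ptk[56:64]}


def associate(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> tuple:
    """One (re)connection: fresh nonces from both sides, hence a fresh PTK."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    return derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce), anonce, snonce


def demo() -> dict:
    """Two stations on one PSK access point, one of them reconnecting."""
    # Constructed values: hypothetical SSID and pass phrase, made-up MAC addresses.
    ap = bytes.fromhex("00aabbccdd01")
    sta_a = bytes.fromhex("00112233aa01")
    sta_b = bytes.fromhex("00112233bb02")
    pmk = pmk_from_passphrase("correct horse battery", "HomeNet")

    ptk_a1, anonce, snonce = associate(pmk, ap, sta_a)
    ptk_a2, _, _ = associate(pmk, ap, sta_a)   # same station, next connection
    ptk_b, _, _ = associate(pmk, ap, sta_b)    # different station, same pass phrase

    # Anyone holding the pass phrase who captured station A's handshake nonces
    # can rebuild station A's PTK: PSK mode separates clients only from outsiders.
    ptk_insider = derive_ptk(pmk, ap, sta_a, anonce, snonce)

    return {"pmk": pmk, "ptk_a1": ptk_a1, "ptk_a2": ptk_a2, "ptk_b": ptk_b,
            "ptk_insider": ptk_insider, "keys_a1": split_tkip_ptk(ptk_a1)}


if __name__ == "__main__":
    r = demo()
    print("PMK             ", r["pmk"].hex())
    print("PTK A (1st)     ", r["ptk_a1"].hex())
    print("PTK A (2nd)     ", r["ptk_a2"].hex())
    print("PTK B           ", r["ptk_b"].hex())
    print("Insider rebuilt ", r["ptk_insider"] == r["ptk_a1"])
```

Running `demo()` shows what Eaton describes: one pass phrase, but a different PTK for each station and a new one on every reconnection. The last step is the caveat a practitioner should keep in mind: in PSK mode every station shares the same PMK, so anyone who knows the pass phrase and records the handshake nonces (which travel in the clear) can derive another station's keys. Only the enterprise path, where the EAP server generates distinct key material per user, gives real per-user separation.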
WPA takes advantage of the 802.11i specification's requirements for things like 802.1X and TKIP, but leaves out things that require a hardware upgrade or aren't ready, such as secure fast handoff, secure de-authentication and disassociation, and AES-CCMP enhanced encryption.
The Wi-Fi Alliance is only requiring products going forward to have WPA built in if they expect to get the Wi-Fi Certification stamp -- older and current WLAN products don't have to get a WPA upgrade. However, Eaton expects that upgrades to WPA will start appearing from vendors in the next several months. Whether vendors provide the upgrade for individual products or not depends upon their stance and whether they get support for it from the core technology providers such as the chipset makers. Already announcing support for WPA with future upgrades are major 802.11 vendors (and Wi-Fi Alliance members) such as Agere, Atheros, Atmel, Colubris, Funk Software, Intersil, Proxim, Resonext, and Texas Instruments.
"We're fully behind it," says Bill Carney, Director of Marketing and Business Development at Texas Instruments. "It's important security. Security is the biggest roadblock to adoption."
Companies are free to resubmit older products with WPA implemented to the Alliance for testing. Interoperability testing of such products will begin in February 2003.
Eric Griffith is the managing editor of 802.11 Planet.