Protecting Your 802.11 Network with WPA
May 21, 2003
Now that Wi-Fi Protected Access is arriving in an 802.11 product installed near you, the big questions come up, such as: How do you actually use it? And is it worth upgrading to it in the long run? Experts from the industry will explain WPA at the upcoming 802.11 Planet Conference & Expo.
After suffering with Wired Equivalent Privacy (WEP) for what seems like ages, we finally have a wireless security protocol, Wi-Fi Protected Access (WPA), that gives us reasonable, albeit not perfect, protection. But, now the question is: how do you actually use it?
The theory of how WPA works is simple enough. WEP's main problems are that its security keys are very breakable and that there's no easy way to reset keys on a regular basis to avoid someone breaking messages encrypted with an overused key.
WPA addresses these concerns, not by replacing RSA Security's weak RC4 encryption, but by improving how RC4 is implemented and adding automatic key resetting. Specifically, WPA first increases the initialization vector (IV) from 24 bits to 48 bits. This makes a WPA-protected message orders of magnitude harder to crack.
Next, WPA changes the key with every 802.11 packet using the Temporal Key Integrity Protocol (TKIP). This is a mixed blessing. While it does make packets harder to break, it comes at the cost of PC and Network Interface Card (NIC) performance.
Finally, WPA uses that ancient message security technique of a checksum. In WPA, this is done by checking the validity of an 8-bit message integrity code (MIC), also known as "Michael," within the frame and by testing the 802.11 frame's 4-byte integrity check value (ICV).
In addition, WPA includes some of 802.1X's server-based authentication tricks, with support for Extensible Authentication Protocol (EAP) using Remote Authentication Dial-In User Service (RADIUS) or a pre-shared key. Although this doesn't help security directly, server-based authentication can go a long way toward stopping and tracking security breaches for larger Wi-Fi installations.
The end result of these technology improvements is that Wi-Fi will be far safer. How much safer? Enough to make the safety distance between a top-of-the-line Saab and a "fire in the back!" Pinto look minute.
Before you charge out and start implementing WPA, you should know that WPA is a stopgap security measure. It's really just a snapshot of the IEEE 802.11i standard (rumor has it the Wi-Fi Alliance might want to brand 802.11i as WPA2 for just that reason). Unfortunately, 802.11i is still a ways out from being done and since ever faster computers made hacking WEP ever easier, the Wi-Fi Alliance decided to put out a temporary standard, WPA, until 802.11i is finalized.
One headache you shouldn't have though, which many of us have faced with pre-standard 802.11g equipment, is compatibility. The Wi-Fi Alliance has set down the ground-rules for WPA and is making sure that all vendors stick to the letter of the WPA law.
The idea also is that any WPA devices or software you buy soon will be backwards compatible with 802.11i. Well, except that 802.11i will also introduce an optional replacement for RC4 called Advanced Encryption Standard (AES). Given RC4's track record in WEP, many vendors and users will want AES and many current WPA implementations won't be able to support it since to run in real-time, this encryption protocol currently requires a dedicated encryption/decryption chip. But if AES hardware is present, WPA will use it in place of TKIP.
Some WPA cards will be able to support 802.11i. For example, take Texas Instruments' TNETW1130 chip, which supports 802.11a, b and g, and has built-in hardware accelerators for AES. If you buy any access point or NIC with that chip, you will be able to use them with WPA and also after 802.11i finally arrives.
The moral of the story is if you're looking to upgrade your wireless infrastructure only once within the next year or two, your best bet is to look for equipment with 802.11i-capable chipsets.
Ready to Replace Everything?
Next, if you're going to seriously use WPA, you can't just replace/upgrade an access point here and a radio-based NIC there. You need to replace and upgrade all your Wi-Fi equipment.
Why? Because while WPA equipment will work with WEP hardware, it does so by down-shifting to WEP. A security chain is only as strong as its weakest link, so if you try mixing old WEP hardware with WPA, you're likely to end up with a false sense of security followed by a criminal hacker in your network.
In theory, you can upgrade your existing WEP equipment to WPA with a firmware upgrade. While these products are slowly becoming available, you may want to hold up for a while. Upgrading firmware can be difficult in its own right and 1.0 versions of anything tend to be the versions with problems.
In many cases, you simply can't upgrade the cards. For example, there was a rumor at the beginning of the year that Apple's AirPort Card could be firmware upgraded to take advantage of WPA. It can't be.
Indeed, it may well be that before solid WPA firmware upgrades become available, 802.11i equipment will be arriving on the scene. Therefore, if you need better wireless security today, your best move may be to bite the bullet and replace your equipment with WPA-capable hardware today.
If you simply can't afford that but need additional security sooner rather than later, vendors like Atheros recommend using a Virtual Private Network (VPN) for your non-WPA equipment and forcing non-WPA-capable routers to use a Virtual LAN (VLAN) to connect with a VPN gateway. This way, all your non-WPA traffic must run through a VPN before entering the better secured division of your network.
Don't think, by the way, that if you're running Windows XP as your operating system (OS), you can avoid these problems. While it's true that Microsoft supports WPA in XP, that doesn't mean it enables XP to run WPA in the operating system thus avoiding the need for new WPA-capable equipment or a firmware update. As Microsoft spells out in its WPA document: "Wireless network adapters must have their firmware updated" to make use of WPA's functionality. Indeed, when you get right down to it, the only thing Microsoft does to support WPA is to enable "clients that are running Windows XP service pack 1 (SP1) and later or Windows Server 2003 and that are using a wireless network adapter that supports the Wireless Zero Configuration (WZC) service." That's it.
Microsoft will also not be giving support to those few WZC users running on earlier versions of their operating system. The Redmond giant has, however, promised to support 802.11i and 802.1X across their product line, including the almost outmoded Windows 98 Second Edition.
On most operating systems, such as Linux and MacOS, you won't have to make any operating system changes. Of course, your client software and driver will need to be upgraded to work with WPA, but that's true of any significant NIC change.
For the most part, though, changing over to WPA will simply be a matter of plugging in the new hardware, upgrading your software and logging on to the network. It should take only seconds longer than installing WEP-empowered NICs or access points today.
If you're using a RADIUS server for authentication, you will of course have to work the WPA hardware into your RADIUS setup using your vendor's directions. If you have a small business or a home Wi-Fi network, you'll want to use a pre-shared key and set it on each workstation and access point. This shouldn't cause you any grief. It's less trouble than doing WEP right in the first place and provides much better protection.
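As an added illustration (not code from this article or from any vendor), the sketch below shows why the pre-shared key has to be entered identically everywhere: the IEEE 802.11i passphrase mapping used by WPA pre-shared key mode derives the 256-bit key from the passphrase and the SSID together, so a typo in either yields a different key. The device names, SSID, passphrase and the function names derive_psk and find_mismatched_devices are constructed for the example.

```python
import hashlib
import hmac

def validate_passphrase(passphrase: str) -> None:
    """A WPA passphrase is 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map passphrase + SSID to the 256-bit pre-shared key.

    IEEE 802.11i passphrase mapping: PBKDF2 with HMAC-SHA1, the SSID as
    salt, 4096 iterations, 32 bytes of output.
    """
    validate_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def find_mismatched_devices(reference_psk: bytes, devices: dict) -> list:
    """Return the devices whose settings do not derive the reference key."""
    mismatched = []
    for name, (passphrase, ssid) in sorted(devices.items()):
        try:
            psk = derive_psk(passphrase, ssid)
        except ValueError:
            mismatched.append(name)  # setting is not a valid passphrase/SSID
            continue
        if not hmac.compare_digest(psk, reference_psk):
            mismatched.append(name)
    return mismatched

# Constructed sample inventory: device name -> (passphrase, SSID) as entered.
SAMPLE_SSID = "example-office"
SAMPLE_PASSPHRASE = "correct horse battery staple 2003"
SAMPLE_DEVICES = {
    "access-point": (SAMPLE_PASSPHRASE, SAMPLE_SSID),
    "front-desk-pc": (SAMPLE_PASSPHRASE, SAMPLE_SSID),
    "laptop-typo": ("correct horse battery staple 2O03", SAMPLE_SSID),  # letter O
    "printer-ssid-case": (SAMPLE_PASSPHRASE, "Example-Office"),  # SSID case differs
    "kiosk-short": ("wifi", SAMPLE_SSID),  # under 8 characters
}

if __name__ == "__main__":
    ap_psk = derive_psk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    print("will not associate:", find_mismatched_devices(ap_psk, SAMPLE_DEVICES))
```

Because the SSID is the salt, renaming the network changes the derived key even when the passphrase stays the same.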
The real question is: "Is WPA worth it with 802.11i on the horizon?" There's no good answer. If the IEEE standardization process goes extremely well, 802.11i might be available as early as the end of this year. In that case, your new WPA hardware might only be state of the security art for as little as six months.
In the worst-case scenario, though, we could still be sitting here in May of 2004 and still not have either standard finalized. In that case, buying WPA makes much more sense.
So ask yourself: how important is Wi-Fi security for you today? If it's mission-critical, go ahead and buy WPA-capable access points and NICs. But, if it's not, maybe you should stick to doing what you can with WEP and a VPN, and gamble that 802.11i will arrive by the end of this year instead of next year.
Want to learn more about WPA and its implementation? Join us at the 802.11 Planet Conference & Expo, June 25-27, 2003 at the World Trade Center Boston in Boston. Sam Ho and Ajay Rane of Intel's Wireless Networking Group are presenting a workshop on "End-to-End Enterprise WLAN Security Implementation Using CCx and WPA" on June 25. On June 26, a panel of security experts will discuss "Does WPA Close The Wi-Fi Security Gap?"