NETW 05A: APPLIED WIRELESS SECURITY 802.11i & Wi-Fi Protected Access By Mohammad Shanehsaz

Spring 2005
This work is supported by the
National Science Foundation under
Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
802.11i
- The IEEE standards board approved the 802.11i security standard on Thursday, June 24, 2004.
- The new 802.11i standard, or WPA2, supports the 128-bit Advanced Encryption Standard (AES).
- The new standard specifies the use of Temporal Key Integrity Protocol (TKIP) and 802.1x/EAP with mutual authentication.
- 802.1x authentication and key-management features for the various 802.11 Wi-Fi flavors.
- AES supports 128-bit, 192-bit and 256-bit keys.
- Any wireless LAN equipment complying with this standard will require a hardware upgrade due to AES encryption.
Wi-Fi Protected Access (WPA)
- Wi-Fi Protected Access was co-developed by the Wi-Fi Alliance and IEEE 802.11 Task Group i as an interim security solution while the 802.11i task group addressed the details involved in securing wireless LANs.
- WPA was designed to run on existing hardware as a security-upgrade firmware patch.
- The goals were strong data encryption through TKIP and mutual authentication through an 802.1x/EAP solution.
- WPA v1.0 was a subset of the IEEE 802.11i standard.
- WPA2 is the name chosen by the Wi-Fi Alliance to identify IEEE 802.11i standard gear.
Wi-Fi Protected Access (WPA)
WPA v1.0 did not include the following 802.11i items:
- Secure IBSS (Independent Basic Service Set, ad-hoc mode)
- Secure fast handoff
- Secure de-authentication and disassociation
- Advanced Encryption Standard (AES)
WPA Pre-Shared Key (PSK)
- WPA PSK runs in a SOHO environment where there is no authentication server and no EAP framework.
- It allows the use of manually entered keys or passwords and is designed to be easily implemented.
- All the home user needs to do is enter a password in their AP or home wireless gateway and in each PC associated to the Wi-Fi wireless network; WPA takes over automatically from that point.
- The password keeps out eavesdroppers and starts the TKIP encryption process.
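Added example (not part of the slides): how the password entered at the AP and each PC becomes the 256-bit Pairwise Master Key (PMK) that both sides derive before the TKIP session keys are negotiated. It follows the 802.11i PSK rule, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations; the function names are hypothetical, and the "password"/"IEEE" vector checked in the test is the published 802.11i Annex H test case.

```python
"""WPA-PSK passphrase-to-PMK derivation (illustrative code, not from the slides).

Per IEEE 802.11i, PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
A 64-hex-digit "password" is taken as the raw 256-bit key with no derivation.
The SSID is a public salt: it keeps identical passphrases on different networks
from sharing a PMK, but the PMK is only as strong as the passphrase itself, which
is why a SOHO network's security rests entirely on choosing a long one.
"""
import hashlib
import re

PMK_LEN = 32            # 256-bit Pairwise Master Key
PBKDF2_ITERATIONS = 4096
MAX_SSID_LEN = 32       # 802.11 SSID limit in bytes


def validate_passphrase(passphrase: str) -> None:
    """802.11i allows 8 to 63 printable ASCII characters, or exactly 64 hex digits."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", passphrase):
        return
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters or 64 hex digits")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK that the AP and the client both compute from the shared secret."""
    validate_passphrase(passphrase)
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= MAX_SSID_LEN:
        raise ValueError("SSID must be 1-32 bytes")
    if len(passphrase) == 64:            # validated above: raw hex key
        return bytes.fromhex(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, PBKDF2_ITERATIONS, PMK_LEN)


if __name__ == "__main__":
    # Constructed sample: the same passphrase yields different PMKs on two SSIDs.
    for ssid in ("IEEE", "HomeNet"):
        print(ssid, derive_pmk("password", ssid).hex())
```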
WPA Mixed Mode Deployment
- Useful in large networks with many clients and several types of authentication and encryption solutions in place during the transition between legacy and leading-edge security standards.
- Supports clients running both Wi-Fi Protected Access and original WEP security.
Deployment and Limitations
- As part of Wi-Fi product certification, the Alliance initially allowed vendors to ship units with WPA disabled, but easily enabled and configured.
- Now that WPA is included as a mandatory part of Wi-Fi certification testing, devices must ship with WPA enabled, and a user will have to configure a master key or an authentication server.
Limitations
- TKIP is built around WEP.
- Government deployments require that encryption technology be certified to comply with the Federal Information Processing Standard (FIPS) 140 standard published by the National Institute of Standards and Technology (NIST).
- These restrictions push manufacturers toward standardization on security solutions that implement data encryption through the use of 3DES or AES.
Resources
- CWSP Certified Wireless Security Professional, from McGraw-Hill