
SPECIAL FEATURE: NEXT GENERATION TELECOM

WPA: How it works


By Jon A. LaRosa

Wi-Fi Protected Access (WPA) addresses most known Wired Equivalent Privacy (WEP) vulnerabilities and is primarily intended for wireless infrastructure networks as found in the enterprise. This infrastructure includes stations, access points, and authentication servers (typically RADIUS servers). The RADIUS server holds (or has access to) user credentials (user names and passwords) and authenticates wireless users before they gain access to the network. In this article, Jon discusses how WPA works and provides insight into its function.

WPA

WPA's strength comes from an integrated sequence of operations that encompass 802.1X/EAP (Extensible Authentication Protocol) authentication and sophisticated key management and encryption techniques. Its major operations include:

• Network security capability determination: WPA information elements in Beacon, Probe Response, and (Re)Association Request frames communicate this at the 802.11 level. Information in these elements includes the authentication method (802.1X or pre-shared key) and the preferred cipher suite, which is one of WEP, Temporal Key Integrity Protocol (TKIP), or Advanced Encryption Standard (AES).
• Authentication: EAP over 802.1X performs authentication. Mutual authentication is gained by choosing an EAP type that supports it, and WPA requires it. 802.1X port access control blocks all traffic other than the authentication exchange until authentication completes. WPA then uses 802.1X EAPOL-Key packets to distribute per-session keys to those stations that authenticated successfully.
• Key management: WPA features a robust key generation/management system that integrates the authentication and data privacy functions. The system generates keys after successful authentication and through a subsequent four-way handshake between the station and the Access Point (AP).
• Data privacy (encryption): WPA uses TKIP, which wraps WEP's RC4 cipher in additional safeguards (a per-packet key mixing function, a 48-bit sequence counter that doubles as replay protection, and the MIC below) to overcome most WEP weaknesses.
• Data integrity: TKIP computes a Message Integrity Code (MIC, known as Michael) over each plaintext message and appends it before encryption, so that forged or modified messages are detected and discarded.

Figure 1 illustrates a wireless network's typical data path.

WPA bases its network capability determination feature on changes to the 802.11 formats of the Beacon, Probe Response, and (Re)Association Request frames. As Figure 2 shows, these 802.11 frames now contain network capability information in a WPA information element. The primary information the Beacon frames convey is the authentication method and the cipher suite. Possible authentication methods include 802.1X and pre-shared key. The pre-shared key authentication method uses a statically configured pass phrase on both the stations and the access point. This obviates the need for an authentication server, which in many home and small office environments will not be available or desirable. Because the pre-shared key is derived deterministically from the pass phrase and the SSID and is shared by every station, a short or dictionary pass phrase can be recovered offline by anyone who captures a station's key handshake; choose a long, random pass phrase. Possible cipher suites include:

• WEP
• TKIP
• AES

The supplicant in the station uses the authentication and cipher suite information contained in the information elements to decide which authentication method and cipher suite to use. For example, if the access point is using the pre-shared key method, then the supplicant need not authenticate using full-blown 802.1X. Rather, the supplicant must simply prove to the access point, through the four-way handshake, that it is in possession of the pre-shared key. If the supplicant detects that the service set does not contain a WPA information element, then it knows it must use pre-WPA 802.1X authentication and key management in order to access the network.
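The capability determination just described, as an added example that is not code from the original article: a parser for the WPA information element (vendor-specific element ID 221 with OUI 00:50:F2, type 1) as carried in a Beacon or Probe Response, followed by the supplicant's decision between pre-shared key, 802.1X/EAP, and the pre-WPA fallback when no WPA element is present. The beacon bodies, the SSID "lab", the cipher preference order and the function names are constructed for this example; the element layout and suite selector values are those of the WPA specification.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

WPA_OUI = b"\x00\x50\xf2"      # OUI carried by the WPA v1 vendor-specific IE
WPA_OUI_TYPE = b"\x01"
VENDOR_SPECIFIC_ID = 221       # element ID 0xDD

# Suite selector types defined for the WPA OUI.
CIPHER_NAMES = {0: "use-group", 1: "WEP-40", 2: "TKIP", 4: "CCMP/AES", 5: "WEP-104"}
AKM_NAMES = {1: "802.1X", 2: "PSK"}
# Supplicant preference order, strongest first (an assumption of this example).
CIPHER_PREFERENCE = ("CCMP/AES", "TKIP", "WEP-104", "WEP-40")


@dataclass
class WpaIE:
    version: int
    group_cipher: str
    pairwise_ciphers: list
    akms: list


def iter_ies(body: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the tagged parameters (ID, length, data) of a management frame body."""
    pos = 0
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + elen]
        if len(data) != elen:
            raise ValueError("truncated information element")
        yield eid, data
        pos += 2 + elen


def _suite(sel: bytes, names: dict) -> str:
    """Decode a 4-octet suite selector (OUI + type)."""
    if len(sel) != 4:
        raise ValueError("truncated suite selector")
    if sel[:3] != WPA_OUI:
        return "vendor %s:%d" % (sel[:3].hex(), sel[3])
    return names.get(sel[3], "unknown(%d)" % sel[3])


def _suite_list(data: bytes, pos: int, names: dict):
    """Read a little-endian count followed by that many selectors; returns (list, new pos)."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    suites = [_suite(data[pos + 4 * k:pos + 4 * k + 4], names) for k in range(count)]
    return suites, pos + 4 * count


def parse_wpa_ie(data: bytes) -> WpaIE:
    """Parse a WPA IE body (octets after ID and length). Fields after the
    version are optional; missing ones default to TKIP group cipher, TKIP
    pairwise cipher and 802.1X key management."""
    if data[:4] != WPA_OUI + WPA_OUI_TYPE:
        raise ValueError("not a WPA information element")
    (version,) = struct.unpack_from("<H", data, 4)
    group, pairwise, akms = "TKIP", ["TKIP"], ["802.1X"]
    pos = 6
    if pos + 4 <= len(data):
        group = _suite(data[pos:pos + 4], CIPHER_NAMES)
        pos += 4
    if pos + 2 <= len(data):
        pairwise, pos = _suite_list(data, pos, CIPHER_NAMES)
    if pos + 2 <= len(data):
        akms, _ = _suite_list(data, pos, AKM_NAMES)
    return WpaIE(version, group, pairwise, akms)


def find_wpa_ie(body: bytes) -> Optional[WpaIE]:
    for eid, data in iter_ies(body):
        if eid == VENDOR_SPECIFIC_ID and data[:4] == WPA_OUI + WPA_OUI_TYPE:
            return parse_wpa_ie(data)
    return None


def choose_security(body: bytes) -> Tuple[str, str]:
    """The supplicant's decision: (authentication method, pairwise cipher)."""
    ie = find_wpa_ie(body)
    if ie is None:
        # No WPA IE in the service set: fall back to pre-WPA 802.1X with WEP keys.
        return "pre-WPA 802.1X", "WEP"
    if "PSK" in ie.akms:
        auth = "WPA-PSK"
    elif "802.1X" in ie.akms:
        auth = "WPA-802.1X/EAP"
    else:
        raise ValueError("no supported key management suite: %r" % ie.akms)
    for cipher in CIPHER_PREFERENCE:
        if cipher in ie.pairwise_ciphers:
            return auth, cipher
    raise ValueError("no supported pairwise cipher: %r" % ie.pairwise_ciphers)


# Constructed beacon bodies (tagged parameters only: SSID "lab" plus supported rates).
SSID_AND_RATES = bytes.fromhex("00036c6162" "010482848b96")
HOME_PSK_TKIP = SSID_AND_RATES + bytes.fromhex(
    "dd16" "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f202")
ENTERPRISE_CCMP = SSID_AND_RATES + bytes.fromhex(
    "dd1a" "0050f201" "0100" "0050f202" "0200" "0050f204" "0050f202" "0100" "0050f201")
MINIMAL_WPA = SSID_AND_RATES + bytes.fromhex("dd06" "0050f201" "0100")   # defaults apply
LEGACY_NO_WPA = SSID_AND_RATES

if __name__ == "__main__":
    for name, body in [("home", HOME_PSK_TKIP), ("enterprise", ENTERPRISE_CCMP),
                       ("minimal", MINIMAL_WPA), ("legacy", LEGACY_NO_WPA)]:
        print(name, find_wpa_ie(body), choose_security(body))
```

The parser is strict about truncated selectors and counts that overrun the element, since a malformed beacon is attacker-controlled input to the supplicant; the only leniency it allows is the one the WPA specification defines, namely omitted trailing fields taking their defaults.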

Figure 1 (typical wireless network data path)

Reprinted from CompactPCI Systems / April 2004 Copyright 2004


TECHNOLOGY FEATURE: HIGH AVAILABILITY

Figure 2 (WPA information elements and the 802.1X/EAP authentication process)

WPA's authentication process is primarily 802.1X/EAP as shown in Figure 2 (again, a small office or home environment can opt to deploy the pre-shared key method). This mode restricts WPA to those EAP methods that support mutual authentication of the supplicant and authentication server, such as EAP-TLS, EAP-TTLS, LEAP, and PEAP. (LEAP's mutual authentication rests on MS-CHAP challenge/response exchanges that are open to offline dictionary attack, so the TLS-based methods are the ones to deploy.) Port access control is maintained pending successful authentication by 802.1X.

The mutual authentication process includes generating a Pairwise Master Key (PMK) on the station and the RADIUS server; the RADIUS server then sends the PMK to the AP over a secure channel (in practice as a RADIUS attribute encrypted with the shared secret configured between the AP and the RADIUS server). This is no different from pre-WPA 802.1X authentication. What is different is that WPA never uses the PMK directly with encryption or hashing functions; instead it uses the PMK to generate transient keys for the subsequent encryption and hash functions. Using transient keys is important because of the weak key attacks that broke WEP's use of RC4: the PMK is never directly involved in generating keystreams for encryption, and this helps thwart any weak key attack. Figure 3 shows the breakdown of the PMK interaction.

Figure 3 (PMK and transient key derivation)

Jon LaRosa is a Technical Consultant for Meetinghouse. Jon represents Meetinghouse as a voting member of the IEEE 802.11i committee. With 12 plus years of experience in the design and development of mission-critical enterprise networking applications, including 802.1X WPA authentication solutions, Jon is regarded as an expert in network and data security. As a developer of Ethernet switching technology, Jon has contributed to the development of Hewlett-Packard's ProCurve product family. He received his Master of Science degree in Computer Science from the University of New Hampshire.

For further information, contact Jon at:

Meetinghouse
Tel: 603-430-7710
Email: jal@mtghouse.com
Website: www.mtghouse.com
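The key hierarchy described in the article, as an added example that is not code from the original article: in pre-shared key mode the PMK is derived from the pass phrase and SSID with PBKDF2-HMAC-SHA1 (after EAP it is instead delivered by the RADIUS server), the 802.11i PRF expands the PMK with both MAC addresses and the two handshake nonces into the transient keys, and only a transient key (the KCK) authenticates the handshake, so the PMK itself never touches the air or a cipher. The MAC addresses, nonces, SSID and pass phrases are constructed inputs, the message encoding inside four_way_handshake is a toy stand-in for the real EAPOL-Key frame layout, and the function names are mine; the derivation, key split and MIC algorithms are the standard ones.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def psk_to_pmk(passphrase: str, ssid: bytes) -> bytes:
    """WPA-PSK: the 256-bit PMK is PBKDF2-HMAC-SHA1(pass phrase, SSID, 4096 rounds)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...,
    concatenated and truncated to n bits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbits: int = 512) -> bytes:
    """PTK = PRF-n(PMK, "Pairwise key expansion",
                   Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    512 bits for TKIP, 384 for CCMP. The PMK enters only as PRF key material."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def split_tkip_ptk(ptk: bytes) -> Dict[str, bytes]:
    """TKIP PTK layout: KCK (EAPOL-Key MIC), KEK (group key wrapping), TK (input to
    the per-packet key mixing) and the two 64-bit Michael MIC keys."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "MIC_TX": ptk[48:56], "MIC_RX": ptk[56:64]}


def eapol_key_mic(kck: bytes, frame: bytes, descriptor_version: int = 1) -> bytes:
    """EAPOL-Key MIC under the KCK: HMAC-MD5 for key descriptor version 1 (TKIP),
    HMAC-SHA1 truncated to 128 bits for version 2 (CCMP)."""
    if descriptor_version == 1:
        return hmac.new(kck, frame, hashlib.md5).digest()
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_pmk: bytes, sta_pmk: bytes, aa: bytes, spa: bytes,
                       anonce: Optional[bytes] = None,
                       snonce: Optional[bytes] = None) -> Tuple[bool, bytes, bytes]:
    """Toy model of handshake messages 1 and 2. Returns (AP accepted message 2,
    station PTK, AP PTK). The message encoding is constructed for this example;
    the key derivation and MIC computation are the real ones."""
    anonce = os.urandom(32) if anonce is None else anonce
    snonce = os.urandom(32) if snonce is None else snonce
    # Message 1 (AP -> STA): ANonce in the clear, no MIC yet.
    sta_ptk = derive_ptk(sta_pmk, aa, spa, anonce, snonce)
    # Message 2 (STA -> AP): SNonce plus a MIC under the station's KCK.
    msg2 = b"\x02" + snonce
    msg2_mic = eapol_key_mic(split_tkip_ptk(sta_ptk)["KCK"], msg2)
    # The AP derives its own PTK from the same inputs and checks the MIC; a station
    # holding the wrong PMK (wrong pass phrase) fails here and never receives keys.
    ap_ptk = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    expected = eapol_key_mic(split_tkip_ptk(ap_ptk)["KCK"], msg2)
    return hmac.compare_digest(expected, msg2_mic), sta_ptk, ap_ptk


# Constructed inputs: addresses and fixed nonces so the run is reproducible.
AA = bytes.fromhex("001122334455")          # authenticator (AP) address
SPA = bytes.fromhex("66778899aabb")         # supplicant (station) address
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
SSID = b"lab"

if __name__ == "__main__":
    pmk = psk_to_pmk("correct horse battery staple", SSID)
    ok, sta_ptk, ap_ptk = four_way_handshake(pmk, pmk, AA, SPA, ANONCE, SNONCE)
    print("handshake accepted:", ok, "PTKs match:", sta_ptk == ap_ptk)
    bad = psk_to_pmk("wrong pass phrase", SSID)
    print("wrong pass phrase accepted:",
          four_way_handshake(pmk, bad, AA, SPA, ANONCE, SNONCE)[0])
```

Two properties worth noticing when running it: the Min/Max ordering makes the derivation independent of which side is the AP, so both peers compute the same PTK without negotiating who goes first, and because the only key material exchanged is the two nonces, an eavesdropper who captures the handshake learns nothing about the PMK except what an offline guess at the pass phrase can confirm, which is exactly why the pass phrase quality matters.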
