
NETW 05A: APPLIED WIRELESS SECURITY
802.11i & Wi-Fi Protected Access
By Mohammad Shanehsaz
Spring 2005

This work is supported by the National Science Foundation under Grant Number DUE0302909.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation.

802.11i

IEEE standards board approved the 802.11i security standard on Thursday, June 24, 2004.
The new 802.11i standard, or WPA2, supports the 128-bit Advanced Encryption Standard (AES).
This new standard specifies use of Temporal Key Integrity Protocol (TKIP) and 802.1x/EAP with mutual authentication.
802.1x authentication and key-management features for the various 802.11 Wi-Fi flavors.
AES supports 128-bit, 192-bit and 256-bit keys.
Any wireless LAN equipment complying with this standard will require a hardware upgrade due to AES encryption.

Wi-Fi Protected Access (WPA)

Wi-Fi Protected Access was co-developed by the Wi-Fi Alliance and IEEE 802.11 Task Group i as an interim security solution while the 802.11i task group addresses the details involved with securing wireless LANs.
WPA was designed to run on existing hardware as a security upgrade firmware patch.
The goals were strong data encryption through TKIP and mutual authentication through an 802.1x/EAP solution.
WPA v1.0 was a subset of the IEEE 802.11i standard.
WPA2 is the name chosen by the Wi-Fi Alliance to identify IEEE 802.11i standard gear.

Wi-Fi Protected Access (WPA)

WPA v1.0 did not include the following 802.11i items:
Secure IBSS (Independent Basic Service Set ad-hoc mode)
Secure fast handoff
Secure de-authentication and disassociation
Advanced Encryption Standard

WPA Pre-Shared Key (PSK)

WPA PSK runs in SOHO environments where there is no authentication server and no EAP framework.
Allows the use of manually entered keys or passwords and is designed to be easily implemented.
All the home user needs to do is enter a password in their AP or home wireless gateway and each PC associated to the Wi-Fi wireless network; WPA takes over automatically from that point.
Password keeps out eavesdroppers and starts the TKIP encryption process.

WPA Mixed Mode Deployment

Useful in large networks with many clients with several types of authentication and encryption solutions in place during the transition between legacy and leading-edge security standards.
Supports clients running both Wi-Fi Protected Access and original WEP security.

Deployment and Limitations

As part of the Wi-Fi product certification, the Alliance will initially allow vendors to ship units with WPA disabled, but easily enabled and configured.
Now WPA is included as a mandatory part of Wi-Fi certification testing: devices must ship with WPA enabled, and a user will have to configure a master key or authentication server.

Limitations

TKIP is built around WEP.
Government deployments require that encryption technology be certified to comply with the Federal Information Processing Standard (FIPS) 140 standard published by the National Institute of Standards and Technology (NIST).
These restrictions push manufacturers toward standardization on security solutions that implement data encryption through the use of 3DES or AES.

Resources

CWSP Certified Wireless Security Professional, from McGraw-Hill
