WPA
WPA was designed as a replacement for WEP. The Temporal Key Integrity Protocol
(TKIP) is an improvement over WEP. It causes keys to automatically change, and when
used in conjunction with a larger initialization vector (IV), it makes discovering keys
highly unlikely.
Credentials Used | Digital certificate | Windows password | Clients: Windows, Novell NDS, LDAP password, and OTP or token. Server: Digital certificate | Windows password; Server: Digital certificate | Windows password, LDAP user ID and password; PAC
Single Sign-On Using Windows Login? | Yes | Yes | No | Yes | Yes
Password Expiration and Change? | – | No | No | Yes | Yes
Fast Secure Roaming Compatible? | No | Yes | No | No | Yes
WPA Compatible? | Yes | Yes | Yes | Yes | Yes
Table 4-1 Comparing 802.1X Authentication Methods (Continued)
NOTE: An IV is a block of bits added to the first block of data of a block cipher. This block
is added (or hashed) with the base key and is used with other types of ciphers. This block
strengthens security because, without it, the same transmissions with the same key yield the
same output. As a result, attackers can notice the similarities and derive both the messages and
the keys being used.
On top of authentication and encryption improvements, WPA secures the payload
better than WEP does. With WEP, cyclic redundancy checks (CRC) are used to ensure
packet integrity. However, it is possible to alter the payload and update the message
CRC without knowing the WEP key because the CRC is not encrypted. WPA uses
message integrity checks (MIC) to ensure packet integrity. The MICs also employ a
frame counter, which prevents replay attacks.
NOTE: Replay attacks occur when an attacker intercepts a transmission, and then
rebroadcasts that transmission at a later time. For example, if a password is intercepted, the
attacker does not need to know how to read the message; he can simply rebroadcast it later,
and then gain access using the victim’s credentials.
NOTE: MICs are often called Michael in Wi-Fi parlance.
Breaking into a WLAN using WPA is more difficult than with WEP because the IVs are
larger, there are more keys in use, and there is a sturdier message verification system.
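The integrity and replay points above can be seen in a short sketch. This is an added example, not code from the original text: it contrasts an unkeyed CRC-32 with a keyed MIC that also covers a frame counter. The frame layout, the names (Receiver, mic_frame, demo) and the sample key are assumptions; truncated HMAC-SHA256 stands in for Michael, and no encryption is modeled.

```python
import hashlib, hmac, struct, zlib

MIC_KEY = b"constructed-demo-key"  # constructed sample key, not from the page

def crc_frame(payload: bytes) -> bytes:
    """Payload plus an unkeyed CRC-32: any party can compute a valid one."""
    return payload + struct.pack("<I", zlib.crc32(payload))

def crc_ok(frame: bytes) -> bool:
    return struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]

def mic_tag(key: bytes, body: bytes) -> bytes:
    # Assumption: truncated HMAC-SHA256 stands in for the Michael MIC.
    return hmac.new(key, body, hashlib.sha256).digest()[:8]

def mic_frame(counter: int, payload: bytes, key: bytes = MIC_KEY) -> bytes:
    body = struct.pack(">Q", counter) + payload  # counter is covered by the MIC
    return body + mic_tag(key, body)

class Receiver:
    def __init__(self, key: bytes = MIC_KEY):
        self.key, self.last_counter = key, -1

    def accept(self, frame: bytes) -> str:
        if len(frame) < 16:  # counter (8) + MIC (8) at minimum
            return "reject: short frame"
        body, tag = frame[:-8], frame[-8:]
        if not hmac.compare_digest(tag, mic_tag(self.key, body)):
            return "reject: bad MIC"
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:  # seen before: a replay
            return "reject: replayed counter"
        self.last_counter = counter
        return "accept"

def demo() -> dict:
    rx, first = Receiver(), mic_frame(0, b"pay 10 to alice")
    altered = first[:8] + b"pay 99 to alice" + first[-8:]  # payload changed
    bumped = struct.pack(">Q", 7) + first[8:]  # old frame, counter rewritten
    return {
        "crc_recomputed_without_key": crc_ok(crc_frame(b"pay 99 to alice")),
        "first": rx.accept(first),
        "altered": rx.accept(altered),
        "replayed": rx.accept(first),
        "bumped": rx.accept(bumped),
        "next": rx.accept(mic_frame(1, b"pay 5 to bob")),
    }

if __name__ == "__main__":
    print(demo())
```

Because the counter sits inside the data the MIC protects, a captured frame cannot be made to look fresh by rewriting its counter: the receiver rejects it on the MIC before the counter is even compared.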