It’s a well-known fact that 802.11b security has been a topic of discussion for almost two years now, and the weaknesses of Wired Equivalent Privacy (WEP) have been well documented. Breaking into a WLAN can be relatively easy. It’s really amazing how many WLANs are in operation that were installed with default settings. Sure, defaults make the WLAN almost child’s play to get running, but the downside of that mode of operation is a WLAN totally devoid of any security. Access points left on default values literally scream, “Hack Me!” They advertise their presence and allow anyone to associate. That’s why wardriving is such a popular sport nowadays.
One of the first cardinal rules of WLAN installation is never use the defaults. Change the SSID to something else. Turn off Broadcast SSID (called Closed System in some products), keeping in mind that this only hides the network from casual scanning, since the SSID still travels in the clear whenever a client associates. Set and use 128-bit WEP encryption. Okay, so WEP has been found to be insecure regardless of key length, but it’s better than leaving the front door open with a sign that says: “Gone Fishing”.
802.11 Task Group i (802.11i) is chartered with addressing the weaknesses of WEP. The upcoming 802.11i standard will finally close the gaping holes in 802.11 networks. But until that standard is ratified, what can be done to plug the holes?
A number of vendors have come up with their own ways to put a cork in 802.11 networks. But because those fixes come from individual manufacturers, they tend to be proprietary and are not interoperable with other vendors’ products.
Since the WiFi Alliance was formed by the manufacturers to test and certify products for interoperability, it took it upon itself to work with the 802.11 committee on an interim way to secure networks that would not be incompatible with 802.11i once it was ratified. What the WiFi Alliance did was develop a subset of the 802.11i and 802.1X mechanisms that manufacturers can implement purely through firmware upgrades to access points and client radios.
The result is called WiFi Protected Access, or WPA. WPA takes those components of the 802.11i draft that are unlikely to change and that can be implemented on current-generation WLAN products by firmware update.
To be secure, a network should do at least two things:
1. Authenticate the user: identify the user and check their credentials, i.e. verify that the person is who they claim to be.
2. After authentication, encrypt all traffic to prevent eavesdropping.
In addition, a secure network should protect against “Man in the Middle” attacks. In such an attack an intruder positions himself between client and access point, intercepts traffic, modifies data within the packets and forwards them on to the AP. By doing this an intruder could gather enough data to attempt cracking the encryption scheme, and could inject bad data into the WLAN.
WPA handles authentication by using EAP carried over 802.1X. The Extensible Authentication Protocol (EAP) is the framework 802.1X uses to identify and authenticate the user and, with a suitable EAP method, the network as well, so that the authentication is mutual. Credentials are usually a username and password, or another means such as certificates or secure tokens. WPA authentication normally requires a RADIUS server in the network to back the authentication. For SOHO or residential use, however, WPA allows a simple predefined passphrase (the pre-shared key, or PSK) to be used instead. This passphrase is never transmitted and must be entered into both the client and the access point before any communications take place. Because every session key is derived from it, its strength is the whole security of a PSK network: anyone who records the key handshake can test passphrase guesses against it offline, so choose a long, random passphrase.
To satisfy the encryption requirement, WPA implements a technique called TKIP (Temporal Key Integrity Protocol). TKIP keeps the RC4 cipher that existing hardware already has, but mixes a fresh key for every packet, which eliminates the weak-key syndrome that plagues WEP; it extends the IV into a 48-bit sequence counter that also blocks replayed frames; and it rotates the encryption keys automatically on a regular schedule.
The additional need to detect tampering by a “Man in the Middle” is satisfied by a system called MIC (Message Integrity Check), also called Michael. Michael adds a keyed 8-byte check value to each message so the receiver can detect whether any data was altered in transit. Because Michael was kept cheap enough to run in software on older cards, it is not strong on its own, and TKIP backs it with countermeasures: a second MIC failure within a minute causes the station to discard its keys and stop TKIP traffic for 60 seconds before rekeying.
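Michael is small enough to show in full. The following is an added example (my own implementation, not code from the article or from any product) of the Michael MIC as specified for TKIP, together with the TKIP input layout (destination, source, priority, payload) and the two-failures-per-minute countermeasure rule. The Michael key, addresses and payload are constructed for the example; the first assertion in the usage reproduces the test vector from the Michael specification for an all-zero key and empty message.

```python
"""Michael, the TKIP message integrity code.  Added example, not from the article."""
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK


def _xswap(x: int) -> int:
    # Swap the two bytes of each 16-bit half: b3 b2 b1 b0 -> b2 b3 b0 b1
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _block(l: int, r: int):
    """Michael block function: only 32-bit adds, rotates and byte swaps,
    so a driver can run it on first-generation 802.11 hardware."""
    r ^= _rotl(l, 17)
    l = (l + r) & MASK
    r ^= _xswap(l)
    l = (l + r) & MASK
    r ^= _rotl(l, 3)
    l = (l + r) & MASK
    r ^= _rotr(l, 2)
    l = (l + r) & MASK
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """8-byte Michael MIC of msg under an 8-byte key (K0 || K1, little-endian words).
    Padding: one 0x5a byte, then 4 to 7 zero bytes so the total is a multiple of 4."""
    if len(key) != 8:
        raise ValueError("Michael key must be 64 bits")
    l, r = struct.unpack("<II", key)
    padded = msg + b"\x5a" + bytes(4 + (3 - len(msg)) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _block(l, r)
    return struct.pack("<II", l, r)


def tkip_mic_input(da: bytes, sa: bytes, priority: int, payload: bytes) -> bytes:
    """TKIP computes Michael over DA || SA || priority || 3 zero bytes || MSDU,
    so a valid frame cannot simply be re-addressed to another station."""
    return da + sa + bytes([priority, 0, 0, 0]) + payload


def verify_tkip_mic(key: bytes, da: bytes, sa: bytes, priority: int, payload: bytes, tag: bytes) -> bool:
    expected = michael(key, tkip_mic_input(da, sa, priority, payload))
    return hmac.compare_digest(expected, tag)


class MicCountermeasures:
    """TKIP rule: a second MIC failure within 60 s is treated as an active forgery attempt;
    the station must discard its keys and refuse TKIP traffic for 60 s before rekeying."""

    def __init__(self):
        self._failures = []

    def report_failure(self, now: float) -> bool:
        """Record a failure at time `now` (seconds); True means trigger countermeasures."""
        self._failures = [t for t in self._failures if now - t < 60.0] + [now]
        return len(self._failures) >= 2


# Constructed sample: the station-to-AP Michael key and one MSDU
TX_MIC_KEY = bytes.fromhex("d55e100510128986")
DA, SA = bytes.fromhex("00112233aabb"), bytes.fromhex("66778899ccdd")
PAYLOAD = b"GET /inventory HTTP/1.0\r\n\r\n"
TAG = michael(TX_MIC_KEY, tkip_mic_input(DA, SA, 0, PAYLOAD))


def tampered_frame_detected() -> bool:
    """Flip one payload bit in flight; the receiver's MIC check must fail."""
    forged = bytearray(PAYLOAD)
    forged[5] ^= 0x01
    return not verify_tkip_mic(TX_MIC_KEY, DA, SA, 0, bytes(forged), TAG)


if __name__ == "__main__":
    print("spec vector (zero key, empty msg):", michael(bytes(8), b"").hex())
    print("genuine frame accepted:", verify_tkip_mic(TX_MIC_KEY, DA, SA, 0, PAYLOAD, TAG))
    print("tampered frame rejected:", tampered_frame_detected())
```

Note that the MIC is computed over the plaintext MSDU and then encrypted along with it, and that each direction uses its own 64-bit Michael key taken from the PTK, so a tag captured on the uplink says nothing about the downlink.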
These three mechanisms make up the heart of WPA. The next question is: are there any gotchas? Anyone who knows me knows that I’m always looking for the gotchas. Well, WPA does have a few. Fortunately they’re manageable.
The first is: what does it take to implement WPA? WPA requires a firmware update to both access points and wireless client adapters, and new drivers as well. The MIC function is normally done by the driver and therefore could be a performance concern for devices like DOS data collection terminals with limited memory and CPU power.
The second question is: who’s supporting WPA now? The answer is: not many. The WiFi Alliance announced the first test group just recently; the only enterprise-class access point certified is the Cisco AP1230, and the only client adapters are from Intel and the Symbol Networker Compact Flash adapter.
Most mainstream wireless manufacturers have announced support for WPA, but few have actually released any updates yet. No SOHO or residential vendors have been announced yet either.
Here’s another question: can I support parts of WPA now? Yes. Several manufacturers have already implemented parts of WPA. If the manufacturer supports 802.1X with EAP-TLS, EAP-TTLS or Cisco LEAP, you can enjoy many of the benefits of WPA. Most enterprise-class access points support 802.1X with EAP-TLS, EAP-TTLS or EAP-MD5, though EAP-MD5 provides neither mutual authentication nor key material, so it is the weakest of these. Cisco supports TKIP, MIC and LEAP separately, so you could use just TKIP and MIC, or LEAP with just TKIP. This is an attractive solution for DOS data collection devices, since LEAP and TKIP are implemented mostly in the card firmware; just remember that LEAP’s password challenge/response can be attacked by offline dictionary guessing, so it needs strong passwords. This is just one example.
The nice thing about WPA is that once 802.11i is ratified, WPA-based networks may not need further updates to be considered compliant, unless there is a need for advanced encryption like AES (which requires new hardware).