Wi-Fi Protected Access: Difference between revisions
No edit summary |
|||
Line 4: | Line 4: | ||
</ref> |
</ref> |
||
The WPA protocol implements the majority of the [[IEEE 802.11i-2004|IEEE 802.11i]] standard. The Wi-Fi Alliance intended WPA as an intermediate measure to take the place of WEP pending the preparation of 802.11i. Specifically, the [[Temporal Key Integrity Protocol]] (TKIP), was brought into WPA. TKIP encryption replaces WEP's 40-bit or |
The WPA protocol implements the majority of the [[IEEE 802.11i-2004|IEEE 802.11i]] standard. The Wi-Fi Alliance intended WPA as an intermediate measure to take the place of WEP pending the preparation of 802.11i. Specifically, the [[Temporal Key Integrity Protocol]] (TKIP), was brought into WPA. TKIP encryption replaces WEP's 40-bit or 104-bit encryption key that must be manually entered on wireless access points and devices and does not change. TKIP is a 128-bit per-packet key, meaning that it dynamically generates a new key for each packet and thus prevents collisions.<ref>{{cite book |last = Meyers |first = Mike |title = Managing and Troubleshooting Networks |publisher = McGraw Hill |series = Network+ |year = 2004 |isbn = 978-0-07-225665-9}}</ref> TKIP could be implemented on pre-WPA [[wireless network interface card]]s that began shipping as far back as 1999 through [[firmware]] upgrades. However, since the changes required in the [[wireless access point]]s (APs) were more extensive than those needed on the network cards, most pre-2003 APs could not be upgraded to support WPA with TKIP. Researchers have since discovered a flaw in TKIP that relied on older weaknesses to retrieve the keystream from short packets to use for re-injection and [[Spoofing attack|spoofing]].<ref>{{cite web | url=http://arstechnica.com/articles/paedia/wpa-cracked.ars | title=Battered, but not broken: understanding the WPA crack | date=2008-11-06 | accessdate=2008-11-06 | publisher=Ars Technica }}</ref> |
||
WPA also includes a [[Message authentication code|message integrity check]]. This is designed to prevent an attacker from capturing, altering and/or resending data packets. This replaces the [[cyclic redundancy check]] (CRC) that was used and implemented by the WEP standard. CRC's main flaw was that it did not provide a sufficiently strong data integrity guarantee for the packets it handled. [[Message integrity code|MIC]] solved these problems. MIC uses an algorithm to check the integrity of the packets using the Integrity Check Value [[Integrity Check Value|ICV]], and if it does not equal, drops the packet.<ref>{{cite book |last = Ciampa |first = Mark |title = CWNA Guide to Wireless LANS |publisher = Thomson |series = Networking |year = 2006}}</ref> |
WPA also includes a [[Message authentication code|message integrity check]]. This is designed to prevent an attacker from capturing, altering and/or resending data packets. This replaces the [[cyclic redundancy check]] (CRC) that was used and implemented by the WEP standard. CRC's main flaw was that it did not provide a sufficiently strong data integrity guarantee for the packets it handled. [[Message integrity code|MIC]] solved these problems. MIC uses an algorithm to check the integrity of the packets using the Integrity Check Value [[Integrity Check Value|ICV]], and if it does not equal, drops the packet.<ref>{{cite book |last = Ciampa |first = Mark |title = CWNA Guide to Wireless LANS |publisher = Thomson |series = Networking |year = 2006}}</ref> |
Revision as of 13:45, 5 December 2011
This article may be confusing or unclear to readers. (September 2010) |
Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, WEP (Wired Equivalent Privacy).[1]
The WPA protocol implements the majority of the IEEE 802.11i standard. The Wi-Fi Alliance intended WPA as an intermediate measure to take the place of WEP pending the preparation of 802.11i. Specifically, the Temporal Key Integrity Protocol (TKIP), was brought into WPA. TKIP encryption replaces WEP's 40-bit or 104-bit encryption key that must be manually entered on wireless access points and devices and does not change. TKIP is a 128-bit per-packet key, meaning that it dynamically generates a new key for each packet and thus prevents collisions.[2] TKIP could be implemented on pre-WPA wireless network interface cards that began shipping as far back as 1999 through firmware upgrades. However, since the changes required in the wireless access points (APs) were more extensive than those needed on the network cards, most pre-2003 APs could not be upgraded to support WPA with TKIP. Researchers have since discovered a flaw in TKIP that relied on older weaknesses to retrieve the keystream from short packets to use for re-injection and spoofing.[3]
WPA also includes a message integrity check. This is designed to prevent an attacker from capturing, altering and/or resending data packets. This replaces the cyclic redundancy check (CRC) that was used and implemented by the WEP standard. CRC's main flaw was that it did not provide a sufficiently strong data integrity guarantee for the packets it handled. MIC solved these problems. MIC uses an algorithm to check the integrity of the packets using the Integrity Check Value ICV, and if it does not equal, drops the packet.[4]
The later WPA2 certification mark indicates compliance with the full IEEE 802.11i standard. This advanced protocol will not work with some older network cards.[5]
A high-level overview of WPA terminology
On a high level, different WPA versions and protection mechanisms can be distinguished. A distinction can be made based on the (chronological) version of WPA, the target end-user (based on the simplicity of the authentication key distribution), and the encryption protocol used.
Version
- WPA: Initial WPA version, to supply enhanced security over the older WEP protocol. Typically uses the TKIP encryption protocol (see further).
- WPA2: Also known as IEEE 802.11i-2004. Successor of WPA, and replaces the TKIP encryption protocol with CCMP to provide additional security. Mandatory for Wi-Fi–certified devices since 2006.
Target users (authentication key distribution)
- WPA-Personal: Also referred to as WPA-PSK (Pre-shared key) mode. Is designed for home and small office networks and doesn't require an authentication server. Each wireless network device authenticates with the access point using the same 256-bit key.
- WPA-Enterprise: Also referred to as WPA-802.1X mode, and sometimes just WPA (as opposed to WPA-PSK). Is designed for enterprise networks, and requires a RADIUS authentication server. This requires a more complicated setup, but provides additional security (e.g. protection against dictionary attacks). An Extensible Authentication Protocol (EAP) is used for authentication, which comes in different flavors (for example EAP-TLS, EAP-TTLS, EAP-SIM).
Note that WPA-Personal and WPA-Enterprise are both applicable to WPA and WPA2.
Encryption protocol
- TKIP (Temporal Key Integrity Protocol): A 128-bit per-packet key is used, meaning that it dynamically generates a new key for each packet. Used by WPA.
- CCMP: An AES-based encryption mechanism that is stronger than TKIP. Sometimes referred to as AES instead of CCMP. Used by WPA2.
So at current, the router or access point of a typical home user would support WPA in WPA-PSK mode with TKIP encryption. As routers are upgraded, they will support WPA2 in WPA-PSK mode using CCMP encryption.
WPA2
WPA2 has replaced WPA; WPA2 requires testing and certification by the Wi-Fi Alliance. WPA2 implements the mandatory elements of 802.11i. In particular, it introduces CCMP, a new AES-based encryption mode with strong security.[6] Certification began in September, 2004; from March 13, 2006, WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark.[7]
Security and insecurity in pre-shared key mode
Pre-shared key mode (PSK, also known as Personal mode) is designed for home and small office networks that don't require the complexity of an 802.1X authentication server.[8] Each wireless network device encrypts the network traffic using a 256 bit key. This key may be entered either as a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters.[9] If ASCII characters are used, the 256 bit key is calculated by applying the PBKDF2 key derivation function to the passphrase, using the SSID as the salt and 4096 iterations of HMAC-SHA1.[10]
Shared-key WPA remains vulnerable to password cracking attacks if users rely on a weak passphrase. To protect against a brute force attack, a truly random passphrase of 13 characters (selected from the set of 95 permitted characters) is probably sufficient.[11] To further protect against intrusion, the network's SSID should not match any entry in the top 1000 SSIDs[12] as downloadable rainbow tables have been pre-generated for them and a multitude of common passwords.[13]
In November 2008 Erik Tews and Martin Beck - researchers at two German technical universities (TU Dresden and TU Darmstadt) - uncovered a WPA weakness[14] which relied on a previously known flaw in WEP that could be exploited only for the TKIP algorithm in WPA. The flaw can only decrypt short packets with mostly known contents, such as ARP messages. The attack requires Quality of Service (as defined in 802.11e) to be enabled, which allows packet prioritization as defined. The flaw does not lead to key recovery, but only a keystream that encrypted a particular packet, and which can be reused as many as seven times to inject arbitrary data of the same packet length to a wireless client. For example, this allows someone to inject faked ARP packets which make the victim send packets to the open Internet. This attack was further optimized by two Japanese computer scientists Toshihiro Ohigashi and Masakatu Morii.[15] Their attack doesn't require Quality of Service to be enabled. In October 2009, Halvorsen with others made further progress, enabling attackers to inject larger malicious packets (596 bytes, to be more specific) within approximately 18 minutes and 25 seconds.[16] In February 2010, a new attack was found by Martin Beck that allows an attacker to decrypt all traffic towards the client. The authors say that the attack can be defeated by deactivating QoS, or by switching from TKIP to AES-based CCMP.[17]
The vulnerabilities of TKIP are significant in that WPA-TKIP was, up until the proof-of-concept discovery, held to be an extremely safe combination. WPA-TKIP is still a configuration option upon a wide variety of wireless routing devices provided by many hardware vendors.
EAP extensions under WPA- and WPA2- Enterprise
In April of 2010, the Wi-Fi alliance announced the inclusion of additional EAP (Extensible Authentication Protocol)[18] types to its certification programs for WPA- and WPA2- Enterprise certification programs.[19] This was to ensure that WPA-Enterprise certified products can interoperate with one another. Previously, only EAP-TLS (Transport Layer Security) was certified by the Wi-Fi alliance.
As of 2010[update] the certification program includes the following EAP types:
- EAP-TLS (previously tested)
- EAP-TTLS/MSCHAPv2
- PEAPv0/EAP-MSCHAPv2
- PEAPv1/EAP-GTC
- PEAP-TLS
- EAP-SIM
- EAP-AKA
- EAP-FAST
802.1X clients and servers developed by specific firms may support other EAP types. This certification is an attempt for popular EAP types to interoperate; their failure to do so is currently one of the major issues preventing rollout of 802.1X on heterogeneous networks.
Commercial 802.1X servers include Microsoft IAS and Juniper Networks Steelbelted RADIUS. FreeRadius is an opensource 802.1X server. SkyFriendz is a free cloud-based 802.1X solution.
Hardware support
Most newer certified Wi-Fi devices support the security protocols discussed above out-of-the-box: compliance with this protocol has been required for a Wi-Fi certification since September 2003.[20]
The protocol certified through Wi-Fi Alliance's WPA program (and to a lesser extent WPA2) was specifically designed to also work with wireless hardware that was produced prior to the introduction of the protocol[5] which usually had only supported inadequate security through WEP. Many of these devices support the security protocol after a firmware upgrade. Firmware upgrades are not available for all legacy devices.
Furthermore, many consumer Wi-Fi device manufacturers have taken steps to eliminate the potential of weak passphrase choices by promoting an alternative method of automatically generating and distributing strong keys when users add a new wireless adapter or appliance to a network. The Wi-Fi Alliance has standardized these methods and certifies compliance with these standards through a program called Wi-Fi Protected Setup.
References
- ^ "Understanding WEP Weaknesses". Wiley Publishing. Retrieved 2010-01-10.
- ^ Meyers, Mike (2004). Managing and Troubleshooting Networks. Network+. McGraw Hill. ISBN 978-0-07-225665-9.
- ^ "Battered, but not broken: understanding the WPA crack". Ars Technica. 2008-11-06. Retrieved 2008-11-06.
- ^ Ciampa, Mark (2006). CWNA Guide to Wireless LANS. Networking. Thomson.
- ^ a b "Wi-Fi Protected Access White Paper". Wi-Fi Alliance.
WPA is both forward and backward-compatible and is designed to run on existing Wi-Fi devices as a software download.
- ^ Jonsson, Jakob. "On the Security of CTR + CBC-MAC" (PDF). NIST. Retrieved 2010-05-15.
- ^ "WPA2 Security Now Mandatory for Wi-Fi CERTIFIED Products" "WPA2 Security Now Mandatory for Wi-Fi CERTIFIED Products". Wi-Fi Alliance.
- ^ "Wi-Fi Alliance: Glossary". Retrieved 2010-03-01.
- ^ Each character in the pass-phrase must have an encoding in the range of 32 to 126 (decimal), inclusive. (IEEE Std. 802.11i-2004, Annex H.4.1)
The space character is included in this range. - ^ van Rantwijk, Joris (2006-12-06). "WPA key calculation — From passphrase to hexadecimal key". Retrieved 2009-01-16.
- ^ "A key generated from a passphrase of less than about 20 characters is unlikely to deter attacks." "... against current brute-strength attacks, 96 bits [of security] SHOULD be adequate." (Weakness in Passphrase Choice in WPA Interface, by Robert Moskowitz. Retrieved March 2, 2004.)
- ^ "Wireless Geographic Logging Engine - SSID Stats". WiGLE. Retrieved 2010-11-15.
- ^ "Church of Wifi WPA-PSK Rainbow Tables". The Renderlab. Retrieved 2010-11-15.
- ^ "Practical Attacks against WEP and WPA" (PDF). Retrieved 2010-11-15.
- ^ "A Practical Message Falsification Attack on WPA" (PDF). Retrieved 2010-11-15.
- ^ Halvorsen, Finn M.; Haugen, Olav; Eian, Martin; Mjølsnes, Stig F. (September 30, 2009). "An Improved Attack on TKIP". 5838: 120–132. doi:10.1007/978-3-642-04766-4_9.
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ "Enhanced TKIP Michael Attacks" (PDF). Retrieved 2010-11-15.
- ^ "Wi-Fi Alliance: Extended EAP (Extensible Authentication Protocol)". Wi-Fi Alliance Featured Topics.
- ^ "Wi-Fi Alliance expands Wi-Fi Protected Access Certification Program for Enterprise and Government Users". Wi-Fi Alliance Press Release.
- ^ "Wi-Fi Protected Access Security Sees Strong Adoption". Wi-Fi Alliance Press Room.