Scribd
Upload
67 views3 pages

Wi-Fi Protected Access: From Wikipedia, The Free Encyclopedia

WPA and WPA2 are security protocols developed by the Wi-Fi Alliance to secure wireless networks by implementing the majority of the IEEE 802.11i standard. WPA was an intermediate measure to replace the insecure WEP protocol, while WPA2 fully implements 802.11i and uses the more secure AES encryption algorithm. Products that comply with WPA/WPA2 standards can be certified by the Wi-Fi Alliance.

Uploaded by

Yogesh Gandhi
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
67 views3 pages

Wi-Fi Protected Access: From Wikipedia, The Free Encyclopedia

WPA and WPA2 are security protocols developed by the Wi-Fi Alliance to secure wireless networks by implementing the majority of the IEEE 802.11i standard. WPA was an intermediate measure to replace the insecure WEP protocol, while WPA2 fully implements 802.11i and uses the more secure AES encryption algorithm. Products that comply with WPA/WPA2 standards can be certified by the Wi-Fi Alliance.

Uploaded by

Yogesh Gandhi
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 3

Wi-Fi Protected Access

From Wikipedia, the free encyclopedia

Jump to: navigation, search

Wi-Fi Protected Access (WPA and WPA2) is a certification program developed by the Wi-Fi
Alliance to indicate compliance with the security protocol created by the Wi-Fi Alliance to
secure wireless computer networks. The Alliance defined the protocol in response to several
serious weaknesses researchers had found in the previous system, WEP (Wired Equivalent
Privacy).[1]

The WPA protocol implements the majority of the IEEE 802.11i standard. The Wi-Fi Alliance
intended WPA as an intermediate measure to take the place of WEP pending the preparation of
802.11i. Specifically, the Temporal Key Integrity Protocol (TKIP), was brought into WPA. TKIP
could be implemented on pre-WPA wireless network interface cards that began shipping as far
back as 1999 through firmware upgrades. Because the changes required fewer modifications on
the client than on the wireless access points (APs), most pre-2003 APs could not be upgraded to
support WPA with TKIP. Researchers have since discovered a flaw in TKIP that relied on older
weaknesses to retrieve the keystream from short packets to use for re-injection and spoofing.[2]

The later WPA2 certification mark indicates compliance with an advanced protocol that
implements the full standard. This advanced protocol will not work with some older network
cards.[3] Products that have successfully completed testing by the Wi-Fi Alliance for compliance
with the protocol can bear the WPA certification mark.

Contents
[hide]

 1 WPA2
 2 Security in pre-shared key mode
 3 EAP extensions under WPA- and WPA2- Enterprise
 4 Hardware support
 5 References
 6 External links

[edit] WPA2
Main article: IEEE 802.11i-2004

WPA2 has replaced WPA; WPA2 requires testing and certification by the Wi-Fi Alliance.
WPA2 implements the mandatory elements of 802.11i. In particular, it introduces a new AES-
based algorithm, CCMP, which is considered fully secure. Certification began in September,
2004; from March 13, 2006, WPA2 certification is mandatory for all new devices to bear the Wi-
Fi trademark.[4]

[edit] Security in pre-shared key mode


Pre-shared key mode (PSK, also known as Personal mode) is designed for home and small office
networks that don't require the complexity of an 802.1X authentication server[5]. Each wireless
network device encrypts the network traffic using a 256 bit key. This key may be entered either
as a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters.[6] If
ASCII characters are used, the 256 bit key is calculated by applying the PBKDF2 key derivation
function to the passphrase, using the SSID as the salt and 4096 iterations of HMAC-SHA1.[7]

Shared-key WPA remains vulnerable to password cracking attacks if users rely on a weak
passphrase.[8][9] To protect against a brute force attack, a truly random passphrase of 13 characters
(selected from the set of 95 permitted characters) is probably sufficient.[10] Lookup tables have
been computed by the Church of WiFi (a wireless security research group) for the top 1000
SSIDs[11] for a million different WPA/WPA2 passphrases.[12] To further protect against intrusion
the network's SSID should not match any entry in the top 1000 SSIDs.

In November 2008 Erik Tews and Martin Beck - reseachers at two German technical universities
(TU Dresden and TU Darmstadt) - uncovered a WPA weakness[13] which relied on a previously
known flaw in WEP that could be exploited only for the TKIP algorithm in WPA. The flaw can
only decrypt short packets with mostly known contents, such as ARP messages, and 802.11e,
which allows Quality of Service packet prioritization as defined. The flaw does not lead to key
recovery, but only a keystream that encrypted a particular packet, and which can be reused as
many as seven times to inject arbitrary data of the same packet length to a wireless client. For
example, this allows someone to inject faked ARP packets which makes the victim send packets
to the open Internet. This attack was further optimised by two Japanese computer scientists
Toshihiro Ohigashi and Masakatu Morii.[14] They developed a way to break the stopgap WPA
system that uses the Temporal Key Integrity Protocol (TKIP) algorithm, whereas WPA2 systems
that use the stronger CCMP algorithm are not affected.[15] In October 2009, Halvorsen with
others made a further progress, enabling attackers to inject larger malicious packets (596 bytes,
to be more specific) within approximately 18 minutes and 25 seconds.[16]

[edit] EAP extensions under WPA- and WPA2- Enterprise


The Wi-Fi alliance has announced[when?] the inclusion of additional EAP (Extensible
Authentication Protocol) types to its certification programs for WPA- and WPA2- Enterprise
certification programs. This was to ensure that WPA-Enterprise certified products can
interoperate with one another. Previously, only EAP-TLS (Transport Layer Security) was
certified by the Wi-Fi alliance.

As of 2010 the certification program includes the following EAP types:


 EAP-TLS (previously tested)
 EAP-TTLS/MSCHAPv2
 PEAPv0/EAP-MSCHAPv2
 PEAPv1/EAP-GTC
 PEAP-TLS
 EAP-SIM

802.1X clients and servers developed by specific firms may support other EAP types. This
certification is an attempt for popular EAP types to interoperate; their failure to do so is currently
one of the major issues preventing rollout of 802.1X on heterogeneous networks.

[edit] Hardware support


Most newer certified Wi-Fi devices support the security protocols discussed above, out-of-the-
box: compliance with this protocol has been required for a Wi-Fi certification since September
2003.[17]

The protocol certified through Wi-Fi Alliance's WPA program (and to a lesser extent WPA2)
was specifically designed[by whom?] to also work with wireless hardware that was produced prior to
the introduction of the protocol[3] which usually had only supported inadequate security through
WEP. Many of these devices support the security protocol after a firmware upgrade. Firmware
upgrades are not available for all legacy devices.

Furthermore, many consumer Wi-Fi device manufacturers have taken steps to eliminate the
potential of weak passphrase choices by promoting an alternative method of automatically
generating and distributing strong keys when users add a new wireless adapter or appliance to a
network. The Wi-Fi Alliance has standardized these methods and certifies compliance with these
standards through a program called Wi-Fi Protected Setup.

You might also like