Dr. Dobb's Journal June, 2004
Most of the known 802.11 Wireless LAN (WLAN) security issues are related to the weakness of the Wired Equivalent Protocol (WEP) in the original 802.11 specification. Since WEP is based on RC4 encryption, a predetermined WEP key is manually entered at the access point (AP) and on each mobile client (such as a PC or PDA). Only mobile clients with the matched WEP key setting can set up wireless link layer connections with the AP to access the network. Figure 1 illustrates a simple WEP-based WLAN configuration.
Wi-Fi Protected Access (WPA), from the Wi-Fi Alliance and IEEE, is designed to address known WLAN security issues in the original 802.11 specification. Table 1 lists the security problems of WEP and the solutions offered by WPA. WPA is a subset of technologies taken from the upcoming 802.11i Standard, which the Wi-Fi Alliance has dubbed "WPA2." In this article, I describe WPA's authentication, privacy, and data-integrity mechanisms, and illustrate how they address WLAN security issues.
In Figure 1, the "Thick" AP (say, Linksys or D-Link) performs all necessary WLAN operations, including:
Each packet exchanged over the air is encrypted using the manually entered WEP key. Figure 2 illustrates a WEP-encrypted 802.11 data packet.
WPA is derived from the forthcoming IEEE 802.11i draft Standard. Unlike the IEEE 802.11i specification, which requires hardware upgrade to APs and mobile client adaptors to support the proposed AES data encryption, WPA is designed such that existing APs and mobile client adaptors can incorporate WPA via software or firmware upgrades. At this time, most WLAN vendors concentrate WPA support on their latest 802.11g (54 Mbps) products instead of older 802.11b (11 Mbps) ones. Given the falling price of 802.11g products over the past year, most enterprises now deploy WLAN using 802.11g instead of 802.11b technology to take advantage of the higher wireless link bandwidth of 802.11g.
WPA can be summarized by: WPA=802.1x+EAP+TKIP+MIC. Figure 3 shows a WPA-encrypted 802.11 packet. Compared to the WEP-encrypted 802.11 packet in Figure 2, a WPA-encrypted packet contains additional headers such as the Extended IV, MIC, and ICV. Figure 4 illustrates WPA in a WLAN using a WLAN switch with "Thin" APs.
A WLAN switch encompasses most of the functions of a Thick AP, letting the Thin AP perform only 802.11-related functions (beacon frame broadcast, wireless data encryption/decryption, and the like). By centralizing WLAN functions at the WLAN switches, you can scale a WLAN to support large geographical areas that are otherwise too complex for the regular or Thick APs. Many WLAN switch start-ups and telecom vendors are trying to solve the WLAN scalability and security challenges using the architecture in Figure 4, although each adds some product differentiation, including:
A typical mobile client might be a Windows XP PC with Microsoft's Wireless Provisioning Service pack (which supports WPA). At this point, Windows XP Professional is the most well-supported mobile client platform for WPA operations. Other computing platforms, such as Windows 98 and Apple's Macintosh OS X, may require additional client software. (WPA's TKIP and MIC functions normally reside at the 802.11 radio unit or chipset.)
WPA authentication is based on the IEEE 802.1x spec, which utilizes the IETF's RFC 2284 Extended Authentication Protocol (EAP) to provide centralized user and/or wireless network authentication, as well as encryption key management and distribution. (All EAP protocols support mobile client authentication. Some EAP protocols, such as the EAP-TLS, support both mobile client and wireless network authentication at the same time.) WPA supports two modes of authentication for different users, as indicated in Table 2.
802.1x and EAP in WPA's Enterprise Authentication mode require the use of a radius server, which is commonly available in enterprises but less so in small offices and home offices (SO/HO). Therefore, simple password matching (preshared keys, for instance) between the AP and mobile clients is used for WPA's SO/HO authentication where radius servers are not required. No matter which WPA authentication method is used, after successful authentication, TKIP (the data privacy mechanism) is used for encrypting messages over the air.
Again, WPA enterprise authentication is based on the IEEE 802.1x specification, which utilizes EAP to carry out the actual mobile client and/or wireless network authentication.
In the context of WLAN, 802.1x uses terminology such as "supplicant," "authenticator," and "authentication server" to represent the mobile client, AP, and radius server, respectively. In some WLAN implementations, the authentication server can be an LDAP server. Figure 1 illustrates the placement of each of the 802.1x subsystems. Before a supplicant is authenticated using one of the EAP authentication methods supported by the authentication server, the authenticator only passes control or authentication messages from the supplicant to the authentication server (that is, the 802.1x control channel is unblocked, but the data channel is blocked). Once a supplicant is authenticated, the authenticator can forward data traffic from the supplicant, subject to the predefined traffic filters for the supplicant to the network (the 802.1x data channel is now unblocked).
EAP is an extensible authentication protocol and supports many different authentication methods, such as password, digital certificate, and smartcards. IEEE's 802.1x framework lets mobile clients use any one of the supported authentication methods installed at the radius server for authentication. Only when all the authentication methods fail does an AP reject the credentials of a mobile client. EAP authentication methods are installed as supplicant software at the supplicant and authentication server. For example, Microsoft's Wireless Provisioning Service Pack enables a Windows XP PC to support PEAP-TLS and PEAP-MS-CHAP Version 2 user and network authentication. Of course, the corresponding software needs to be installed at the authentication server to support the specified EAP authentication methods.
WPA-enabled APs broadcast WPA-formatted beacon messages. When a mobile client roams near the AP, it tries to associate its SSID with the AP. After successful 802.11 association where a wireless link layer is established between the mobile client and AP, the mobile client starts the WPA's enterprise authentication using the EAPOL-START message.
Two sets of keys, such as pair-wise keys (that is, unicast or session keys) and group-wise keys (multicast keys) are generated and delivered to the mobile client via the EAPOL-KEY message following a successful WPA enterprise authentication. The keys are used for encrypting 802.11 packets before being sent over the air. The group-wise keys are shared among all mobile clients connected to the same AP and are used for multicast traffic. The pair-wise keys are unique to each association between a mobile client and the AP for unicast traffic. In IEEE's 802.1x nomenclature, this creates a private virtual port between a supplicant client and the authenticator. This 802.1x key distribution mechanism solves the WEP authentication problem where all mobile clients share the same WEP key for authentication and data encryption. If the radius server responds with a failure message, the AP disassociates the mobile client to prevent it from accessing the network beyond the AP.
Support of WPA's enterprise authentication at the WLAN switch and the Thin AP is straightforward. All the complexity of the authentication resides at the mobile client (that is, supplicant software) and radius server (authentication server software).
WPA enterprise authentication requires an authentication or radius server that is not commonly found in SO/HO. For WPA to be practical for SO/HO, WPA has a SO/HO authentication mode called "preshared key" (WPA-PSK). Basically, a single password (that is, preshared key) is manually entered at each mobile client and AP for user and network authentication. As long as the passwords match, mobile clients can gain access to the network. This is similar to the existing 802.11 authentication based on WEP. However, under WPA-PSK, the password or preshared key automatically kicks off the TKIP encryption process after successful authentication or password matching.
WEP's privacy problem is mainly due to the initialization vector (IV) that's sent over the air via cleartext (not encrypted). In busy WLANs, the IV repeats once every few hours. By capturing packets that contain the same IV, intruders can find out the WEP key via repeated XOR operations and gain illegal access to the network.
The Temporary Key Integrity Protocol (TKIP) in WPA addresses the WEP's encryption weakness as follows:
The TKIP process begins with a 128-bit "temporal key" (a pair-wise or group-wise key) that is shared among the mobile clients and the AP. TKIP combines the temporal key with the client's MAC address, then adds a large 16-byte initialization vector to produce the key to encrypt data. Figure 5 (extracted from the WPA specification) highlights the operations of TKIP.
One of the advantages of TKIP as compared to other encryption mechanisms is that it is relatively simple in terms of computational requirements and, thus, existing APs and client adaptors can be upgraded to support TKIP via firmware upgrades. The upcoming WPA2 uses AES encryption that is more computational intensive. New APs and client adaptors with AES-specific hardware are required to support WPA2. Reportedly, TKIP reduces the performance of a WLAN mobile client by only a few percentages. This is an acceptable performance penalty for the increased data privacy.
The Message Integrity Check (MIC) is designed to prevent attackers from capturing data packets, altering them, and resending them. The MIC function (nicknamed "Michael") is a one-way cryptographic hash function used instead of the CRC-32 checksum used in WEP. The MIC provides a strong mathematical function in which the receiver and transmitter each compute—and then compare—the MIC. If they do not match, the data is assumed to have been tampered with and the packet is dropped.
The MIC is calculated over the source and destination MAC addresses and the MSDU plaintext after being seeded by the MIC key and the TSC (see Figure 5). By computing the MIC over source/destination addresses, the packet data is keyed to the sender/receiver, preventing attacks based on packet forgery.
WPA provides fixes for all known WEP authentication, data privacy, and integrity problems. It is a reasonable and secure WLAN security mechanism, and most enterprises should find it useful for rolling out their WLAN networks for production use.
DDJ