not logged in | [Login]

Quick Links

Always use radiusd -X when debugging!

Table of Contents

Overview

IEEE 802.11i, also known as WPA2, is an amendment to the 802.11 standard specifying security mechanisms for wireless networks (see Wi-Fi). The draft standard was ratified on 24 June, 2004, and supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was shown to have severe security weaknesses. Wi-Fi Protected Access (WPA) had previously been introduced by the Wi-Fi Alliance as an intermediate solution to WEP insecurities. WPA implemented a subset of 802.11i. The Wi-Fi Alliance refers to their approved, interoperable implementation of the full 802.11i as WPA2. 802.11i makes use of the Advanced Encryption Standard (AES) block cipher; WEP and WPA use the RC4 stream cipher.

The 802.11i architecture contains the following components: 802.1X for authentication (entailing the use of EAP and an authentication server), RSN for keeping track of associations, and AES-based CCMP to provide confidentiality, integrity and origin authentication. Another important element of the authentication process is the four-way handshake, explained below.

Encryption key distribution

The Four-Way Handshake

The authentication process leaves two considerations: the access point (AP) still needs to authenticate itself to the client station (STA), and keys to encrypt the traffic need to be derived. The earlier EAP exchange has provided the shared secret key PMK (Pairwise Master Key). This key is however designed to last the entire session and should be exposed as little as possible. Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address and STA MAC address. The product is then put through a cryptographic hash function.

The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are:

  1. The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
  2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC.
  3. The AP sends the GTK and a sequence number together with another MIC. The sequence number is the sequence number that will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
  4. The STA sends a confirmation to the AP.
As soon as the PTK is obtained it is divided into three separate keys:
  1. EAPOL-Key Confirmation Key (KCK) - The key used to compute the MIC for EAPOL-Key packets.
  2. EAPOL-Key Encryption Key (KEK) - The key used to encrypt the EAPOL-Key packets.
  3. Temporal Key (TK) - The key used to encrypt the actual wireless traffic.

The Group Key Handshake

The GTK used in the network may need to be updated due to the expiry of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP.

To handle the updating, 802.11i defines a Group Key Handshake that consists of a two-way handshake:

  1. The AP sends the new GTK to each STA in the network. The GTK is encrypted using the KEK assigned to that STA and protects the data from being tampered using a MIC.
  2. The STA acknowledges the new GTK and replies to the AP.

Security in pre-shared key mode

Like WPA, 802.11i has a pre-shared key mode (PSK, also known as personal mode), designed for home and small office networks that cannot afford the cost and complexity of an 802.1X authentication server. Each user must enter a passphrase to access the network. The passphrase is typically stored on the user's computer, so it need only be entered once. The weak passphrases users typically employ create a major vulnerability to password cracking attacks. Passphrases must be at least 8 characters, however at least 20 characters is recommended, and contain numbers and special characters. The IEEE 802.11i standard allows strong PSKs to be entered as 63 character hexadecimal strings. Passphrases should be changed whenever an individual with access is no longer authorized to use the network or when a device configured to use the network is lost or compromised.

Devices implementing 802.11i

In general, the use of WPA2 needs firmware or driver support of both devices, the wireless host (router or access point) and the wireless client (adapter).

Usually, the wireless host can be enabled to support WPA2 by a firmware upgrade, available at the manufacturer's site. The client needs an update of the wireless adapter driver, and maybe part of the operating system as well.

Mac OS X

With the release of the 4.2 update to their AirPort software, Apple now supports WPA2 on all AirPort Extreme-enabled Macintoshes, the AirPort Extreme Base Station, and the AirPort Express (firmware upgrades included in AirPort 4.2).

Windows XP

Support of WPA2 needs an operating system update (KB893357, see external link below), and upgrade of wireless adapter drivers. There is a link to Intel drivers below.

Linux

Support of WPA2 is available. Drivers are needed to support WPA as well as the userspace utility, wpa_supplicant.

A Gnome initiative called Network Manager allows users to roam between wireless (WPA2, WPA, WEP and open/unencrypted standards) and wired networks.

See also

External links