1. WLAN Security: Managing Authentication and Encryption with WPA and WPA2
2. Wi-Fi Protected Access (WPA)
WPA introduced in late 2003
Pre-standard implementation of IEEE 802.11i WLAN security
Addresses currently known security problems with WEP
Allows software upgrade on already deployed 802.11 equipment to improve security
Components of WPA
Authenticated key management using 802.1X: EAP authentication, and PSK authentication
Unicast and broadcast key management
Standardized TKIP per-packet keying and MIC protocol
Initialization vector space expansion: 48-bit initialization vectors
Migration mode: coexistence of WPA and non-WPA devices (optional implementation that is not required for WPA certification)
3. WPA Authentication Modes
Personal (PSK Authentication):
Encryption uses TKIP, AES optional
Local access control
Shared secret used for authentication
Authentication server not required
Enterprise (802.1X Authentication):
Encryption uses TKIP, AES optional
Centralized access control
RADIUS used for authentication and key distribution
Authentication server required
4. WPA Authentication Process
5. Purpose of Each WPA Phase
RADIUS-based key distribution
Server moves (not copies) Pairwise Master Key (PMK) to access point
AES cryptographically more robust than RC4 (and requires more computational power)
AES is implemented in hardware
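As an added illustration of the key management described on these slides (example code written for this page, not material from the original deck or from Cisco): in Personal mode both the station and the AP derive the Pairwise Master Key from the passphrase and SSID with PBKDF2-HMAC-SHA1 (the IEEE 802.11i Annex H construction), in Enterprise mode the PMK is the first 256 bits of the EAP master session key that the RADIUS server moves to the AP, and in either mode the PMK is expanded into the Pairwise Transient Key with the 802.11i PRF once the 4-way handshake has exchanged nonces. The MAC addresses and nonces used below are constructed sample values.

```python
"""WPA/WPA2 key hierarchy: PMK (Personal or Enterprise) -> PTK.
Added example for this page; MAC addresses and nonces are constructed values.
"""
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Personal mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is only a salt, so the passphrase is the sole secret input and every
    station on the network ends up with the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def pmk_from_msk(msk: bytes) -> bytes:
    """Enterprise mode: the PMK is the first 256 bits of the EAP MSK that the
    RADIUS server moves to the AP, so every 802.1X session yields a fresh PMK."""
    if len(msk) < 32:
        raise ValueError("EAP MSK must be at least 32 bytes")
    return msk[:32]


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    concatenated and truncated to nbytes."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               cipher: str = "CCMP") -> dict:
    """Pairwise Transient Key, computed by both sides after the 4-way handshake:
    PTK = PRF-X(PMK, "Pairwise key expansion",
                min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    X = 384 bits for CCMP (AES); 512 bits for TKIP, which needs two extra Michael MIC keys."""
    if cipher not in ("CCMP", "TKIP"):
        raise ValueError("cipher must be CCMP or TKIP")
    nbytes = 48 if cipher == "CCMP" else 64
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, nbytes)
    keys = {
        "KCK": ptk[0:16],   # EAPOL-Key MIC key: protects the handshake messages
        "KEK": ptk[16:32],  # wraps the group key (GTK) carried in message 3
        "TK": ptk[32:48],   # temporal key that encrypts unicast data frames
    }
    if cipher == "TKIP":
        keys["MIC_AP_TO_STA"] = ptk[48:56]  # Michael key, AP-to-station direction
        keys["MIC_STA_TO_AP"] = ptk[56:64]  # Michael key, station-to-AP direction
    return keys


if __name__ == "__main__":
    # Constructed sample addresses and nonces.
    AP_MAC = bytes.fromhex("001122334455")
    STA_MAC = bytes.fromhex("66778899aabb")
    anonce, snonce = os.urandom(32), os.urandom(32)

    # Personal mode: two stations configured with the same passphrase share one PMK.
    pmk_a = pmk_from_passphrase("password", "IEEE")
    pmk_b = pmk_from_passphrase("password", "IEEE")
    print("Personal PMK:", pmk_a.hex(), "same on every station:", pmk_a == pmk_b)

    # Enterprise mode: stand-in for the per-session MSK delivered by RADIUS.
    pmk_e = pmk_from_msk(os.urandom(64))

    for name, pmk in (("Personal", pmk_a), ("Enterprise", pmk_e)):
        ptk = derive_ptk(pmk, AP_MAC, STA_MAC, anonce, snonce, cipher="CCMP")
        print(name, "TK:", ptk["TK"].hex())
```

The passphrase/SSID pair "password"/"IEEE" is the first PBKDF2 test vector from IEEE 802.11i Annex H, so the printed Personal PMK can be checked against the standard. The contrast the code makes visible is the one the slides draw between the two modes: the PSK network's security rests entirely on passphrase entropy and one PMK is shared by all stations, whereas the 802.1X network gets a distinct PMK per session from the authentication server.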
14. WPA/WPA2/802.11i Comparison
WPA: 802.1X authentication/PSK; 128-bit RC4 w/ TKIP encryption cipher; ad hoc not supported; test devices for compliance; SOHO
WPA2: 802.1X authentication/PSK; 128-bit AES encryption cipher; ad hoc not supported; test devices for compliance; Enterprise
802.11i: 802.1X authentication; 128-bit AES encryption cipher; allows ad hoc; no test, specification; Enterprise
15. 802.11i Key Caching and Preauthentication
802.11i allows credentials to be cached on an AP, and a client to preauthenticate on several APs
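To make the caching mechanism concrete, here is an added example (written for this page, not taken from the slides or from any vendor's implementation) of how an AP's PMK cache is keyed. 802.11i names each cached PMK by PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); the station lists the PMKIDs it holds in its (re)association request, and a hit lets the AP skip 802.1X and go straight to the 4-way handshake, while a miss or an expired entry forces a full authentication. The PMKs, MAC addresses and cache lifetime are constructed sample values, and `PmkCache` and `associate` are hypothetical names.

```python
"""802.11i PMK caching and preauthentication, simulated.
Added example; PMKs, MAC addresses and the lifetime are constructed values."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA). The AP's BSSID (AA)
    is part of the name, so a PMK cached at one AP is not usable at another
    unless the station preauthenticated there (or a vendor scheme such as
    Cisco Centralized Key Management distributes the key)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class PmkCache:
    """Per-AP PMK security association cache (hypothetical class name)."""

    def __init__(self, bssid: bytes, lifetime_s: int) -> None:
        self.bssid = bssid
        self.lifetime_s = lifetime_s
        self._entries: Dict[bytes, Tuple[bytes, float]] = {}

    def add(self, pmk: bytes, spa: bytes, now: float) -> bytes:
        """Store a PMK obtained by 802.1X, directly or through preauthentication."""
        name = pmkid(pmk, self.bssid, spa)
        self._entries[name] = (pmk, now + self.lifetime_s)
        return name

    def lookup(self, name: bytes, now: float) -> Optional[bytes]:
        """Return the cached PMK, or None; expired entries are purged on access."""
        entry = self._entries.get(name)
        if entry is None:
            return None
        pmk, expires = entry
        if now >= expires:
            del self._entries[name]
            return None
        return pmk


def associate(ap: PmkCache, spa: bytes, offered_pmkids: List[bytes], now: float) -> str:
    """What the AP does with the PMKID list in a (re)association request."""
    for name in offered_pmkids:
        if ap.lookup(name, now) is not None:
            return "4-way handshake (cached PMK)"
    return "full 802.1X authentication"


if __name__ == "__main__":
    STA = bytes.fromhex("66778899aabb")                       # constructed
    ap1 = PmkCache(bytes.fromhex("001122334455"), lifetime_s=3600)
    ap2 = PmkCache(bytes.fromhex("001122334466"), lifetime_s=3600)

    # t=0: full 802.1X at AP1; os.urandom stands in for the EAP-derived PMK.
    id1 = ap1.add(os.urandom(32), STA, now=0.0)
    # t=5: preauthentication to AP2 through the distribution system yields PMK2.
    id2 = ap2.add(os.urandom(32), STA, now=5.0)

    print("roam to AP2 at t=100: ", associate(ap2, STA, [id2], 100.0))
    print("back to AP1 at t=200: ", associate(ap1, STA, [id1], 200.0))
    print("AP1's PMKID at AP2:   ", associate(ap2, STA, [id1], 200.0))
    print("AP2 after expiry:     ", associate(ap2, STA, [id2], 4000.0))
```

Two defensive points fall out of the simulation: the cache lifetime bounds how long a compromised or stale PMK stays usable, so it should be set deliberately rather than left unlimited, and a PMKID offered to the wrong AP is a plain cache miss, which is why roaming only benefits from caching on APs the station has actually preauthenticated with.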
16. Cisco Centralized Key Management
17. Summary
WPA creates a new framework for authentication and encryption.
With WPA, authentication can still be PSK-based, like WEP, but can also be 802.1X-based.
WPA encryption is still RC4, but enhanced to make it harder to crack.
WPA2 uses AES-CCMP for encryption, known to be unbreakable.
802.11i is a protocol, and WPA2 certifies its implementation.
Cisco Centralized Key Management is a Cisco feature allowing caching of credentials to improve roaming efficiency.