Wi-Fi Protected Access
Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, WEP (Wired Equivalent Privacy).

The WPA protocol implements the majority of the IEEE 802.11i standard. The Wi-Fi Alliance intended WPA as an intermediate measure to take the place of WEP pending the preparation of 802.11i. Specifically, the Temporal Key Integrity Protocol (TKIP) was brought into WPA. TKIP encryption replaces WEP's 40-bit or 128-bit encryption key, which must be manually entered on wireless access points and devices and does not change. TKIP uses a 128-bit per-packet key, meaning that it dynamically generates a new key for each packet and thus prevents collisions. TKIP could be implemented through firmware upgrades on pre-WPA wireless network interface cards that began shipping as far back as 1999. However, since the changes required in the wireless access points (APs) were more extensive than those needed on the network cards, most pre-2003 APs could not be upgraded to support WPA with TKIP. Researchers have since discovered a flaw in TKIP that relied on older weaknesses to retrieve the keystream from short packets to use for re-injection and spoofing.

WPA also includes a message integrity check (MIC). This is designed to prevent an attacker from capturing, altering and/or resending data packets. It replaces the cyclic redundancy check (CRC) that was used by the WEP standard. CRC's main flaw was that it did not provide a sufficiently strong data integrity guarantee for the packets it handled. MIC solved these problems. MIC uses an algorithm to check the integrity of the packets using the Integrity Check Value (ICV), and if the values do not match, the packet is dropped.
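Why a CRC gives no integrity guarantee against deliberate changes, shown as an added example that is not part of the original article: CRC-32 is unkeyed and linear, so the checksum of an altered frame can be computed from the old checksum alone, while a keyed check cannot be recomputed without the key. HMAC-SHA-256 stands in here for a keyed MIC and is not the algorithm WPA uses; the frame, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def predict_crc(original_crc: int, delta: bytes) -> int:
    """CRC-32 of (data XOR delta), computed without seeing the data.

    For equal-length inputs CRC-32 satisfies
    crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros).
    """
    return original_crc ^ zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))


def keyed_mic(key: bytes, data: bytes) -> bytes:
    # Stand-in keyed integrity check (assumption: not WPA's real MIC).
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def receiver_accepts_crc(data: bytes, crc: int) -> bool:
    return zlib.crc32(data) == crc


def receiver_accepts_mic(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_mic(key, data), tag)


def compare_checks() -> dict:
    key = b"constructed-mic-key"                    # constructed sample key
    original = b"constructed frame: dst=10.0.0.7 "  # constructed sample frame
    delta = bytes(len(original) - 1) + b"\x01"      # one flipped bit
    altered = xor_bytes(original, delta)

    # No key is needed to produce a checksum the receiver will accept.
    crc_for_altered = predict_crc(zlib.crc32(original), delta)
    # The only tag available without the key is the one for the original.
    tag_for_original = keyed_mic(key, original)

    return {
        "crc_accepts_altered": receiver_accepts_crc(altered, crc_for_altered),
        "mic_accepts_altered": receiver_accepts_mic(key, altered, tag_for_original),
        "mic_accepts_original": receiver_accepts_mic(key, original, tag_for_original),
    }


if __name__ == "__main__":
    for name, value in compare_checks().items():
        print(f"{name}: {value}")
```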

The later WPA2 certification mark indicates compliance with the full IEEE 802.11i standard. This advanced protocol will not work with some older network cards.

A high-level overview of WPA terminology

On a high level, different WPA versions and protection mechanisms can be distinguished. A distinction can be made based on the (chronological) version of WPA, the target end-user (based on the simplicity of the authentication key distribution), and the encryption protocol used.

Version
  • WPA: Initial WPA version, to supply enhanced security over the older WEP protocol. Typically uses the TKIP encryption protocol (see further).
  • WPA2: Also known as IEEE 802.11i-2004. Successor of WPA, and replaces the TKIP encryption protocol with CCMP to provide additional security. Mandatory for Wi-Fi–certified devices since 2006.


Target users (authentication key distribution)
  • WPA-Personal: Also referred to as WPA-PSK (Pre-shared key) mode. Is designed for home and small office networks and doesn't require an authentication server. Each wireless network device authenticates with the access point using the same 256-bit key.
  • WPA-Enterprise: Also referred to as WPA-802.1X mode, and sometimes just WPA (as opposed to WPA-PSK). Is designed for enterprise networks, and requires a RADIUS authentication server. This requires a more complicated setup, but provides additional security (e.g. protection against dictionary attacks). An Extensible Authentication Protocol (EAP) is used for authentication, which comes in different flavors (for example EAP-TLS, EAP-TTLS, EAP-SIM).

Note that WPA-Personal and WPA-Enterprise are both applicable to WPA and WPA2.

Encryption protocol
  • TKIP (Temporal Key Integrity Protocol): A 128-bit per-packet key is used, meaning that it dynamically generates a new key for each packet. Used by WPA.
  • CCMP: An AES-based encryption mechanism that is stronger than TKIP. Sometimes referred to as AES instead of CCMP. Used by WPA2.


At present, the router or access point of a typical home user would support WPA in WPA-PSK mode with TKIP encryption. As routers are upgraded, they will support WPA2 in WPA-PSK mode using CCMP encryption.

WPA2

WPA2 has replaced WPA; WPA2 requires testing and certification by the Wi-Fi Alliance. WPA2 implements the mandatory elements of 802.11i. In particular, it introduces CCMP, a new AES-based encryption mode with strong security. Certification began in September, 2004; from March 13, 2006, WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark.

Security and insecurity in pre-shared key mode

Pre-shared key mode (PSK, also known as Personal mode) is designed for home and small office networks that don't require the complexity of an 802.1X authentication server. Each wireless network device encrypts the network traffic using a 256-bit key. This key may be entered either as a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters. If ASCII characters are used, the 256-bit key is calculated by applying the PBKDF2 key derivation function to the passphrase, using the SSID as the salt and 4096 iterations of HMAC-SHA1.

Shared-key WPA remains vulnerable to password cracking attacks if users rely on a weak passphrase. To protect against a brute force attack, a truly random passphrase of 13 characters (selected from the set of 95 permitted characters) is probably sufficient. To further protect against intrusion, the network's SSID should not match any entry in the top 1000 SSIDs, because downloadable rainbow tables have been pre-generated for them and a multitude of common passwords.
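The key derivation and the two recommendations above, worked through as an added example that is not part of the original article: it derives the PSK exactly as described (PBKDF2, HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output), shows that the same passphrase yields a different key under a different SSID, and computes the strength of a random passphrase. The function names and the short list of common SSIDs are constructed for illustration and are not the actual top-1000 list.

```python
import hashlib
import math
import string

PRINTABLE_ASCII = {chr(c) for c in range(32, 127)}  # the 95 permitted characters

# Constructed sample; a real check would load a published common-SSID list.
SAMPLE_COMMON_SSIDS = {"linksys", "default", "NETGEAR", "dlink"}


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit pre-shared key for a passphrase and SSID."""
    # 64 hexadecimal digits are the raw key itself; no derivation is applied.
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not set(passphrase) <= PRINTABLE_ASCII:
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1",                      # HMAC-SHA1 as the pseudo-random function
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),        # the SSID is the salt
        4096,                        # iteration count
        dklen=32,                    # 256-bit output
    )


def random_passphrase_bits(length: int, alphabet_size: int = 95) -> float:
    """Search-space size, in bits, of a uniformly random passphrase."""
    return length * math.log2(alphabet_size)


def ssid_has_precomputed_tables(ssid: str, common_ssids=SAMPLE_COMMON_SSIDS) -> bool:
    """True if tables built for a common SSID would apply to this network."""
    # The salt is the exact SSID string, so a table is only reusable on an
    # exact match.
    return ssid in common_ssids


if __name__ == "__main__":
    # Same passphrase, two SSIDs: the salt makes the keys unrelated.
    for ssid in ("linksys", "example-home-7f3a"):
        psk = derive_psk("correct horse battery", ssid)
        flag = "common SSID" if ssid_has_precomputed_tables(ssid) else "unique SSID"
        print(f"{ssid:20} {flag:12} {psk.hex()}")
    print(f"13 random characters: {random_passphrase_bits(13):.1f} bits")
```

Because the salt is the SSID, a precomputed table is only useful against networks that share that exact SSID, which is why a unique network name removes the precomputation shortcut but does nothing for a guessable passphrase.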

In November 2008 Erik Tews and Martin Beck, researchers at two German technical universities (TU Dresden and TU Darmstadt), uncovered a WPA weakness which relied on a previously known flaw in WEP that could be exploited only for the TKIP algorithm in WPA. The flaw can only decrypt short packets with mostly known contents, such as ARP messages. The attack requires Quality of Service (as defined in 802.11e) to be enabled, which allows packet prioritization as defined. The flaw does not lead to key recovery, but only to a keystream that encrypted a particular packet, and which can be reused as many as seven times to inject arbitrary data of the same packet length to a wireless client. For example, this allows someone to inject faked ARP packets which make the victim send packets to the open Internet. This attack was further optimized by two Japanese computer scientists, Toshihiro Ohigashi and Masakatu Morii. Their attack doesn't require Quality of Service to be enabled. In October 2009, Halvorsen with others made further progress, enabling attackers to inject larger malicious packets (596 bytes, to be more specific) within approximately 18 minutes and 25 seconds. In February 2010, a new attack was found by Martin Beck that allows an attacker to decrypt all traffic towards the client. The authors say that the attack can be defeated by deactivating QoS, or by switching from TKIP to AES-based CCMP.

The vulnerabilities of TKIP are significant in that WPA-TKIP was, up until the proof-of-concept discovery, held to be an extremely safe combination. WPA-TKIP is still a configuration option upon a wide variety of wireless routing devices provided by many hardware vendors.

EAP extensions under WPA- and WPA2- Enterprise

In April of 2010, the Wi-Fi Alliance announced the inclusion of additional EAP (Extensible Authentication Protocol) types in its WPA- and WPA2-Enterprise certification programs. This was to ensure that WPA-Enterprise certified products can interoperate with one another. Previously, only EAP-TLS (Transport Layer Security) was certified by the Wi-Fi Alliance.

The certification program includes the following EAP types:
  • EAP-TLS (previously tested)
  • EAP-TTLS/MSCHAPv2
  • PEAPv0/EAP-MSCHAPv2
  • PEAPv1/EAP-GTC
  • PEAP-TLS
  • EAP-SIM
  • EAP-AKA
  • EAP-FAST


802.1X clients and servers developed by specific firms may support other EAP types. This certification is an attempt for popular EAP types to interoperate; their failure to do so is currently one of the major issues preventing rollout of 802.1X on heterogeneous networks.

Hardware support

Most newer certified Wi-Fi devices support the security protocols discussed above out-of-the-box: compliance with this protocol has been required for a Wi-Fi certification since September 2003.

The protocol certified through Wi-Fi Alliance's WPA program (and to a lesser extent WPA2) was specifically designed to also work with wireless hardware that was produced prior to the introduction of the protocol, which usually had only supported inadequate security through WEP. Many of these devices support the security protocol after a firmware upgrade. Firmware upgrades are not available for all legacy devices.

Furthermore, many consumer Wi-Fi device manufacturers have taken steps to eliminate the potential of weak passphrase choices by promoting an alternative method of automatically generating and distributing strong keys when users add a new wireless adapter or appliance to a network. The Wi-Fi Alliance has standardized these methods and certifies compliance with these standards through a program called Wi-Fi Protected Setup.

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 