Wi-Fi protected access
- The original 802.11 specifications included a set of security features for privacy and authentication which, unfortunately, were quite weak.
- For privacy 802.11 defined the Wired Equivalent Privacy (WEP) algorithm. WEP makes use of the RC4 encryption algorithm using a 40-bit key.
- A later revision enables the use of a 104-bit key. For authentication, 802.11 requires that the two parties share a secret key not shared by any other party and defines a protocol by which this key can be used for mutual authentication.
- The privacy portion of the 802.11 standards contained major weaknesses. The 40-bit key is woefully inadequate.
- Even the 104-bit key proved to be vulnerable, due to a variety of weaknesses both internal and external to the protocol supporting WEP.
- These vulnerabilities include the heavy reuse of keys, the ease of data access in a wireless network, and the lack of any key management within the protocol.
- The 802.11i task group has developed a set of capabilities to address the WLAN security issues.
- In order to accelerate the introduction of strong security into WLANs, the Wi-Fi Alliance promulgated
Wi-Fi Protected Access (WPA) as a Wi-Fi standard.
- Also, WPA is a set of security mechanisms that eliminates mos1 802.11 security issues and based on the current state of the 802.11i standard.
- As 802.11i evolves, WPA will evolve to maintain compatibility. IEEE 802.11i addresses three main security areas: authentication, key management, and data transfer privacy. To improve authentication, 802.11i requires the use of an authentication server (AS) and defines a more robust authentication protocol.
- Moreover, The AS also plays a role in key distribution. For privacy, 802.1li provides three different encryption schemes.
- The scheme that provides a long-term solution makes use of the Advanced Encryption Standard (AES) with 128-bit keys.
- However, because the use of AES would require expensive upgrades to existing equipment, alternative schemes based on 104-bit RC4 also defined.
- The figure gives a general overview of the 802.11i operation. First, an exchange between a station and an AP enables the two to agree on a set of security capabilities to used. Then an exchange involving the AS and the station provides for secure authentication. Moreover, The AS is responsible for key distribution to the AP, which in turn manages and distributes keys to stations. Finally, strong encryption used to protect data transfer between the station and the AP.
- Moreover, The 802.11i architecture consists of three main ingredients:
- Authentication: A protocol used to define an exchange between a user and an AS that provides mutual authentication and generates temporary keys to used between the client and the AP over the wireless link.
- Access control: This function enforces the use of the authentication function, routes the messages properly, and facilitates key exchange. So, It can work with a variety of authentication protocols.
- Privacy with message integrity: MAC-level data (E .g., an LLC PDU) encrypted, along with a message integrity code that ensures that the data have not been altered.