5-58
CHAPTER 5: SYSTEM CONFIGURATION
Temporal Key Integrity Protocol (TKIP): WPA specifies TKIP as the data
encryption method to replace WEP. TKIP avoids the problems of WEP static keys
by dynamically changing data encryption keys. Basically, TKIP starts with a master
(temporal) key for each user session and then mathematically generates other
keys to encrypt each data packet. TKIP provides further data encryption
enhancements by including a message integrity check for each packet and a
re-keying mechanism, which periodically changes the master key.
WPA Pre-Shared Key Mode (WPA-PSK, WPA2-PSK): For enterprise deployment,
WPA requires a RADIUS authentication server to be configured on the wired
network. However, for small office networks that may not have the resources to
configure and maintain a RADIUS server, WPA provides a simple operating mode
that uses just a pre-shared password for network access. The Pre-Shared Key
mode uses a common password for user authentication that is manually entered
on the access point and all wireless clients. The PSK mode uses the same TKIP
packet encryption and key management as WPA in the enterprise, providing a
robust and manageable alternative for small networks.
Mixed WPA and WEP Client Support: WPA enables the access point to indicate
its supported encryption and authentication mechanisms to clients using its
beacon signal. WPA-compatible clients can likewise respond to indicate their WPA
support. This enables the access point to determine which clients are using WPA
security and which are using legacy WEP. The access point uses TKIP unicast data
encryption keys for WPA clients and WEP unicast keys for WEP clients. The global
encryption key for multicast and broadcast traffic must be the same for all clients,
therefore it restricts encryption to a WEP key.
When access is opened to both WPA and WEP clients, no authentication is
provided for the WEP clients through shared keys. To support authentication for
WEP clients in this mixed mode configuration, you can use either MAC
authentication or 802.1X authentication.
WPA2 – WPA was introduced as an interim solution for the vulnerability of WEP
pending the ratification of the IEEE 802.11i wireless security standard. In effect,
the WPA security features are a subset of the 802.11i standard. WPA2 includes
the now ratified 802.11i standard, but also offers backward compatibility with
WPA. Therefore, WPA2 includes the same 802.1X and PSK modes of operation
and support for TKIP encryption. The main differences and enhancements in
WPA2 can be summarized as follows:
Advanced Encryption Standard (AES): WPA2 uses AES Counter-Mode
encryption with Cipher Block Chaining Message Authentication Code
(CBC-MAC) for message integrity. The AES Counter-Mode/CBCMAC Protocol
(AES-CCMP) provides extremely robust data confidentiality using a 128-bit
key. The AES-CCMP encryption cipher is specified as a standard requirement