RE: 802.1x/ WPA

From: Ken Rudd [MSFT] (a-krudd_at_online.microsoft.com)
Date: 02/10/04 

Date: Tue, 10 Feb 2004 13:51:06 GMT

Aaron,

The following security features are included in the WPA standard:

WPA Authentication

802.1x authentication is required in WPA. In the 802.11 standard, 802.1x
authentication was optional.

For environments without a Remote Authentication Dial-In User Service
(RADIUS) infrastructure, WPA supports the use of a preshared key. For
environments with a RADIUS infrastructure, Extensible Authentication
Protocol (EAP) and RADIUS is supported.
*******************************************

WPA Key Management

With 802.1x, the rekeying of unicast encryption keys is optional.
Additionally, 802.11 and 802.1x provide no mechanism to change the global
encryption key used for multicast and broadcast traffic. With WPA, rekeying
of both unicast and global encryption keys is required. For the unicast
encryption key, the Temporal Key Integrity Protocol (TKIP) changes the key
for every frame, and the change is synchronized between the wireless client
and the wireless access point (AP). For the global encryption key, WPA
includes a facility for the wireless AP to advertise the changed key to the
connected wireless clients.

*******************************************

Temporal Key Integrity Protocol (TKIP)

For 802.11, Wired Equivalent Privacy (WEP) encryption is optional. For WPA,
encryption using TKIP is required. TKIP replaces WEP with a new encryption
algorithm that is stronger than the WEP algorithm but that uses the
calculation facilities present on existing wireless devices to perform
encryption operations. TKIP also provides for the following:
- The verification of the security configuration after the encryption
  keys are determined.
- The synchronized changing of the unicast encryption key for each
  frame.
- The determination of a unique starting unicast encryption key for
  each preshared key authentication.

*******************************************

With 802.11 and WEP, data integrity is provided by a 32-bit <integrity
check value> (ICV) that is appended to the 802.11 payload and encrypted
with WEP. Although the ICV is encrypted, you can use cryptanalysis to
change bits in the encrypted payload and update the encrypted ICV without
being detected by the receiver.

With WPA, a method known as <Michael> specifies a new algorithm that
calculates an 8-byte <message integrity code> (MIC) using the calculation
facilities available on existing wireless devices. The MIC is placed
between the data portion of the IEEE 802.11 frame and the 4-byte ICV. The
MIC field is encrypted together with the frame data and the ICV.

Michael also provides replay protection. A new frame counter in the IEEE
802.11 frame is used to prevent replay attacks.

*******************************************

AES Support

WPA defines the use of Advanced Encryption Standard (AES) as an additional
replacement for WEP encryption. Because you may not be able to add AES
support through a firmware update to existing wireless equipment, support
for AES is optional and is dependant on vendor driver support.

*******************************************

Supporting a Mixture of WPA and WEP Wireless Clients

To support the gradual transition of WEP-based wireless networks to WPA, a
wireless AP can support both WEP and WPA clients at the same time. During
the association, the wireless AP determines which clients use WEP and which
clients use WPA. The disadvantage to supporting a mixture of WEP and WPA
clients is that the global encryption key is not dynamic. This is because
WEP-based clients cannot support it. All other benefits to the WPA
clients, such as integrity, are maintained.

*******************************************

Changes Required to Support WPA
-------------------------------

WPA requires software changes to the following:
- Wireless access points
- Wireless network adapters
- Wireless client programs

*******************************************

Changes to Wireless Access Points

Wireless access points must have their firmware updated to support the
following:
- The new WPA information element To advertise their support of WPA,
  wireless APs send the beacon frame with a new 802.11 WPA information
  element that contains the wireless AP's security configuration
  (encryption algorithms and wireless security configuration information).
- The WPA two-phase authentication Open system, then 802.1x (EAP with
  RADIUS or preshared key).
- TKIP
- Michael
- AES (optional)

To upgrade your wireless access points to support WPA, obtain a WPA
firmware update from your wireless AP vendor and upload it to your wireless
AP.

*******************************************

Changes to Wireless Network Adapters

Wireless network adapters must have their firmware updated to support the
following:
- The new WPA information element Wireless clients must be able to
  process the WPA information element and respond with a specific
  security configuration.
- The WPA two-phase authentication
- Open system, then 802.1x (EAP or preshared key).
- TKIP
- Michael
- AES (optional)

To upgrade your wireless network adapters to support WPA, obtain a WPA
update from your wireless network adapter vendor and update the wireless
network adapter driver.

For Windows wireless clients, you must obtain an updated network adapter
driver that supports WPA. For wireless network adapter drivers that are
compatible with Windows XP (Service Pack 1) and Windows Server 2003, the
updated network adapter driver must be able to pass the adapter's WPA
capabilities and security configuration to the Wireless Zero Configuration
service.

Microsoft has worked with many wireless vendors to embed the WPA firmware
update in the wireless adapter driver. So, to update you Windows wireless
client, all you have to do is obtain the new WPA-compatible driver and
install the driver. The firmware is automatically updated when the wireless
network adapter driver is loaded in Windows.

*******************************************

Changes to Wireless
Client Programs

Wireless client programs must be
updated to permit the configuration of WPA authentication (and preshared
key) and the new WPA encryption algorithms (TKIP and the optional AES
component).

For wireless clients that are running Windows XP service pack 1 (SP1) and
later or Windows Server 2003 and that are using a wireless network
adapter that supports the Wireless Zero Configuration service, you must
obtain and install the Windows WPA Client. The Windows WPA Client updates
the wireless network configuration dialog boxes to support new WPA options.

To obtain the WPA client program, visit the following Microsoft Web site:

        Download the Windows XP i386 package
        
http://microsoft.com/downloads/details.aspx?FamilyId=009D8425-CE2B-47A4-ABEC
-274845DC9E91&displaylang=en

For wireless clients running Windows 2000 (or clients running Windows XP
SP1 or Windows Server 2003 and using a wireless network adapter that does
not support the Wireless Zero Configuration service), you must obtain and
install a new WPA-compliant configuration tool from your wireless network
adapter vendor.

*******************************************

Related Intel Information
-------------------------

For information about an Intel issue with this update, visit the following
Intel Web site:

        http://www.intel.com/support/network/wireless/pro2100/sb/cs-006131-prd94
        4.htm:
        http://www.intel.com/support/network/wireless/pro2100/sb/cs-006131-prd94
        4.htm

The third-party products that are discussed in this article are
manufactured by companies that are independent of Microsoft. Microsoft
makes no warranty, implied or otherwise, regarding the performance or
reliability of these products.

Ken Rudd
Microsoft Enterprise Support
Windows Small Business Server Team

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------

|
| Does WPA encryption and 802.1x work together at all? If
| not is it excpected to be an update?
|

Relevant Pages

  • Re: Industry Standard Security and guest wifi access best practice
    ... It's always "wireless isolation" or "AP ... These are wireless clients but LAN ... least use WPA with a simple published pass-phrase in order to encrypt ... decrypt encrypted wireless traffic. ...
    (alt.internet.wireless)
  • Re: Anyone got 802.1x working on a wireless network?
    ... including that I had to get "generic" drivers from Intel for one ... getting 802.1x authentication working for my wireless. ... GPOs configured as per MS technet article for WPA, TKIP, etc. ... The next piece of frustration is with wireless NICs from other ...
    (microsoft.public.windows.server.sbs)
  • Re: Wireless: Key Confusion
    ... Wi-Fi Protected Access (WPA) is used to resolve the problems in WEP ... encryption and data integrity methods. ... encryption between the wireless client and wireless AP ...
    (microsoft.public.windows.server.networking)
  • Re: Newbie With Encryption Query
    ... If I have two laptops and set the encryption on ... WEP, WEP2 and WPA. ... I assume this should allow different clients to connect ...
    (uk.telecom.broadband)
  • Re: DI-524 router having problems acquiring network address
    ... I also changed from WPA to WPA2-PSK. ... is that when I try to get a connection, the wireless card gets stuck on ... That's an encryption key mismatch failure. ... test ALL the various encryption modes to see which ones work and which ...
    (alt.internet.wireless)
Quantcast