WPA2 is better than WPAThis article is a discussion of why 802.11i (WPA2) provides stronger wireless security than WiFi Protected Access (WPA) and WEP, why there is a need for a new standard and why you should use it.

We’ve already looked at why WPA is better than WEP, so why have a new 802.11i security standard? Isn’t WPA good enough?

WPA has, rightly, been admired as a masterpiece of retro engineering. It addresses the weaknesses of WEP and the result is a very secure security system that is backwardly compatible with most existing WiFi compliant equipment. WPA is a practical solution that will provide more than adequate security for most wireless network applications.

However WPA is in the end a compromise solution. It still relies on the RC4 encryption algorithm and TKIP (Temporary Key Integrity Protocol). Although unlikely, the possibility of new weaknesses being discovered still exists.

A completely new security system, avoiding the design flaws of WEP entirely, represents the best long term, scalable solution to wireless LAN security. To this end the standards committee decided to design a new security system from the ground up. This is the new 802.11i standard, also known as WPA2 by the WiFi Alliance.

What is 802.11i?
802.11i uses the concept of a Robust Security Network (RSN). In RSN wireless devices need to support additional capabilities. This requires new hardware and software drivers making a fully compliant RSN network incompatible with existing WEP equipment. In the transitional period both RSN and WEP equipment will be supported, (in fact WPA/TKIP was a solution designed to make use of older equipment) but in the longer term WEP devices will be phased out.

802.11i allows for various network implementations and can use TKIP, but by default RSN uses AES (Advanced Encryption Standard) and CCMP (Counter Mode CBC MAC Protocol) and it is this which provides for a stronger, scalable solution.

What is AES/CCMP?
Advanced Encryption Standard (AES) is the cipher system used by RSN. It is the equivalent of the RC4 algorithm used by WPA. However the encryption mechanism is much more complex and does not suffer from the problems associated with WEP. AES is a block cipher, operating on blocks of data 128bits long.

CCMP is the security protocol used by AES. It is the equivalent of TKIP in WPA. CCMP computes a Message Integrity Check (MIC) using the well known, and proven, Cipher Block Chaining Message Authentication Code (CBC-MAC) method. Changing even one bit in a message produces a totally different result.

One of the worst aspects of WEP was the management of the secret keys. Many administrators found it impractical to manage keys in larger networks. As a result WEP keys were often not changed making it easier for hackers.

RSN defines a hierarchy of limited life keys, similar to TKIP. AES/CCMP requires 512bits to accommodate all the keys, less than TKIP.

Also like TKIP master keys are not used directly, but are used to derive other keys. Fortunately the administrator only needs to provide a single master key.

Messages are encrypted using a secret key (128bits) and a 128bit block of data. The encryption process is complex, but again the administrator does not need to be aware of the intricacies of the computations. The end result is encryption that is much harder to break than even WPA.

Conclusion
802.11i is by far the strongest security system for wireless networks. The purist would argue that anything less is the equivalent of no security at all.

When the 802.11i standard is ratified RSN (WPA2) compatible equipment will begin to appear. 802.11i (WPA2) will be the most robust, scalable, and secure solution and will appeal particularly to enterprise users where key management and administration has been a major headache.

802.11i has been designed using proven technologies. Security has been designed from scratch in full consultation with the best cryptographers and stands every chance of being the solution that wireless networks need. Although no security system can ever be considered totally unbreakable, 802.11i security is a dependable solution and seems unlikely to be breached. It suffers none of the problems of older systems.

802.11i is a wireless security system that you can depend on. You can use WPA to accommodate older equipment and as that reaches the end of its useful life you can upgrade to a fully compliant RSN network.

So what can happen if someone breaks into your network? Well for starters, it acts as a gateway for hackers to break into your system. On top of that, they can install sniffers (which allow them to steal such things as passwords and other sensitive information), adware, spyware, trojans, viruses, worms, backdoors, rootkits, and other malware as well as pursue wireless jamming attacks, encryption attacks, DoS attacks, and other various attacks. In short, given enough time, the sky is the limit on what a hacker could do when they get inside your AP.

At this point, many may say to themselves “Well, I have nothing of value on my computer, so I don”t care if they hack into it”. This couldn”t be any farther from the truth. If hackers compromise your computer, they”ll turn it into something called a “zombie” (in other words, their slave), which will do anything the hacker wants it to. This could be anything from helping crack (or decipher) passwords, to breaking into websites, to even breaking into other computers.

Here”s the kicker: if the hacker uses your computer to break into something and gets caught, guess who faces the consequences? Well, it was your computer that did the attacking, so it will be your fault, no matter if you knew about the attack or not. Whether it leads to fines or even jail time, you are stuck with a mess trying to prove that you are innocent, all while the hacker carries on with his life and pursues more targets.

Knowing about the consequences that can come from insecure AP”s, there are many things you can do to prevent outsiders from trying to break in. Ideally, you”ll use a “Defense in Depth” methodology, which means setting up multiple layers of security to try and deter hackers from breaking in. Now, some of these things discussed will not really add much in the way of security, but it is additional security nonetheless. Hackers love easy targets, so every layer of security you add makes it more difficult for them to break in, and thus acts as a deterrent. That being said, use the following security measures on your personal AP:

• Hide your SSID broadcast. Your SSID is simply the name of your AP. Without it, hackers will not know the difference between your AP and other ones in the vicinity.
• Change the name of your SSID. This may not sound like much but, the name can tell a hacker a lot about your AP. Using the default name probably means you are also using the default password, which can easily be found on the internet.
• Use MAC address filtering. A MAC address is simply an address burned into each wireless card. Using this filtering means that only the entered MAC addresses can access your AP.
• Enable Encryption. Use the WPA or WPA2 (if available) security mode as well as the AES algorithm. This makes it way more troublesome for hackers to eavesdrop your communications.
• Use both hardware and software firewalls. Chances are there is a firewall embedded right in your AP, so make sure it is enabled as well as firewalls on the networked computers.
• Keep learning about new wireless security threats. Technology keeps evolving, so it is in your best interest to research computer protection articles and other related news sources. Invest in computer security tools. While it is important to use layered security on your AP, it is even more important to do the same for your computer in case the hacker breaks through.

When it comes to wireless networks, deterrence can be one of the most powerful things working for you, providing you implement a Defense in Depth methodology like described above. With the large amount of weak and insecure AP”s that are live today, layered security will play a vital role in whether or not outsiders try to break into your wireless network. In the end, taking the time to secure your AP now could be the difference of legal repercussions or identity theft down the road.

What is WPA encryption?
WiFi Protected Access (WPA) is a newer security standard adopted by the WiFi Alliance consortium. Adhering to WiFi compliance ensures interoperability between different manufacturer’s equipment.

WPA delivers a higher level of security that further beyond anything that WEP can offer and bridges the gaps between WEP and 802.11i networks. WPA has the advantage that the firmware in older equipment may be upgradeable, without new hardware. This is not true for WPA2.

How does WPA work?
WPA uses Temporal Key Integrity Protocol (TKIP). TKIP is designed to allow WEP to be upgraded. This means that all the main building blocks of WEP are present, but corrective measures have been added to address security problems.

The weaknesses in WEP have been well publicized. Cracking methods are now available to comprimise a WEP password in less than 90 seconds. TKIP’s improvements are described below.

How WPA improves on WEP
IV values can be reused/IV length is too short. The length of the IV has been increased from 24bits to 48bits. Rollover of the counter is eliminated. Reuse of keys is less likely.

In addition IVs are now used as a sequence counter, the TSC (TKIP Sequence Counter), protecting against replaying of data, a major vulnerability in WEP.

Weak IV values are susceptible to attack
WPA avoids using known weak IV values. A different secret key is used for each packet, and the way the key is scrambled with the secret key is more complex.

Master keys are used directly in WEP
Master Keys are never used directly in WPA. A hierarchy of keys is used, all derived from the Master. Cryptographically this is a much more secure practice.

Key Management and updating is poorly provided for in WEP
Secure key management is built-in to WPA, so key management isn’t an issue with WPA.

Message integrity checking is ineffective
WEP message integrity proved to be ineffective. WPA uses a Message Integrity Check (MIC) called, Michael! Due to the hardware constraints the check has to be relatively simple. In theory there is a one in a million chance of guessing the correct MIC. In practice any changed frames would first need to pass the TSC and have the correct packet encryption key even to reach the point where Micheal comes into operation. As further security Michael can detect attacks and performs countermeasures to block new attacks.

Conclusion
WPA (TKIP) is a great solution, providing much stronger security than WEP, addressing all the weaknesses and allowing compatibility and upgrades with older equipment.