The Cable Guy - May 2005
Wi-Fi Protected Access 2 (WPA2) Overview
The original IEEE 802.11 standard provided the following set of security features to secure wireless LAN communication:
Two different authentication methods: Open system and shared key
The Wired Equivalent Privacy (WEP) encryption algorithm
An Integrity Check Value (ICV), encrypted with WEP, which provided data integrity
Over time, these security features proved to be insufficient to protect wireless LAN communication in common scenarios. To address the security issues of the original IEEE 802.11 standard, the following additional technologies are used:
The IEEE 802.1X Port-Based Network Access Control standard is an optional method for authenticating 802.11 wireless clients. IEEE 802.1X provides per-user identification and authentication, extended authentication methods, and, depending on the authentication method, encryption key management dynamic, per-station or per-session key management and rekeying.
Wi-Fi Protected Access (WPA) is an interim standard adopted by the Wi-Fi Alliance to provide more secure encryption and data integrity while the IEEE 802.11i standard was being ratified. WPA supports authentication through 802.1X (known as WPA Enterprise) or with a preshared key (known as WPA Personal), a new encryption algorithm known as the Temporal Key Integrity Protocol (TKIP), and a new integrity algorithm known as Michael. WPA is a subset of the 802.11i specification.
The IEEE 802.11i standard formally replaces Wired Equivalent Privacy (WEP) and the other security features of the original IEEE 802.11 standard. WPA2 is a product certification available through the Wi-Fi Alliance that certifies wireless equipment as being compatible with the 802.11i standard. The goal of WPA2 certification is to support the additional mandatory security features of the 802.11i standard that are not already included for products that support WPA. Like WPA, WPA2 offers both Enterprise and Personal modes of operation.
Windows Vista, Windows XP with SP3, and Windows Server 2008 support WPA2. For WPA2 support in Windows XP with SP2, install the Wireless Client Update for Windows XP with Service Pack 2. This article describes the features of WPA2 security and the support for WPA2 included with Windows XP SP3 and the Wireless Client Update for Windows XP with SP2.
Features of WPA2 Security
The following features of WPA2 security are supported in Windows XP SP3 and the Wireless Client Update for Windows XP with SP2:
For WPA2 Enterprise, WPA2 requires authentication in two phases; the first is an open system authentication and the second uses 802.1X and an Extensible Authentication Protocol (EAP) authentication method. For environments without a Remote Authentication Dial-In User Service (RADIUS) infrastructure such as small office/home office (SOHO) networks, WPA2 Personal supports the use of a preshared key (PSK).
WPA2 key management
Like WPA, WPA2 requires the determination of a mutual pairwise master key (PMK) based on the EAP or PSK authentication processes and the calculation of pairwise transient keys through a 4-way handshake.
For more information, see Wi-Fi Protected Access Data Encryption and Integrity.
Advanced Encryption Standard
WPA2 requires support for the Advanced Encryption Standard (AES) using the Counter Mode-Cipher Block Chaining (CBC)-Message Authentication Code (MAC) Protocol (CCMP). AES Counter Mode is a block cipher that encrypts 128-bit blocks of data at a time with a 128-bit encryption key. The CBC-MAC algorithm produces a message integrity code (MIC) that provides data origin authentication and data integrity for the wireless frame. A Packet Number field included in the WPA2-protected wireless frame and incorporated into the encryption and MIC calculations provides replay protection. AES encryption meets the Federal Information Processing Standard (FIPS) 140-2 requirement.
Additional Features of WPA2 for Fast Roaming
When a wireless client authenticates using 802.1X, there are a series of messages sent between the wireless client and the wireless access point (AP) to exchange credentials. This message exchange introduces a delay in the connection process. When a wireless client roams from one wireless AP to another, the delay to perform 802.1X authentication can cause noticeable interruptions in network connectivity, especially for time-dependent traffic such as voice or video-based data streams. To minimize the delay associated with roaming to another wireless AP, WPA2 wireless equipment can optionally support PMK caching and preauthentication.
As a wireless client roams from one wireless AP to another, it must perform a full 802.1X authentication with each wireless AP. WPA2 allows the wireless client and the wireless AP to cache the results of a full 802.1X authentication so that if a client roams back to a wireless AP with which it has previously authenticated, the wireless client needs to perform only the 4-way handshake and determine new pairwise transient keys. In the Association Request frame, the wireless client includes a PMK identifier that was determined during the initial authentication and stored with both the wireless client and wireless AP's PMK cache entries. PMK cache entries are stored for a finite amount of time, as configured on the wireless client and the wireless AP.
To make the transition faster for wireless networking infrastructures that use a switch that acts as the 802.1X authenticator, the WPA2/WPS IE Update calculates the PMK identifier value so that the PMK as determined by the 802.1X authentication with the switch can be reused when roaming between wireless APs that are attached to the same switch. This practice is known as opportunistic PMK caching.
For information about controlling PMK caching behavior with registry values, see The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) update for Windows XP with Service Pack 2 is available.
With preauthentication, a WPA2 wireless client can optionally perform 802.1X authentications with other wireless APs within its range, while connected to its current wireless AP. The wireless client sends preauthentication traffic to the additional wireless AP over its existing wireless connection. After preauthenticating with a wireless AP and storing the PMK and its associated information in the PMK cache, a wireless client that connects to a wireless AP with which it has preauthenticated needs to perform only the 4-way handshake.
WPA2 clients that support preauthentication can only preauthenticate with wireless APs that advertise their preauthentication capability in Beacon and Probe Response frames.
For information about controlling preauthentication behavior with registry values, see The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) update for Windows XP with Service Pack 2 is available.
Supporting a Mixture of WPA2, WPA and WEP Wireless Clients
WPA2 certified wireless equipment is also compatible with WPA and WEP. You can have a mixture or WPA2, WPA, and WEP wireless devices operating in the same environment.
Changes Required to Support WPA2
WPA2 support requires changes to the following:
Wireless network adapters
Wireless client software
Changes to wireless APs
With WPA, wireless network devices could be upgraded through a firmware update because the WPA security features leveraged the existing computational facilities designed for WEP. With WPA2, however, a wireless AP that does not have the computational facilities to perform the more complex calculations for AES CCMP cannot be upgraded through a firmware update and must be replaced. These types of wireless APs are typically older wireless APs manufactured before inclusion of support for the 802.11g standard. Newer wireless APs, such as those that support the 802.11g standard, might be upgradeable with a firmware update.
Check with your wireless AP vendor documentation or Web site to determine if your wireless APs require replacement or a firmware update to support WPA2. If only a firmware update is needed, obtain the update from your wireless AP vendor and install it on your wireless APs.
For information about wireless APs that have been WPA2 certified, see the Wi-Fi Alliance Web site.
Changes to wireless network adapters
Like wireless APs, whether you must replace wireless network adapters depends on whether they have the computational facilities to perform AES CCMP. Check with your wireless network adapter vendor documentation or Web site to determine if your wireless network adapters require replacement or a firmware update in order to support WPA2. If only a firmware update is needed, obtain the update from your wireless adapter vendor and install it on your wireless network adapters.
For wireless clients running Windows XP with Service Pack 2, you must obtain an updated network adapter driver that supports WPA2. The updated network adapter driver must be able to pass the adapter's WPA2 capabilities to Windows XP Wireless Auto Configuration.
For information about wireless network adapters that have been WPA2 certified, see the Wi-Fi Alliance Web site.
Changes to wireless client programs
Wireless client software must be updated to allow for the configuration of WPA2 authentication options. The WPA2/WPS IE Update for computers running Windows XP with SP2 includes support for WPA2 and modifies the following
The Choose a wireless network dialog box
The Association tab for the properties of a wireless network.
When you are connected to a WPA2-capable wireless network, the type of network is displayed as WPA2 in the Choose a wireless network dialog box. The following figure shows an example.
If your browser does not support inline frames, click here to view on a separate page.
On the Association tab for the properties of a wireless network, the Network Authentication drop-down box has the additional options: WPA2 (for WPA2 Enterprise) and WPA2-PSK (for WPA2 Personal). These options will be present only if the wireless network adapter and its driver support WPA2.
For More Information
For more information about WPA2 and support for 802.11 wireless LAN technologies in Windows, consult the following resources:
For a list of all The Cable Guy articles, click here.