Wi-Fi Protected Access Authentication (Compact 2013)
3/26/2014
Wi-Fi Protected Access (WPA) is a security standard for IEEE 802.11.
Warning
During development of the Institute of Electrical and Electronics Engineers (IEEE) 802.11i wireless networking standard, wireless vendors agreed on an interoperable interim standard known as Wi-Fi Protected Access (WPA). WPA has been superseded by Wi-Fi Protected Access 2 (WPA2).
A device driver that will support Wi-Fi Protected Access (WPA) must meet the requirements described in the following sections.
Driver Requirements
For vendors who have implemented a driver and want to update it for WPA, the following object identifiers (OIDs) must be used:
In addition, the following new OIDs must be added:
To find out if the driver can support WPA, use the OID_802_11_AUTHENTICATION_MODE OID to set the authentication mode to Ndis802_11AuthModeWPA, and then query the current authentication mode. If the setting fails or the returned value is not Ndis802_11AuthModeWPA, you can assume that the driver does not support the WPA extensions.
Furthermore, the authentication event must be supported.
A WPA network interface card (NIC) must support Temporal Key Integrity Protocol (TKIP) encryption and the Michael Message Integrity Check (MIC) algorithm, and it may support Advanced Encryption Standard (AES) encryption and integrity.
Configuration Options
The following table shows various configuration options and the expected system behavior. If "yes" appears in either the "Manual key required?" column or the "IEEE 802.1x enabled?" column in the table, the Network Driver Interface Specification (NDIS) specifies the OID_802_11_ADD_KEY, in both cases, to configure the correct key into the NIC. The last column in the table, "Configure key before joining network?", describes whether a key must be configured before the device can join the network.
Infrastructure mode |
Authentication mode |
Encryption status |
Manual key required? |
IEEE 802.1x enabled? |
Configure key before joining network? |
|---|---|---|---|---|---|
Extended Service Set (ESS) |
Open |
None |
No |
No |
No |
ESS |
Open |
WEP |
Optional |
Optional |
Yes |
ESS |
Shared |
None |
Yes |
No |
Yes |
ESS |
Shared |
WEP |
Optional |
Optional |
Yes |
ESS |
WPA |
WEP |
No |
Yes |
No |
ESS |
WKE |
TKIP |
No |
Yes |
No |
ESS |
WPA |
AES |
No |
Yes |
No |
ESS |
WPA-PSK (pre-shared key) |
WEP |
Yes |
Yes |
No |
ESS |
WPA-PSK |
TKIP |
Yes |
Yes |
No |
ESS |
WPA-PSK |
AES |
Yes |
Yes |
No |
Independent Basic Service Set (IBSS) |
Open |
None |
No |
No |
No |
IBSS |
Open |
WEP |
Yes |
No |
Yes |
IBSS |
Shared |
None |
Yes |
No |
Yes |
IBSS |
Shared |
WEP |
Yes |
No |
Yes |
IBSS |
WPA-None |
WEP |
Yes |
No |
Yes |
IBSS |
WPA-None |
TKIP |
Yes |
No |
Yes |
IBSS |
WPA-None |
AES |
Yes |
No |
Yes |
Warning
An improper combination of infrastructure, authentication, and encryption modes must not generate a MediaSense connect event and must generate a MediaSense disconnect event if the media is already associated with the connection. For example, do not combine IBSS, WPA-None, and assignment of a value to WEP.
The following list shows the support that various OIDs provide for WPA:
- OID_802_11_AUTHENTICATION_MODE supports WPA, WPA-PSK, and WPA-None for setting and querying.
- OID_802_11_ENCRYPTION_STATUS supports Encryption1 and Encryption2 for setting and querying.
- OID_802_11_BSSID_LIST returns the NDIS_802_11_BSSID_LIST_EX structure.
- OID_802_11_ASSOCIATION_INFORMATION supports querying the association.
- OID_802_11_ADD_KEY supports single group key set and one pairwise key (may use Group Key 0).
- OID_802_11_ADD_KEY supports four group keys, with an index from 0 through 3.
- OID_802_11_ADD_KEY supports setting bit 28 to 0.
- OID_802_11_TEST supports the generation of a MEDIA_SPECIFIC_EVENT event.
All OIDs provide the following support in WPA:
- Detect Michael Message Integrity Check (MIC) algorithm failures for group keys and for pairwise keys and generate a MEDIA_SPECIFIC_EVENT event.
- Do not send non-802.1x data packets until a group key is installed.
- Send a WPA information element in an associate/re-associate request message.
- Do not require a key to associate to an access point (AP) with the privacy bit set in the AP capability.
- Support TKIP 48 bit and Michael.
The OS checks for a WPA driver by using the following process.
- Set OID_802_11_AUTHENTICATION_MODE with Ndis802_11AuthModeWPA. The call must succeed.
- Query OID_802_11_AUTHENTICATION_MODE. The call must succeed and must return Ndis802_11AuthModeWPA as the value of the OID.
- Determine the highest supported cipher by using the following process:
- In the following order, set: OID_802_11_ENCRYPTION_STATUS, Ndis802_11Encryption3Enabled, Ndis802_11Encryption2Enabled and Ndis802_11Encryption1Enabled.
- Query OID_802_11_ENCRYPTION_STATUS.
If successful, the query returns a value that matches the value that was set. If it is not successful, the loop is broken and the last cipher verified successfully is assumed to be the highest supported cipher. - The highest supported cipher is typically either TKIP or AES.
- Set OID_802_11_ADD_KEY with a random key of length 32 and with an index of 0xc0000001. The result must be ERROR_INVALID_PARAMETER, which corresponds to NDIS_STATUS_INVALID_DATA from the driver.
- Query OID_802_11_ASSOCIATION_INFORMATION. The call must succeed—do not check the returned value in any way.
If all these tests pass, the NIC is marked as "WPA capable." The driver can then set preferred networks with the extended authentication modes and encryption types. This check happens when the card is inserted.