802.11 wireless technologies have transformed computer
networking, allowing portable computer users to roam freely and remain
connected and making it possible to place desktop computers in locations where
it’s difficult to run network cabling. However, wireless networking presents
security issues. Because the data goes over the airwaves, it’s easy to
intercept; any “war driver” with the right equipment can detect and
plug into an unprotected wireless network.

That means encryption is essential, but the most common
encryption scheme for wireless, the Wired Equivalent Privacy (WEP) protocol,
suffers some serious shortcomings. Now there’s a better option: Wi-Fi Protected
Access (WPA). In this article, we’ll discuss WPA’s
advantages over WEP, how WPA works, and how to implement it on your Windows
network.

How WPA came about

An unencrypted wireless network is wide open to the world.
Don’t let the specifications for the typical range of wireless transmissions
fool you into thinking you’re safe. War drivers (hackers who cruise around with
their laptops, looking for open wireless networks) can use high gain antennas
to extend that range. Assuming you don’t want anyone and everyone connecting to
your wireless network, you need to encrypt the communications.

Most Wireless Access Points (WAPs) and wireless Network
Interface Cards (NICs) support WEP encryption. WEP offers some protection, but
it is notorious for its weaknesses. One problem is that the encryption key
length is only 40 bits. The shorter the key, the easier it is to crack. The
same key is used by everyone on the network.

The RC4 stream cipher algorithm that WEP uses is vulnerable
to attackers who may be able to decipher the transmission and recover the plain
text if they are able to intercept two ciphertexts that are encrypted with the
same key. To protect against these vulnerabilities, WEP uses an Initialization
Vector (IV) to create a different RC4 key for each packet. The problem is that
the IV is only 24 bits, which means the same key stream will almost certainly
be reused if there is a lot of traffic going through the WAP. All the attacker
has to do is be patient and keep collecting ciphertexts; eventually he’ll have
two that were encrypted with the same key (these are called IV Collisions).
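As an added illustration that is not part of the original article, the toy model below (constructed here, not real WEP code) estimates under the birthday bound how soon a 24-bit IV repeats compared with a 48-bit one, and shows why two packets under the same RC4 key stream matter: the key stream cancels out of the XOR of the two ciphertexts.

```python
import math
import os

# Constructed toy model of the WEP weakness described above. It does not use
# WEP's real RC4 key schedule; it shows the two facts the text relies on: a
# 24-bit IV space repeats quickly, and two packets protected by the same key
# stream leak the XOR of their plaintexts to anyone holding both ciphertexts.

WEP_IV_BITS = 24
TKIP_IV_BITS = 48

def iv_collision_probability(packets: int, iv_bits: int = WEP_IV_BITS) -> float:
    """Birthday bound: probability that at least one IV value repeats among
    `packets` IVs chosen at random from a space of 2**iv_bits values."""
    space = 2 ** iv_bits
    # P(no repeat) ~ exp(-n(n-1)/(2N)); the complement is P(some repeat).
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))

def packets_for_half_chance(iv_bits: int = WEP_IV_BITS) -> int:
    """Smallest packet count at which an IV repeat is more likely than not."""
    return math.ceil(math.sqrt(2 * math.log(2) * 2 ** iv_bits))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(keystream: bytes, plaintext: bytes) -> bytes:
    """Generic stream-cipher step (RC4 in WEP): ciphertext = plaintext XOR
    key stream. The key stream is stood in for by random bytes here."""
    return xor_bytes(keystream, plaintext)

def keystream_reuse_leak(p1: bytes, p2: bytes) -> bytes:
    """Encrypt two packets under the *same* key stream (what an IV collision
    causes) and return what an eavesdropper can compute from the two
    ciphertexts alone, without knowing the key."""
    keystream = os.urandom(max(len(p1), len(p2)))
    c1 = stream_encrypt(keystream, p1)
    c2 = stream_encrypt(keystream, p2)
    # The key stream cancels out: c1 XOR c2 == p1 XOR p2.
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    print(f"24-bit IV: repeat more likely than not after "
          f"{packets_for_half_chance(WEP_IV_BITS)} packets")
    print(f"48-bit IV: same odds only after "
          f"{packets_for_half_chance(TKIP_IV_BITS)} packets")
    leak = keystream_reuse_leak(b"GET /index.html", b"GET /secret.txt")
    print("c1 XOR c2 =", leak.hex(), "(equals p1 XOR p2)")
```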

Because of WEP’s vulnerabilities,
many companies and government agencies that need high security have banned
wireless technology. Other organizations wanted the convenience of wireless
communications but worried about security breaches. It was essential, if
wireless networking was to go to the next level, that better encryption methods
be developed.

WPA was developed by the WiFi Alliance in conjunction with
the IEEE as an interim wireless security solution that works with existing
hardware, in anticipation of the 802.11i wireless security standards that were
recently ratified, but are not compatible with all legacy hardware. For those
who aren’t ready to upgrade all of their wireless hardware and who need more
security than WEP can provide, WPA is the answer.

WPA can be thought of as a “bridge” protocol,
since it is backward-compatible with WEP and designed to be forward-compatible
with 802.11i, also called WPA v.2.

How WPA works

WPA has two big advantages over WEP:

  • WPA uses stronger encryption than WEP
  • WPA provides for user authentication in the
    enterprise environment

Stronger encryption

Encryption is improved through the use of the Temporal Key
Integrity Protocol (TKIP). TKIP uses a “temporal key” that has 128
bits. This 128 bit key is mixed with the MAC address of the wireless sender.
Then the mixed key is mixed again with an IV value (which, at 48 bits, is
double the length of WEP’s) to create a unique key
that is used to encrypt one packet. WPA creates dynamic session keys, with
different keys per user, per session and per packet. This overcomes the WEP
vulnerability we described above.

Note that WPA, like WEP, uses RC4 instead of the Advanced
Encryption Standard (AES). This is because although AES is a stronger
algorithm, it can’t be implemented with most legacy NICs, and the goal of WPA’s developers was a more secure protocol that would work
with existing hardware.

The word temporal means
“brief, only lasting a short time.” TKIP keys are called “temporal
keys” because they’re changed often, to prevent the same keys from being
used again. TKIP includes a rekeying mechanism to prevent this problem. Each
packet has a different key that contains a 48 bit serial number as the IV. This
number gets incremented for each new packet in sequence. There are no IV collisions
with TKIP.

Having the numbers in sequence also helps to protect against
replay attacks, because if a hacker tried to replay packets from a previous
wireless connection, the numbers would be out of sequence and the attack would
be detectable. To ensure the integrity of the data, TKIP uses an 8 byte Message
Integrity Code (MIC) at the end of each message. The method used to generate
this MIC is called Michael.
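Added example, not from the article: a receive-side replay filter modelled on TKIP's rule that each frame's 48-bit sequence counter must exceed the last counter accepted from that sender under the current key. The frames and the sender address are constructed sample data.

```python
TSC_BITS = 48
TSC_MAX = 2 ** TSC_BITS - 1

class TkipReceiveState:
    """Per-sender replay state modelled on TKIP's 48-bit sequence counter
    (TSC) rule: a frame is accepted only if its counter is greater than
    the last counter accepted from that sender under the current key."""

    def __init__(self):
        self.last_tsc = {}   # sender MAC -> highest TSC accepted so far
        self.rejected = []   # (sender, tsc, reason) records for the log

    def accept(self, sender: str, tsc: int) -> bool:
        if not 0 <= tsc <= TSC_MAX:
            self.rejected.append((sender, tsc, "TSC outside 48-bit range"))
            return False
        last = self.last_tsc.get(sender, -1)
        if tsc <= last:
            # Equal: a replayed copy. Lower: replayed or out of sequence.
            self.rejected.append((sender, tsc, "replay or out of sequence"))
            return False
        self.last_tsc[sender] = tsc
        return True

def process_frames(frames):
    """Run a (sender, TSC) sequence through the replay filter; return the
    ordered accept/reject decisions and the rejection records."""
    state = TkipReceiveState()
    decisions = [state.accept(sender, tsc) for sender, tsc in frames]
    return decisions, state.rejected

# Constructed sample capture: one client sends TSC 1, 2, 3; two frames with
# stale counters arrive (a replayed copy of TSC 2, then TSC 0); the client
# continues with TSC 4. The address is from the documentation MAC range,
# not a real device.
SAMPLE_FRAMES = [
    ("00:00:5e:00:53:01", 1),
    ("00:00:5e:00:53:01", 2),
    ("00:00:5e:00:53:01", 3),
    ("00:00:5e:00:53:01", 2),   # replayed copy of an earlier frame
    ("00:00:5e:00:53:01", 0),   # stale counter
    ("00:00:5e:00:53:01", 4),
]

if __name__ == "__main__":
    decisions, rejected = process_frames(SAMPLE_FRAMES)
    print(decisions)      # [True, True, True, False, False, True]
    for record in rejected:
        print("rejected:", record)
```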

User authentication

In addition to stronger encryption, WPA provides a way for
enterprises to authenticate wireless users with a RADIUS server. The
authentication protocol that’s used is the Extensible Authentication Protocol
(EAP).

The RADIUS server also allows you to set user access
policies to control wireless access to your network. For example, you can set
time limits on wireless sessions or place restrictions on days and times that
users can connect.

WPA provides for mutual authentication: both the client (“supplicant”
in wireless parlance) and the server are authenticated.

What about small business or home networks that want to use
WPA but don’t have RADIUS servers? In that case, WPA can use a pre-shared key.

Implementing WPA on your Windows network

So you’re convinced that you need to switch from WEP to WPA
to protect your wireless network? What steps do you need to take to accomplish
this? Basically, you must:

  • Ensure that your WAPs support WPA.
  • Ensure that the wireless NICs on your client
    computers support WPA.
  • Ensure that the operating system on your client
    computers supports WPA.
  • Ensure that the wireless client software on the
    client computers supports WPA.

Verifying hardware support

First, make sure that the WAP supports WPA. You might need
to update the WAP’s firmware. Contact the WAP vendor
or check the vendor’s Web site. If you’re buying a new WAP, check the label on
the box. If it was certified by the Wi-Fi Alliance after August 2003, it is
required to support WPA.

Next, ensure that the client computers’ wireless NICs support Wireless Zero Configuration. You might need to
upgrade the driver. Contact the NIC vendor or check the vendor’s Web site.

Verifying software support

Once you know the hardware supports WPA, consider the
operating system. If your wireless client computers are running Windows XP with
Service Pack 2, you’ll have the easiest time of it. The Windows WPA client
software is installed as part of SP2. If the clients run XP with SP1, the
easiest route is to update them to SP2. However, you might not be able to do
that if they are running applications that have conflicts with SP2. In that
case, you can download the Support Patch for Wi-Fi Protected Access from the Microsoft
Download Center.

Microsoft also offers a wireless update rollup package for
Windows XP that corrects some problems with WPA. You can read about it in Microsoft
KB Article 826942.

You can use WPA with either XP Professional or XP Home
Edition. If you’re using an operating system prior to XP, you’ll need to get a
third party client. For example, you can download the Odyssey WLAN client from Funk Software.

Configuring the WAP

Configuration of your WAP will depend on the hardware you
have. You’ll need to access the WAP’s configuration
utility (usually done through a Web page) and set up WPA options. You may have
the following options to choose from:

  • Whether to use a pre-shared key or an
    authentication server. If your network doesn’t have a RADIUS server, you’ll
    have to use a pre-shared key. If you select to use a pre-shared key, you’ll
    need to enter it. This should be a strong key (password). The same key will
    need to be entered in the client configuration. If you select to use an
    authentication server, you’ll need to identify the RADIUS server to be used for
    authentication and accounting.
  • Whether to use the TKIP algorithm or AES. AES is
    more secure, but may not work with legacy hardware because most
    older hardware doesn’t have the processing power to use it.

Configuring the client software

After you install the WPA patch for XP, you’ll need to
reboot. The patch installs as Hotfix (SP2) Q815485. If you need to uninstall it
for some reason, you can use the Add/Remove Programs applet to remove the
hotfix.

To configure WPA in Windows XP, perform the following steps:

  1. Click Start | Control Panel and click the Network applet.
  2. Right-click the wireless connection and select Properties.
  3. Click the Wireless Networks tab.
  4. Select the wireless network name (SSID) that corresponds to the WAP that you
     configured for WPA.
  5. Click the Configure button.
  6. In the Network Authentication drop-down box, select WPA if you are using a RADIUS
     server for authentication, or WPA-PSK if you are using a pre-shared key.
  7. In the Data Encryption drop-down box, select TKIP or AES (the selection must
     correspond to the algorithm you configured on the WAP).
  8. If you are using a pre-shared key, enter it in the Network Key text box and again
     in the Confirm Network Key text box. Note that the key will not be displayed as
     you type but will be replaced by asterisks.
  9. Click OK to close the dialog box.

You should now be able to connect to your WAP securely using
WPA.

Configuring the RADIUS server

If you want to use EAP authentication with WPA, you’ll need
to configure a RADIUS authentication server. You’ll also need a certification
server to issue digital certificates. You can do this with a Windows 2000
Server or Server 2003 computer on an Active Directory network, which comes with
IAS (Internet Authentication Service) and the CA (Certification Authority)
service. You’ll need to install IAS and Certificate services, as they are not
installed by default.

Install IAS through the Add/Remove Programs applet in
Control Panel by starting the Windows Components Wizard, clicking Network
Services and clicking Details, then selecting Internet Authentication Service.
You may need to insert the Windows Server installation CD. Certificate Services
is also installed as a Windows Component.

You can install the CA on the same server on which you
install IAS.

You’ll need to add your WAP as a RADIUS client on the IAS
server and then use the New Remote Access Policy Wizard to create a policy for
wireless access.

To add a remote access policy, open the IAS console and
expand the Internet Authentication Service node, then right-click Remote Access
Policies. Click New Remote Access Policy. This starts the wizard. Select “wireless
access” as the access method. If you’re using certificate authentication,
you need to install a user certificate on your wireless clients.

For fault tolerance, you may want to create both a primary
and a backup IAS server. You’ll need to copy the configuration of the primary
IAS server to the backup IAS server. To save your IAS configuration, use the
command line tool netsh. Type netsh aaaa show config > (path\file.txt).

Ditching WEP

Wireless communications have a “bad rep” when it
comes to security, but you can make your wireless network more secure by
replacing WEP, the standard encryption protocol, with WPA. Once you know the
history of WPA and its advantages over WEP, you can configure your Windows
network to use WPA both with and without an authentication server.