User's Manual

Appendix D Wireless LANs
B222s User’s Guide
called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.
WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice.
The RADIUS server distributes a Pairwise Master Key (PMK) to the AP, which then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.
By generating unique data encryption keys for every data packet and by providing an integrity checking mechanism (MIC), TKIP and AES make it more difficult to decrypt data on a Wi-Fi network than WEP does, and difficult for an intruder to break into the network.
The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks, but it is still an improvement over WEP, as it employs a consistent, single, alphanumeric password to derive a PMK, which is then used to generate unique temporal encryption keys. This prevents all wireless devices from sharing the same encryption keys (a weakness of WEP).
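The key hierarchy and MIC described above, worked through as an added example (not code from the user's guide or the B222s firmware): the PSK is stretched into the PMK with PBKDF2-HMAC-SHA1 as WPA(2)-PSK specifies, the PMK plus the two MAC addresses and the two handshake nonces are expanded into a PTK with the 802.11i PRF, and the KCK portion of the PTK is used to compute and verify an EAPOL-Key MIC. The MAC addresses, nonces and frame bytes are constructed stand-ins; the passphrase/SSID pair "password"/"IEEE" is the published 802.11i Annex H test input.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA(2)-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-384 'Pairwise key expansion': PTK = KCK(16) || KEK(16) || TK(16) for CCMP.

    MACs and nonces are ordered so AP and client feed identical input; the fresh nonces
    of each 4-way handshake give every session its own temporal key despite the shared PMK.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(3):  # 3 x 20 bytes covers the 48 bytes needed
        msg = b"Pairwise key expansion" + b"\x00" + data + bytes([i])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 EAPOL-Key MIC (key descriptor version 2): HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def mic_valid(kck: bytes, frame: bytes, received_mic: bytes) -> bool:
    """Receiver recomputes the MIC and drops the frame if it does not match."""
    return hmac.compare_digest(eapol_mic(kck, frame), received_mic)


def demo() -> dict:
    """Two clients with the same passphrase: shared PMK, distinct PTKs, tamper detection."""
    pmk = derive_pmk("password", "IEEE")                      # 802.11i Annex H test inputs
    ap = bytes.fromhex("001122334455")                        # constructed MAC addresses
    sta1, sta2 = bytes.fromhex("66778899aabb"), bytes.fromhex("ccddeeff0011")
    anonce = hashlib.sha256(b"constructed ANonce").digest()   # stand-ins for random nonces
    snonce1 = hashlib.sha256(b"constructed SNonce 1").digest()
    snonce2 = hashlib.sha256(b"constructed SNonce 2").digest()
    ptk1 = derive_ptk(pmk, ap, sta1, anonce, snonce1)
    ptk2 = derive_ptk(pmk, ap, sta2, anonce, snonce2)
    kck1 = ptk1[:16]
    frame = bytes.fromhex("0203005f02") + b"\x00" * 16        # constructed EAPOL-Key stand-in
    mic = eapol_mic(kck1, frame)
    tampered = frame[:-1] + b"\x01"                           # one altered byte in transit
    return {"pmk": pmk.hex(), "ptk_differs": ptk1 != ptk2,
            "mic_ok": mic_valid(kck1, frame, mic),
            "tampered_rejected": not mic_valid(kck1, tampered, mic)}
```

Both clients end up with the same 32-byte PMK, which is why a guessed passphrase compromises every device on a PSK network, while their PTKs (and so their temporal keys) differ because the nonces and MAC addresses differ.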
User Authentication
WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices.
Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP again and does not need to go through the authentication process again.
Pre-authentication enables fast roaming by allowing the wireless client (already connected to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.
Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client.
The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.