This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation.

NETW 05A: APPLIED WIRELESS SECURITY
802.11i & Wi-Fi Protected Access
By Mohammad Shanehsaz
Spring 2005

802.11i
- IEEE standards board approved the 802.11i security standard on Thursday, June 24,
- The new 802.11i standard, or WPA2, supports the 128-bit Advanced Encryption Standard (AES)
- This new standard specifies use of Temporal Key Integrity Protocol (TKIP) and 802.1x/EAP with mutual authentication
- 802.1x authentication and key-management features for the various Wi-Fi flavors
- AES supports 128-bit, 192-bit and 256-bit keys
- Any wireless LAN equipment complying with this standard will require a hardware upgrade due to AES encryption

Wi-Fi Protected Access (WPA)
- Wi-Fi Protected Access was co-developed by the Wi-Fi Alliance and IEEE Task Group 1 as an interim security solution while the 802.11i task group addresses the details involved with securing wireless LANs
- WPA was designed to run on existing hardware as a security upgrade firmware patch
- The goals were strong data encryption through TKIP and mutual authentication through 802.1x/EAP solution
- WPA v1.0 was a subset of the IEEE 802.11i standard
- WPA2 is the name chosen by the Wi-Fi Alliance to identify IEEE 802.11i standard gear

Wi-Fi Protected Access (WPA)
WPA v1.0 did not include the following 802.11i items:
- Secure IBSS (Independent Basic Service Set, ad-hoc mode)
- Secure fast handoff
- Secure de-authentication and disassociation
- Advanced Encryption Standard

WPA Pre-Shared Key (PSK)
- WPA PSK runs in SOHO environments where there is no authentication server and no EAP framework
- Allows the use of manually entered keys or passwords and is designed to be easily implemented
- All the home user needs to do is enter a password in their AP or home wireless gateway and in each PC associated with the Wi-Fi wireless network; WPA takes over automatically from that point
- Password keeps out eavesdroppers and starts the TKIP encryption process
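
The step where "WPA takes over" from the entered password can be made concrete. The following is an added example, not part of the original slides: it applies the passphrase-to-key mapping defined in IEEE 802.11i (PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit output), which the slides do not spell out. The function names, the 20-character threshold and the sample SSIDs are assumptions made for illustration.

```python
import hashlib

# Assumed policy threshold for this example; the slides give no figure.
MIN_RECOMMENDED_LEN = 20


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map a WPA passphrase to the 256-bit pre-shared key (IEEE 802.11i mapping)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # The SSID is the salt: the same password yields a different key per network.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def audit_passphrase(passphrase: str, ssid: str) -> list:
    """Return findings that make a PSK deployment easier to guess offline."""
    findings = []
    if len(passphrase) < MIN_RECOMMENDED_LEN:
        findings.append("short")
    if ssid.lower() in passphrase.lower():
        findings.append("contains-ssid")
    if passphrase.isdigit() or passphrase.isalpha():
        findings.append("single-character-class")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs (not taken from the slides).
    for pw, net in [("password", "IEEE"), ("HomeNet2005", "HomeNet"),
                    ("correct horse battery staple 42!", "HomeNet")]:
        print(net, derive_psk(pw, net).hex(), audit_passphrase(pw, net))
```

Because every station and the AP compute the same key from the same two inputs, the strength of a PSK network rests entirely on the passphrase; the audit function flags the choices that weaken it.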

WPA Mixed Mode Deployment
- Useful in large networks with many clients with several types of authentication and encryption solutions in place during the transition between legacy and leading-edge security standards
- Supports clients running both Wi-Fi Protected Access and original WEP security

Deployment and Limitations
- As part of the Wi-Fi product certification, the Alliance will initially allow vendors to ship units with WPA disabled, but easily enabled and configured
- Now WPA is included as a mandatory part of Wi-Fi certification testing; devices must ship with WPA enabled, and a user will have to configure a master key or authentication server

Limitations
- TKIP is built around WEP
- Government deployments require that encryption technology be certified to comply with the Federal Information Processing Standard (FIPS) 140 standard published by the National Institute of Standards and Technology (NIST)
- These restrictions push manufacturers toward standardization on security solutions that implement data encryption through the use of 3DES or AES

Resources
- CWSP Certified Wireless Security Professional, from McGraw-Hill