<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of WPA_BACKGROUND</TITLE>
</HEAD><BODY>
<H1>WPA_BACKGROUND</H1>
Section: (8)<BR>Updated: 01 March 2021<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<P>
<A NAME="lbAB"> </A>
<H2>NAME</H2>
wpa_background - Background information on Wi-Fi Protected Access and IEEE 802.11i
<A NAME="lbAC"> </A>
<H2>WPA</H2>
<P>
The original security mechanism of the IEEE 802.11 standard was
not designed to be strong and has proven insufficient for
most networks that require any real security. Task group I
(Security) of the IEEE 802.11 working group
(<A HREF="http://www.ieee802.org/11/">http://www.ieee802.org/11/</A>) addressed the flaws of
the base standard and completed its work in May
2004. The IEEE 802.11i amendment to the IEEE 802.11 standard was
approved in June 2004 and published in July 2004.
<P>
The Wi-Fi Alliance (<A HREF="http://www.wi-fi.org/">http://www.wi-fi.org/</A>) used a draft version
of the IEEE 802.11i work (draft 3.0) to define a subset of the
security enhancements that can be implemented with existing WLAN
hardware. This is called Wi-Fi Protected Access&trade; (WPA). It
has since become a mandatory component of the interoperability testing
and certification done by the Wi-Fi Alliance, which provides
information about WPA at its web site
(<A HREF="http://www.wi-fi.org/OpenSection/protected_access.asp">http://www.wi-fi.org/OpenSection/protected_access.asp</A>).
<P>
The IEEE 802.11 standard defined the Wired Equivalent Privacy (WEP)
algorithm for protecting wireless networks. WEP uses RC4 with
40-bit keys (vendors later shipped 104-bit keys, which does not
address the other problems), a 24-bit initialization vector (IV),
and a CRC32 integrity check value (ICV) that is meant to detect
packet forgery. All of these choices have proven insufficient: the
key space is too small against current attacks; the RC4 key schedule
is weak when the IV is simply prepended to the key, because the first
bytes of the keystream leak key material (the beginning of the
pseudorandom stream should be skipped); the IV space is too small,
so IVs repeat and keystream reuse makes attacks easier; there is
no replay protection; and the unkeyed CRC32 is linear, so it does
not protect against controlled bit flipping of packet data.
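<P>
The following is an added example; it is not part of the original manual page or of
the wpa_supplicant project, and every key, IV and message in it is constructed for the
demonstration. It shows the last two WEP weaknesses above in working code: the unkeyed
CRC32 ICV lets an attacker flip chosen plaintext bits through the RC4 stream and still
pass the receiver's integrity check, and reusing an IV leaks the XOR of two plaintexts.
The hardened variant replaces the CRC32 with a keyed MIC (HMAC-SHA1 here, as a stand-in
for the idea behind TKIP's Michael, not an implementation of Michael) so that the same
bit flip is detected.

```python
import hashlib
import hmac
import zlib

# Constructed sample values for this example (not real keys or captured traffic).
WEP_KEY = bytes.fromhex("0102030405")                        # 40-bit WEP key
MIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # used only by the keyed variant
IV = b"\x00\x00\x01"                                         # 24-bit IV, sent in the clear
ORIGINAL = b"transfer 0100 to acct 7"                        # what the sender encrypted
WANTED = b"transfer 9100 to acct 7"                          # what the attacker wants delivered


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 exactly as WEP applies it: IV||key seeds the KSA and no keystream bytes are dropped."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV || RC4(IV||key, plaintext || CRC32(plaintext)). The ICV is unkeyed."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok); this is all the integrity checking WEP does."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + key, body)
    plaintext, icv = clear[:-4], clear[-4:]
    return plaintext, zlib.crc32(plaintext).to_bytes(4, "little") == icv


def forge_wep(frame: bytes, delta: bytes) -> bytes:
    """Flip the plaintext bits selected by `delta` without knowing the key.
    CRC32 is affine over GF(2): crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of the same length),
    so the attacker XORs delta into the ciphertext and the matching ICV correction into the
    encrypted ICV; because RC4 is a plain XOR stream cipher both changes pass straight through."""
    iv, body = frame[:3], frame[3:]
    assert len(delta) == len(body) - 4, "delta must cover the whole plaintext"
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "little")
    return iv + xor(body, delta + icv_delta)


def keyed_encrypt(key: bytes, mic_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Hardened variant: a keyed MIC (HMAC-SHA1 truncated to 8 bytes) replaces the CRC32 ICV.
    This is a stand-in for the idea behind TKIP's Michael MIC, not the Michael algorithm."""
    mic = hmac.new(mic_key, plaintext, hashlib.sha1).digest()[:8]
    return iv + rc4(iv + key, plaintext + mic)


def keyed_decrypt(key: bytes, mic_key: bytes, frame: bytes):
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + key, body)
    plaintext, mic = clear[:-8], clear[-8:]
    expected = hmac.new(mic_key, plaintext, hashlib.sha1).digest()[:8]
    return plaintext, hmac.compare_digest(expected, mic)


def flip_keyed(frame: bytes, delta: bytes) -> bytes:
    """The same bit flip against the keyed variant: the MIC cannot be corrected without mic_key."""
    iv, body = frame[:3], frame[3:]
    return iv + xor(body, delta + bytes(8))


def demo_wep_forgery():
    """Attacker rewrites the amount in transit; the receiver's ICV check still passes."""
    frame = wep_encrypt(WEP_KEY, IV, ORIGINAL)
    return wep_decrypt(WEP_KEY, forge_wep(frame, xor(ORIGINAL, WANTED)))


def demo_keyed_mic():
    """Same attack against the keyed MIC: the plaintext still flips, but the check now fails."""
    frame = keyed_encrypt(WEP_KEY, MIC_KEY, IV, ORIGINAL)
    return keyed_decrypt(WEP_KEY, MIC_KEY, flip_keyed(frame, xor(ORIGINAL, WANTED)))


def demo_iv_reuse(other: bytes = b"balance is 0042 for me7"):
    """Two equal-length frames under one IV share a keystream: XOR of the ciphertexts equals
    XOR of the plaintexts, so knowing either plaintext reveals the other."""
    assert len(other) == len(ORIGINAL)
    a = wep_encrypt(WEP_KEY, IV, ORIGINAL)
    b = wep_encrypt(WEP_KEY, IV, other)
    return xor(a[3:-4], b[3:-4])


if __name__ == "__main__":
    print(demo_wep_forgery())   # (b'transfer 9100 to acct 7', True)
    print(demo_keyed_mic())     # (b'transfer 9100 to acct 7', False)
    print(demo_iv_reuse() == xor(ORIGINAL, b"balance is 0042 for me7"))  # True
```

<P>
Note that the forgery needs neither the WEP key nor the original plaintext, only a guess
at which bytes to change; that is exactly why the TKIP and CCMP designs below insist on a
keyed integrity check and a per-packet sequence counter rather than a better CRC.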
<P>
WPA is an intermediate solution for these security issues. It
uses the Temporal Key Integrity Protocol (TKIP) to replace WEP. TKIP
is a compromise between strong security and the ability to reuse
existing hardware. It still uses RC4 for encryption like WEP, but
with per-packet RC4 keys produced by a key mixing function, so the
IV is no longer prepended directly to the key. In addition, it
implements replay protection (a per-packet sequence counter) and a
keyed packet authentication mechanism (the Michael MIC).
<P>
Keys can be managed using two different mechanisms. WPA can
either use an external authentication server (e.g., RADIUS) with
EAP, just as IEEE 802.1X does, or use pre-shared keys (PSK) with no
need for additional servers. The Wi-Fi Alliance calls these
"WPA-Enterprise" and "WPA-Personal", respectively. Both mechanisms
produce a master session key, the Pairwise Master Key (PMK), shared
by the Authenticator (AP) and the Supplicant (client station): in
WPA-Enterprise it comes out of the EAP exchange, in WPA-Personal it
is derived from the passphrase and the SSID.
<P>
WPA implements a new key handshake (the 4-Way Handshake and the
Group Key Handshake) for generating and exchanging data encryption
keys between the Authenticator and the Supplicant. The 4-Way
Handshake is also used to verify that both the Authenticator and the
Supplicant know the master session key, since each side proves
possession by computing a keyed MIC over its handshake messages.
These handshakes are identical regardless of the selected key
management mechanism; only the method for generating the master
session key changes.
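<P>
As an added example (not code from the original page or from wpa_supplicant), the
exchange below carries the two paragraphs above through in working code: the
WPA-Personal PMK derivation (PBKDF2-HMAC-SHA1 over the passphrase and SSID, 4096
iterations), the PTK expansion from PMK, both MAC addresses and both nonces, and
messages 1 and 2 of the 4-Way Handshake, where the AP checks the Supplicant's MIC to
confirm it holds the same PMK. The cipher parameter selects the TKIP (512-bit PTK,
HMAC-MD5 MIC) or CCMP (384-bit PTK, HMAC-SHA1 MIC) variant, which is the only
difference a WPA2 network makes to this part of the exchange. MAC addresses, SSID,
passphrase and the EAPOL-Key field values are constructed; messages 3 and 4 are not
modelled.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values for this example (MAC addresses, SSID and passphrase are made up).
AA = bytes.fromhex("001122334455")    # Authenticator (AP) MAC address
SPA = bytes.fromhex("66778899aabb")   # Supplicant (client station) MAC address
SSID = b"example-net"
PASSPHRASE = "correct horse battery staple"

# EAPOL-Key key-information bits used here (pairwise key, ACK on message 1, MIC on message 2).
KEY_INFO_PAIRWISE, KEY_INFO_ACK, KEY_INFO_MIC = 0x0008, 0x0080, 0x0100
# Offsets inside the frame built by build_eapol_key():
# EAPOL hdr(4) + desc type(1) + key info(2) + key len(2) + replay ctr(8) -> nonce
NONCE_OFFSET = 4 + 1 + 2 + 2 + 8
# ... + nonce(32) + key IV(16) + RSC(8) + key ID(8) -> MIC
MIC_OFFSET = NONCE_OFFSET + 32 + 16 + 8 + 8


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """WPA-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, cipher: str) -> dict:
    """PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    CCMP needs 48 bytes (KCK 16 | KEK 16 | TK 16); TKIP needs 64 (two extra 8-byte Michael keys)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64 if cipher == "TKIP" else 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48], "ptk": ptk}


def build_eapol_key(cipher: str, flags: int, replay_counter: int, nonce: bytes) -> bytes:
    """EAPOL-Key frame in the 802.11i field layout, MIC field zeroed, no key data (values constructed)."""
    version = 1 if cipher == "TKIP" else 2        # key descriptor version selects the MIC algorithm
    key_len = 32 if cipher == "TKIP" else 16
    body = (struct.pack(">BHHQ", 2, version | KEY_INFO_PAIRWISE | flags, key_len, replay_counter)
            + nonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + struct.pack(">H", 0))
    return struct.pack(">BBH", 2, 3, len(body)) + body    # EAPOL version 2, type 3 = EAPOL-Key


def eapol_key_mic(kck: bytes, frame: bytes, cipher: str) -> bytes:
    """MIC over the whole EAPOL frame with the MIC field zeroed: HMAC-MD5 (TKIP) or HMAC-SHA1/128 (CCMP)."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    if cipher == "TKIP":
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def attach_mic(frame: bytes, mic: bytes) -> bytes:
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def four_way_handshake(ap_passphrase: str, sta_passphrase: str, cipher: str = "CCMP",
                       anonce: bytes = None, snonce: bytes = None):
    """Messages 1 and 2 between an AP and a STA that may hold different PSKs.
    Returns (ap_accepts_msg2, both_sides_derived_the_same_tk)."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    # Message 1, AP -> STA: ANonce in the clear, no MIC (the STA has no PTK to check one with yet).
    msg1 = build_eapol_key(cipher, KEY_INFO_ACK, 1, anonce)
    # STA: derive PTK from its own PMK and both nonces; answer with SNonce and a MIC under the KCK.
    sta_ptk = derive_ptk(pmk_from_passphrase(sta_passphrase, SSID), AA, SPA,
                         msg1[NONCE_OFFSET:NONCE_OFFSET + 32], snonce, cipher)
    msg2 = build_eapol_key(cipher, KEY_INFO_MIC, 1, snonce)
    msg2 = attach_mic(msg2, eapol_key_mic(sta_ptk["kck"], msg2, cipher))
    # AP: derive the PTK from ITS PMK and the SNonce it just received, then recompute the MIC.
    # A match proves the STA holds the same PMK without the PMK ever crossing the air.
    ap_ptk = derive_ptk(pmk_from_passphrase(ap_passphrase, SSID), AA, SPA,
                        anonce, msg2[NONCE_OFFSET:NONCE_OFFSET + 32], cipher)
    received_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    ap_accepts = hmac.compare_digest(eapol_key_mic(ap_ptk["kck"], msg2, cipher), received_mic)
    return ap_accepts, sta_ptk["tk"] == ap_ptk["tk"]


if __name__ == "__main__":
    print(four_way_handshake(PASSPHRASE, PASSPHRASE))             # (True, True)
    print(four_way_handshake(PASSPHRASE, "some other passphrase"))  # (False, False)
```

<P>
The MIC check is the only place the handshake proves knowledge of the PMK, and every
input to it except the PMK (both MAC addresses, both nonces, the EAPOL-Key frame) is sent
in the clear. A practitioner should therefore keep in mind that anyone who records
messages 1 and 2 can run exactly this verification offline against passphrase guesses for
a WPA-Personal network; the handshake is sound, but the PMK is only as strong as the
passphrase it is derived from.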
<A NAME="lbAD"> </A>
<H2>IEEE 802.11I / WPA2</H2>
<P>
The design of the parts of IEEE 802.11i that were not included
in WPA was finished in May 2004, and the amendment to IEEE 802.11
was approved in June 2004. The Wi-Fi Alliance uses the final IEEE
802.11i as a new version of WPA called WPA2. This includes, e.g.,
support for a more robust encryption algorithm (CCMP: AES in Counter
mode with CBC-MAC, i.e., AES-CCM, which provides confidentiality
and a keyed integrity check in one primitive) to replace TKIP, and
optimizations for handoff (a reduced number of messages in the
initial key handshake, pre-authentication, and PMKSA caching).
<A NAME="lbAE"> </A>
<H2>SEE ALSO</H2>
<P>
<B><A HREF="/cgi-bin/man/man2html?8+wpa_supplicant">wpa_supplicant</A></B>(8)
<A NAME="lbAF"> </A>
<H2>LEGAL</H2>
<P>
wpa_supplicant is copyright (c) 2003-2019,
Jouni Malinen &lt;j@w1.fi&gt; and
contributors.
All Rights Reserved.
<P>
This program is licensed under the BSD license (the one with
advertisement clause removed).
<P>
<HR>
<A NAME="index"> </A><H2>Index</H2>
<DL>
<DT id="1"><A HREF="#lbAB">NAME</A><DD>
<DT id="2"><A HREF="#lbAC">WPA</A><DD>
<DT id="3"><A HREF="#lbAD">IEEE 802.11I / WPA2</A><DD>
<DT id="4"><A HREF="#lbAE">SEE ALSO</A><DD>
<DT id="5"><A HREF="#lbAF">LEGAL</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:18 GMT, March 31, 2021
</BODY>
</HTML>