What are IEEE 802.11 Wi-Fi authentication and encryption?

A user or client, also called an end station, must authenticate before associating with an Access Point (AP), or broadband Wi-Fi router, and gaining access to the Wi-Fi Local Area Network (LAN). The IEEE 802.11 standard defines two link-level types of authentication: Open System and Shared Key.

Open System Authentication
Open system authentication simply consists of two communications. The first is an authentication request by the client that contains the station ID (typically the MAC address). This is followed by an authentication response from the AP/router containing a success or failure message. An example of when a failure may occur is if the client's MAC address is explicitly excluded in the AP/router configuration.

Shared Key Authentication
Shared key authentication relies on the fact that both stations taking part in the authentication process have the same "shared" key or passphrase. The shared key is manually set on both the client station and the AP/router. Three types of shared key authentication are available today for home or small office WLAN environments.

Wired Equivalent Privacy (WEP)
WEP is not recommended for a secure WLAN due to its inherent weaknesses. One of the main security risks is a hacker can capture the encrypted form of an authentication response frame, using widely available software applications, and use the information to crack WEP encryption. The process consists of an authentication request from the client, clear challenge text from the AP/router, encrypted challenge text from the client and an authentication response from the AP/router. Two levels for WEP keys/passphrases:

  1. 64-bit: 40 bits dedicated to encryption and 24 bits allocated to Initialization Vector (IV). It may also be referred to as 40-bit WEP.
  2. 128-bit: 104 bits dedicated to encryption and 24 bits allocated to Initialization Vector (IV). It may also be referred to as 104-bit WEP.

WPA (Wi-Fi Protected Access)
WPA was developed by the Wi-Fi Alliance (WFA) before IEEE 802.11i was fully ratified, but it complies with the Wi-Fi security standard. It is a security enhancement that strongly increases the level of data protection and access control (authentication) on a Wi-Fi network. WPA enforces IEEE 802.1X authentication and key exchange and works only with dynamic encryption keys.
Users might see different naming conventions for WPA in a home or small-office environment. Examples are WPA-Personal, WPA-PSK, WPA-Home, etc. In any event, a common pre-shared key (PSK) must be manually configured on both the client and AP/router.

WPA2 (Wi-Fi Protected Access 2)
WPA2 is a security enhancement to WPA. The two are not interoperable, so a user must ensure the client station and AP/router are configured with the same WPA version and pre-shared key (PSK).

Encryption (privacy) is the WLAN security component that complements authentication. IEEE 802.11 provides three cryptographic algorithms: Wired Equivalent Privacy (WEP), Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard-Counter-Mode/CBC-MAC Protocol (AES-CCMP).

WEP is the cipher specified in the original IEEE 802.11 standard. As described above, it can be employed for both authentication and encryption. Strictly from an encryption perspective, WEP is an RC4 encapsulation algorithm that produces ciphertext from plaintext data. This is accomplished by concatenating (linking together) the initialization vector (IV) and a private encryption key (passphrase) to form a per-packet key (seed). A new IV is selected for every packet, but the encryption key is unchanged.
WEP has widely known disadvantages. The first concerns the relatively small number of possible IV values before WEP must recycle them. While a 24-bit IV (16.7 million values) may seem more than sufficient, this number can be exhausted quickly on a busy network. The same concept holds true for a short 40-bit key, or even a 104-bit key, which can be compromised by hackers using data capture software.
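As an added illustration (not code from the original article), the following Python models the WEP per-packet key construction described above: the 24-bit IV is prepended to the static key and the result seeds RC4, so a repeated IV reproduces the same keystream. It also computes how quickly the 24-bit IV space is used up; the RC4 routine is plain textbook RC4 and the packet rate is a constructed figure.

```python
import math

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by the PRGA output loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_per_packet_key(iv: bytes, key: bytes) -> bytes:
    """WEP seed = IV || static key: 3+5 bytes for 64-bit WEP, 3+13 bytes for 128-bit WEP."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV must be 24 bits and key 40 or 104 bits")
    return iv + key

def wep_keystream(iv: bytes, key: bytes, length: int) -> bytes:
    """Keystream XORed with a packet: identical whenever the IV (and key) repeat."""
    return rc4_keystream(wep_per_packet_key(iv, key), length)

def expected_packets_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^iv_bits) randomly chosen IVs before one repeats."""
    return math.sqrt(math.pi * (2 ** iv_bits) / 2)

def seconds_until_iv_wrap(packets_per_second: float, iv_bits: int = 24) -> float:
    """Time for a sequential IV counter to exhaust the IV space at a given packet rate."""
    return (2 ** iv_bits) / packets_per_second

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = bytes.fromhex("aabbcc")                 # constructed 24-bit IV
    print(wep_keystream(iv, key, 8) == wep_keystream(iv, key, 8))   # same IV, same keystream
    print(round(expected_packets_until_iv_repeat()))                 # a few thousand packets
    print(seconds_until_iv_wrap(1000.0) / 3600)                      # hours at 1000 pkt/s
```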

TKIP was created as part of IEEE 802.11i for enhanced Wi-Fi security. It is also based on the RC4 encapsulation algorithm. TKIP enhances encryption through dynamic key management, which requires a different key for every transmitted data packet. One must be aware that encryption is necessary for network security but only offers a data privacy function.
TKIP goes one step further by providing protection against data modification through a 64-bit Message Integrity Check (MIC). This prevents a would-be attacker from intercepting a message, flipping data bits, flipping the corresponding Integrity Check Value (ICV) bits to match, recreating the Cyclic Redundancy Check (CRC), and forwarding the packet to its destination. The process just described is TKIP's implementation of replay protection. Stations are required to disassociate from the AP/router and rekey when a MIC failure first occurs. IEEE 802.11i requires any station detecting two MIC failures within 60 seconds to stop all communication for 60 seconds.
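The MIC-failure countermeasure timing just described, written as a small station-side state machine in Python. This is an added example, not code from the original article; the class and method names are assumptions, and timestamps are plain seconds so the 60-second window and 60-second hold can be traced by hand.

```python
from dataclasses import dataclass, field

WINDOW_SECONDS = 60.0   # two MIC failures within this window trigger countermeasures
HOLD_SECONDS = 60.0     # the station stops all communication for this long

@dataclass
class TkipCountermeasures:
    """Tracks MIC failures on one station and decides what to do with each frame."""
    failure_times: list = field(default_factory=list)
    blocked_until: float = 0.0
    rekeys: int = 0

    def is_blocked(self, now: float) -> bool:
        return now < self.blocked_until

    def on_mic_failure(self, now: float) -> str:
        """First failure: disassociate and rekey. Second within 60 s: halt for 60 s."""
        # Forget failures that fall outside the 60-second window.
        self.failure_times = [t for t in self.failure_times if now - t < WINDOW_SECONDS]
        self.failure_times.append(now)
        if len(self.failure_times) >= 2:
            self.blocked_until = now + HOLD_SECONDS
            self.failure_times.clear()
            return "countermeasures"
        self.rekeys += 1
        return "rekey"

    def on_frame(self, now: float, mic_ok: bool) -> str:
        """Outcome for one received frame: accepted, rekey, countermeasures or dropped."""
        if self.is_blocked(now):
            return "dropped"          # nothing is processed while countermeasures run
        if not mic_ok:
            return self.on_mic_failure(now)
        return "accepted"

if __name__ == "__main__":
    # Constructed sequence: good frame, MIC failure, second failure 29 s later,
    # a frame during the hold, then a frame after the hold expires.
    cm = TkipCountermeasures()
    for t, ok in [(0.0, True), (1.0, False), (30.0, False), (45.0, True), (91.0, True)]:
        print(f"t={t:5.1f}s mic_ok={ok!s:5} -> {cm.on_frame(t, ok)}")
```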

AES-CCMP is the most advanced Wi-Fi security protocol available to the public. IEEE 802.11i requires using CCMP to provide all four security services: authentication, confidentiality, integrity and replay protection. CCMP utilizes the 128-bit AES encryption algorithm for confidentiality and the other CCMP protocol components for the remaining three functions.