About Wi-Fi Protected Access (WPA V1 and WPA V2)
Note
To achieve the strongest encryption protection for your VNS, it is recommended that you use WPA v1 or WPA v2.
WPA v1 and WPA v2 add authentication and key management to the encryption that WEP alone provides. Key features of WPA privacy include:
- Specifies 802.1x with Extensible Authentication Protocol (EAP)
- Requires a RADIUS or other authentication server
- Uses RADIUS protocols for authentication and key distribution
- Centralizes management of user credentials
The encryption portion of WPA v1 is Temporal Key Integrity Protocol (TKIP). TKIP includes:
- A per-packet key mixing function that shares a starting key between devices, and then changes their encryption key for every packet (unicast key) or after the specified re-key time interval (broadcast key) expires
- An enhanced Initialization Vector (IV) of 48 bits, instead of 24 bits, making it more difficult to compromise
- A Message Integrity Check or Code (MIC), an additional 8-byte code that is inserted before the standard WEP 4-byte Integrity Check Value (ICV). These integrity codes are used to calculate and compare, between sender and receiver, the value of all bits in a message, which ensures that the message has not been tampered with.
The encryption portion of WPA v2 is Advanced Encryption Standard (AES). AES includes:
- A 128-bit key length, for the WPA2/802.11i implementation of AES
- Four stages that make up one round, and the round is repeated 10 times.
- A per-packet key mixing function that shares a starting key between devices, and then changes their encryption key for every packet or after the specified re-key time interval expires.
- The Counter-Mode/CBC-MAC Protocol (CCMP), a new mode of operation for a block cipher that enables a single key to be used for both encryption and authentication. The two underlying modes employed in CCM are:
  - Counter mode (CTR), which provides data encryption
  - Cipher Block Chaining Message Authentication Code (CBC-MAC), which provides data integrity
The following is an overview of the WPA authentication and encryption process:
- The wireless device client associates with a Wireless AP.
- The Wireless AP blocks the client's network access while the authentication process is carried out (the controller sends the authentication request to the RADIUS authentication server).
- The wireless client provides credentials, which the controller forwards to the authentication server.
- If the wireless device client is not authenticated, it stays blocked from network access.
- If the wireless device client is authenticated, the controller distributes encryption keys to the AP and to the wireless client.
- The wireless device client gains network access via the AP, sending and receiving encrypted data. The traffic is controlled by the permissions and role applied by the controller.