THOMSON Gateway Configuration Manual page 39

Wireless configuration guide

Chapter 3
Security
WPA Pre-Shared Key (WPA-PSK)
WPA offers a special mode with no 802.1X authentication infrastructure, in which a passphrase is used as a pre-shared key. WPA-capable access points then act as authenticator and authentication server at the same time. This lets non-enterprise users reduce cost and complexity by eliminating the need for a separate authentication server.
Every station may have its own pre-shared key tied to its MAC address, but most manufacturers implement only one pre-shared key for the whole wireless network. Configuring this mode is very similar to WEP: the user only needs to enter a passphrase. A weakness has already been found in this WPA operation mode: if the pre-shared key is configured with a weak passphrase, an attacker can capture the authentication messages and then recover the passphrase off-line. Users of WPA-PSK are therefore encouraged to use long, complex passphrases so that such off-line recovery is impractical.
Temporal Key Integrity Protocol (TKIP)
The Temporal Key Integrity Protocol (TKIP) is responsible for generating the encryption key, encrypting the message and verifying its integrity. Although the actual encryption is performed with the same RC4 cipher as WEP, specific enhancements create a stronger encryption key and ensure that it changes with every packet and is unique for every wireless station.
TKIP encryption keys are stronger than those of WEP because they possess the following features:
> They are 256 bits long.
> They are generated using a more sophisticated procedure.
While WEP encryption keys are, according to the 802.11 standard, either 64 or 128 bits long, TKIP encryption keys are 256 bits long. WEP generates the encryption key from the shared secret key and the IV (Initialization Vector). TKIP adds the transmitter's MAC address to the list of input parameters, so that all senders have different encryption keys. Furthermore, TKIP increases the size of the IV from 24 bits (used by WEP) to 48 bits and mandates that it is used as a counter (also called the TSC, TKIP Sequence Counter), which guarantees that a value will only be reused once every 2^48 packets.
Like in WEP, the shared secret key is one of the input parameters for encryption key generation, and WPA mandates its length to be 128 bits (vs. 40 or 104 bits in WEP). TKIP automatically changes this key, by default, every 10 000 packets. The original shared secret key is called the Pairwise Master Key (PMK) or Master Key, while the keys resulting from its periodic changes are called Temporal Keys.
Message Integrity Code (MIC)
The Message Integrity Code (MIC) is a keyed hashing function that protects the integrity of the data packet. It is an 8-byte value calculated across the entire non-encrypted raw data packet before the packet is encrypted and transmitted. Its main purpose is to detect any deliberate modification of the packet.
The hashing function used by the MIC is a new function designed especially for devices with low processing power, such as the hardware in the wireless network interface. Because of this processing-power limitation, the protection it provides is equivalent to a 20-bit key, which current cryptographic standards consider weak. To compensate for this, WPA resorts to countermeasures to protect the wireless network against packet-modification attacks.
When the wireless network detects an altered data packet, it triggers the following countermeasures:
> The wireless links of the compromised stations are disabled for 60 seconds.
> Every compromised station is forced to request new session keys.
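The following is an added example, not code from the Thomson manual: a small Python model of the receiver-side behaviour this chapter describes, covering both the TKIP counter (48-bit TSC that must strictly increase per sender, temporal key changed every 10 000 packets) and the MIC countermeasures (link disabled for 60 seconds, new session keys forced). HMAC-SHA256 stands in for the real TKIP key-mixing and key-derivation functions, which the manual does not detail; the PMK and MAC addresses are constructed values.

```python
import hashlib
import hmac

TSC_MAX = (1 << 48) - 1         # 48-bit TKIP Sequence Counter (IV used as counter)
REKEY_PACKETS = 10_000          # default temporal-key change interval from the manual
COUNTERMEASURE_SECONDS = 60     # link disabled for 60 s after an altered packet


def per_packet_key(temporal_key, sender_mac, tsc):
    """Stand-in (assumption) for TKIP key mixing: HMAC over MAC || TSC binds the
    per-packet key to both the transmitter and the packet counter."""
    msg = sender_mac + tsc.to_bytes(6, "big")
    return hmac.new(temporal_key, msg, hashlib.sha256).digest()[:16]


class TkipReceiver:
    def __init__(self, pmk):
        self.pmk = pmk              # Pairwise Master Key (constructed value)
        self.key_gen = 0            # how many temporal keys have been derived
        self.accepted = 0
        self.disabled_until = 0.0
        self._rekey()

    def _rekey(self):
        # Stand-in derivation of the next Temporal Key from the PMK; the TSC
        # restarts with every new key, so per-sender tracking is reset too.
        self.key_gen += 1
        label = b"temporal-key-%d" % self.key_gen
        self.temporal_key = hmac.new(self.pmk, label, hashlib.sha256).digest()
        self.last_tsc = {}          # sender MAC -> highest TSC accepted

    def process(self, now, sender_mac, tsc, mic_ok):
        """Return a verdict for one received packet."""
        if now < self.disabled_until:
            return "dropped:link-disabled"
        if not 0 <= tsc <= TSC_MAX:
            return "dropped:tsc-out-of-range"
        if tsc <= self.last_tsc.get(sender_mac, -1):
            return "dropped:replay"     # counter must strictly increase
        if not mic_ok:
            # Countermeasures from the manual: disable link 60 s, force rekey.
            self.disabled_until = now + COUNTERMEASURE_SECONDS
            self._rekey()
            return "countermeasure:disable-60s+rekey"
        self.last_tsc[sender_mac] = tsc
        self.accepted += 1
        if self.accepted % REKEY_PACKETS == 0:
            self._rekey()               # periodic temporal-key change
        return "accepted"
```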
E-DOC-CTC-20060609-0001 v2.0