Wep; Wpa; Wpa2 - ASCOM VoWiFi System System Description

Voice over wireless fidelity (vowifi) system

System Description
Ascom VoWiFi System
2.3.3 WEP

WEP is a security method built into the 802.11 protocol. It uses a shared key system: a key
(basically a password) is configured in the AP, and a wireless client must know that key and
have it typed into its software in order to connect to the network.

The WEP standard allows for 64-bit and 128-bit security keys (also referred to as 40-bit or
104-bit) to be entered in both APs and mobile devices. With WEP encryption, the
transmitting device encrypts each packet with a WEP key, and the receiving device uses that
same key to decrypt each packet. The encryption method used is the RC4 cipher. A problem
with WEP is that key management is not specified by the standard and is therefore often
neglected.

WEP is simple, and it provides link encryption, which keeps the data safer from people
snooping on it. The only way to remove access from someone is to change the shared key.
This breaks the connection for everybody else who is using the WLAN, and new keys have to
be distributed.

WEP has been shown to have security weaknesses and is therefore not recommended.

2.3.4 WPA™

To improve 802.11 security, the Wi-Fi Alliance® created an interim security standard called
Wi-Fi Protected Access (WPA) as an intermediate solution to WEP insecurities until the IEEE
organization ratified the 802.11i standard. WPA is designed to secure data and to ensure
that access to the networks is restricted to authorized users. WPA is 802.1X in combination
with TKIP (Temporal Key Integrity Protocol).

TKIP is a more secure protocol than WEP and provides several enhancements, for example a
key mixing function, a message integrity check, and a re-keying mechanism that rotates
keys faster to prevent sniffer programs from decoding the keys.

WPA comes in two versions: WPA Enterprise and WPA Personal.

WPA Enterprise is designed for use with an 802.1X authentication server. Before getting
access to the network, the mobile device must provide credentials to a security server
(RADIUS server). The security server authenticates the credentials to verify that the mobile
device is known by, and authorized to access, the network.

WPA Personal is a Pre-Shared Key version (WPA-PSK), intended for use in SOHO (small
office/home office) wireless networks that cannot afford the cost and complexity of an
802.1X authentication server.

2.3.5 WPA2™

While WPA is a subset of 802.11i, the Wi-Fi Alliance® refers to their approved, interoperable
implementation derived from 802.11i as WPA2.

WPA2 specifies security mechanisms for WLANs and supersedes the previous security
specification, WEP. WPA2 details stronger encryption, authentication, and key management
strategies for wireless data and system security and is better suited to voice.

Some of the components in WPA2 Enterprise are 802.1X, TKIP and the AES-based CCMP.
802.1X specifies how authentication data is passed between a mobile device, the AP and a
RADIUS server. TKIP and AES are protocols and algorithms that improve the security of
keys. The AES-based CCMP is an encryption protocol used to provide data confidentiality,
origin authentication and replay protection.

An important element of the authentication process is the 4-way handshake method for
exchanging cipher keys. The key exchange is performed at every BSS transition (roaming or
7 September 2011 / Ver. G
TD 92313EN