Encryption; Authentication - D-Link DCH-M225 User Manual

Wi-fi audio extender

Appendix C - Wireless Security
WPA typically provides data encryption using TKIP (Temporal Key Integrity Protocol), which dynamically generates a new 128-bit key for each data packet that is transmitted between networks. WPA also has an integrity checking feature, designed to prevent a hacker from altering and re-sending the data packets.
WPA2 uses CCMP, for Counter Cipher Mode with Block Chaining Message Authentication Code Protocol, which is built on a higher standard known as AES (Advanced Encryption Standard). CCMP therefore provides stronger security than TKIP. It was designed to provide data confidentiality, user authentication, and access control. WPS also uses a form of AES.
With both WPA and WPA2, there are two types of authentication. For home or small office environments, WPA-Personal and WPA2-Personal are widely used. Enterprise (business) networks use WPA-Enterprise and WPA2-Enterprise.
WPA-Personal, also called WPA-PSK (for Pre-shared key) / WPA2-Personal or WPA2-PSK:
This mode was designed for home and small office networks, and does not require an authentication server. Instead, each network device authenticates with the AP (access point) using the same key, which is generated from an alphanumeric password or passphrase. The password must be between 8 and 64 characters, and should not be a commonly known phrase.
WPA-Enterprise, also known as WPA-802.1X / WPA2-Enterprise or WPA2-802.1X:
This mode was designed for enterprise networks, and requires a RADIUS authentication server. The server uses a set of protocols to implement secure access for devices attempting to communicate with the network.
Although this is a more complicated setup, it provides the best security through EAP, for Extensible Authentication Protocol. EAP is actually a general framework, or architecture, for creation of keying material for message authentication. For example, when EAP is implemented in an 802.1X-enabled Network Access Server (NAS) device, EAP methods are used to generate a secure private key that can be used for wireless encryption. This ensures that only authorized network devices can access the network.
The WPS protocol uses EAP message exchanges for authentication. There are two methods:
1. Push-Button-Method means the user simply pushes a button on the access point or router, and within a minute or two pushes a button on the new wireless client device, in order to connect it to the wireless network.
2. The PIN method uses a Personal Identification Number that must be read from either a sticker, wireless configuration card, or the display on the wireless device. Support for this mode is mandatory for access points. However, there is some concern that the messages sent between the AP and the wireless client when attempting to validate the PIN could make the network vulnerable to attack. Most companies have fixed this issue with updated firmware.