Wireless Computing

Introduction to Wireless

Wireless Technologies


Network Security



Valid XHTML 1.0!

802.11 Security Solutions

Security Basics - 802.11 - 802.11 Solutions - Bluetooth

Due to WEP's weaknesses both in authentication and in encryption, the IEEE is currently working to ratify a new standard, 802.11i, that will address both these critical issues in wireless network security. Although drafts of the standard have already been written and are being circulated within the engineering community, vendors have sought at least temporary security fixes to boost their network security until the new standard is released.

WiFi Protected Access (WPA) is a standard created by the WiFi alliance that contains a subset of the technologies outlined in the 802.11i draft, and is the standard in place for current wireless network technology.


To upgrade the cryptographic technology, WPA has put forth the Temporal Key Integrity Protocol (TKIP) as a solution that fixes the major problems with WEP. Upgrading to TKIP will not require hardware changes, as the cryptographic algorithm used will still be RC4, as in WEP. In TKIP, the wireless access point and the device will share a 128-bit key, called the temporal key. This temporal key is mixed with the transmitter’s MAC address, which results in a Phase 1 key, which is mixed with a 48-bit initialization vector to produce keys that are unique from packet to packet. The RC4 algorithm uses this key to encrypt this single data packet. The shared temporal key is also periodically changed to provide further security. TKIP also provides additional preservation of data integrity with a message integrity code that uses a one-way hash that is much more secure than the WEP integrity check value that could be updated by an attacker without even knowing the WEP key.

Temporal key derivation: This is different in concept because it does not use the secret master key to directly encrypt data packets, but instead, uses it to seed a derivation of transient encryption keys to feed into the per-packet hash function. In 802.11b, the secret key is used directly as the encryption key. Temporal keys must be recalculated in time before the IV space can be exhausted; with a 48-bit IV, this allows for a huge number of packets before a new temporal key is necessary.

However, TKIP is only an interim solution to the encryption problem. TKIP provides immediate aid to businesses that need to maintain security on their wireless networks without upgrading their hardware, but 802.11i is working on producing a standard encryption scheme that makes use of the 128-bit advanced encryption standard (AES). This scheme, called the counter mode cipher block chaining with message authentication codes protocol (CCMP) is essentially a replacement for the WEP functionality. CCMP has a 48-bit IV that seeds both the key derivation process and the message integrity code for the CCMP packets. CCMP will be phased in more slowly with TKIP as the immediate encryption solution, because the implementation of CCMP requires new hardware to handle the robust AES encryption-processes.

While TKIP and CCMP will address the encryption problems that WEP had, there is still a need for a satisfactory authentication process.


The new 802.11i standard will incorporate an authentication protocol similar to an already-existing standard, called 802.1x. 802.1x is a port-based authentication system that is used in wired Ethernet systems, which means that modifications will need to be made in order to provide all the authentication methods needed for WLANs. Some of these methods include: mutual authentication, key management and dictionary attack resistance.

In 802.1x, the initial authentication process allows an association between the wireless client and the access point, although the device is allowed only to send authentication information at this point and is not permitted to access the internal network. 802.1x uses Extensible Authentication Protocol (EAP) in order to handle the authentication requests. The access point then forwards the authentication information to a back-end server through Remote Authentication Dial-In User Service (RADIUS) in order to verify the authentication information. If the client provides the proper information, then the server sends a message to the AP to grant network access to the AP. After first authentication, the authentication process will repeat periodically to verify that the client has not been subverted. A virtue of the EAP is the flexibility it encompasses, since the mechanism can be easily replaced with a stronger authentication process.

Top of page