WPA is designed for use with an 802.1X authentication server, which distributes different keys to each user; however, it can also be used in a less secure pre-shared key (PSK) mode. Data is encrypted using the RC4 stream cipher, with a 128-bit key and a 48-bit initialization vector (IV).
One major improvement over WEP is given by the Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used. When combined with the much larger IV, this defeats the well-known key recovery attacks on WEP.
In addition to authentication and encryption, WPA also provides vastly improved payload integrity. The cyclic redundancy check (CRC) used in WEP is inherently insecure; it is possible to alter the payload and update the message CRC without knowing the WEP key. WPA instead uses a far more secure message authentication code, here termed a Message Integrity Check (MIC), called "Michael". Further, the MIC used in WPA includes a frame counter, which prevents replay attacks.
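The following added example (not part of the original page) shows why a CRC under a stream cipher gives no integrity: CRC-32 is affine over XOR, so the tag change for a chosen payload change can be computed without the key, while a keyed MAC tag cannot. Assumptions: the frame layout is simplified to RC4(payload || CRC-32) with no IV or header, HMAC-SHA256 stands in for a keyed MIC and is not the Michael algorithm, and all keys and payloads are constructed sample values.

```python
import hashlib, hmac, zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def crc_tag(payload: bytes) -> bytes:
    return zlib.crc32(payload).to_bytes(4, "little")

def seal(key: bytes, payload: bytes) -> bytes:
    """Simplified WEP-style body: RC4(payload || CRC-32(payload))."""
    return rc4(key, payload + crc_tag(payload))

def open_frame(key: bytes, frame: bytes):
    """Return the payload if the decrypted CRC matches, else None."""
    plain = rc4(key, frame)
    return plain[:-4] if crc_tag(plain[:-4]) == plain[-4:] else None

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def alter_without_key(frame: bytes, delta: bytes) -> bytes:
    """crc(p ^ d) = crc(p) ^ crc(d) ^ crc(zeros), so the tag change depends
    on delta alone, and XOR passes straight through the RC4 keystream."""
    tag_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return xor(frame, delta + tag_delta.to_bytes(4, "little"))

def keyed_mic(mic_key: bytes, payload: bytes) -> bytes:
    """Stand-in keyed MAC (HMAC-SHA256), NOT the Michael algorithm."""
    return hmac.new(mic_key, payload, hashlib.sha256).digest()

# Constructed sample values, for illustration only.
KEY, MIC_KEY = b"constructed-rc4-key", b"constructed-mic-key"
ORIGINAL = b"seq=0001;door=locked"
ALTERED = b"seq=0001;door=opened"

if __name__ == "__main__":
    frame = alter_without_key(seal(KEY, ORIGINAL), xor(ORIGINAL, ALTERED))
    print("CRC accepts altered frame:", open_frame(KEY, frame) == ALTERED)
    print("keyed tag still matches:", keyed_mic(MIC_KEY, ALTERED) == keyed_mic(MIC_KEY, ORIGINAL))
```

The CRC check accepts the altered frame, whereas the keyed tag computed over the original payload no longer matches the altered one.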
In summary, by increasing the size of the keys and the number of keys in use, and by adding a secure message verification system, WPA makes breaking into a wireless LAN far more difficult. The Wi-Fi Alliance has announced that it will use the term WPA2 to refer to the full IEEE 802.11i standard.
The Wi-Fi Alliance has introduced the terms WPA(2)-Personal and WPA(2)-Enterprise for use in its Wi-Fi Interoperability Certificate. WPA(2)-Personal refers to WPA operating in pre-shared key mode, while WPA(2)-Enterprise refers to WPA operating with an authentication server. The terms indicate which security features and capabilities the certified product has.