As previously mentioned, WPA accomplished its goal: Almost any legacy wireless equipment can be upgraded to meet WPA "standards" with little effort. This section provides a very general outline of the problems found in WEP, and what WPA did to correct them. Note that most of these fixes are specifically corrected by the privacy component known as TKIP.
Weak IVs and Collisions
The initialization vector (IV) value is used to provide each packet with a unique key (IV plus pre-shared key). This unique key provides a serious obstacle to any attacker, simply because each packet must be treated as a unique target. Cracking one packet's password only provides access to that one packet.
However, WEP's implementation of the IV is flawed:
- The IV is only 24 bits. As a result, IVs are repeated every few hours. Therefore, over time, an attacker can leverage repeated IV values, known as collisions, to help gain access to the data.
- WEP's algorithm is flawed. This flaw led to the widely known WEP cracking scandal that has surrounded wireless networking for years.
WPA corrected these problems in the following manner:
- WPA increased the size of the IV to 48 bits, which provides at least 900 years of unique passwords and basically eliminates the problem of collision.
- WPA alters the values acceptable as IVs. This fix allows WPA to use the same algorithm as WEP, but plugs the hole by controlling the IV values going into the algorithm. Finally, a new password is generated automatically every 10,000 packets. This is well below the threshold of even the most successful WEP cracking efforts and all but eliminates the threat of a statistical attack.
Integrity Check Value (ICV)
WEP uses an integrity check value (ICV) to ensure that packets are not corrupted during transmission. This integrity check has little to offer in the way of security, however. The algorithm is widely used and easy to fool.
To correct this problem, WPA incorporates an algorithm known as Michael that creates a unique integrity value, using the sender's and receiver's MAC addresses. However, Michael uses a simple encryption scheme that can be cracked using brute-force methods. To compensate for this issue, if Michael detects more than two invalid packets in under a minute, it halts the network for one minute and resets all passwords. But this arrangement opens the doors for a malicious attacker to perform a denial-of-service attack by purposefully injecting faulty packets; to accomplish this goal, however, the attacker must first work through several other layers of protection.
Forgery and Replay
WEP has no protection against forgery or replay attacks. Any attacker can inject any packet into a network. In addition, an attacker can reuse a captured packet in this injection. WPA incorporates protections against these attacks via the 48-bit IV value.
First, the IV is created using the MAC address of the sending network card and a sequential counter value. This technique stops forgery attacks because an attacker must know the MAC and IV values that are encrypted into the packet. Second, the IV includes a sequential counter (TSC). When a packet is received, its counter value must fall within an accepted range or it will be dropped. As a result, replay attacks don't work because the fake TSC probably won't be within the valid range.
WEP offers little in the way of authentication. It's possible to set up a shared authentication system, but enabling this method opens other security risks and is considered dangerous. To compensate, WPA includes support for authentication via 802.1x Extensible Authentication Protocol over LAN (EAPoL), generally with a RADIUS server.
As you can see, WPA has helped to increase the security available to wireless network users. Of course, this statement assumes that the WLAN owner knows about these technologies and uses them. Unfortunately, this is not often the case.