As indicated by its name, WEP serves to provide privacy. However, as I mentioned, its algorithms are flawed. WEP also doesn't include any support for authorization. To correct this problem, WPA has two main components:
- The Temporal Key Integrity Protocol (TKIP) addresses the privacy concerns via enhanced encryption schemes.
- The authentication component uses 802.1x and an authentication server to provide user-level access.
The authentication mechanism comes in two varieties, which is necessary because WPA has to address two very different markets: enterprise and consumer. The following list outlines the general security requirements for each variety.
- Enterprise. Authorization, authentication, and auditing are all essential components for providing a secure resource to an enterprise user. As a result, it's possible to configure WPA to authenticate users, typically via a RADIUS server. (RADIUS is not the standard—just the most common way of implementing the standard.) During this process, the user obtains the primary master key (PMK), which is then used to set up the encryption algorithm used by TKIP. Because the PMK is derived as a result of the authentication process, there's no need for locally stored passwords. In addition, the authentication information is passed via an encrypted channel to protect it against eavesdroppers.
- Consumer. WPA is not just an enterprise solution. It was also created to help secure the SOHO user. However, the consumer environment offers little justification for an authentication server. As a result, WPA had to include some internal method to create the PMK used to initialize the TKIP encryption process. This solution was created by using a pre-shared password that's previously configured in the access point and all nodes.
The attacks discussed in this article affect only the consumer version of WPA, known as WPA Pre-Shared Key (WPA-PSK). The enterprise solution is not susceptible to this particular attack, but that doesn't make it any less dangerous. With the widespread understanding that WEP is flawed, many SOHO users have switched to WPA-PSK without realizing the risks involved.