Wi-Fi Protected Access
||It has been suggested that IEEE 802.11i-2004 be merged into this article. (Discuss) Proposed since July 2014.|
Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, WEP (Wired Equivalent Privacy).
WPA (sometimes referred to as the draft IEEE 802.11i standard) became available in 2003. The Wi-Fi Alliance intended it as an intermediate measure in anticipation of the availability of the more secure and complex WPA2. WPA2 became available in 2004 and is a common shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard.
A flaw in a feature added to Wi-Fi, called Wi-Fi Protected Setup, allows WPA and WPA2 security to be bypassed and effectively broken in many situations. WPA and WPA2 security implemented without using the Wi-Fi Protected Setup feature are unaffected by the security vulnerability.
- 1 WPA
- 2 WPA2
- 3 Hardware support
- 4 Security
- 5 WPA terminology
- 6 EAP extensions under WPA and WPA2 Enterprise
- 7 References
- 8 External links
The Wi-Fi Alliance intended WPA as an intermediate measure to take the place of WEP pending the availability of the full IEEE 802.11i standard. WPA could be implemented through firmware upgrades on wireless network interface cards designed for WEP that began shipping as far back as 1999. However, since the changes required in the wireless access points (APs) were more extensive than those needed on the network cards, most pre-2003 APs could not be upgraded to support WPA.
The WPA protocol implements much of the IEEE 802.11i standard. Specifically, the Temporal Key Integrity Protocol (TKIP) was adopted for WPA. WEP used a 40-bit or 104-bit encryption key that must be manually entered on wireless access points and devices and does not change. TKIP employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of attacks that compromised WEP.
WPA also includes a message integrity check. This is designed to prevent an attacker from capturing, altering and/or resending data packets. This replaces the cyclic redundancy check (CRC) that was used by the WEP standard. CRC's main flaw was that it did not provide a sufficiently strong data integrity guarantee for the packets it handled. Well tested message authentication codes existed to solve these problems, but they required too much computation to be used on old network cards. WPA uses a message integrity check algorithm called Michael to verify the integrity of the packets. Michael is much stronger than a CRC, but not as strong as the algorithm used in WPA2. Researchers have since discovered a flaw in WPA that relied on older weaknesses in WEP and the limitations of Michael to retrieve the keystream from short packets to use for re-injection and spoofing.
WPA2 has replaced WPA. WPA2, which requires testing and certification by the Wi-Fi Alliance, implements the mandatory elements of IEEE 802.11i. In particular, it introduces CCMP, a new AES-based encryption mode with strong security. Certification began in September, 2004; from March 13, 2006, WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark.
WPA was specifically designed to work with wireless hardware that was produced prior to the introduction of the WPA protocol which had only supported inadequate security through WEP. Some of these devices support the security protocol only after a firmware upgrade. Firmware upgrades are not available for some legacy devices.
Wi-Fi devices certified since 2006 support both the WPA and WPA2 security protocols. WPA2 may not work with some older network cards.
Pre-shared key mode (PSK, also known as Personal mode) is designed for home and small office networks that don't require the complexity of an 802.1X authentication server. Each wireless network device encrypts the network traffic using a 256 bit key. This key may be entered either as a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters. If ASCII characters are used, the 256 bit key is calculated by applying the PBKDF2 key derivation function to the passphrase, using the SSID as the salt and 4096 iterations of HMAC-SHA1.
Shared-key WPA and WPA2 remain vulnerable to password cracking attacks if users rely on a weak password or passphrase. To protect against a brute force attack, a truly random passphrase of 20 characters (selected from the set of 95 permitted characters) is probably sufficient. Brute forcing of simple passwords can be attempted using the Aircrack Suite starting from the four-way authentication handshake exchanged during association or periodic re-authentication.
To further protect against intrusion, the network's SSID should not match any entry in the top 1000 SSIDs as downloadable rainbow tables have been pre-generated for them and a multitude of common passwords.
WPA short packet spoofing
In November 2008 Erik Tews and Martin Beck, researchers at two German technical universities (TU Dresden and TU Darmstadt), uncovered a WPA weakness which relies on a previously known flaw in WEP that can be exploited only for the TKIP algorithm in WPA. The flaw can only decrypt short packets with mostly known contents, such as ARP messages. The attack requires Quality of Service (as defined in 802.11e) to be enabled, which allows packet prioritization as defined. The flaw does not lead to recovery of a key, but only to recovery of a keystream that was used to encrypt a particular packet, and which can be reused as many as seven times to inject arbitrary data of the same packet length to a wireless client. For example, this allows someone to inject faked ARP packets, making the victim send packets to the open Internet.
Two Japanese computer scientists, Toshihiro Ohigashi and Masakatu Morii, further optimized the Tews/Beck attack; they showed that, when using a man-in-the-middle position, the attack doesn't require Quality of Service to be enabled. In October 2009, Halvorsen with others made further progress, enabling attackers to inject larger malicious packets (596 bytes in size) within approximately 18 minutes and 25 seconds.
In February 2010 Martin Beck described a vulnerability which allows an attacker to decrypt all traffic towards the client, though he did not implement and test it. In May 2013 Mathy Vanhoef and Frank Piessens built on the ideas of Martin Beck and implemented three additional attacks. They demonstrated how fragmentation can be used to inject an arbitrary amount of packets, and showed in practice how to decrypt all traffic sent to a client. Their attacks do not require QoS to be enabled and do not require a man-in-the-middle position. The authors say using a short rekeying interval can prevent some attacks but not all, and strongly recommend switching from TKIP to AES-based CCMP.
The vulnerabilities of TKIP are significant in that WPA-TKIP had been held to be an extremely safe combination; indeed, WPA-TKIP is still a configuration option upon a wide variety of wireless routing devices provided by many hardware vendors.
WPS PIN recovery
A more serious security flaw was revealed in December 2011 by Stefan Viehböck that affects wireless routers with the Wi-Fi Protected Setup (WPS) feature, regardless of which encryption method they use. Most recent models have this feature and enable it by default. Many consumer Wi-Fi device manufacturers had taken steps to eliminate the potential of weak passphrase choices by promoting alternative methods of automatically generating and distributing strong keys when users add a new wireless adapter or appliance to a network. These methods include pushing buttons on the devices or entering an 8-digit PIN.
The Wi-Fi Alliance standardized these methods as Wi-Fi Protected Setup; however the PIN feature as widely implemented introduced a major new security flaw. The flaw allows a remote attacker to recover the WPS PIN and, with it, the router's WPA/WPA2 password in a few hours. Users have been urged to turn off the WPS feature, although this may not be possible on some router models. Also note that the PIN is written on a label on most Wi-Fi routers with WPS, and cannot be changed if compromised.
Several weaknesses have been found in MS-CHAPv2, some of which severely reduce the complexity of brute-force attacks making them feasible with modern hardware. In 2012 the complexity of breaking MS-CHAPv2 was reduced to that of breaking a single DES key, work by Moxie Marlinspike and Marsh Ray. Moxie advised: "Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else."
Hole196 is a vulnerability in the WPA2 protocol that abuses the shared Group Temporal Key (GTK). It can be used to conduct man-in-the-middle and denial-of-service attacks. However, it assumes that the attacker is already authenticated against Access Point and thus in possession of the GTK.
Different WPA versions and protection mechanisms can be distinguished based on the (chronological) version of WPA, the target end-user (according to the method of authentication key distribution), and the encryption protocol used.
- Initial WPA version, to supply enhanced security over the older WEP protocol. Typically uses the TKIP encryption protocol (see further).
- Also known as IEEE 802.11i-2004, is the successor of WPA, adds support for CCMP which is intended to replace TKIP encryption protocol. Mandatory for Wi-Fi–certified devices since 2006.
Target users (authentication key distribution)
Also referred to as WPA-PSK (Pre-shared key) mode, this is designed for home and small office networks and doesn't require an authentication server. Each wireless network device authenticates with the access point using the same 256-bit key generated from a password or passphrase.
Also referred to as WPA-802.1X mode, and sometimes just WPA (as opposed to WPA-PSK), this is designed for enterprise networks and requires a RADIUS authentication server. This requires a more complicated setup, but provides additional security (e.g. protection against dictionary attacks on short passwords). An Extensible Authentication Protocol (EAP), of which there are various kinds, is used for authentication.
Note that the WPA-Personal and WPA-Enterprise modes are available with both WPA and WPA2.
Wi-Fi Protected Setup
This is an alternative authentication key distribution method intended to simplify and strengthen the process, but which, as widely implemented, creates a major security hole (see above).
- TKIP (Temporal Key Integrity Protocol)
- The RC4 stream cipher is used with a 128-bit per-packet key, meaning that it dynamically generates a new key for each packet. Used by WPA.
- CCMP (Counter Cipher Mode with block chaining message authentication code Protocol)
- An AES-based encryption mechanism that is stronger than TKIP. Used by WPA2. Among informal names are "AES" and "AES-CCMP". According to the 802.11n specification, this encryption protocol must be used to achieve the fast 802.11n high bitrate schemes, though not all implementations enforce this. Otherwise, the data rate will not exceed 54 MBit/s.
EAP extensions under WPA and WPA2 Enterprise
In April 2010, the Wi-Fi Alliance announced the inclusion of additional Extensible Authentication Protocol (EAP) types to its certification programs for WPA- and WPA2- Enterprise certification programs. This was to ensure that WPA-Enterprise certified products can interoperate with one another. Previously, only EAP-TLS (Transport Layer Security) was certified by the Wi-Fi alliance.
As of 2010[update] the certification program includes the following EAP types:
- EAP-TLS (previously tested)
- EAP-TTLS/MSCHAPv2 (April 2005 )
- PEAPv0/EAP-MSCHAPv2 (April 2005)
- PEAPv1/EAP-GTC (April 2005)
- EAP-SIM (April 2005)
- EAP-AKA (April 2009 )
- EAP-FAST (April 2009)
802.1X clients and servers developed by specific firms may support other EAP types. This certification is an attempt for popular EAP types to interoperate; their failure to do so as of 2013[update] is one of the major issues preventing rollout of 802.1X on heterogeneous networks.
- "Understanding WEP Weaknesses". Wiley Publishing. Retrieved 2010-01-10.
- Viehbock, Stefan (26 December 2011). "Brute forcing Wi-Fi Protected Setup".
- Meyers, Mike (2004). Managing and Troubleshooting Networks. Network+. McGraw Hill. ISBN 978-0-07-225665-9.
- Ciampa, Mark (2006). CWNA Guide to Wireless LANS. Networking. Thomson.
- "Battered, but not broken: understanding the WPA crack". Ars Technica. 2008-11-06.
- Jonsson, Jakob. "On the Security of CTR + CBC-MAC". NIST. Retrieved 2010-05-15.
- "WPA2 Security Now Mandatory for Wi-Fi CERTIFIED Products" "WPA2 Security Now Mandatory for Wi-Fi CERTIFIED Products". Wi-Fi Alliance. Retrieved 2013-02-28.
- "Wi-Fi Protected Access White Paper". Wi-Fi Alliance. "WPA is both forward and backward-compatible and is designed to run on existing Wi-Fi devices as a software download."
- "Wi-Fi Alliance: Glossary". Retrieved 2010-03-01.
- Each character in the passphrase must have an encoding in the range of 32 to 126 (decimal), inclusive. (IEEE Std. 802.11i-2004, Annex H.4.1)
The space character is included in this range.
- van Rantwijk, Joris (2006-12-06). "WPA key calculation — From passphrase to hexadecimal key". Retrieved 2011-12-24.
- "A key generated from a passphrase of less than about 20 characters is unlikely to deter attacks." "... against current brute-strength attacks, 96 bits [of security] SHOULD be adequate." (Weakness in Passphrase Choice in WPA Interface, by Robert Moskowitz. Retrieved March 2, 2004.)
- "WPA2 wireless security cracked". ScienceDaily. doi:10.1504/IJICS.2014.059797. Retrieved 2014-04-30.
- "Exposing WPA2 security protocol vulnerabilities". Inderscience.metapress.com 6 (1/2014). International Journal of Information and Computer Security. 2014-03-13. Retrieved 2014-04-30.
- "Researchers Outline How to Crack WPA2 Security". SecurityWeek.Com. 2014-03-24. Retrieved 2014-04-30.
- "WPA2 wireless security cracked". Phys.org. 2014-03-20. Retrieved 2014-05-16.
- "Exposing WPA2 Paper". InfoSec Community. 2014-05-02. Retrieved 2014-05-16.
- "Wireless Geographic Logging Engine - SSID Stats". WiGLE. Retrieved 2010-11-15.
- "Church of Wifi WPA-PSK Rainbow Tables". The Renderlab. Retrieved 2010-11-15.
- "Practical Attacks against WEP and WPA" (PDF). Retrieved 2010-11-15.
- "A Practical Message Falsification Attack on WPA" (PDF). Retrieved 2010-11-15.
- Halvorsen, Finn M.; Haugen, Olav; Eian, Martin; Mjølsnes, Stig F. (September 30, 2009). "An Improved Attack on TKIP" 5838. pp. 120–132. doi:10.1007/978-3-642-04766-4_9.
- "Enhanced TKIP Michael Attacks" (PDF). Retrieved 2010-11-15.
- Vanhoef, Mathy; Piessens, Frank (May 2013). "Practical Verification of WPA-TKIP Vulnerabilities". Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security. ASIA CCS '13: 427–436. doi:10.1145/2484313.2484368.
- http://www.kb.cert.org/vuls/id/723755 US CERT Vulnerability Note VU#723755
- "Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate". Moxie Marlinspike. Retrieved 2012-08-03.
- WPA2 Hole196 Vulnerability AirTight Networks
- WPA Too! DEF CON 18 (2010)
- "Data rate will not exceed 54 Mbps when WEP or TKIP encryption is configured".
- "Wi-Fi Alliance: Definition of EAP (Extensible Authentication Protocol)". Wi-Fi Alliance Featured Topics.
- "Wi-Fi Alliance expands Wi-Fi Protected Access Certification Program for Enterprise and Government Users". Wi-Fi Alliance Press Release.
- "Wi-Fi Alliance expands Wi-Fi Protected Access Certification Program for Enterprise and Government Users". Wi-Fi Alliance Featured Topics.
- "Wi-Fi CERTIFIED™ expanded to support EAP-AKA and EAP-FAST authentication mechanisms". Wi-Fi Alliance Featured Topics.
- Official standards document: "IEEE Std 802.11i-2004". IEEE (The Institute of Electrical and Electronics Engineers, Inc.). 23 July 2004. ISBN 0-7381-4074-0.
- Wi-Fi at DMOZ
- Wi-Fi Alliance's Interoperability Certificate page
- Weakness in Passphrase Choice in WPA Interface, by Robert Moskowitz. Retrieved March 2, 2004.