Cryptography Reference
In-Depth Information
a mixing for each packet sent. These simple changes are enough to prevent
several of the attacks on WEP.
• Data origin authentication is provided using a MAC, rather than the easily
manipulated CRC checksum used in WEP. The recommended MAC is a special
lightweight mechanism tailored for WPA known as Michael.
While these are both definite improvements over WEP, they are both still
unconventional cryptographic primitives, albeit ones that have been carefully
designed by cryptographic experts.
CONFIDENTIALITY AND DATA ORIGIN AUTHENTICATION IN WPA2
WPA2 represents a complete redesign and uses standard cryptographic
mechanisms. In particular, WPA2 adopts AES instead of RC4 as the underlying
encryption algorithm.
WPA2 provides confidentiality and data origin authentication together in
one mechanism by deploying AES in a protocol referred to as the Counter
Mode with CBC-MAC Protocol (CCMP). CCMP is based on the CCM mode
of operation of a block cipher that we discussed in Section 6.3.6. As indicated
in Section 6.3.6, this avoids the need to provide these services using separate
mechanisms. CCMP includes mechanisms for deriving fresh keys for each
separate CCM 'encryption'. Note that if CCMP is used then it is only necessary
to derive one data key during the WPA2 AKE protocol, instead of separate keys
DEK and DMK.
12.2.6 WLAN security issues
Perhaps the most interesting aspect of WLAN security is that some of the problems
have arisen from errors in cryptographic mechanism design, which is relatively
unusual. As we have repeatedly observed, it is far more common for vulnerabilities
to arise elsewhere, such as during implementation and key management (see
Section 3.2.4). However, it would seem that WPA2 addresses all of the previous
problems and provides good cryptographic protection. To date there have been
no serious attacks on the cryptography used in WPA or WPA2.
The most vulnerable aspect of WPA2 security remains the potential for the
PMK derivation in small (home) networks to rely on a weak password or
passphrase. This is a very important issue because all the subsequent session
keys are derived from this pre-shared key, and the mutual entity authentication
process relies on PMK only being known by authorised devices and the wireless
access point. If this type of key derivation is being used then all the potential
problems with passwords and passphrases, such as those discussed in Section 8.4.1,
apply to WPA2 security. There is also the potential risk that home users
use default keys that are supplied with their equipment, rather than establish
their own.
 