1 user authentication, 2 encryption, 3 wpa(2)-psk application example – ZyXEL Communications ZyXEL ZyAIR NWA-3500 User Manual

Chapter 7 Wireless Security Configuration

ZyXEL NWA-3500 User’s Guide

105

7.4.1 User Authentication

WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate
wireless clients using a RADIUS database. See later in this chapter and the appendices for
more information on IEEE 802.1x, RADIUS, EAP and PEAP.
If you don’t have a RADIUS server you should use WPA-PSK (WPA -Pre-Shared Key) that
only requires a single (identical) password entered into each access point, wireless gateway
and wireless client. As long as the passwords match, a client will be granted access to a
WLAN.

7.4.2 Encryption

WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message
Integrity Check (MIC) and IEEE 802.1x.
Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and
distributed by the authentication server. It includes a per-packet key mixing function, a
Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with
sequencing rules, and a re-keying mechanism.
TKIP regularly changes and rotates the encryption keys so that the same encryption key is
never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP
that then sets up a key hierarchy and management system, using the pair-wise key to
dynamically generate unique data encryption keys to encrypt every data packet that is
wirelessly communicated between the AP and the wireless clients. This all happens in the
background automatically.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data
packets, altering them and resending them. The MIC provides a strong mathematical function
in which the receiver and the transmitter each compute and then compare the MIC. If they do
not match, it is assumed that the data has been tampered with and the packet is dropped.
By generating unique data encryption keys for every data packet and by creating an integrity
checking mechanism (MIC), TKIP makes it much more difficult to decode data on a Wi-Fi
network than WEP, making it difficult for an intruder to break into the network.
The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference
between the two is that WPA-PSK uses a simple common password, instead of user-specific
credentials. The common-password approach makes WPA-PSK susceptible to brute-force
password-guessing attacks but it’s still an improvement over WEP as it employs an easier-to-
use, consistent, single, alphanumeric password.

7.4.3 WPA(2)-PSK Application Example

A WPA(2)-PSK application looks as follows.

1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key

(PSK) must consist of between 8 and 63 ASCII characters (including spaces and
symbols).

2 The AP checks each wireless client's password and allows it to join the network only if

the password matches.