
Little-known WPA tidbits

May 14, 2003 | 2 mins
Cellular Networks | Network Security

From the mouths of N+I panelists

A few informational nuggets about the Wi-Fi Protected Access set of security reinforcements for 802.11-based LANs emerged at a NetWorld+Interop 2003 panel session:

* Product implementations of WPA have been certified only for 802.11b products so far. Come August, WPA support and interoperability will be required on all Wi-Fi-certified 802.11a/b/g products.

* WPA-enabled products will continue to support WEP into the foreseeable future for backward compatibility with existing systems and as a security migration step. But if you turn on WPA, WEP will go off.

* For the same migratory reason, Cisco gear will continue to support Cisco LEAP. Like the WPA/WEP scenario, you would not run WPA and Cisco LEAP in a device concurrently, said Bruce Alexander, a wireless expert at Cisco.

The reason is that the WPA implementation specifies two things: a Temporal Key Integrity Protocol (TKIP) function for dynamic encryption key distribution, which the alliance tests for standards compliance and interoperability, and support for an Extensible Authentication Protocol (EAP) algorithm of your choice. In the WPA/802.11i framework, TKIP and EAP are implemented as separate functions.

Logically, you would think that you could support WPA and its associated standard TKIP and choose Cisco LEAP as your EAP algorithm. The catch is that Cisco LEAP bundles a Cisco-proprietary version of TKIP into it (TKIP and LEAP are inseparable). So there is a conflict between the WPA/802.11i TKIP and the older, LEAP-bundled TKIP. The version of TKIP that Cisco supports in its WPA implementation complies with the industry standard as it stands today (as do all other WPA-certified implementations).

* WPA-enabling 802.11 gear that is already deployed will require loading new firmware on access points and new firmware, drivers, and a supplicant on client devices. Alexander predicted that efforts by third parties to offer vendor-neutral technology for WPA upgrades won’t be widely successful. “All firmware is slightly unique,” he said, indicating that it would be difficult for a “packaged” WPA to work with multiple vendors’ designs.