WPA uses 802.1x and Extensible Authentication Protocol (EAP) as the basis of its authentication mechanism. Authentication requires a user to provide some form of evidence ("credentials") that they should be allowed access to a network, and checks that evidence against a database of valid users. Anyone who has ever logged into a network has gone through an authentication process.
The database and checking parts of the Authentication process mentioned above are usually done by a special server - typically RADIUS - in large "enterprise" networks. But since WPA was intended to also be used by all WLAN owners, it was also given a simpler mode that doesn't require any fancy equipment.
This mode - called Pre-Shared Key (WPA-PSK) - only requires a single password entered into each WLAN node (Access Points, Wireless Routers, client adapters, bridges). As long as the passwords match, a client will be granted access to a WLAN. Figure 1 illustrates the process.
Figure 1: WPA - PSK Authentication
(Diagram from Wi-Fi Alliance Networld+Interop 2003 Media Presentation. Used by permission.)
Although WPA's predecessor - WEP - didn't have an Authentication mechanism at all, WEP's main problems came from the cryptographic weakness of its encryption mechanism. As this nicely written explanation by RSA Security points out, WEP's key problem is that the keys for different data packets are too similar.
The TKIP, MIC and 802.1X parts of the WPA equation each play a part in strengthening the data encryption in WPA-enabled LANs. This excerpt from the Wi-Fi Alliance's WPA White Paper provides a good overview of how they play together:
TKIP increases the size of the key from 40 to 128 bits and replaces WEP's single static key with keys that are dynamically generated and distributed by the authentication server. TKIP uses a key hierarchy and key management methodology that removes the predictability which intruders relied upon to exploit the WEP key.
To do this, TKIP leverages the 802.1X/EAP framework. The authentication server, after accepting a user's credentials, uses 802.1X to produce a unique master, or "pair-wise" key for that computing session. TKIP distributes this key to the client and the AP and sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated during that user's session. TKIP's key hierarchy exchanges WEP's single static key for some 500 trillion possible keys that can be used on a given data packet.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, the data is assumed to have been tampered with and the packet is dropped.
By greatly expanding the size of keys, the number of keys in use, and by creating an integrity checking mechanism, TKIP magnifies the complexity and difficulty involved in decoding data on a Wi-Fi network. TKIP greatly increases the strength and complexity of wireless encryption, making it far more difficult - if not impossible - for a would-be intruder to break into a Wi-Fi network.
Couldn't have said it better myself!
It's important to note that the encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that in WPA-PSK, authentication is reduced to a simple common password instead of user-specific credentials. Some would argue that this common-password approach makes WPA-PSK too easily breakable via brute-force password-guessing attacks, and they would have a point. But I'd argue that WPA-PSK takes away the present mess of inconsistent WEP key entry and management and replaces it with a consistent, single alphanumeric password entry system. And that puts it far ahead of WEP as far as I'm concerned, because it's so simple that people might actually use it!
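The brute-force concern above comes down to how the shared password becomes a key, a step this article does not describe: under IEEE 802.11i, every node runs the passphrase through PBKDF2-HMAC-SHA1 (4096 iterations, salted with the SSID) to get a 256-bit key. The following is an added example, not code from the original article; the function names and the sample passphrases are illustrative assumptions, and the "password"/"IEEE" pair is the standard's published test vector.

```python
import hashlib
import hmac
import math
import string

PBKDF2_ROUNDS = 4096   # fixed by IEEE 802.11i for WPA-PSK
PMK_BYTES = 32         # 256-bit pairwise master key


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit key every node computes from the shared passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, PBKDF2_ROUNDS, PMK_BYTES)


def nodes_agree(ap_passphrase: str, client_passphrase: str, ssid: str) -> bool:
    """True when AP and client end up with the same key (constant-time compare)."""
    return hmac.compare_digest(derive_psk(ap_passphrase, ssid),
                               derive_psk(client_passphrase, ssid))


def guess_space_bits(passphrase: str) -> float:
    """Upper bound on guessing effort, assuming characters were chosen at random
    from the classes present. Dictionary words are far weaker than this bound."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    pool = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    if any(ch not in "".join(classes) for ch in passphrase):
        pool += 33  # printable ASCII punctuation plus space
    return len(passphrase) * math.log2(pool)


if __name__ == "__main__":
    # Constructed sample values, except "password"/"IEEE" (802.11i test vector).
    print(derive_psk("password", "IEEE").hex())
    print(nodes_agree("correct horse battery", "correct horse battery", "HomeLAN"))
    for p in ("password", "Tr0ub4dor&3x", "k7#Qz9!mW2@rLp5^vN8$"):
        print(f"{p!r}: at most {guess_space_bits(p):.0f} bits")
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network, and the 8-character minimum is the only strength requirement the derivation enforces.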
That wraps up the review. Now that you know the theory of WPA, let's see how it works in practice!