WPA's confidentiality and integrity mechanisms are built on TKIP (Temporal Key Integrity Protocol) in place of WEP's weak key management, but WEP's RC4 stream cipher is still used for data encryption. TKIP uses a 48-bit initialization vector (versus WEP's 24-bit initialization vector) with sequencing rules, which protects against key reuse and replay attacks. It also has a per-packet key-mixing function that protects against WEP's weak-key attacks, and a keyed cryptographic checksum that prevents packet forgery. This last feature is based on the new MIC (Message Integrity Code), a 64-bit cryptographic tag that requires little CPU.
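The paragraph above names three receive-side protections: the 48-bit sequence counter with sequencing rules, per-packet key mixing, and the keyed MIC. The following is an added example, not code from the original article, that models those three checks in Python so the logic is visible. TKIP's actual key-mixing function and its Michael MIC are not implemented; HMAC-SHA256 stands in for both (an assumption made here purely for illustration), while the counter width, MIC length and the "accept only if the counter is strictly greater" rule follow the text. The addresses, keys and frames are constructed sample data.

```python
"""Receive-side model of the TKIP protections: 48-bit sequence counter with
sequencing rule, per-packet key derivation, and a keyed 64-bit MIC.
HMAC-SHA256 is a stand-in for TKIP's real key mixing and for Michael."""
import hmac
import hashlib

TSC_BITS = 48                      # TKIP sequence counter (IV) width
WEP_IV_BITS = 24                   # WEP IV width, for comparison
TSC_MAX = (1 << TSC_BITS) - 1
MIC_LEN = 8                        # 64-bit Message Integrity Code


def per_packet_key(tk: bytes, ta: bytes, tsc: int) -> bytes:
    """Stand-in for TKIP key mixing: the per-packet cipher key depends on the
    temporal key, the transmitter address and the 48-bit counter, so no two
    packets share a key and the counter never appears as a bare prefix of the
    key the way the IV does in WEP (WEP: rc4_key = IV || shared_key)."""
    return hmac.new(tk, ta + tsc.to_bytes(6, "big"), hashlib.sha256).digest()[:16]


def mic(mic_key: bytes, sa: bytes, da: bytes, payload: bytes) -> bytes:
    """Keyed checksum over source, destination and payload (stand-in for Michael)."""
    return hmac.new(mic_key, sa + da + payload, hashlib.sha256).digest()[:MIC_LEN]


class TkipReceiver:
    """Tracks the last accepted counter per transmitter and enforces the
    sequencing rule: accept a frame only if its counter is strictly greater
    than the last one seen from that transmitter and its MIC verifies."""

    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_tsc = {}

    def accept(self, ta: bytes, tsc: int, sa: bytes, da: bytes,
               payload: bytes, tag: bytes) -> str:
        if not 0 <= tsc <= TSC_MAX:
            return "reject:bad-tsc"
        if tsc <= self.last_tsc.get(ta, -1):
            return "reject:replay"          # replayed or out-of-order frame
        if not hmac.compare_digest(tag, mic(self.mic_key, sa, da, payload)):
            return "reject:mic"             # forged or modified frame
        self.last_tsc[ta] = tsc
        return "accept"


def iv_reuse_seconds(bits: int, frames_per_second: int) -> float:
    """Seconds until a monotonically increasing counter of `bits` width wraps,
    i.e. how long before a per-packet value must repeat at a given rate."""
    return (1 << bits) / frames_per_second


def demo() -> list:
    """Constructed sample session: one genuine frame, the same frame replayed,
    a tampered frame, and a later genuine frame."""
    mic_key = b"\x11" * 8                  # constructed 64-bit MIC key
    tk = b"\x22" * 16                      # constructed temporal key
    ta = bytes.fromhex("0211223344aa")     # constructed transmitter address
    sa, da = ta, bytes.fromhex("0211223344bb")
    rx = TkipReceiver(mic_key)
    results = []

    frame1 = b"hello"
    tag1 = mic(mic_key, sa, da, frame1)
    results.append(rx.accept(ta, 5, sa, da, frame1, tag1))      # accept
    results.append(rx.accept(ta, 5, sa, da, frame1, tag1))      # reject:replay
    results.append(rx.accept(ta, 6, sa, da, b"hellO", tag1))    # reject:mic
    tag2 = mic(mic_key, sa, da, b"world")
    results.append(rx.accept(ta, 7, sa, da, b"world", tag2))    # accept
    # Per-packet keys differ even though the temporal key is the same.
    results.append(per_packet_key(tk, ta, 5) != per_packet_key(tk, ta, 6))
    return results


if __name__ == "__main__":
    print(demo())
    print("24-bit IV wraps after %.0f s at 1000 frames/s" % iv_reuse_seconds(WEP_IV_BITS, 1000))
    print("48-bit TSC wraps after %.0f s at 1000 frames/s" % iv_reuse_seconds(TSC_BITS, 1000))
```

The `iv_reuse_seconds` helper makes the IV-width point concrete: at 1,000 frames per second a 24-bit counter repeats in under five hours, whereas a 48-bit one would take thousands of years, which is why TKIP's wider counter plus the strictly-increasing rule both closes the key-reuse window and lets the receiver discard replays.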
WPA operates in two modes: PSK (Preshared Key) and Enterprise. WPA-PSK requires a shared passphrase to establish the wireless network. It's easy to set up but not as robust as Enterprise mode, which uses a key hierarchy to derive pairwise and group keys for authentication. Even though TKIP uses WEP's RC4 stream cipher, WPA is considerably more robust. The Wi-Fi Alliance says the system was designed and scrutinized by renowned cryptographers.
The default confidentiality mode for IEEE 802.11i/RSN, meanwhile, is based on the AES block cipher. The security protocol built around AES is called Counter Mode with CBC-MAC Protocol, or CCMP. AES is to CCMP as RC4 is to TKIP. The biggest difference between RSN/CCMP and WPA/TKIP is at the lower layers, where data is encrypted and decrypted: TKIP uses four temporal keys, whereas AES uses only three. Key management is the same for both protocols.
In most cases, you must upgrade the firmware or software in your APs to support WPA. Going to RSN requires new hardware that supports AES. If your AP was purchased after the fourth quarter of 2003, you'll probably need to upgrade its firmware or software for full 802.11i compliance. Most new enterprise wireless APs have the hardware processing power for 802.11i/RSN, but the firmware and software won't be available until after the 802.11i standard is ratified.
To enable WPA on your wireless client devices, you must upgrade the utility software or driver for WPA, provided the device supports the upgrade. It's not so simple, though, to make your clients RSN-capable. RSN's processor-intensive AES encryption is beyond what most existing wireless clients can handle, so existing laptops and handhelds must be replaced with newer devices that support RSN.