
WLAN Security Monitors: Page 23 of 31

WPA has two modes of operation: Enterprise and PSK (preshared key). Because WPA is a stable intermediate stage in the effort to separate user authentication from message protection, no effort has been spared in hardening the infrastructure within the limits of existing hardware. WPA can be boiled down to: 802.1X (port access control) + EAP (upper-layer authentication) + TKIP (key management) + MIC (message integrity and countermeasures).

The difference between WPA and WPA-PSK is that in the PSK version, the RADIUS server that would generate a master key for each session is replaced by a common passphrase. Using WPA-PSK is similar to using a static WEP key, except that the PSK takes a different approach to key hierarchy and key management. Like any shared-key environment, WPA-PSK is subject to dictionary attacks, so care must be taken to choose strong passphrases.
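The passphrase-to-master-key step described above, as an added example that is not code from the article: the PSK/PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 256 bits, per IEEE 802.11i Annex H), and a small policy report shows why the article's advice on strong passphrases matters. The `passphrase_report` function and its entropy estimate are this example's own construction, not part of the standard.

```python
import hashlib
import math
import string

# Added example, not code from the article. The WPA-PSK master key (PMK) is
# PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits) as in IEEE
# 802.11i Annex H. The SSID is the salt, so for a given network name the PMK
# is a fixed function of the passphrase, which is why the dictionary-attack
# warning in the text applies and why passphrase strength is the defence.
def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK/PMK from an ASCII passphrase and the SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

# Character classes for a rough strength estimate (hypothetical policy helper).
_CLASSES = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
            "digit": string.digits, "symbol": string.punctuation + " "}

def passphrase_report(passphrase: str) -> dict:
    """Report whether a passphrase meets the WPA format rules and give a naive
    strength bound: entropy_bits = length * log2(size of classes present).
    This is an upper bound; real passphrases drawn from words are far weaker."""
    try:
        wpa_psk(passphrase, "any-ssid")   # reuse the format validation above
        valid = True
    except ValueError:
        valid = False
    present = [name for name, chars in _CLASSES.items()
               if any(c in chars for c in passphrase)]
    charset = sum(len(_CLASSES[name]) for name in present)
    bits = len(passphrase) * math.log2(charset) if charset else 0.0
    return {"valid": valid, "length": len(passphrase),
            "classes": len(present), "entropy_bits": round(bits, 1)}

if __name__ == "__main__":
    # Test vector from IEEE 802.11i Annex H.4: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    print(passphrase_report("password"))
    print(passphrase_report("Correct Horse Battery Staple 2004!"))
```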

The MIC protects the integrity of the packet across the medium; it includes countermeasures to address the packet-integrity breaches seen in WEP. The MIC key is also derived from the master key, which in the case of WPA-PSK is the preshared key.

In the 802.11i standard, unlike WPA, key management and message integrity are handled by a single component, CCMP (Counter Mode/CBC-MAC Protocol), built around AES. Counter mode is used for data encryption, and the CBC-MAC (Cipher Block Chaining Message Authentication Code) ensures message integrity. Here's a view of 802.11i: 802.1X + EAP + [{TKIP + MIC} or CCMP (encryption and message authentication)]

Authentication in the RSN model is handled by 802.1X and EAP. In an enterprise, a RADIUS server is used to perform authentication and to integrate with user databases. The RADIUS server generates the session master key and sends it as an attribute along with the EAP-Success message. Master key generation is independent of the EAP type used.