Wi-Fi Protected Access for Windows
Apr. 21, 2003

Improved security for Wi-Fi (802.11b) wireless networks is supported by a recently released update for Windows XP and Windows Server 2003. The update supports the new Wi-Fi Protected Access protocol, which fixes flaws with the encryption protocol used in current Wi-Fi equipment without requiring new hardware. However, the update does not support all Wi-Fi adapters on the market, and users will still have to get firmware and driver updates from their hardware vendors to benefit from the new protocol.

WPA Provides Transitional Fix

Microsoft's update enables Windows XP and Windows Server 2003 computers to use 802.11b network adapters with the Wi-Fi Protected Access (WPA) security protocol. Developed by the Institute of Electrical and Electronics Engineers (IEEE) and Wi-Fi Alliance, WPA fixes problems in the older Wired Equivalent Privacy (WEP) protocol supported by current Wi-Fi equipment. The WEP protocol provides encryption of wireless traffic to prevent eavesdropping and also provides a weak form of authorization intended to keep unauthorized parties from connecting to a given access point (AP). WEP attempts to accomplish both of these functions using a single secret encryption key shared by one or more users and an access point. (For this reason, WEP provides no user authentication, since multiple users typically know the same key.) Although WEP is generally better than no security at all, its keys can be easily cracked with readily available tools, thus completely compromising both security goals.

Compounding security problems even further is the common practice of using the same key for multiple APs in larger wireless networks (done to make roaming and administration easier). A compromised WEP key then gives attackers even broader network access, thereby allowing them to eavesdrop on more data or access the network through more APs.

Use of a Virtual Private Network (VPN) over the 802.11b connection will protect data confidentiality should the WEP key be compromised, but VPNs are inconvenient to use and maintain for internal communications and provide no protection against theft of network access or attacks on other network resources.

WPA takes several steps to fix problems in WEP.

802.1x authentication required. WPA requires use of the 802.1x network access authentication protocol. 802.1x is a standard user-authentication protocol for all types of network access, including wireless access. Although better authentication prevents unauthorized individuals from connecting to the network, it alone does not provide full security, since it does nothing to prevent passive collection of traffic for later analysis or prevent other types of active attacks on existing legitimate, authenticated traffic.

Unlike WEP, WPA also takes advantage of the 802.1x protocol’s ability to change the base encryption keys at frequent intervals, which means that even if an encryption key is cracked, only a limited chunk of data can be deciphered.

Temporal Key Integrity Protocol (TKIP). TKIP provides a means of using the existing wireless hardware’s encryption/decryption chips to provide much stronger confidentiality than WEP. Each wireless adapter uses 802.1x’s rekeying function to change its encryption key at frequent intervals, making it harder to learn the key because less data encrypted with it is available to analyze.

Michael. WPA uses a protocol called "Michael" to add a signed checksum to each packet and then check that it is valid at the receiving end. This helps detect forged packets, which in turn can prevent attackers from gaining access by replaying legitimate traffic or masquerading as legitimate users.
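
Added example (not from the original article or from any vendor's code): a receiver-side check contrasting an unkeyed CRC-32, which is what WEP appends to each frame, with a keyed per-packet tag of the kind described for Michael. Truncated HMAC-SHA256 stands in for the Michael algorithm, and the frame layout, 8-byte frame counter, key and payloads are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct
import zlib

MIC_LEN = 8  # Michael's tag is 8 bytes; truncated HMAC-SHA256 stands in for it

def crc_frame(payload: bytes) -> bytes:
    """WEP-style integrity: an unkeyed CRC-32 appended to the payload."""
    return payload + struct.pack("<I", zlib.crc32(payload))

def crc_accepts(frame: bytes) -> bool:
    """Passes for any frame whose CRC matches, whoever produced it."""
    return struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]

def mic_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """Keyed integrity: the tag covers a frame counter and the payload."""
    header = struct.pack(">Q", seq)  # hypothetical 8-byte counter field
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
    return header + payload + tag

class Receiver:
    """Receiving end: verify the tag first, then reject repeated counters."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes) -> str:
        if len(frame) < 8 + MIC_LEN:
            return "malformed"
        body, tag = frame[:-MIC_LEN], frame[-MIC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "bad-mic"
        seq = struct.unpack(">Q", body[:8])[0]
        if seq <= self.last_seq:
            return "replay"
        self.last_seq = seq
        return "ok"

def demo() -> list:
    key = b"constructed-session-key"  # constructed sample value
    rx = Receiver(key)
    good = mic_frame(key, 1, b"constructed payload")
    altered = good[:8] + b"Constructed payload" + good[-MIC_LEN:]
    return [crc_accepts(crc_frame(b"rewritten payload")),
            rx.accept(good), rx.accept(good), rx.accept(altered)]
```

The unkeyed checksum validates any payload because computing it needs no secret, while the keyed receiver accepts the genuine frame once and rejects both its repeat and the altered copy.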

The Wi-Fi Alliance claims that WPA will be compatible with more than 650 different existing 802.11b access points and adapter products. Starting in May 2003, vendors will begin making firmware upgrades available for their APs and upgraded drivers for their adapters. Even Microsoft’s own Wi-Fi hardware will require an update to get WPA support.

The IEEE is also in the late stages of issuing a new security standard, called 802.11i, that remedies all known vulnerabilities and supports more usage scenarios, but this standard will require new wireless devices. However, the IEEE derived the WPA protocol from the draft 802.11i standard, and designed it to be forward compatible with that standard when it is published.

Microsoft’s WPA Update

WPA firmware and driver updates are what actually replace WEP with WPA, so users who want WPA support will have to go back to the vendors of their wireless access points and adapters to get the software. However, Microsoft's WPA update provides a means of configuring the settings of WPA-capable wireless adapters in Windows XP SP1 (or later) or Windows Server 2003.

The update will only work with adapters that support Microsoft’s Wireless Zero Configuration service. Certified adapters listed on Microsoft’s Windows XP hardware compatibility list definitely support the Wireless Zero Configuration service, but other noncertified adapters do as well, so users will need to check with their adapter vendors. For older versions of Windows or for adapters that do not support the Wireless Zero Configuration service, users will need to get a WPA-compliant configuration tool from their adapter vendor.

For more on WPA, see www.weca.net/OpenSection/secure.asp#resources.

For more on Microsoft’s WPA solution and to download the software update, see support.microsoft.com/?kbid=815485.