Important:
This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
4/8/2010

Wi-Fi Protected Access (WPA) is an implementation that is based on a subset of the IEEE 802.11i standard. WPA, when used with the Temporal Key Integrity Protocol and the Michael message integrity check (MIC) algorithm, provides enhanced security for wireless networks.

The following table shows the security technologies that are included in the WPA standard:

Security technology Description

WPA Authentication

WPA requires the use of 802.1x authentication.

For wireless networks without a Remote Authentication Dial-In User Service (RADIUS) infrastructure, WPA supports the use of a preshared key. For wireless networks with a RADIUS infrastructure, Extensible Authentication Protocol (EAP) and RADIUS are supported.

WPA Key Management

WPA requires the rekeying of both unicast and global encryption keys. For the unicast encryption key, the Temporal Key Integrity Protocol (TKIP) changes the key for every frame, and the change is synchronized between the wireless client and the wireless access point (AP). For the global encryption key, WPA enables the wireless AP to advertise the changed key to the connected wireless clients.

Temporal Key Integrity Protocol (TKIP)

WPA requires encryption by using TKIP. TKIP replaces WEP with an encryption algorithm that is stronger than the WEP algorithm but uses the calculation technologies present on existing wireless devices to perform encryption operations. TKIP also provides the following services:

  • The verification of the security settings after the encryption keys are determined.

  • The synchronized changing of the unicast encryption key for each frame.

  • The determination of a unique starting unicast encryption key for each preshared key authentication.

Michael

WPA supports the Michael security algorithm. This algorithm calculates an 8-byte Message Integrity Code (MIC) using the calculation technologies available on existing wireless devices. The MIC is placed between the data portion of the IEEE 802.11 frame and the 4-byte ICV. The MIC field is encrypted together with the frame data and the ICV.

Michael also provides replay protection by including a new frame counter in the IEEE 802.11 frame that is used to prevent replay attacks.

AES Support

WPA defines the use of Advanced Encryption Standard (AES) as an additional replacement for WEP encryption. Because AES support may not be added to existing wireless devices through a firmware update, support for AES is optional and is dependent on vendor driver support.
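
The Michael entry in the table above describes an 8-byte MIC placed between the frame data and the 4-byte ICV. The following Python example, added here and not part of the original page, implements the Michael algorithm and builds the data || MIC || ICV plaintext that is then encrypted. It assumes an unfragmented frame and omits the encryption step; the function names are hypothetical.

```python
import hmac
import struct
import zlib

MASK = 0xFFFFFFFF

def _rol(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _xswap(v):
    # Swap the two bytes inside each 16-bit half of the word.
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)

def michael(key, msg):
    """Return the 8-byte Michael MIC of msg under an 8-byte key."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)
    # Padding: 0x5a, then 4 to 7 zero bytes so the length is a multiple of 4.
    padded = msg + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        r ^= _rol(l, 17); l = (l + r) & MASK
        r ^= _xswap(l);   l = (l + r) & MASK
        r ^= _rol(l, 3);  l = (l + r) & MASK
        r ^= _rol(l, 30); l = (l + r) & MASK  # rotate left 30 == rotate right 2
    return struct.pack("<II", l, r)

def _mic_input(da, sa, priority, payload):
    # Michael covers destination, source, priority, 3 zero bytes, then data.
    return da + sa + bytes([priority, 0, 0, 0]) + payload

def build_plaintext(mic_key, da, sa, priority, payload):
    """Return payload || 8-byte MIC || 4-byte ICV, the bytes that get encrypted."""
    mic = michael(mic_key, _mic_input(da, sa, priority, payload))
    icv = struct.pack("<I", zlib.crc32(payload + mic))  # ICV is a CRC-32
    return payload + mic + icv

def verify_plaintext(mic_key, da, sa, priority, plaintext):
    """Check ICV, then MIC, on a decrypted frame body; return payload or None."""
    if len(plaintext) < 12:
        return None
    payload, mic, icv = plaintext[:-12], plaintext[-12:-4], plaintext[-4:]
    if struct.pack("<I", zlib.crc32(payload + mic)) != icv:
        return None
    expected = michael(mic_key, _mic_input(da, sa, priority, payload))
    return payload if hmac.compare_digest(expected, mic) else None
```

A frame whose payload or source address has been changed fails the MIC check in `verify_plaintext` even when its CRC-32 ICV has been recomputed to match, which is the integrity gap in WEP that Michael closes.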
