In response to the problems with WEP, the WiFi Alliance released WiFi Protected Access (WPA). WPA was initially released in two forms: Pre-Shared Key (WPA-PSK) and in conjunction with RADIUS. WPA uses Temporal Key Integrity Protocol (TKIP) to hash the IVs with the WPA key to create the RC4 key that is transmitted. Initially, this appeared to be the fix to the problems with wireless security; however, as vulnerabilities were discovered in WPA when deployed using the Pre-Shared Key, it became apparent that further attention had to be paid to wireless security, and WPA2 was developed to address these issues.
WPA-PSK
WPA with a Pre-Shared Key is the easiest way to deploy WPA on a wireless network. WPA-PSK is sometimes referred to as WPA Personal because it was designed for use primarily in home networks or smaller corporate environments. To use WPA-PSK, a passphrase is set on the access point, and any client that wants to connect to it must transmit the passphrase. WPA-PSK works well unless the passphrase is shorter than 21 characters. If the passphrase is shorter than 21 characters, it can be guessed using a dictionary attack. The disclosure of this vulnerability led many experts to believe that wireless could never be deployed securely, and the WiFi Alliance went back to work to develop yet another security mechanism
for wireless networks.
WPA-RADIUS
WPA can also be used in conjunction with a backend RADIUS server to perform authentication. This mechanism is sometimes referred to as WPA Enterprise because it was designed to be used in large environments in which distributing the PSK to each individual might not be feasible. This mechanism removes the requirement of a Pre-Shared Key and instead uses WPA to transmit authentication information
to the RADIUS server. WPA-RADIUS relies on an Extensible Authentication Protocol (EAP). EAPTLS was initially certified by the WiFi Alliance for use with WPA-RADIUS; however, five additional
EAPs have now been certified:
❑ EAP-TLS/MSCHAPv2
❑ PEAPv0/EAP-MSCHAPv2
❑ PEAPv1/EAP-GTC
❑ EAP-SIM
❑ EAP-LEAP
Currently, no known weaknesses are associated with WPA-RADIUS.
WPA2
WPA2, sometimes called 802.11i, requires the use of the Advanced Encryption Standard (AES) instead of TKIP but operates in the same way as WPA. WPA2 can also be deployed with either a PSK or by using a RADIUS server. No WPA2 vulnerabilities have been discovered to date.