Wi-Fi Protected Access#WPA2

Wi-Fi Protected Access 2 (WPA2) is the implementation of a security standard for wireless networks that follow the WLAN standards IEEE 802.11a, b, g and n, and is based on the Advanced Encryption Standard (AES). It is the successor to WPA, which in turn is based on Wired Equivalent Privacy (WEP), now considered insecure. WPA2 implements the basic functions of the new IEEE 802.11i security standard.

Background

To protect the data transmitted on a wireless network and the participating clients, the security standard Wired Equivalent Privacy (WEP) was introduced. After a relatively short time, this standard turned out to be vulnerable to attack: by recording and analyzing large amounts of data, the network key can be determined. The authentication built into WEP does not pose a significant obstacle for attackers either.

A more far-reaching and very extensive standard for WLAN security (IEEE 802.11i) was in the works at that time, but its adoption was not in sight. Therefore, an interim standard was created from the parts that had more or less been agreed: WPA. Through features such as dynamic keys, sound authentication, and RADIUS authentication, it was able to restore security to wireless networks.

As the IEEE 802.11i standard, which is based on the AES encryption algorithm, progressed, efforts were also made to integrate AES into WPA. This led to the WPA2 standard. The manufacturers' association Wi-Fi Alliance was the first to begin certifying wireless devices for WPA2, on September 1, 2004.

For WPA and WPA2, only password attacks are known to date. For this reason, it is strongly recommended to use a sufficiently long password (at least 20 characters, with uppercase and lowercase letters, special characters and numbers) that, as far as possible, does not consist entirely of meaningful words (see dictionary attack). Some manufacturers offer a proprietary method of copying the password to a USB stick in order to transfer it to the clients to be connected; it need not be changed after the one-time installation. A wireless router protected with WPA2 encryption, a sufficiently long password and WPS disabled is today regarded as virtually unbreakable.

Differences to WPA

WPA2 uses the AES encryption standard when CCMP is used as the protocol. WPA, however, supports only the RC4 stream cipher already used in WEP, although it is used together with TKIP. CCMP is intended to replace TKIP in the long run.

A simple switch from WEP or WPA to WPA2 through a firmware update is possible on many, but not all, devices. Some hardware is too slow to implement AES encryption in software. The only remedy then is new devices with more computing power or dedicated hardware for AES.

Technical parameters

Encryption

The encryption is based on the Advanced Encryption Standard (AES).

Authentication

To authenticate the client to the access point and vice versa, either a secret text, the pre-shared key (PSK), or a RADIUS server can be used.

Authentication with a pre-shared key is common in small installations, such as those of private users, and is therefore also referred to as "Personal".

In larger networks, the use of RADIUS enables centralized user administration, including accounting. In this case the access point forwards the client's authentication request to the RADIUS server and, depending on the outcome, grants access. WPA and WPA2 via RADIUS allow additional authentication methods through the use of EAP and TTLS. This variant of WPA2 is often referred to as "Enterprise".

Compatibility

WPA2 and WPA are only ever used separately. However, some access points support the simultaneous use of both encryption methods within one network.

All devices that are to be certified for WPA2 by the Wi-Fi Alliance must meet the IEEE 802.11i standard.

Security

WPA2 meets the strict security requirements for data exchange set out in the U.S. government standard FIPS 140-2. In Germany, according to the Bundesgerichtshof (BGH), the WPA security standard already meets what is required. In its decision, however, the court referred explicitly to the state of the art in 2006.

Security measures

With the PSK method, the first priority should be the choice of a secure WPA network key (also called a passphrase or pre-shared key). It should use the maximum key length of 63 characters. What matters here is a loose combination of letters, numbers and special characters, to make brute-force or dictionary attacks harder (see also the relevant section in the article Password). However, special characters in the password can cause problems on some operating systems, especially Apple iOS. Particular care is needed with special characters from international character sets (e.g. ü, ö, ä or §). Depending on the operating system (Microsoft Windows, Mac OS X, Unix), these are encoded completely differently and are not compatible with one another. Changing the network key regularly also increases security against long-running eavesdropping.
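
The encoding problem and the length advice described above can be checked before a passphrase is rolled out. The following Python sketch is an added example, not part of the original article: it derives the WPA/WPA2-PSK master key the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256 bits) and shows that a passphrase with umlauts yields different keys under different byte encodings. The SSID, the sample passphrases, the 8-character lower bound (taken from the standard, not from this article) and the function names are assumptions made for illustration.

```python
import hashlib

def derive_pmk(passphrase, ssid, encoding="utf-8"):
    """Pairwise master key for WPA/WPA2-PSK as defined in IEEE 802.11i:
    PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32-byte output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(encoding),
                               ssid.encode("utf-8"), 4096, 32)

def audit_passphrase(passphrase):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside 8..63 characters")
    elif len(passphrase) < 20:
        findings.append("shorter than the 20 characters recommended above")
    # Anything outside printable ASCII may be encoded differently per client OS.
    odd = sorted({c for c in passphrase if not 0x20 <= ord(c) <= 0x7E})
    if odd:
        findings.append("non-portable characters: " + " ".join(odd))
    return findings

def encoding_mismatch(passphrase, ssid):
    """True if a UTF-8 client and a Latin-1 client would derive different
    keys from the same typed passphrase and therefore fail to associate."""
    return (derive_pmk(passphrase, ssid, "utf-8")
            != derive_pmk(passphrase, ssid, "latin-1"))

if __name__ == "__main__":
    ssid = "ExampleNet"                       # constructed sample SSID
    samples = [                               # constructed sample passphrases
        "Grüße-aus-dem-Büro-2024!",
        "correct-Horse-7-battery-Staple!",
        "short",
    ]
    for p in samples:
        print(repr(p), audit_passphrase(p))
        if 8 <= len(p) <= 63:
            print("  keys differ across encodings:", encoding_mismatch(p, ssid))
```

A passphrase limited to printable ASCII derives the same key on every client, which is why the audit flags anything outside that range.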

Other general safety measures can be found in the section Basic safety measures of the main article Wireless Local Area Network.
