Motorola Enterprise WLAN Design Guide Version 1.2

Page 287

Wireless Standards 10-27

fully secure. Beginning March 13, 2006, WPA2 certification is mandatory for all new devices wishing to be certified by the Wi-Fi Alliance as Wi-Fi CERTIFIED.

10.2.2.1 Security in Pre-Shared Key Mode

Pre-shared key mode is designed for home and small office networks that do not require the complexity of an 802.1X authentication server. Each user must enter a passphrase to access the network. The passphrase can be from 8 to 63 printable ASCII characters or 64 hexadecimal digits (256 bits). If an ASCII passphrase is used, a key derivation function reduces it from 504 bits (63 characters * 8 bits/character) to 256 bits, using the SSID as an additional input. The passphrase can be stored on the user's computer at their discretion under most operating systems to avoid re-entry; it must remain stored in the wireless access point. Security is strengthened by employing the PBKDF2 key derivation function. However, weak passphrases remain vulnerable to password attacks. To protect against a brute force attack, a truly random passphrase of at least 20 characters should be used, and 33 characters or more is recommended. Some consumer chip manufacturers have attempted to avoid weak passphrases by automatically generating and distributing strong keys through a software or hardware interface that uses an external method of adding a new wireless adapter or appliance to a network. These methods include pushing a button (Broadcom SecureEasySetup and Buffalo AirStation One-Touch Secure System) and entering a short challenge phrase through software (Atheros JumpStart and ZyXEL OTIST). The Wi-Fi Alliance has standardized these methods and certifies compliance with them through a program called Wi-Fi Protected Setup (formerly Simple Config).

10.2.2.2 EAP Extensions Under WPA and WPA2 Enterprise

The Wi-Fi Alliance has announced the inclusion of additional EAP types in its certification programs for WPA and WPA2. This ensures WPA-Enterprise certified products can interoperate with one another. Previously, only EAP-TLS (Transport Layer Security) was certified by the Wi-Fi Alliance. The EAP types now included in the certification program are:

• EAP-TLS (previously tested)
• EAP-TTLS/MSCHAPv2
• PEAPv0/EAP-MSCHAPv2
• PEAPv1/EAP-GTC
• EAP-SIM

Other EAP types can be supported by 802.1X clients and servers. Certification is an attempt to ensure that implementations of these EAP types interoperate. Their failure to do so is currently one of the major issues preventing the rollout of 802.1X on heterogeneous networks.

Hardware support

Most newer Wi-Fi certified devices support the security protocols discussed above, as compliance with the protocol has been required for Wi-Fi certification since September 2003. The protocol certified through the Wi-Fi Alliance's WPA program (and to a lesser extent WPA2) was specifically designed to work with wireless hardware produced prior to the introduction of the protocol. Many of these devices support the security protocol after a firmware upgrade. However, firmware upgrades are not available for all legacy devices.

