Hardening Wireless LAN Connections, Part 2 - Temporal Key Integrity Protocol
Although 802.1x addresses the authentication problems with WEP, it does not address the security problems caused by WEP's weak encryption keys or the ability of a hacker to determine what the WEP key is. TKIP fixes this. TKIP uses 256-bit encryption keys that are generated through a more sophisticated procedure to provide a much stronger encryption key. TKIP functions by adding the client MAC address and a 48-bit IV to a 128-bit temporal key (which is shared among clients) to guarantee that the encryption key is unique. The temporal key is changed every 10,000 packets, so that a hacker who manages to ascertain the encryption key cannot begin decoding all packets, which strengthens the security of the network.
Message Integrity Check
WPA also uses a MIC known as Michael to verify message integrity. A 64-bit value is calculated over the message using the Michael algorithm, and it can be used to detect potential tampering with the message or data.
Hardening WPA Using Pre-shared Keys
WPA using pre-shared keys (WPA-PSK) is a very common method of configuring wireless connections, because using pre-shared keys does not require an investment in any AAA mechanisms such as RADIUS. The drawback is the same as with any other use of pre-shared keys: it does not scale as well in large environments as RADIUS does. Also, because the keys are human generated, they are more susceptible to cracking.
Configuring the Cisco Aironet 1200 for WPA-PSK is a multistep process. The first step is to configure TKIP as the cipher and to clear all encryption keys at the Security | Encryption Manager screen, as shown next. When you are finished, click Apply.


The next step is to configure the WPA-PSK settings for the SSID at the Security | SSID Manager screen. First, select the SSID you want to configure. Next, scroll down to the Authenticated Key Management section (shown next), select Mandatory, and check WPA for Key Management. Enter the WPA Pre-shared Key value. When you are finished, click Apply.

For the Linksys WAP54G, you configure the WPA settings at the Security Settings screen (shown next), just like the WEP configuration. Simply select WPA Pre-shared Key from the Security Mode drop-down box. For the WPA Algorithm setting, select TKIP or AES. AES is more secure, but it can have a negative impact on performance and is not supported by all wireless NICs. Next, enter the WPA shared key that should be used. The shared key should conform to your password security policy. Finally, enter the group key renewal time (default 300 seconds) and click Save Settings when you are finished.


You can configure WPA using pre-shared keys on the Dell TrueMobile 2300 at the Basic Settings | Wireless Security screen, shown next. Simply check to enable wireless security and select WPA for the network authentication method. Enter the appropriate WPA pre-shared key and select the proper key format and WPA group rekey interval (default 300). Finally, specify whether to use TKIP or AES (Dell has the same limitations as Linksys). When you are finished, click Save & Apply and then click Save & Restart when prompted.
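The following is an added example, not part of the original text or any vendor's code: a pre-deployment check for the value you are about to enter as the WPA pre-shared key, covering the key format choice and the password policy point made above. The passphrase-to-key mapping (PBKDF2-HMAC-SHA1 salted with the SSID, 4096 iterations) comes from IEEE 802.11i; the policy thresholds, function names and sample values are assumptions made for illustration.

```python
import hashlib
import string

MIN_POLICY_LEN = 20   # assumed site policy, not a WPA requirement
MIN_DISTINCT = 8      # assumed site policy

def classify_key(value):
    """Return 'hex' for a raw 256-bit key or 'passphrase' for 8-63 printable ASCII."""
    if len(value) == 64 and set(value) <= set(string.hexdigits):
        return "hex"
    if 8 <= len(value) <= 63 and all(32 <= ord(c) <= 126 for c in value):
        return "passphrase"
    raise ValueError("need 8-63 printable ASCII characters or 64 hex digits")

def derive_psk(value, ssid):
    """Map the entered value to the 256-bit key the AP and clients actually use."""
    if classify_key(value) == "hex":
        return bytes.fromhex(value)
    # IEEE 802.11i passphrase mapping: the SSID is the salt, so the same
    # passphrase gives a different key on a differently named network.
    return hashlib.pbkdf2_hmac("sha1", value.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def policy_findings(value, ssid):
    """List reasons a human-chosen passphrase fails the assumed policy."""
    if classify_key(value) == "hex":
        return []   # raw key: nothing human-chosen to assess here
    findings = []
    if len(value) < MIN_POLICY_LEN:
        findings.append("shorter than %d characters" % MIN_POLICY_LEN)
    if ssid and ssid.lower() in value.lower():
        findings.append("contains the SSID")
    if len(set(value.lower())) < MIN_DISTINCT:
        findings.append("fewer than %d distinct characters" % MIN_DISTINCT)
    if value.isalpha() or value.isdigit():
        findings.append("single character class")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs: (candidate key, SSID)
    samples = [("password", "IEEE"),
               ("officewifi2004", "OfficeWiFi"),
               ("cobalt-Heron_47 drifts past 9 lanterns", "OfficeWiFi")]
    for key, ssid in samples:
        print(ssid, derive_psk(key, ssid).hex()[:16] + "...",
              policy_findings(key, ssid) or "ok")
```

A value that passes the format check but returns findings will still be accepted by the access point, so run the check before typing the key into the configuration screen.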


