Page 448 - From GMS to LTE
P. 448

434  From GSM to LTE-Advanced Pro and 5G

            6.7.2  WPA and WPA2 Personal Mode Authentication
            Owing  to the security problems presented  above, the  IEEE 802.11i working group
              created the 802.1x standard, which offers a solution to all security problems that have
            been found up to this point. As ratification of the 802.11i was considerably delayed, the
            industry went forward on its own and created the Wireless Protected Access (WPA)
            standard. WPA contains all the important features of 802.11i and has been specified in
            such a way as to allow vendors to implement WPA on hardware that was originally
            designed for WEP encryption only.
             The security issues of WEP are solved by WPA with an improved authentication
            scheme during connection establishment and a new encryption algorithm. As has been
            shown in Figure 6.8, a client device performs a pseudo‐authentication and an association
            procedure during the first contact with the network. With WPA, this is followed by
            another authentication procedure and a secure exchange of ciphering keys. The first
            authentication is therefore no longer necessary but has been kept for backward compatibility
            reasons. To inform client devices that a network requires WPA instead of WEP authen-
            tication and encryption, an additional parameter is included in beacon frames. This
            parameter also contains additional information about the algorithms to be used for the
            process. Early WPA devices only implemented the Temporal Key Integrity Protocol
            (TKIP) for encryption. Current devices also support the Advanced Encryption Standard
            (AES), which has become mandatory with the introduction of WPA2. Further details
            are discussed below.
             Figure 6.22 shows the four additional steps that have been introduced by the WPA
            Pre‐Shared Key (PSK) authentication method with which client devices can authenticate
            themselves to the network and vice versa. The method is referred to as PSK authentication,
            as the same key is stored in the client devices and in the AP. During the process, the
            client device and the AP derive a common key pair for the ciphering of user data, which
            is referred to as the session key.




                               Access   Figure 6.22  WPA‐PSK authentication and ciphering key
              Client                    exchange.
                                point
              Open system authentication

                Association procedure

                  802.1x authentication
                  Random value
                  802.1x authentication
                  Reply + random value
                  802.1x authentication
                  Install key
                  802.1x authentication
                  Acknowledge

                  802.1x authentication
                  Install multicast key
                  (already encrypted)
   443   444   445   446   447   448   449   450   451   452   453