The Wi-Fi Alliance recently introduced the Wi-Fi Protected Access (WPA) standard, which provides for
enhanced 802.11 wireless security. One of the strongest portions of this standard is the ability to provide
strong authentication via the IEEE 802.1x protocol for network port authentication. In order to leverage
this protocol, a RADIUS authentication infrastructure must be implemented, which is neither trivial nor cost-free.
As a result, the WPA standard has been created with a WPA-PSK (pre-shared key) mode which provides
for less robust authentication and, as such, does not require a RADIUS infrastructure (WPA-PSK used to
be referred to as WPA-Home). This WPA-PSK authentication comes in the form of a shared secret. This
shared secret is a password that is programmed into both the Access Point (AP) and into each 802.11
wireless computer or device.
This document describes some of the deficiencies and challenges associated with WPA-PSK when used
to secure 802.11 networks. It also illustrates how WSC Guard fills in the gaps to provide a
comprehensive 802.11 security solution.
In eliminating the need for an 802.1x/RADIUS infrastructure, WPA-PSK also eliminates the strong
authentication that comes with these services. Instead, WPA-PSK relies on a pre-shared key.
This pre-shared key is used to kick off the rotating WEP key required for encryption. Should this
single pre-shared key be compromised by an unauthorized entity, the entire 802.11 wireless
network (WLAN) in question would become vulnerable. Based on this significant vulnerability, the
Wi-Fi Alliance advises:
“The use of Pre-shared key is recommended for home use only, since the pre-shared key is used as the PMK [pairwise master key] impersonation between stations or a station impersonating an AP is possible.” Wi-Fi Alliance WPA standard, Section 8.2, Version 1.2 -- December 16, 2002.
By impersonating the AP, an unauthorized individual will have unencrypted access to all WLAN
data communicated by or to any wireless node. This could include, but is not limited to, data
communicated to and from file servers, storage devices, and internet applications. Aside from
exposing sensitive data to unauthorized eyes, this exploit could result in data manipulation and/or
One of the key advantages of wireless networking is the ability to allow temporary access to
visitors or guests of the WLAN. In order to allow a guest to have access to any portion of a
WPA-PSK WLAN, the shared secret must be given to that guest. The guest then has access to all of
the network resources available to the WLAN such as file servers, shared folders and shared
documents. This is a vulnerability that businesses should avoid if at all possible.
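The following added example (not part of the original paper or of WSC Guard) shows why the shared key gives no per-user separation, which is the basis of both the Wi-Fi Alliance warning quoted above and the guest-access concern. It uses the standard WPA-PSK derivation (PBKDF2-HMAC-SHA1 for the PMK, the 802.11i PRF for the pairwise transient key); the SSID, passphrase, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key (512 bits for TKIP) from the PMK and handshake values."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)

# Constructed sample values, not taken from the page.
SSID = "example-wlan"
PASSPHRASE = "constructed passphrase 01"
AP_MAC = bytes.fromhex("020000000001")
EMPLOYEE_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))        # AP nonce, sent unencrypted in the handshake
SNONCE = bytes(range(32, 64))    # station nonce, also sent unencrypted

def guest_can_rederive_session_key() -> bool:
    """True if a second holder of the passphrase arrives at the same PTK."""
    # Key the employee's laptop and the AP install after their handshake.
    employee_ptk = derive_ptk(derive_pmk(PASSPHRASE, SSID),
                              AP_MAC, EMPLOYEE_MAC, ANONCE, SNONCE)
    # A guest given the same passphrase derives the identical PMK. Every
    # other PTK input (both MACs, both nonces) is not secret.
    guest_pmk = derive_pmk(PASSPHRASE, SSID)
    guest_view = derive_ptk(guest_pmk, AP_MAC, EMPLOYEE_MAC, ANONCE, SNONCE)
    return hmac.compare_digest(employee_ptk, guest_view)

if __name__ == "__main__":
    print("PMK shared by every device:", derive_pmk(PASSPHRASE, SSID).hex())
    print("Guest derives employee's PTK:", guest_can_rederive_session_key())
```

With 802.1x/RADIUS authentication the PMK comes from each user's own authentication exchange rather than from a passphrase every device holds, so the second derivation above has no shared starting point.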
a shared secret but rather leverages unique and individual names and passwords for each
802.11 wireless user. Combined with the WSC Guard internet-accessible RADIUS environment,
subscribers benefit from a highly robust authentication service for their 802.11 WLAN.