WPA includes mechanisms from the emerging 802.11i standard for improving wireless data encryption. WPA uses TKIP, which keeps the same cipher as WEP (RC4) but constructs the per-packet encryption key in a different way. These technologies are easily implemented using the graphical user interface (GUI) of the Cisco AP.
TKIP is also called WEP key hashing and was initially referred to as WEP2. TKIP is a temporary solution that fixes the key reuse problem of WEP, as illustrated in the accompanying figure. WEP prepends a 24-bit initialization vector (IV) to a static shared key, so the same IV, and therefore the same RC4 key stream, recurs after a few million frames on a busy network. The TKIP process begins with a 128-bit temporal key; under WPA each client and the access point derive their own pairwise temporal key when the client associates, and a separate group temporal key protects broadcast traffic. TKIP first mixes the temporal key with the transmitter's MAC address and the upper 32 bits of a 48-bit (6-octet) per-packet sequence counter, the TKIP sequence counter (TSC), which replaces WEP's 24-bit IV (phase 1). It then mixes that intermediate value with the lower 16 bits of the TSC to produce the key that encrypts the frame (phase 2). This is illustrated in the accompanying figure. Because the transmitter address is an input, two stations holding the same temporal key and the same counter value still produce different key streams, and because the TSC increments on every frame, a key stream is never reused under one temporal key. WEP key hashing also protects against the weak-IV attacks on WEP: the RC4 key is no longer simply the IV prepended to a static key, and the second byte of the transmitted IV is forced to the form (TSC1 | 0x20) & 0x7F, which avoids the known weak-IV class.
TKIP uses RC4 to perform the encryption, the same cipher as WEP. A major difference from WEP, however, is that the key fed to RC4 changes on every frame, and TKIP also rekeys: the temporal key itself is changed every 10,000 packets. This provides a dynamic key distribution method that significantly enhances the security of the network compared with WEP's static keys.
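The two-phase key mixing described above, written out as a worked example for this section (this is illustrative code added here, not Cisco's firmware or any product's implementation). The AES S-box is computed rather than typed in, the TKIP S-box is derived from it, and the two phases follow the 802.11i pseudo-code. The temporal key 00..0F and transmitter address 10-22-33-44-55-66 used in the demo are the inputs of the first entries in the IEEE 802.11 TKIP test-vector annex; the expected RC4 keys are given in the usage note.

```python
"""TKIP per-packet key mixing (IEEE 802.11i TKIP), illustrative code for this
section. Not Cisco code. Inputs: 16-byte temporal key TK, 6-byte transmitter
address TA, 48-bit TKIP sequence counter TSC. Output: 16-byte RC4 key."""


def _xtime(a):                      # multiply by x in GF(2^8) mod x^8+x^4+x^3+x+1
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a


def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _gf_inv(a):                     # a^254 == a^-1 in GF(2^8); 0 maps to 0
    r, e = 1, 254
    while e:
        if e & 1:
            r = _gf_mul(r, a)
        a, e = _gf_mul(a, a), e >> 1
    return r


def _aes_sbox_entry(i):             # inverse followed by the AES affine map
    x = s = _gf_inv(i)
    for _ in range(4):
        x = ((x << 1) | (x >> 7)) & 0xFF
        s ^= x
    return s ^ 0x63


# TKIP S-box: 16-bit entries (2*sbox[i] << 8) | 3*sbox[i]. The standard's second
# table is the byte-swapped first table, so only one is stored.
_TKIP_SBOX = [(_xtime(s) << 8) | (_xtime(s) ^ s)
              for s in (_aes_sbox_entry(i) for i in range(256))]


def _S(v):                          # 16-bit S-box lookup used by both phases
    lo, hi = _TKIP_SBOX[v & 0xFF], _TKIP_SBOX[v >> 8]
    return lo ^ (((hi & 0xFF) << 8) | (hi >> 8))


def _le16(b, off):
    return b[off] | (b[off + 1] << 8)


def _ror1(v):
    return ((v >> 1) | ((v & 1) << 15)) & 0xFFFF


def tkip_phase1(tk, ta, iv32):
    """Phase 1: mix TK with the transmitter address and the upper 32 bits of
    the TSC. Only needs recomputing once every 65536 frames."""
    p = [iv32 & 0xFFFF, (iv32 >> 16) & 0xFFFF,
         _le16(ta, 0), _le16(ta, 2), _le16(ta, 4)]
    for i in range(8):
        j = 2 * (i & 1)
        p[0] = (p[0] + _S(p[4] ^ _le16(tk, j))) & 0xFFFF
        p[1] = (p[1] + _S(p[0] ^ _le16(tk, 4 + j))) & 0xFFFF
        p[2] = (p[2] + _S(p[1] ^ _le16(tk, 8 + j))) & 0xFFFF
        p[3] = (p[3] + _S(p[2] ^ _le16(tk, 12 + j))) & 0xFFFF
        p[4] = (p[4] + _S(p[3] ^ _le16(tk, j)) + i) & 0xFFFF
    return p


def tkip_phase2(tk, p1k, iv16):
    """Phase 2: mix the phase-1 output with the low 16 bits of the TSC and
    build the 16-byte RC4 key: a 3-byte WEP-style IV plus 13 key bytes."""
    k = list(p1k) + [(p1k[4] + iv16) & 0xFFFF]
    for n in range(6):
        k[n] = (k[n] + _S(k[(n + 5) % 6] ^ _le16(tk, 2 * n))) & 0xFFFF
    k[0] = (k[0] + _ror1(k[5] ^ _le16(tk, 12))) & 0xFFFF
    k[1] = (k[1] + _ror1(k[0] ^ _le16(tk, 14))) & 0xFFFF
    for n in range(2, 6):
        k[n] = (k[n] + _ror1(k[n - 1])) & 0xFFFF
    hi, lo = iv16 >> 8, iv16 & 0xFF
    # Second IV byte is forced to (hi | 0x20) & 0x7F: dodges the weak-IV class.
    seed = bytes([hi, (hi | 0x20) & 0x7F, lo,
                  ((k[5] ^ _le16(tk, 0)) >> 1) & 0xFF])
    return seed + b"".join(bytes([w & 0xFF, w >> 8]) for w in k)


def tkip_per_packet_key(tk, ta, tsc):
    """Both phases for one frame; tsc is the 48-bit TKIP sequence counter."""
    return tkip_phase2(tk, tkip_phase1(tk, ta, (tsc >> 16) & 0xFFFFFFFF), tsc & 0xFFFF)


def tkip_iv_header(tsc, key_id=0):
    """The 8-octet IV / Extended IV header that carries the TSC on the air."""
    t = tsc.to_bytes(6, "little")   # t[0] = TSC0 ... t[5] = TSC5
    return bytes([t[1], (t[1] | 0x20) & 0x7F, t[0], (key_id << 6) | 0x20]) + t[2:6]


if __name__ == "__main__":
    TK, TA = bytes(range(16)), bytes.fromhex("102233445566")   # spec test inputs
    for tsc in (0, 1, 0x10000):
        print(f"TSC={tsc:#014x} hdr={tkip_iv_header(tsc).hex()} "
              f"RC4 key={tkip_per_packet_key(TK, TA, tsc).hex()}")
```

With those inputs, the annex gives phase-1 output 3DD2 016E 76F4 8697 B2E8 and RC4 keys 00 20 00 33 EA 8D 2F 60 CA 6D 13 74 23 4A 66 0B for TSC 0 and 00 20 01 90 FF DC 31 43 89 A9 D9 D0 74 FD 20 AA for TSC 1. The first three key bytes are the IV that is sent in the clear, so an eavesdropper sees the counter but not the 13 mixed bytes that follow; changing the transmitter address by one bit changes every mixed byte, which is the property that keeps stations sharing a group key from sharing a key stream.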
An advantage of TKIP is that companies with existing WEP-based access points and radio NICs can upgrade to TKIP through relatively simple firmware patches, because the RC4 engine already in the hardware is reused. In addition, WEP-only equipment will still interoperate with TKIP-enabled devices, but only by falling back to WEP for those stations, which reintroduces WEP's weaknesses for that traffic. TKIP is only a temporary solution. Most experts believe that stronger encryption is still needed; 802.11i provides it in the form of AES-based CCMP, which generally requires new hardware.