ZyXEL Communications G-220F WPA, Encryption, User Authentication

ZyXEL G-220F User’ Guide

WPA

User Authentication

WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless stations using an external RADIUS database.

Encryption

WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES), Message Integrity Check (MIC) and IEEE 802.1x.

TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.

TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice.

The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless stations. This all happens in the background automatically.

AES (Advanced Encryption Standard) also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP makes it much more difficult to decrypt data on a Wi-Fi network than WEP, making it difficult for an intruder to break into the network.

The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA-PSK susceptible to brute-force password-guessing attacks but it’s still an improvement over WEP as it employs an easier-to- use, consistent, single, alphanumeric password.

Appendix E

88

Contents

User’s Guide Copyright Disclaimer Trademarks Federal Communications Commission (FCC) Interference Statement Notice Caution Certifications ZyXEL Limited Warranty Note Online Registration Customer Support Page Table of Contents Wireless Station Mode Configuration Maintenance Appendix A Appendix B Appendix C Appendix D Appendix E Page List of Figures Page List of Tables Page Preface About This User's Guide Related Documentation User Guide Feedback Syntax Conventions Graphics Icons Key Getting Started 1.1 About Your ZyXEL G-220F 1.1.1.1 Infrastructure 1.1.1.2 Ad-Hoc 1.1.1.3 Access Point Mode 1.2 ZyXEL G-220FHardware and Utility Installation 1.3 Configuration Methods 1.4 Windows XP Users Only 1.5 Accessing the ZyXEL Utility 1.6 Connecting to a Wireless LAN Security Settings 1.7 ZyXEL G-220FModes 1.8 ZyXEL Utility Screen Summary Page Wireless LAN Network 2.1 Wireless LAN Overview 2.2 Wireless LAN Security Overview 2.2.2.1 EAP Authentication 2.2.3.1 User Authentication 2.2.3.2 Encryption 2.2.4 WPA(2)-PSKApplication Example 2.2.5 WPA with RADIUS Application Example 2.3 Authentication Type 2.4Preamble Type 2.5 Introduction to OTIST 2.5.1.1 AP 2.5.1.2 Wireless Client 2.5.3Notes on OTIST Wireless Station Mode Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Access Point Mode Page Page Page Page Page Maintenance 5.1 The About Screen 5.2 Uninstalling the ZyXEL Utility 5.3 Upgrading the ZyXEL Utility Page Page Troubleshooting 6.1 Problems Starting the ZyXEL Utility Program 6.2 Problem Connecting to an Access Point 6.3 Problem with the Link Status 6.4 Problems Communicating With Other Computers Appendix A Product Specifications Page Appendix B Access Point Mode Setup Example Configuring the Computer on Which You Install the ZyXEL G- 220F Sharing Enable Internet Connection Sharing for this connection Configuring the Wireless Station Computer Page Via the Wireless Network System Tray Icon Wireless Network Connection Change advanced settings Related Tasks Wireless Networks Page Via the Control Panel Page Page Activating Wireless Zero Configuration Connecting to a Wireless Network Wireless Networks Wireless Network Connection Properties Refresh network list Refresh Available networks Configure Preferred Connect Security Settings Association Authentication Authentication Properties Smart Card or other Certificate Properties Ordering the Preferred Networks Wireless Networks Move up Move down Page Appendix E Types of EAP Authentication PEAP (Protected EAP) LEAP Dynamic WEP Key Exchange WPA Security Parameters Summary Appendix F Setting up Your Computer’s IP Address Windows 95/98/Me Installing Components Protocol Microsoft manufacturers TCP/IP Configuring IP Address Obtain an IP address automatically Specify an IP address Subnet Mask Windows 2000/NT/XP Network and Dial-up Connections 3Right-click Local Area Connection and then click Properties Internet Protocol (TCP/IP) General Use the following IP Address IP address Subnet mask Default gateway Advanced Macintosh OS 8/9 2Select Ethernet built-in from the Connect via list Using DHCP Server Configure: Macintosh OS Apply Now Page Index