7. WLAN Product Certifications
As mentioned in Section 2.1.2, Wi-Fi Protected Access (WPA) and WPA2 are security specifications developed by the Wi-Fi Alliance, a consortium of wireless product vendors that certifies the interoperability of WLAN products through its Wi-Fi CERTIFIED™ testing and branding program. This section provides an overview of the Wi-Fi Alliance certification programs, with an emphasis on WPA and WPA2. Organizations planning to deploy RSNs should understand the WPA and WPA2 certifications so that they can procure products with the certification levels that best match their WLAN requirements.
7.1 Wi-Fi Alliance Certification Programs
The Wi-Fi Alliance began conducting interoperability testing in April 2000 and has since awarded its Wi-Fi CERTIFIED™ label to over 2,500 WLAN products. Product categories include access points and a wide variety of clients, including embedded systems, internal and external wireless network interface cards, Universal Serial Bus (USB) devices, and printers. Table 7-1 reviews the three basic types of certifications: radio standards, network security, and multimedia content support. Radio standard certifications involve the electrical engineering aspects of WLAN communications, such as the frequency, power, and modulation of radio signals and the rules by which STAs contend for available channels. The certifications for network security, the subject of this guidance document, cover topics such as authentication and confidentiality services. Multimedia content support refers to quality of service mechanisms that give priority to streaming audio and video over other data, which helps prevent users from experiencing irregular, intermittent multimedia content delivery. To address quality of service interoperability issues, the Wi-Fi Alliance created its Wi-Fi Multimedia (WMM) certification.
Table 7-1. Wi-Fi Alliance Certification Programs
Certification Type         | Resulting Certification Label | Underlying Standard
Radio standards            | A                             | IEEE 802.11a
Radio standards            | B                             | IEEE 802.11b
Radio standards            | G                             | IEEE 802.11g
Network security           | WPA                           | IEEE 802.11i (subset)
Network security           | WPA2                          | IEEE 802.11i
Multimedia content support | Wi-Fi Multimedia (WMM)        | IEEE 802.11e (subset)
All Wi-Fi CERTIFIED™ products must pass interoperability testing with at least one of the radio standards. Otherwise, there would be no assurance that the products could perform their core function of WLAN communications. The network security and multimedia content support certifications supplement the radio standards certification. WPA compliance was initially optional for Wi-Fi CERTIFIED™ products, but was subsequently made mandatory. As of March 1, 2006, WPA2 compliance is mandatory; however, there is a grandfather clause for products that were certified WPA-compliant before that date. Wi-Fi Multimedia (WMM) compliance is likely to remain optional for the foreseeable future.
The Wi-Fi Alliance also manages a licensing program for Wi-Fi providers called Wi-Fi Zone. Organizations participating in the program agree to use Wi-Fi CERTIFIED™ products only and adhere to certain service standards. Customers that see the Wi-Fi Zone logo at an establishment offering Wi-Fi services are offered assurance that they can connect securely and reliably to the Internet.
7.2 Wi-Fi Alliance Network Security Certifications
WPA and WPA2 are the network security certifications offered by the Wi-Fi Alliance. This section describes these certifications and highlights their differences. It also explains the different certification levels available for both WPA and WPA2: Personal, which uses a pre-shared key for authentication; and Enterprise, which certifies the use of EAP authentication in addition to pre-shared key. This section also provides guidance on selecting the appropriate certification and certification level for particular environments.
7.2.1 WPA Features
The Wi-Fi Alliance introduced WPA in early 2003 to address serious vulnerabilities inherent in WEP, which was the only available IEEE 802.11 security protection at that time. WPA is essentially[92] a subset of IEEE 802.11i that provides a solution to WEP’s major problems. To accomplish this protection, WPA leverages the following core security features from IEEE 802.11i:
+ IEEE 802.1X and EAP authentication
+ Key generation and distribution based on the IEEE 802.11i 4-Way Handshake
+ TKIP mechanisms including
  – Encapsulation and decapsulation
  – Replay protection
  – Michael MIC integrity protection.
Table 7-2 summarizes the primary features provided by IEEE 802.11i that are not included in the WPA test criteria. Organizations that have deployed WPA-compliant equipment can still support IEEE 802.11i RSNs based on TKIP; however, organizations need to determine if the absence of the features not present in WPA is acceptable in their environment. For government organizations, where FIPS compliance is required, this is not acceptable.
Table 7-2. IEEE 802.11i Features Not Present in WPA
Feature | Discussion
IBSS support | WPA does not cover RSN peer-to-peer relationships (i.e., those without APs), also known as ad hoc mode, but this configuration is not common in most enterprises.
Secure fast handoff[93] (through Pre-Authentication and PMKSA caching) | This capability allows users to move from one BSS to another without having to go through the entire authentication process each time. Organizations whose users are expected to migrate between various BSSs frequently (e.g., more than once an hour) may require secure fast handoff to avoid a situation in which users demand a weakening of security requirements to improve performance when they are mobile.
AES-CCMP encapsulation | WPA does not require support for AES-CCMP because most Wi-Fi CERTIFIED™ products did not have the computing resources for AES encryption when WPA was released. In most cases, pre-WPA products can achieve WPA-level security with a software upgrade. However, organizations that require FIPS-validated encryption need to procure WLAN products that use FIPS-validated AES-CCMP modules.

[92] There are some subtle differences between the TKIP in WPA and in IEEE 802.11i, and the 4-Way Handshake. The WPA suites are also identified by a different OUI than the IEEE 802.11i suites.
[93] In reality, Pre-Authentication and PMKSA caching are not considered to provide a sufficiently fast handoff to support layer 2 mobility; this was one of the motivations for creating the IEEE 802.11r Task Group, Fast Roaming/Fast BSS Transition.
7.2.2 WPA2 Features
Released in September 2004, WPA2 is the Wi-Fi Alliance’s interoperability certification program for the complete ratified version of IEEE 802.11i. If a product holds the WPA2 certification, it complies completely with the IEEE 802.11 standard as amended by IEEE 802.11i and should work seamlessly with other WPA2-certified products under most operating conditions. Also, WPA2 is backward compatible with WPA, so any WPA2 product should be able to interoperate with a WPA product.[94]
WPA2 testing validates interoperability with selected EAP methods only, so WPA2 certification does not imply interoperability with all possible EAP methods. Currently, certification involves interoperability testing with the following EAP methods:
+ EAP-TLS
+ EAP-TTLS/MSCHAPv2
+ PEAPv0/EAP-MSCHAPv2
+ PEAPv1/EAP-GTC
+ EAP Subscriber Identity Module (EAP-SIM).
When a method is listed with a “/”, the first term is the actual EAP method, and the second term is the inner method tunneled within it. The Alliance may add to this list over time. Organizations procuring WPA2 products should either select EAP methods from the tested list or conduct their own interoperability testing on the equipment with their own authentication infrastructures.
WPA2 certification does not currently exist for products providing AS functionality. When the Alliance conducts its interoperability testing, it uses AAA servers running leading implementations of RADIUS and the tested EAP methods, but does not publicize which these are. If an organization selects a AAA server running a different implementation of RADIUS or the chosen EAP method, then there is no guarantee of interoperability. Conducting independent testing in enterprise environments is advised. Because Federal agencies are required to use encryption algorithms that are FIPS-approved, such as AES, they should procure WPA2 components with FIPS-validated cryptographic modules. WPA equipment is not FIPS-compliant because it utilizes the RC4 algorithm instead of AES. Products can obtain WPA2 certification without being FIPS-validated, so Federal agencies should check for both WPA2 certification and FIPS validation.
7.2.3 Modes of Operation
Both WPA and WPA2 have two modes of operation: Personal and Enterprise. The Personal mode involves the use of a pre-shared key for authentication, while the Enterprise mode uses IEEE 802.1X and EAP for this purpose. Products can be certified for both modes or for Personal mode only. Therefore, organizations that plan to use an authentication server rather than pre-shared keys should look specifically for the Enterprise certification. The use of an authentication server rather than pre-shared keys is recommended for most situations because of the impracticality of generating, deploying, and periodically replacing pre-shared keys.
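The WPA/WPA2 distinction of Sections 7.2.1 and 7.2.2 (WPA suites carry a different OUI than the IEEE 802.11i suites, and WPA relies on TKIP where WPA2 requires AES-CCMP) and the Personal/Enterprise modes of Section 7.2.3 are all visible in the security information elements that an AP advertises in its beacons, which makes them auditable without trusting a product's label. The script below is an added example, not part of this guide or of any Wi-Fi Alliance test suite: it decodes the WPA vendor-specific information element (OUI 00:50:F2, type 1) and the IEEE 802.11i RSN information element (element ID 48, OUI 00:0F:AC), names the advertised ciphers and key management (AKM) suites, and reports the procurement checks this section describes: whether WPA2 is advertised at all, whether a non-AES cipher is still offered, and whether key management is IEEE 802.1X (Enterprise) or a pre-shared key (Personal). The OUIs and suite type numbers are those defined in IEEE 802.11; the beacon bytes are constructed for this example.

```python
# Added example (not from NIST SP 800-97): decode the WPA and RSN information
# elements an AP advertises and apply the WPA/WPA2, cipher, and mode checks
# from Section 7.2. Sample beacon bytes below are constructed for this example.
import struct

WPA_OUI = bytes.fromhex("0050f2")   # Wi-Fi Alliance WPA suites (vendor-specific IE 221, type 1)
RSN_OUI = bytes.fromhex("000fac")   # IEEE 802.11i RSN suites (RSN IE 48)

CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_NAMES = {1: "IEEE 802.1X", 2: "PSK"}


def _suite(buf, off, oui):
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type) at buf[off]."""
    if buf[off:off + 3] != oui:
        raise ValueError("unexpected suite OUI %s" % buf[off:off + 3].hex())
    return buf[off + 3]


def _parse_suites(buf, off, oui):
    """Parse the part common to WPA and RSN IEs: version, group cipher, pairwise list, AKM list."""
    (version,) = struct.unpack_from("<H", buf, off)
    off += 2
    group = _suite(buf, off, oui)
    off += 4
    (n_pair,) = struct.unpack_from("<H", buf, off)
    off += 2
    pairwise = []
    for _ in range(n_pair):
        pairwise.append(_suite(buf, off, oui))
        off += 4
    (n_akm,) = struct.unpack_from("<H", buf, off)
    off += 2
    akms = []
    for _ in range(n_akm):
        akms.append(_suite(buf, off, oui))
        off += 4
    return version, group, pairwise, akms


def _describe(version, group, pairwise, akms):
    """Name the suites; AKM type 1 = IEEE 802.1X (Enterprise), type 2 = PSK (Personal)."""
    mode = "Enterprise" if 1 in akms else ("Personal" if 2 in akms else "unknown")
    return {
        "version": version,
        "group_cipher": CIPHER_NAMES.get(group, "type %d" % group),
        "pairwise_ciphers": [CIPHER_NAMES.get(c, "type %d" % c) for c in pairwise],
        "akm": [AKM_NAMES.get(a, "type %d" % a) for a in akms],
        "mode": mode,
    }


def parse_security_ies(ies):
    """Walk a beacon's tagged parameters and return {"WPA": ..., "WPA2": ...} for the IEs present."""
    result = {}
    off = 0
    while off + 2 <= len(ies):
        eid, length = ies[off], ies[off + 1]
        body = ies[off + 2:off + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        off += 2 + length
        if eid == 48:                                           # RSN IE: WPA2 / IEEE 802.11i
            result["WPA2"] = _describe(*_parse_suites(body, 0, RSN_OUI))
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":    # vendor IE carrying WPA
            result["WPA2" if False else "WPA"] = _describe(*_parse_suites(body, 4, WPA_OUI))
    return result


def assess(ies):
    """Return (decoded IEs, list of findings) using the procurement criteria of Section 7.2."""
    found = parse_security_ies(ies)
    findings = []
    if "WPA2" not in found:
        findings.append("no RSN IE: AP is not advertising WPA2 / IEEE 802.11i")
    ciphers = set()
    for info in found.values():
        ciphers.update(info["pairwise_ciphers"])
        ciphers.add(info["group_cipher"])
    weak = ciphers & {"TKIP", "WEP-40", "WEP-104"}
    if weak:
        findings.append("non-AES cipher offered (%s): not FIPS-approved" % ", ".join(sorted(weak)))
    if "WPA2" in found and found["WPA2"]["mode"] == "Personal":
        findings.append("WPA2 Personal (PSK) mode: Enterprise (IEEE 802.1X/EAP) is recommended")
    return found, findings


# Constructed beacon tagged parameters (SSID IE followed by the security IEs).
SSID_IE = bytes.fromhex("0007") + b"example"
RSN_CCMP_8021X = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
RSN_CCMP_PSK = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
WPA_TKIP_PSK = bytes.fromhex("dd16" "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f202")
WPA2_ENTERPRISE_IES = SSID_IE + RSN_CCMP_8021X            # what a FIPS-minded deployment should show
MIXED_WPA_WPA2_PSK_IES = SSID_IE + WPA_TKIP_PSK + RSN_CCMP_PSK   # legacy mixed-mode, pre-shared key

if __name__ == "__main__":
    for name, ies in (("WPA2-Enterprise", WPA2_ENTERPRISE_IES), ("WPA/WPA2 mixed PSK", MIXED_WPA_WPA2_PSK_IES)):
        found, findings = assess(ies)
        print(name, found, findings or "no findings")
```

The `assess` function deliberately treats a TKIP group cipher on an otherwise AES-CCMP network as a finding: the group key protects broadcast and multicast traffic, so a mixed-mode AP still carries data under a non-FIPS-approved algorithm even when the pairwise suite is CCMP.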
7.3 Summary
The Wi-Fi Alliance has established several certification programs to give consumers of WLAN products assurance that their systems comply with IEEE 802.11 specifications and can interoperate with similar equipment from other vendors. The following certifications have been created to test interoperability of IEEE 802.11i implementations:
+ WPA, which covers the subset of the IEEE 802.11i specification that addresses the weaknesses of WEP
+ WPA2, which extends WPA to include the full set of IEEE 802.11i requirements.
Federal agencies should procure WPA2 products that have been FIPS-validated; WPA products cannot be FIPS-validated because they do not support FIPS-approved encryption algorithms. WPA and WPA2 have both Personal and Enterprise modes of operation. Organizations that plan to deploy authentication servers as part of an IEEE 802.1X and EAP implementation should procure products with the Enterprise level certification; government organizations should also require FIPS conformance or NIST approval.