
WPA-PSK: A Limited Solution for Securing a Wireless Network

Introduction

The Wi-Fi Alliance recently introduced the Wi-Fi Protected Access (WPA) standard, which provides for
enhanced 802.11 wireless security. One of the strongest portions of this standard is the ability to provide
strong authentication via the 802.1x IEEE protocol for network port authentication. In order to leverage
this protocol, a RADIUS authentication infrastructure must be implemented, which is neither trivial nor cost-free.
As a result, the WPA standard has been created with a WPA-PSK (pre-shared key) mode which provides
for less robust authentication and, as such, does not require a RADIUS infrastructure (WPA-PSK used to
be referred to as WPA-Home). This WPA-PSK authentication comes in the form of a shared secret. This
shared secret is a password that is programmed into both the Access Point (AP) and into each 802.11
wireless computer or device.

This document describes some of the deficiencies and challenges associated with WPA-PSK when used
to secure 802.11 networks. It also illustrates how WSC Guard fills in the gaps to provide a
comprehensive 802.11 security solution.

WPA-PSK

Security

• In eliminating the need for an 802.1x/RADIUS infrastructure, WPA-PSK also eliminates the strong
authentication that comes with these services. Instead, WPA-PSK relies on a pre-shared key.
This pre-shared key is used to kick off the rotating WEP key required for encryption. Should this
single pre-shared key be compromised by an unauthorized entity, the entire 802.11 wireless
network (WLAN) in question would become vulnerable. Based on this significant vulnerability, the
Wi-Fi Alliance advises:

“The use of Pre-shared key is recommended for home use only, since the pre-shared key is used
as the PMK [pairwise master key] impersonation between stations or a station impersonating an
AP is possible.” Wi-Fi Alliance WPA standard, Section 8.2, Version 1.2 -- December 16, 2002.

By impersonating the AP, an unauthorized individual will have unencrypted access to all WLAN
data communicated by or to any wireless node. This could include, but is not limited to, data
communicated to and from file servers, storage devices, and internet applications. Aside from
exposing sensitive data to unauthorized eyes, this exploit could result in data manipulation and/or
business disruption.

• One of the key advantages of wireless networking is the ability to allow temporary access to
visitors or guests of the WLAN. In order to allow a guest to have access to any portion of a WPA-
PSK WLAN, the shared secret must be given to that guest. The guest then has access to all of
the network resources available to the WLAN such as file servers, shared folders and shared
documents. This is a vulnerability that businesses should avoid if at all possible.

➢ WSC Guard leverages the 802.1x protocol for network port authentication, which does not rely on
a shared secret but rather leverages unique and individual names and passwords for each
802.11 wireless user. Combined with the WSC Guard internet-accessible RADIUS environment,
subscribers benefit from a highly robust authentication service for their 802.11 WLAN.

Wireless Security Corporation. All Rights Reserved 1


➢ WSC Guard’s fine-grained access control¹ allows for guest users to have access restricted only
to specific WLAN resources (if desired) for additional security.

Management

The shared secret leveraged by WPA-PSK is difficult to manage since it is the same for each and every
802.11 wireless node. In addition, each access point on the WLAN must have the same shared secret in
order for wireless nodes to roam between them. In order to change this shared secret, each client node
must be touched. The practical implications of this are significant:

• Standard security practices call for passwords to be changed on a regular basis. Changing
passwords with WPA-PSK requires reconfiguring the shared secret on each and every wireless
node along with each access point on the WLAN. This can be difficult and time-consuming since
wireless users are often not all in the office at the same time.

• One of the key advantages of wireless networking is the ability to allow temporary access to
visitors or guests of the WLAN. In order to allow a guest to have access to any portion of a WPA-
PSK WLAN, the shared secret must be given to that guest. Once the guest departs, this shared
secret must be changed in order to ensure adequate security for the WPA-PSK WLAN. As stated
above, changing the shared secret requires reconfiguring each and every wireless node along
with each access point on the WLAN. Due to the nature of wireless networking, this is a
time-consuming and difficult process.

➢ WSC Guard allows the network owner to provide temporary guest access to specific network
resources with an individual user name and password. This alleviates the need to change shared
keys on each and every wireless node when providing a single user with temporary access to the
WLAN.

➢ WSC Guard’s fine-grained access control¹ allows for each user to have access rights to specific
network resources. These features ease 802.11 WLAN administration and lower support costs
as a result.

Conclusion

In summary, WPA-PSK lacks a robust 802.11 wireless authentication method and fails to ease network
administration in a multi-node WLAN environment.

By contrast, WSC Guard provides a comprehensive, business-class security solution designed
specifically for 802.11 wireless networking that performs well and, with its subscription-based service
model, reduces the end user’s costs.

¹ Available in a future release
