Just last week, Microsoft released the new WPA2 (Wi-Fi Protected Access version 2) patch for Windows XP SP2, and Microsoft presents a good overview of it in this month's edition of their Cable Guy articles. You can find the actual download for the WPA2 upgrade here.
WPA2 is an industry certification from the Wi-Fi Alliance (formerly known as the Wireless Ethernet Compatibility Alliance) that mandates IEEE 802.11i security compliance for any product that wants WPA2 certification. WPA2 certification ensures the interoperability of all hardware and software that operate in 802.11i security mode. WPA2 is the successor to the first WPA standard, which was a watered-down version of the 802.11i draft standard. While the original WPA standard only mandated that WEP be upgraded to TKIP (a hardened version of WEP) and left AES encryption optional, WPA2 mandates AES encryption capability. In addition to the superior encryption standard, WPA2 also brings us two new features, pre-authentication and PMK (Pairwise Master Key) caching, which enable fast roaming. Fast roaming allows a user to move from access point to access point in less than 1/10th of a second, which is the maximum threshold that applications like VoIP can tolerate without a noticeable glitch in audio quality. Without fast roaming, it can take more than a second to re-authenticate a user to a new access point, which can ruin a VoIP session or break certain applications like Citrix.
There are three components that must all be WPA2-capable in order to run a WPA2 network:
- 802.11 wireless access points
- Client Wireless NIC (Network Interface Card)
- Supplicant (the fancy IEEE word for client software)
The Microsoft WPA2 patch addresses the last of these three requirements. The remaining challenge is to get all of your access points and client wireless NICs upgraded to WPA2 capability. The Wi-Fi Alliance has an online database of companies and products that are capable of running WPA2 mode. Even though you're not going to be able to use WPA2 in most situations due to a lack of WPA2-capable drivers and firmware, the Microsoft WPA2 patch is a very important piece of the puzzle and lays the foundation for future upgrades. Without native OS support for WPA2, users are at the mercy of their wireless network card maker to bundle WPA2-capable software, or else must go out and spend around $40 on third-party software. The lack of native OS support would almost ensure that there will be no widespread deployment of WPA2, causing everyone to default to the WPA standard or, worse, fall back on WEP and leave themselves wide open to attack.
For the time being, most companies are still relying on WEP or Dynamic WEP and are vulnerable. They need to upgrade to WPA as soon as possible, since software and hardware support for it is almost universal. WPA can sometimes operate in the far more secure AES mode on some hardware, but not all WPA implementations in hardware and firmware support AES. WPA2 not only ensures AES interoperability, but also makes fast roaming a reality. Now that Microsoft has provided the software, all that is needed is new WPA2-capable firmware and drivers on access points and client adapters.
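If you want to check which of these modes your own access points actually advertise (WEP, WPA with TKIP, or WPA2 with AES), and whether they announce the 802.11i pre-authentication capability described above, the information is in every beacon frame. The following is an added example, not code from the original post or from Microsoft: a small Python decoder for the RSN (WPA2) information element and the older WPA vendor element that classifies a network and flags the ones that still need the upgrade. The element layouts follow IEEE 802.11i; the beacon bytes at the bottom are constructed for this example, not captured from any real network.

```python
"""Classify the security an 802.11 beacon advertises: open, WEP, WPA (TKIP)
or WPA2/802.11i (RSN), the ciphers and key management in use, and whether the
access point sets the 802.11i pre-authentication capability bit.

Added example, not from the original post. Element layouts follow the
IEEE 802.11i RSN element (ID 48) and the WPA v1 vendor element (ID 221,
OUI 00:50:F2, type 1). The sample beacons below are constructed.
"""
import struct

RSN_OUI = b"\x00\x0f\xac"   # suite selector OUI used by the RSN (WPA2) element
WPA_OUI = b"\x00\x50\xf2"   # suite selector OUI used by the WPA v1 element
CAP_PRIVACY = 0x0010         # Capability Information: Privacy bit (WEP if no RSN/WPA element)
RSN_CAP_PREAUTH = 0x0001     # RSN Capabilities: Pre-Authentication bit

CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP/AES", 5: "WEP-104"}
AKM_NAMES = {1: "802.1X", 2: "PSK"}


def iter_ies(tagged):
    """Walk the beacon's tagged parameters as (element ID, body) pairs."""
    off = 0
    while off + 2 <= len(tagged):
        eid, length = tagged[off], tagged[off + 1]
        body = tagged[off + 2:off + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        yield eid, body
        off += 2 + length


def _suite(sel, oui, names):
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if len(sel) != 4:
        raise ValueError("truncated suite selector")
    if sel[:3] != oui:
        return "vendor:" + sel.hex()
    return names.get(sel[3], "type-%d" % sel[3])


def _suite_list(body, off, oui, names):
    """Read a little-endian 16-bit count followed by that many selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    suites = [_suite(body[off + 4 * i:off + 4 * i + 4], oui, names) for i in range(count)]
    return suites, off + 4 * count


def parse_security_body(body, oui):
    """Parse the fields shared by RSN and WPA elements: version, group cipher,
    pairwise cipher list and AKM list. Also returns the offset of the
    RSN-only capability field that follows them."""
    (version,) = struct.unpack_from("<H", body, 0)
    group = _suite(body[2:6], oui, CIPHER_NAMES)
    pairwise, off = _suite_list(body, 6, oui, CIPHER_NAMES)
    akm, off = _suite_list(body, off, oui, AKM_NAMES)
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}, off


def classify(capability_info, tagged):
    """Describe the strongest mode the beacon advertises. RSN wins over WPA,
    which wins over the bare Privacy bit (WEP)."""
    rsn = wpa = None
    for eid, body in iter_ies(tagged):
        if eid == 48:
            rsn = body
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":
            wpa = body[4:]
    if rsn is not None:
        info, off = parse_security_body(rsn, RSN_OUI)
        caps = struct.unpack_from("<H", rsn, off)[0] if len(rsn) >= off + 2 else 0
        info.update(mode="WPA2", preauth=bool(caps & RSN_CAP_PREAUTH))
        return info
    if wpa is not None:
        info, _ = parse_security_body(wpa, WPA_OUI)
        info.update(mode="WPA", preauth=False)
        return info
    mode = "WEP" if capability_info & CAP_PRIVACY else "open"
    return {"mode": mode, "group": None, "pairwise": [], "akm": [], "preauth": False}


def needs_upgrade(info):
    """True unless the network is WPA2 with AES (CCMP) for group and pairwise
    traffic; WPA may still be TKIP-only, and WEP/open are out of the question."""
    ciphers = [info["group"]] + info["pairwise"]
    return info["mode"] != "WPA2" or any(c != "CCMP/AES" for c in ciphers)


# Constructed sample beacons: (capability info, tagged parameters). 0x0411 has
# the Privacy bit set; 0x0401 does not.
SSID = b"\x00\x05corp1"
RSN_AES_PREAUTH = SSID + bytes.fromhex(
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0100")
WPA_TKIP_PSK = SSID + bytes.fromhex(
    "dd16" "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f202")
WEP_ONLY = SSID

if __name__ == "__main__":
    for name, cap, tagged in [("rsn", 0x0411, RSN_AES_PREAUTH),
                              ("wpa", 0x0411, WPA_TKIP_PSK),
                              ("wep", 0x0411, WEP_ONLY),
                              ("open", 0x0401, WEP_ONLY)]:
        info = classify(cap, tagged)
        print(name, info, "needs upgrade:", needs_upgrade(info))
```

The RSN capability word is where an access point tells supplicants it supports pre-authentication, so a fleet-wide scan that runs this over captured beacons tells you both which networks are still on WEP or TKIP and which WPA2 networks will actually deliver the fast roaming the patch makes possible.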