Microsoft lays the groundwork for WPA2 and 802.11i

Summary: Just last week, Microsoft released the new WPA2 (Wi-Fi Protected Access version 2) patch for Windows XP SP2, and Microsoft presents a good overview of it in this month's edition of their Cable Guy articles.  You can find the actual download for the WPA2 upgrade here.


WPA2 is an industry certification from the Wi-Fi Alliance (formerly known as the Wireless Ethernet Compatibility Alliance) that mandates IEEE 802.11i security compliance for any product that wants WPA2 certification.  WPA2 certification ensures the interoperability of all hardware and software that operate in 802.11i security mode.  WPA2 is the successor to the first WPA standard, which was a watered-down version of the 802.11i draft standard.  While the original WPA standard only mandated that WEP be upgraded to TKIP (a hardened version of WEP) and left AES encryption optional, WPA2 mandates AES encryption capability.  In addition to the superior encryption standard, WPA2 brings two new features, pre-authentication and PMK (Pairwise Master Key) caching, which enable fast roaming.  Fast roaming allows a user to move from access point to access point in less than 1/10th of a second, which is the maximum delay that applications like VoIP can tolerate without a noticeable glitch in audio quality.  Without fast roaming, it can take more than a second to re-authenticate a user to a new access point, which can ruin a VoIP session or break certain applications like Citrix.
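The following Python model is an added illustration, not code from the article or from Microsoft, of why PMK caching and pre-authentication make the fast roam possible: the station offers a PMKID computed as 802.11i defines it (HMAC-SHA1-128 over "PMK Name", the AP address and the station address), and an AP that still holds that PMK skips the full 802.1X exchange and proceeds directly to the 4-way handshake. The 802.1X/RADIUS exchange itself is stubbed with a constructed random key, and the `AccessPoint`/`Station` class and method names are assumptions made for the example.

```python
import hashlib
import hmac
import os

def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """802.11i PMK identifier: HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

class AccessPoint:
    def __init__(self, mac: bytes):
        self.mac = mac
        self.pmk_cache = {}  # PMKID -> PMK, one entry per completed 802.1X exchange

    def full_8021x(self, sta_mac: bytes) -> bytes:
        # Stand-in for the EAP/RADIUS exchange (the real PMK comes from the EAP MSK);
        # a constructed random 256-bit key plays that role here.
        pmk = os.urandom(32)
        self.pmk_cache[pmkid(pmk, self.mac, sta_mac)] = pmk
        return pmk

class Station:
    def __init__(self, mac: bytes):
        self.mac = mac
        self.pmk_cache = {}  # AP MAC -> PMK
        self.full_auths = 0  # slow (over a second) authentications the client paid for

    def preauthenticate(self, ap: AccessPoint) -> None:
        # Pre-authentication: finish 802.1X with a neighbouring AP, reached through the
        # current AP over the wired side, before the radio moves to it.
        self.pmk_cache[ap.mac] = ap.full_8021x(self.mac)
        self.full_auths += 1

    def associate(self, ap: AccessPoint) -> str:
        # Offer the cached PMKID for this AP in the RSN IE of the (re)association
        # request; a hit lets both sides skip 802.1X and run only the 4-way handshake.
        pmk = self.pmk_cache.get(ap.mac)
        if pmk is not None and pmkid(pmk, ap.mac, self.mac) in ap.pmk_cache:
            return "fast"
        self.pmk_cache[ap.mac] = ap.full_8021x(self.mac)
        self.full_auths += 1
        return "full"

def roam_demo() -> tuple:
    """Roam across two APs: without a cache entry, then with pre-authentication."""
    ap1 = AccessPoint(b"\x00\x11\x22\x33\x44\x01")
    ap2 = AccessPoint(b"\x00\x11\x22\x33\x44\x02")
    sta = Station(b"\x00\xaa\xbb\xcc\xdd\xee")
    first = sta.associate(ap1)  # no cache yet: full 802.1X
    sta.preauthenticate(ap2)    # warm ap2's cache while still on ap1
    roam = sta.associate(ap2)   # PMKID hit: fast
    back = sta.associate(ap1)   # returning to ap1 also hits the cache
    return first, roam, back, sta.full_auths
```

Only two full authentications are paid for across three associations; without the cache every roam would cost one.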

There are three components that must all be WPA2-capable in order to run a WPA2 network:

  • 802.11 wireless access points
  • Client Wireless NIC (Network Interface Card)
  • Supplicant (the fancy IEEE word for client software)

The Microsoft WPA2 patch addresses the last of these three requirements.  The remaining challenge is to get all of your access points and client wireless NICs upgraded to WPA2 capability.  The Wi-Fi Alliance has an online database of companies and products that are capable of running WPA2 mode.  Even though you're not going to be able to use WPA2 in most situations due to a lack of WPA2-capable drivers and firmware, the Microsoft WPA2 patch is a very important piece of the puzzle and lays the foundation for future upgrades.  Without native OS support for WPA2, users are at the mercy of their wireless network card maker to either bundle WPA2-capable software or go out and spend around $40 on third-party software.  The lack of native OS support would almost ensure that there would be no widespread deployment of WPA2, causing everyone to default to the WPA standard or, worse, fall back on WEP and leave themselves wide open to attack.

For the time being, most companies are still relying on WEP or Dynamic WEP and are vulnerable.  They need to upgrade to WPA as soon as possible, since software and hardware support for it is almost universal.  WPA can operate in the much stronger AES mode on some hardware, but not all WPA implementations in hardware and firmware support AES.  WPA2 not only ensures AES interoperability, but also makes fast roaming a reality.  Now that Microsoft has provided the software, all that is needed is new WPA2-capable firmware and drivers on access points and client adapters.

Topic: Wi-Fi

  • Does this play in Peoria?

    This is all well and good, but is WPA2 REALLY limited to WiFi - or will it work with WiMAX? The WiMAX steamroller is coming, and diddling around with this WiFi stuff is a waste of time.
    Roger Ramjet
    • WiMAX is not a wireless LAN technology


      For the tenth time, WiMAX is not a wireless LAN technology. It is a wireless ISP technology. There is some overlap in usage when comparing hotspots to WiMAX, but you would never use WiMAX for your wireless LAN environment. It will never serve as your high speed wireless link for your private wireless LAN in your own office.

      Second, WiMAX is a transport mechanism just like 802.11 b/g/a are transport mechanisms. 802.11i is a security mechanism that runs independently on top of transport mechanisms. There is no reason why it can't be run on WiMAX if the ISPs choose to do so.

      As for performance, the hotspot will probably blow away the WiMAX network. I saw the Intel demo at Interop 2005 2 weeks ago with only a few users on it and it wasn't as stable as a current Wi-Fi hotspot connection. From a convenience standpoint, WiMAX will have superior coverage over Wi-Fi hotspots. From a performance standpoint, it will rule over 3g and other cellco wireless ISP technology but be inferior to Wi-Fi. I don't really care what burst rate they're quoting for WiMAX, it will never be faster than Wi-Fi from a sustainable rate standpoint.

      WiMAX and Wi-Fi will each be very important in their own way. They will rarely compete with each other.
      • Here's hoping...

        That WiMAX range can be rolled over into WiFi LAN capability (turning it into WAN capability.) Once bridge technology, like this Cisco Aironet stuff I've been playing with lately (42 km max range, 11 mbps throughput) becomes something that the average consumer has access to, we won't need corporations anymore for our interconnections. I foresee a world full of externally mounted antennas in the future... Gosh I love disruptive technologies.
        • 42 km is line of sight

          You need to be very careful of the numbers that you're quoting. 42 km for the Aironet bridges is for a directional antenna. When you use public spectrum 802.11 Wi-Fi technologies, the FCC limits your power output to 100 mW. WiMAX is not public spectrum and the power output is relatively high. The WiMAX stuff is omni-directional coverage with a 10 mile effective radius.

          As for wireless bridging, you're much better off using something from Canon with their optical beam technology. Those things go more than 100 mbps and the price is about the same as the high-end Aironet bridges. You also don't need to worry about RF interference.
          • RE: Line of Sight

            Actually the gear won't work without reasonable (close) line of sight in any event. Optical beam technology certainly wouldn't work without near perfect line of sight. This Aironet gear only operates at 100 mW (or less.) With the proprietary Cisco protocol, you can achieve speeds of up to 11 mbps at a range of over 15 miles... Max range is stated in the documentation as 42 km, (19 miles) but likely the transfer rates would decrease to 5 or 2 mbps. In a field test the other day, a fellow engineer achieved a green light association from one of our test locations, across rolling terrain, 8 km away from the test location (base station) just by holding a 360 radial antenna over his head... This Cisco gear is good. I can guarantee Canon's gear would not have worked in that situation. And this gear is not the higher end Aironet gear - it's relatively inexpensive. Which brings us back to my point - good wireless bridge/AP technology, with appropriate configuration and good antenna work, could invalidate the necessity of being beholden to the telecomm companies for internetworking. May that day come soon.
          • Avoid telecomm any time you can

            You should always run your own private wireless bridges when possible and save lots of money.

            Note that this is strictly line-of-sight technology we're talking about. It cannot provide blanket coverage of a few miles radius like WiMAX.
      • Thank you

        Finally I've found some info to let me know the basic difference between these two technologies....
        It took me a while though...
        that's why I keep reading your blog