Share via


Wireless Networking Encryption

5/10/2007

Windows XP Embedded with Service Pack 2 supports both the Wired Equivalent Privacy (WEP) protocol and the Wi-Fi Protected Access (WPA) standard. By using WEP or WPA in your wireless network connections, you can reduce the risk of unauthorized access to your data as it is being transmitted.

To support wireless networking encryption on your device, add the following components to your run-time image:

  • Wireless Zero Configuration and Primitive: Wzcsvc!ALink to authenticate and configure wireless network devices.
  • Network Provisioning Service to configure the wireless profile and WPA settings.

To learn more about the components, see the Component Help Reference in the Windows XP Embedded Studio Help.

Wired Equivalent Privacy (WEP)

The Wired Equivalent Privacy (WEP) protocol encrypts data before it is transmitted across a wireless network. Only devices that have a valid WEP key can decrypt the data.

Wi-Fi Protected Access (WPA)

WPA is an implementation that is based on a subset of the IEEE 802.11i standard. WPA, when used with the Temporal Key Integrity Protocol and the Michael Message Integrity Check (MIC) algorithm, provides enhanced security for wireless networks.

To use WPA on your device:

  • Your wireless network must support WPA. The access points must be configured for WPA.
  • Your wireless cards must support WPA. You may need to upgrade your wireless card drivers.
  • You must configure the WPA settings in your run-time image by using the Wireless Provisioning Services (WPS) API. The WPS API and WPA require the Wireless Zero Configuration and Network Provisioning Service components.

The following table shows the security features that are included in the WPA standard.

Security feature Description

WPA Authentication

WPA requires the use of 802.1x authentication.

For wireless networks without a Remote Authentication Dial-In User Service (RADIUS) infrastructure, WPA supports the use of a preshared key. For wireless networks with a RADIUS infrastructure, Extensible Authentication Protocol (EAP) and RADIUS are supported.

WPA Key Management

WPA requires the rekeying of both unicast and global encryption keys. For the unicast encryption key, Temporal Key Integrity Protocol (TKIP) changes the key for every frame, and the change is synchronized between the wireless client and the wireless access point (AP). For the global encryption key, WPA includes a feature that enables the wireless AP to advertise the changed key to the connected wireless clients.

Temporal Key Integrity Protocol (TKIP)

WPA requires encryption by using TKIP. TKIP replaces WEP with an encryption algorithm that is stronger than the WEP algorithm but that uses the calculation features which are present on existing wireless devices to perform encryption operations. TKIP also provides the following services:

  • The verification of the security configuration after the encryption keys are determined.
  • The synchronized changing of the unicast encryption key for each frame.
  • The determination of a unique starting unicast encryption key for each preshared key authentication.

Michael

WPA supports the Michael security algorithm. This algorithm calculates an 8-byte Message Integrity Code (MIC) that uses the calculation features available on existing wireless devices. The MIC is placed between the data portion of the IEEE 802.11 frame and the 4-byte ICV. The MIC field is encrypted together with the frame data and the ICV.

Michael also provides replay protection by including a new frame counter in the IEEE 802.11 frame that is used to prevent replay attacks.

AES Support

WPA defines the use of Advanced Encryption Standard (AES) as an additional replacement for WEP encryption. Because AES support may not be added to existing wireless devices through a firmware update, support for AES is optional and is dependant on vendor driver support.

For more information about WPA security and about supporting WPA, see this Microsoft Web site.

For more information about improving wireless security, see this Microsoft Web site.

See Also

Concepts

Network Security Components

Other Resources

Best Practices for Security
Network Security Considerations
Local Security Considerations