WPA Authentication (Windows Embedded CE 6.0)
1/6/2010
This topic describes the additional requirements for developing a device driver that will support Wi-Fi Protected Access (WPA), the new wireless security standard.
WPA is an improved security system for 802.11. **For vendors who have already implemented a driver and want to update it for WPA, the following OIDs must be changed:
- OID_802_11_AUTHENTICATION_MODE
- OID_802_11_ENCRYPTION_STATUS
- OID_802_11_BSSID_LIST
Also, the following new OIDs must be added:
- OID_802_11_ADD_KEY
- OID_802_11_REMOVE_KEY
- OID_802_11_ASSOCIATION_INFORMATION
- OID_802_11_TEST
Support for WPA must be checked by using the OID_802_11_AUTHENTICATION_MODE OID to set the authentication mode to Ndis802_11AuthModeWPA and then querying the current authentication mode. If the set fails or the returned value is not Ndis802_11AuthModeWPA, then you can assume that the driver does not support the WPA extensions.
In addition, the authentication event must be supported.**
A WPA network interface card (NIC) must support Temporal Key Integrity Protocol (TKIP) encryption and Michael message integrity check (MIC) algorithm, and may support Advanced Encryption Standard (AES) encryption and integrity.
The following table shows the various configuration options and the expected system behavior. **If the manual key or 802.1X is above the NDIS OIDs, the OID_802_11_ADD_KEY OID is used in both cases to configure the correct key into the NIC. The "Key configured before joining network" column describes whether a key is required to be configured before joining the network.
Note
An improper combination of infrastructure, authentication, and encryption modes must not generate a MediaSense connect and should generate a MediaSense disconnect if the media is already associated. For example, do not combine IBSS, WPANone, and WEP=.
| Infrastructure mode | Authentication mode | Encryption status | Manual Key required? | IEEE 802.1X enabled? | Key configured before joining network? |
|---|---|---|---|---|---|
ESS |
Open |
None |
No |
No |
No |
ESS |
Open |
WEP |
Optional |
Optional |
Yes |
ESS |
Shared |
None |
Yes |
No |
Yes |
ESS |
Shared |
WEP |
Optional |
Optional |
Yes |
ESS |
WPA |
WEP |
No |
Yes |
No |
ESS |
WPA |
TKIP |
No |
Yes |
No |
ESS |
WPA |
AES |
No |
Yes |
No |
ESS |
WPA-PSK |
WEP |
Yes |
Yes |
No |
ESS |
WPA-PSK |
TKIP |
Yes |
Yes |
No |
ESS |
WPA-PSK |
AES |
Yes |
Yes |
No |
IBSS |
Open |
None |
No |
No |
No |
IBSS |
Open |
WEP |
Yes |
No |
Yes |
IBSS |
Shared |
None |
Yes |
No |
Yes |
IBSS |
Shared |
WEP |
Yes |
No |
Yes |
IBSS |
WPA-None |
WEP |
Yes |
No |
Yes |
IBSS |
WPA-None |
TKIP |
Yes |
No |
Yes |
IBSS |
WPA-None |
AES |
Yes |
No |
Yes |
**The following table shows what OID support is required for WPA.
| OID | Required |
|---|---|
OID_802_11_AUTHENTICATION_MODE supports WPA, WPA-PSK and WPA-None for set and query |
Required |
OID_802_11_ENCRYPTION_STATUS supports encryption1 and encryption 2 for set and query |
Required |
OID_802_11_BSSID_LIST returns NDIS_802_11_BSSID_LIST_EX structure |
Required |
OID_802_11_ASSOCIATION_INFORMATION supports query |
Required |
OID_802_11_ADD_KEY supports single group key set and one pairwise key (may use Group Key 0) |
Required |
OID_802_11_ADD_KEY supports four group keys, index 0 to 3. |
Required |
OID_802_11_ADD_KEY supports bit 28 set to 0 |
Required |
OID_802_11_TEST supports generation of MEDIA_SPECIFIC_EVENT |
Required |
Detect Michael integrity check (MIC) algorithm failures for group keys and for pairwise keys and generate a MEDIA_SPECIFIC_EVENT event. Non-802.1X packets are dropped with the current keys |
Required |
Non-802.1X data packets are not sent until a group key is installed |
Required |
WPA information element in associate/re-associate request message |
Required |
No key is needed to associate to an AP with the privacy bit set in the AP capability |
Required |
TKIP 48 bit and Michael |
Required |
The operating system checks for a WPA driver using the following procedure:
- Set OID_802_11_AUTHENTICATION_MODE with Ndis802_11AuthModeWPA.
The call must succeed. - Query OID_802_11_AUTHENTICATION_MODE.
The call must succeed and must return Ndis802_11AuthModeWPA as the value of the OID. - Determine the highest supported cipher by using the following process:
- Set OID_802_11_ENCRYPTION_STATUS subsequently with Ndis802_11Encryption3Enabled, Ndis802_11Encryption2Enabled and Ndis802_11Encryption1Enabled in that order.
- Query OID_802_11_ENCRYPTION_STATUS.
The query should succeed and the value returned should match the value that has been set. If this does not happen, the loop is broken and the last cipher verified successfully is assumed as the highest supported cipher. - The highest supported cipher should be either TKIP or AES.
- Set OID_802_11_ADD_KEY with a random key of length 32 and with an index of 0xc0000001. The result must be ERROR_INVALID_PARAMETER, which corresponds to NDIS_STATUS_INVALID_DATA from the driver.
- Query OID_802_11_ASSOCIATION_INFORMATION.
The call must succeed - do not check the returned value in any way.
If all these tests pass, the NIC is marked as "WPA capable." Preferred networks can then be set with the extended authentication modes and encryption types. This check happens when as the card is inserted.**