ZyXEL NBG-318S Guia Do Utilizador

Página de 286
 Appendix E Wireless LANs
NBG-318S User’s Guide
263
Key differences between WPA(2) and WEP are improved data encryption and user 
authentication.
              Encryption
Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol 
(TKIP), Message Integrity Check (MIC) and IEEE 802.1x. In addition to TKIP, WPA2 also 
uses Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining 
Message authentication code Protocol (CCMP) to offer stronger encryption. 
Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and 
distributed by the authentication server. It includes a per-packet key mixing function, a 
Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with 
sequencing rules, and a re-keying mechanism.
TKIP regularly changes and rotates the encryption keys so that the same encryption key is 
never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP 
that then sets up a key hierarchy and management system, using the pair-wise key to 
dynamically generate unique data encryption keys to encrypt every data packet that is 
wirelessly communicated between the AP and the wireless clients. This all happens in the 
background automatically.
WPA2 AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit 
mathematical algorithm called Rijndael.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data 
packets, altering them and resending them. The MIC provides a strong mathematical function 
in which the receiver and the transmitter each compute and then compare the MIC. If they do 
not match, it is assumed that the data has been tampered with and the packet is dropped. 
By generating unique data encryption keys for every data packet and by creating an integrity 
checking mechanism (MIC), TKIP makes it much more difficult to decode data on a Wi-Fi 
network than WEP, making it difficult for an intruder to break into the network. 
The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference 
between the two is that WPA-PSK uses a simple common password, instead of user-specific 
credentials. The common-password approach makes WPA-PSK susceptible to brute-force 
password-guessing attacks but it's still an improvement over WEP as it employs an easier-to-
use, consistent, single, alphanumeric password.
              User Authentication
WPA or WPA2 applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to 
authenticate wireless clients using an external RADIUS database. 
If both an AP and the wireless clients support WPA2 and you have an external RADIUS 
server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, 
you should use WPA2 -PSK (WPA2 -Pre-Shared Key) that only requires a single (identical) 
password entered into each access point, wireless gateway and wireless client. As long as the 
passwords match, a wireless client will be granted access to a WLAN. 
If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending 
on whether you have an external RADIUS server or not.
Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is 
less secure than WPA or WPA2.