
Enabling WPA on Windows XP:

A painful process explained step-by-step

Robert C. Jones, M.D.


LtCol, USAF, Medical Corps
Staff Anesthesiologist
Andrews Air Force Base, Maryland

E-mail: rob — at — notbob — dot — com


Web site: http://www.notbob.com

Note: presentation best viewed as slide show

Copyright (C) 2004 Robert C. Jones, M.D. All Rights Reserved. CIA XXIV
Update (6 Sep 04)

• This presentation was written prior to Microsoft’s release of Windows XP service pack 2; Rob is still evaluating the effect of SP2 on wireless networking on several computers, and will update these slides Real Soon Now. Until then, consider these slides to refer to Windows XP SP1, and, as always, please remain calm.

If you have no idea what this
presentation is about…
•…then you need to read my extensive discussion of Wireless
Internet INsecurity here:
http://www.notbob.com/wlani/
•This presentation assumes some knowledge of the basics of
wireless security and some competence with computers (i.e.,
more than just the ability to turn them on)
• Why Windows XP and not Mac, Unix, BSD, Linux, Amiga…?
➳People who use Windows (of any kind) need more help
➳Most Windows users don’t RTFM: read the fine manual
➳Windows XP makes WPA much harder than it has to be
➳Windows XP has the largest installed base
•All legal disclaimers in my original talk apply to this addendum
Brief introduction to WPA

•WPA = “WiFi® Protected Access”


•Quick fix to broken initial wireless security
method, WEP (= “Wired Equivalent Protocol”)
•Why is WEP broken?
For the full explanation, see my original talk. Here’s the executive summary:
➳WEP standard implements RSA Security’s RC4 encryption improperly:
http://www.rsasecurity.com/rsalabs/node.asp?id=2009
➳Flaws in key scheduling algorithm → large number of weak keys → encryption easily cracked
➳Initialization vector (IV) is sent in the clear with each chunk– subtract 24 bits of IV from
encryption key length (so advertised “128 bit” security is really only 104 bits…more bits good,
fewer bits bad, so this is bad)
➳As a result, attackers can sniff the information going across your WEP-protected network and
crack the security in hours to days, depending on the age of your access point’s firmware and the
traffic across the network; see this article: http://www.oreillynet.com/pub/a/wireless/excerpt/wirlsshacks_chap1/index.html
Why is WPA better than WEP?
(skip this slide if you don’t care)

•WPA is a subset of the upcoming IEEE 802.11i security standard; designed to be forward-compatible with 802.11i (Update: Specification finally approved; certified products due Sep 04: http://www.infoworld.com/article/04/06/25/HNwlan_1.html)
•Security enhancements:
➳TKIP: Temporal Key Integrity Protocol– per-packet key mixing, message integrity
check (MIC; aka “Michael”), and extended initialization vector address most of the
weakness of WEP; much harder to “crack”, but not impossible: http://wifinetnews.com/archives/002453.html
➳AES: Advanced Encryption Standard--optional “enhanced” security cipher based on
Rijndael cipher (gotta love the parrot: http://www.esat.kuleuven.ac.be/~rijmen/rijndael/ AES skeptics:
http://www.cryptosystem.net/aes/ ; http://www.schneier.com/crypto-gram-0209.html#1)
➳Enterprise-level, port-based user authentication through 802.1x and EAP (no user
authentication in WEP– only device authentication) [called “WPA Enterprise” by the
WiFi Alliance]
➳Option for SOHO users: PSK (pre-shared key)– eliminates need for RADIUS
authentication server [called “WPA Personal” by the WiFi Alliance]
References:
http://www.wi-fiplanet.com/tutorials/article.php/2148721
http://www.wi-fi.org/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf
http://www.wi-fi.org/OpenSection/pdf/Wi-Fi_ProtectedAccessWebcast_2003.pdf
WPA on Windows XP
•WPA support requires upgrades to 3 things:
•Your wireless Access Point (AP)
➳You need firmware that supports WPA
➳Most APs sold in 2004 should support WPA out of the box
•Your wireless client (the actual card thing in your computer)
➳Client also called “supplicant” (because you’re begging for access)
➳You need firmware that supports WPA
➳Most new 802.11g and a/b/g clients support WPA; many older 802.11b clients (pre-2003) may not be upgradeable (considered legacy devices)
•Your operating system (Windows XP, in this case)
➳You need WPA upgrades to Windows XP
➳Microsoft helpfully does not include the updates in the automatic Windows Update function; you have to install them yourself manually (for Service Pack 1; WPA functionality now included in SP2)
References:
http://www.pcmag.com/print_article/0,3048,a=107756,00.asp
http://www.microsoft.com/whdc/device/network/802x/WPA.mspx
WPA by the numbers

•For this talk, we will be using a Linksys WRT54GS router, a Sony Vaio with a LAN-Express AS 802.11g mini-PCI card, and Windows XP Home edition with Service Pack 1 and all critical updates
•Your specific screens may look different, but
the process should be the same with other
wireless routers and client devices
Step 1: Make sure system works without WPA

• Because enabling WPA on your router will cut off communication with your client device, be sure that everything is working OK without WPA (i.e., enable WEP with 128 bit security and make sure that the connection is functional)
• It is always a good idea to have a wired connection to your router in order to fiddle with settings when (when) your wireless connection goes down (e.g., when you switch from WEP to WPA)
• I do not ever recommend running a wireless AP without any
security (in “open” mode), because I am way paranoid when it
comes to network security

Step 2: Enable WPA on router

•Log onto router by opening your internet browser and typing in the IP address listed in your router’s manual (in this case, for Linksys, 192.168.1.1):

Never, ever check this box!

Note: your router’s manual will give you the default password; if you lost it, you can find the
defaults by searching Google for: default router passwords (without quotes); if you changed the
default a long time ago and forgot it, then reset the router using the little button in the back
Step 2: Enable WPA on router (cont’d)

• Note that the firmware version (2.07.1) supports WPA out of the box
• You must choose Pre-shared Key (PSK) for SOHO use (unless you have a RADIUS server)
• You can select TKIP or AES; TKIP is standards-based (AES implementation in WPA not
standardized; will become standardized in 802.11i); UPDATE: some client chips prefer AES
• Group renewal key can be left at whatever default your router manufacturer has set
Step 2: Enable WPA on router (cont’d)

A few words about picking a good PSK passphrase…


• The “Achilles heel” of SOHO-mode WPA (“WPA-Personal”) is that users might pick weak
passphrases for the PSK
• As all BOFHs know, users are clueless and pick bad passphrases more often than their noses
• Passphrases that are easily guessed include anything in any dictionary, names, birthdays,
phrases, slang, acronyms…the worst password is your account name.
• The bottom line: pick a passphrase which is as random as possible, with a mix of upper and
lower case letters, numbers, and special characters (%^&*#$~@+), and which is at least 20
characters long; for more do’s and don’t’s, see: http://geodsoft.com/howto/password/password_advice.htm
• Here’s a helpful passphrase FAQ : http://131.155.140.135/~galactus/remailers/passphrase-faq.html#210
• For a really good passphrase, check out Diceware: http://world.std.com/~reinhold/diceware.html
• This article discusses the WPA PSK problem in gory detail: http://wifinetnews.com/archives/002452.html
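
Added example, not part of the original slides: a Python sketch that generates a passphrase following the advice above (at least 20 characters, all four character classes, using the slide's own symbol list) and derives the 256-bit key WPA-Personal computes from it (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations). The function names and the SSID in the demo are assumptions made for illustration; because the key depends only on the passphrase and the SSID, a guessable passphrase gives away the key.

```python
import hashlib
import math
import secrets
import string

# Character classes named on the slide; the symbol set is the slide's own list.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "%^&*#$~@+")
ALPHABET = "".join(CLASSES)


def generate_passphrase(length=24):
    """Random passphrase with at least one character from every class."""
    if not 20 <= length <= 63:   # slide minimum; WPA passphrase maximum
        raise ValueError("length must be between 20 and 63")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def meets_slide_advice(passphrase):
    """True if 20-63 chars, printable ASCII, and all four classes are present."""
    return (20 <= len(passphrase) <= 63
            and all(32 <= ord(c) <= 126 for c in passphrase)
            and all(any(c in cls for c in passphrase) for cls in CLASSES))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on entropy for uniformly random characters."""
    return length * math.log2(alphabet_size)


def derive_psk(passphrase, ssid):
    """256-bit PSK as WPA-Personal derives it: PBKDF2-HMAC-SHA1, SSID as salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32).hex()


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, f"(~{entropy_bits(len(phrase)):.0f} bits)")
    print(derive_psk(phrase, "ExampleSSID"))  # constructed SSID, not from the slides
```
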

Bond with your inner ostrich…

“Stevan...commits a different faux pas: He uses the same password everywhere, including access to multiple e-mail accounts, Amazon.com, The New York Times' Web site and E-ZPass electronic toll statements.

In such cases, should hackers or scammers compromise one account, they potentially have one's entire online life.

"This is one of these things that if I stop and think about it, it is not good, but I do my best not to stop and think about it," said (Stevan), an information technology manager in New York.”

http://www.cnn.com/2004/TECH/ptech/06/01/beyond.passwords.ap/index.html

(obnote: managers are generally clueless feebs when it comes to actual technology, clinical medicine, etc. If
they actually knew technology or medicine, they would be doing something useful with their lives instead of
micromanaging and writing meaningless policies QED. Yeah, pointy haired ex-boss, you’re so vain, I bet you
think this comment’s about you, don’t you?)

Step 2: Enable WPA on router (cont’d)

“But…my router’s firmware doesn’t give me a WPA option!”


Assuming your AP can support WPA, you need to upgrade your firmware, my friend:
• Linksys: http://www.linksys.com/download/
• Netgear: http://kbserver.netgear.com/kb_web_files/n101190.asp; http://kbserver.netgear.com/main.asp
• Netegriti EM-500AG: http://www.discountechnology.com/products/wistron-802.11abg/EM-500AG.zip
• Buffalo: http://www.buffalotech.com/wireless/_SUPPORT/downloads.php
• D-Link: http://support.dlink.com/faq/view.asp?prod_id=1401 ; http://support.dlink.com/downloads/
• Microsoft: Microsoft Broadband Networking Utility (BNU) should automagically update firmware; if not, go here:
http://www.microsoft.com/hardware/broadbandnetworking/15_Downloads.aspx

• SMC: http://www.smc.com/index.cfm?sec=Products&pg=Product-List&cat=5&site=c
• Zyxel: http://us.zyxel.com/support/download.php

Note: representative sample of AP manufacturers; not in any particular order; if your manufacturer is not on this short list, then try their website!

Step 2: Enable WPA on router (cont’d)
UPDATE! 17 June 04

After buying a Netegriti (Wistron) EM-500AG a/b/g mini-PCI card for my notebook from
http://www.discountechnology.com , it took quite a bit of struggling to enable WPA.
Turns out that some implementations of WPA require SSID broadcasting to be turned
on for supplicant authentication to work (i.e., you will get a strong signal and see the
connection, but you won’t be able to use the connection to do anything [like surfing the
Net]). Note that this is now safe with WPA in place (vs. during ancient WEP-only
era ca. 2002); WEP + no SSID broadcast is far less safe than WPA + SSID broadcast
Step 3: Enable WPA on Client
start | settings | control panel | system | hardware | device manager | network adapters | your wireless adapter

Any driver prior to May 2003 will need to be upgraded (WPA standard finalized May 03)

This card didn’t work under WPA with “shared”– needed to leave in “auto”

• Your client card manufacturer should tell you whether their latest firmware supports WPA
• Follow the instructions given by your manufacturer to flash the firmware (don’t interrupt
power during flashing! Very bad karma!)
Step 4: Enable WPA on WinXP SP1

Update 1

http://www.microsoft.com/downloads/details.aspx?FamilyID=009d8425-ce2b-47a4-abec-274845dc9e91&displaylang=en ;
download link is on right side of page

Update 2

http://support.microsoft.com/?kbid=826942 ; download
link is halfway down the page

Download and install these two updates; be sure to reboot after each one
(they don’t remind you to do so); again, as of late Aug 04, the brand
new Win XP SP2 update includes WPA functionality (about time!)
Step 4: Enable WPA on WinXP (cont’d)
Make sure Wireless Zero Configuration service is running: start | run | open: services.msc
Step 4: Enable WPA on WinXP (cont’d)
Start | Settings | Control Panel | Network connections | Right click on wireless adapter | properties

You can try AES if you want…if it works for your network, cool…

Here’s a timesaver: copy your WPA password onto the Windows clipboard from your router’s configuration screen (ctrl-C), then paste into the Network key dialogs (ctrl-V); note that Windows prevents you from copying from within the Network key field if you choose to type in the key

This happy icon means that your connection is working! (might need to hit refresh button below “configure” to
Step 4: Enable WPA on WinXP (cont’d)
Start | Settings | Control Panel | Network connections | Right click on wireless adapter | properties

Note that 802.1x is mandatory for WPA (can’t change it…greyed out)

Meaningless for WPA-personal with PSK, so leave it as default (as shown)
Ta Da! Congrats!

• Now your wireless connection is the safest in the neighborhood…99.9% of attackers will now leave you alone to go after the low-hanging fruit of lusers who are still using WEP (or the 70+% of hoi polloi with no security at all)

What’s Next in Wireless Security?
hint: be sure to view this as a slide show to
see the words behind the pictures

• mid-2004: WPA2 (marketing term for 802.11i with RSN, as discussed in my original presentation)
– Will require hardware encryption engine on the chipset
– Uses AES via CCMP (Counter-mode CBC-MAC Protocol), which is stronger than TKIP (even at
same 128 bit key length)
– Most newer 802.11g and a/b/g devices should be able to handle AES with firmware upgrade…older
devices (pre-2003) will likely need to be upgraded in hardware (i.e., replaced)
– Detailed support for 802.1x and EAP for strong user authentication
– ? Strong reason to upgrade WPA to WPA2 for average users; certainly mandatory for enterprises
with proprietary secrets, but probably not necessary to secure your MP3s…

excerpt of rijndael (AES) source code


from: http://www.cs.umd.edu/~waa/1x.pdf

“They that can give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.”
--Benjamin Franklin

“Computers have enabled people to make more mistakes faster than almost any invention in history, with the possible exception of tequila and hand guns.”
--Mitch Ratcliffe
Addendum 1: WPA on Linux
a work in progress (18 June 04)

• I’m in the process of upgrading my notebook to Mandrake Linux 10.0 (from 9.1); my wireless card is the Netegriti EM-500AG; stay tuned for an update on my experience…
• Excellent Linux WLAN HOWTO:
http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/
• For Atheros-based client cards (including mine), here’s the madwifi
FAQ: http://www.mattfoster.clara.co.uk/madwifi-faq.htm
• The web-based CVS viewer for the madwifi project on SourceForge
is here: http://cvs.sourceforge.net/viewcvs.py/madwifi/madwifi/
• The CVS address for both the madwifi driver and the WPA module
is in the FAQ, Jack:
http://www.mattfoster.clara.co.uk/madwifi-2.htm
• Free WPA supplicant (supports many cards, including Atheros
ar521x): http://hostap.epitest.fi/wpa_supplicant/

Addendum 2: WPA on MacOS X
Can’t forget my MacOS buddies…

• As of this writing, Apple only supports WPA on AirPort Extreme (802.11g)
• Here’s a page with info on setting up WPA in
MacOS X:
http://www.oreillynet.com/pub/a/wireless/2003/12/18/wap

• The URL for the firmware upgrade is wrong; here’s the right one:
http://www.apple.com/downloads/macosx/apple/airportex
