Поделиться через


WPA Authentication (Windows Embedded CE 6.0)

1/6/2010

This topic describes the additional requirements for developing a device driver that will support Wi-Fi Protected Access (WPA), the new wireless security standard.

WPA is an improved security system for 802.11. **For vendors who have already implemented a driver and want to update it for WPA, the following OIDs must be changed:

  • OID_802_11_AUTHENTICATION_MODE
  • OID_802_11_ENCRYPTION_STATUS
  • OID_802_11_BSSID_LIST

Also, the following new OIDs must be added:

  • OID_802_11_ADD_KEY
  • OID_802_11_REMOVE_KEY
  • OID_802_11_ASSOCIATION_INFORMATION
  • OID_802_11_TEST

Support for WPA must be checked by using the OID_802_11_AUTHENTICATION_MODE OID to set the authentication mode to Ndis802_11AuthModeWPA and then querying the current authentication mode. If the set fails or the returned value is not Ndis802_11AuthModeWPA, then you can assume that the driver does not support the WPA extensions.

In addition, the authentication event must be supported.**

A WPA network interface card (NIC) must support Temporal Key Integrity Protocol (TKIP) encryption and Michael message integrity check (MIC) algorithm, and may support Advanced Encryption Standard (AES) encryption and integrity.

The following table shows the various configuration options and the expected system behavior. **If the manual key or 802.1X is above the NDIS OIDs, the OID_802_11_ADD_KEY OID is used in both cases to configure the correct key into the NIC. The "Key configured before joining network" column describes whether a key is required to be configured before joining the network.

Note

An improper combination of infrastructure, authentication, and encryption modes must not generate a MediaSense connect and should generate a MediaSense disconnect if the media is already associated. For example, do not combine IBSS, WPANone, and WEP=.

Infrastructure mode Authentication mode Encryption status Manual Key required? IEEE 802.1X enabled? Key configured before joining network?

ESS

Open

None

No

No

No

ESS

Open

WEP

Optional

Optional

Yes

ESS

Shared

None

Yes

No

Yes

ESS

Shared

WEP

Optional

Optional

Yes

ESS

WPA

WEP

No

Yes

No

ESS

WPA

TKIP

No

Yes

No

ESS

WPA

AES

No

Yes

No

ESS

WPA-PSK

WEP

Yes

Yes

No

ESS

WPA-PSK

TKIP

Yes

Yes

No

ESS

WPA-PSK

AES

Yes

Yes

No

IBSS

Open

None

No

No

No

IBSS

Open

WEP

Yes

No

Yes

IBSS

Shared

None

Yes

No

Yes

IBSS

Shared

WEP

Yes

No

Yes

IBSS

WPA-None

WEP

Yes

No

Yes

IBSS

WPA-None

TKIP

Yes

No

Yes

IBSS

WPA-None

AES

Yes

No

Yes

**The following table shows what OID support is required for WPA.

OID Required

OID_802_11_AUTHENTICATION_MODE supports WPA, WPA-PSK and WPA-None for set and query

Required

OID_802_11_ENCRYPTION_STATUS supports encryption1 and encryption 2 for set and query

Required

OID_802_11_BSSID_LIST returns NDIS_802_11_BSSID_LIST_EX structure

Required

OID_802_11_ASSOCIATION_INFORMATION supports query

Required

OID_802_11_ADD_KEY supports single group key set and one pairwise key (may use Group Key 0)

Required

OID_802_11_ADD_KEY supports four group keys, index 0 to 3.

Required

OID_802_11_ADD_KEY supports bit 28 set to 0

Required

OID_802_11_TEST supports generation of MEDIA_SPECIFIC_EVENT

Required

Detect Michael integrity check (MIC) algorithm failures for group keys and for pairwise keys and generate a MEDIA_SPECIFIC_EVENT event. Non-802.1X packets are dropped with the current keys

Required

Non-802.1X data packets are not sent until a group key is installed

Required

WPA information element in associate/re-associate request message

Required

No key is needed to associate to an AP with the privacy bit set in the AP capability

Required

TKIP 48 bit and Michael

Required

The operating system checks for a WPA driver using the following procedure:

  1. Set OID_802_11_AUTHENTICATION_MODE with Ndis802_11AuthModeWPA.
    The call must succeed.
  2. Query OID_802_11_AUTHENTICATION_MODE.
    The call must succeed and must return Ndis802_11AuthModeWPA as the value of the OID.
  3. Determine the highest supported cipher by using the following process:
    1. Set OID_802_11_ENCRYPTION_STATUS subsequently with Ndis802_11Encryption3Enabled, Ndis802_11Encryption2Enabled and Ndis802_11Encryption1Enabled in that order.
    2. Query OID_802_11_ENCRYPTION_STATUS.
      The query should succeed and the value returned should match the value that has been set. If this does not happen, the loop is broken and the last cipher verified successfully is assumed as the highest supported cipher.
    3. The highest supported cipher should be either TKIP or AES.
  4. Set OID_802_11_ADD_KEY with a random key of length 32 and with an index of 0xc0000001. The result must be ERROR_INVALID_PARAMETER, which corresponds to NDIS_STATUS_INVALID_DATA from the driver.
  5. Query OID_802_11_ASSOCIATION_INFORMATION.
    The call must succeed - do not check the returned value in any way.

If all these tests pass, the NIC is marked as "WPA capable." Preferred networks can then be set with the extended authentication modes and encryption types. This check happens when as the card is inserted.**

See Also

Concepts

WPA