Wireless Protected Access (WPA) / WPA2 and the Handheld PC

Applies To

• Windows CE 1.0, 1.01
• Windows CE 2.0, SP1
• Handheld PC Professional, SP1
• Handheld PC 2000
• Windows CE 4.0, 4.1, 4.2 .net
• Windows CE 5.0
• Windows CE 6.0

Overview

Wireless Protected Access or WPA was created to overcome the shortcomings of its security forebear the Wireless Encryption Protocol (WEP) standard. Wireless Protected Access version 2 (WPA2) is a revision to the original WPA standard which further enhances security in Wireless networks.

This article discusses the support for the WPA standard on the Handheld PC.

More Info

Wireless Protected Access is a new security protocol aimed exclusively at Wireless Networking technologies implementing the IEEE 802.11x communications protocol.

Hardware Requirements

WPA can be used to bolster network security to a degree far surpassing the WEP standard which preceded it. WPA can be used against many 802.11b networks, and any 802.11g networks.
Like WEP, WPA requires support from the physical hardware used to make-up the network. This includes both the Wireless Access Point (AP/WAP or WiFi Enabled Router) used to create infrastructure connections, and the Wireless Network Interface Cards (Wireless NIC) being used to connect individual systems to the network.

802.11b adapters originally did not provide any support for the WPA standard. Users of 802.11b hardware will need to source firmware updates to discover any form of WPA implementation. 802.11g protocol (backwards compatible with the 2.4 GHz 802.11b standard) devices will natively support a version of WPA, this may be further extended through additional firmware updates.
Additionally the Network Adapter driver layer must also support the implementation of WPA on the card. Along with firmware, drivers can add or extend the support for WPA by and given adapter.

The newer WPA2 security standard generally cannot be implemented through driver/firmware updates requiring new hardware to be rolled out across the network.

Overview of WPA security modes

There are 5 possible modes that can be used on a wireless network to roll out WPA

WPA RADIUS
Used in corporate rollouts of WiFi, RADIUS is designed to allow for secured, user level identification security over WPA encryption. Use of RADIUS requires additional hardware and software support on the Server/AP side and is not commonly found in consumer Wireless Access Points

WPA Pre-Shared Key (PSK)
Requires the use of a Key (password) to access the network. The key is common to all users on the network and secured using WPA encryption. It is possible to use WPA PSK in conjunction with both AES and TKIP if supported by the AP.

WPA TKIP
TKIP or Temporal Key Integrity Protocol is based on the RC4 security algorithm and is closest to the WEP model. Unlike WEP every packet (piece) of network information is encrypted. TKIP elevates network security by dynamically rotating the network key to a random configuration on a user definable time interval, making it much more difficult to break and make use of a breached LAN perimeter.

WPA AES
AES or Advanced Encryption Standard is a replacement for the DES algorithm used by many International government to secure sensitive information. AES provides an additional safeguard for key moving across the Wireless LAN, although requires physically compatible hardware - and cannot be implemented through firmware.

WPA2
WPA2 brings together all of the optional security systems in the original WPA standard and includes the full security requirements needed by the IEEE 802.11i security standard.

Software Requirements

In additional to the requirements from the infrastructure hardware to support WPA, the specification also requires several tiers of software support.
This support comes from communication between the driver and the operating system itself.

1. First layer - The driver must maintain compatibility with the WPA implementation(s) or WPA2 implementation you are using
2. Second layer - Requires the Network Layer in the operating system to support the 802.1x security schema and specifically to provide the functionality between the device driver and the operating system to communicate the WPA security protocol.
3. Third layer - The final layer dictates that the operating system must be capable of handling 128-bit secured key generation, storage and maintenance. The OS must support the use of Public, Private and Public/Private Class shared keys of different encryption types

The table below outlines the support offered through the different Windows CE versions used in the H/PC Community.

While it is technically possible to add some of the WPA software requirements into an operating system through additional software drivers and applications, the functionality and scope of such procedures is limited next to fully native operating system support.
At this time, no hardware manufacturer has attempted to add this support to a Handheld PC release and any such implementation would be limited in operation and exclusive to that particular adapter.
For Windows CE 4.1, third party AEGIS clients are available to facilitate the second layer, and can also be added to CE 4.2 for additional AEGIS support.

For the majority of Handheld PC users WEP 128-bit remains the optimal wireless security standard for use on Wireless Networks.