Differences Between RSN and WPA

WPA and RSN share a common architecture and approach. WPA has a subset of capability focused specifically on one way to implement a network, whereas RSN allows more flexibility in implementation. RSN also supports the AES[1] cipher algorithm in addition to TKIP, whereas WPA focuses on TKIP.[2] Because WEP is more commonly found in corporations today, a natural approach is to implement WPA now, upgrade installed systems as required, and then move towards a full RSN solution over a period of time as new products are deployed. Eventually, as the older products are retired, this will lead to a system based entirely on IEEE 802.11i. In this way, WPA provides for the needs of all the current Wi-Fi LAN users in the most common configurations, while in the long term the full RSN allows more flexibility.

[1] "AES" stands for Advanced Encryption Standard; see Chapter 12 for details.

[2] TKIP stands for Temporal Key Integrity Protocol; see Chapter 11 for details.
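The WPA-versus-RSN distinction described above is visible on the air: an access point advertises the RSN information element (element ID 48, suite selectors under the IEEE OUI 00-0F-AC) and/or the Wi-Fi Alliance WPA vendor element (ID 221, OUI 00-50-F2, type 1), each listing its group cipher, pairwise ciphers and key-management methods. The parser below is an added example, not code from the book; the beacon element bytes it feeds in are constructed, and the `classify_ies` and `security_mode` names are this example's own.

```python
import struct

RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11i suite-selector OUI (RSN IE)
WPA_OUI = b"\x00\x50\xf2"   # Wi-Fi Alliance OUI (WPA vendor IE)
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP (AES)", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def _parse_suites(body, oui):
    """Version, group cipher, pairwise list, AKM list (layout shared by RSN and WPA IEs)."""
    if len(body) < 8:
        return None                      # truncated element: refuse rather than guess
    version, count = struct.unpack_from("<H", body, 0)[0], struct.unpack_from("<H", body, 6)[0]
    group = CIPHERS.get(body[5], "unknown") if body[2:5] == oui else "unknown"
    off, pairwise = 8, []
    for _ in range(count):
        sel = body[off:off + 4]
        pairwise.append(CIPHERS.get(sel[3], "unknown") if sel[:3] == oui else "unknown")
        off += 4
    akm_count = struct.unpack_from("<H", body, off)[0]
    off, akms = off + 2, []
    for _ in range(akm_count):
        sel = body[off:off + 4]
        akms.append(AKMS.get(sel[3], "unknown") if sel[:3] == oui else "unknown")
        off += 4
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akms}

def classify_ies(ies):
    """Walk the tagged-parameter area of a beacon and pull out the RSN and WPA elements."""
    found, off = {"rsn": None, "wpa": None}, 0
    while off + 2 <= len(ies):
        eid, ln = ies[off], ies[off + 1]
        body = ies[off + 2:off + 2 + ln]
        if eid == 48:
            found["rsn"] = _parse_suites(body, RSN_OUI)
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":
            found["wpa"] = _parse_suites(body[4:], WPA_OUI)
        off += 2 + ln
    return found

def security_mode(ies):
    """Label the network by which security architecture(s) it advertises."""
    f = classify_ies(ies)
    if f["rsn"] and f["wpa"]:
        return "WPA+RSN (mixed mode)"
    return "RSN" if f["rsn"] else "WPA" if f["wpa"] else "none or WEP"

# Constructed beacon element bytes (SSID "test" plus security elements).
SSID = bytes.fromhex("00 04 74 65 73 74")
RSN_CCMP_PSK = bytes.fromhex("30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 00 00")
WPA_TKIP_PSK = bytes.fromhex("dd 16 00 50 f2 01 01 00 00 50 f2 02 01 00 00 50 f2 02 01 00 00 50 f2 02")
```

Feeding `SSID + RSN_CCMP_PSK` reports an RSN network with CCMP pairwise and group ciphers, while `SSID + WPA_TKIP_PSK` reports a WPA network with TKIP, matching the profile split the text describes.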

RSN and WPA share a single security architecture under which TKIP- or AES-based security protocols can operate. This architecture covers procedures such as upper-level authentication, secret key distribution, and key renewal, all of which are relevant to both TKIP and AES. The RSN architecture is quite different from that of WEP and quite a bit more complicated. However, it provides a solution that is both secure and scalable for use in large networks. One of the huge problems for WEP, from the earliest days, was that it was impractical to manage key distribution once you had more than a few tens of users. That problem has been addressed by both RSN and WPA.

Nobody can ever (legitimately) claim that a security system is unbreakable. However, it is fair to say that the RSN/WPA approach was devised with the involvement of specialist security experts and received far more scrutiny from the cryptographic community than WEP did when it was being developed. WEP received this kind of scrutiny only after it was deployed and the result was humiliation. The design of RSN/WPA has had the full participation of security experts. That doesn't guarantee that it will not be broken next week. But we doubt it will and we wouldn't be wasting time writing this book if we thought otherwise.

Note that most of the discussion about RSN here assumes that you are operating in IEEE 802.11 infrastructure mode and that you have an access point. RSN (but not WPA) can also apply to ad-hoc mode in which there is no access point. Ad-hoc mode is sometimes referred to as IBSS (Independent Basic Service Set) mode. We cover the special issue of IBSS mode in Chapter 13; in this chapter, the discussion assumes that you, like most people, are using infrastructure mode.



    Part II: The Design of Wi-Fi Security