ANALYSIS
TKIP is really the heart and soul of WPA security. TKIP replaces WEP encryption. And although WEP is optional in standard Wi-Fi, TKIP is required in WPA. The TKIP encryption algorithm is stronger than the one used by WEP but works by using the same hardware-based calculation mechanisms that WEP uses.
TKIP actually has several functions. First, it determines which encryption keys will be used and then verifies the client's security configuration. Second, it is responsible for changing the unicast encryption key for each frame. Finally, TKIP sets a unique starting key for each authenticated client that is using a pre-shared key.
Checksums and replay protection
When WEP was initially designed, the IEEE took steps to ensure that an encrypted packet could not be tampered with. WEP-encrypted packets include a checksum value at the end of the packet. This value is a 32-bit code that is derived from the rest of the packet. The idea is that if something in the packet's payload changes, the checksum will no longer match the packet and the packet can be assumed to be corrupt. This 32-bit code is called the Integrity Check Value (ICV).
Although ICV is a good idea, it just isn't secure. There are hacker tools that allow someone to modify a WEP-encrypted packet and to modify the ICV as well. Once the ICV has been modified to match the modified payload, the receiver is unable to tell that the packet has been tampered with.
To counteract this type of hacking, WPA supports a security measure called Michael. Michael works similarly to ICV but calculates a Message Integrity Code (MIC) in addition to the ICV. The wireless devices calculate the MIC using the same mechanisms they would normally use to calculate the ICV.
The first major difference is that the MIC is only eight bits, as opposed to the ICV's 32 bits. WPA still uses an ICV in the same way that WEP does, but the MIC is inserted between the data portion of the frame and the ICV.
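The following Python sketch is an added example, not code from the original article. It shows why an unkeyed ICV under a stream cipher cannot detect the tampering described above, and why a keyed code placed between the data and the ICV can. It assumes the ICV is a CRC-32 (as in WEP) and uses stand-ins chosen for this example: a SHAKE-256 keystream instead of RC4, and a truncated HMAC with an 8-byte tag instead of Michael. All keys and payloads are constructed sample values.

```python
import hashlib, hmac, zlib

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data):
    # WEP's ICV is a CRC-32 of the plaintext: unkeyed and linear over XOR.
    return zlib.crc32(data).to_bytes(4, "little")

def keystream(key, n):
    # Stand-in stream cipher (SHAKE-256), not RC4; only the XOR structure matters.
    return hashlib.shake_256(key).digest(n)

def mic(mic_key, data):
    # Keyed stand-in for a MIC (truncated HMAC-SHA-256), not the Michael algorithm.
    return hmac.new(mic_key, data, hashlib.sha256).digest()[:8]

def seal(key, payload, mic_key=None):
    # Layout from the text: data, then MIC (if used), then ICV; all encrypted.
    body = payload + (mic(mic_key, payload) if mic_key else b"")
    body += icv(body)
    return xor(body, keystream(key, len(body)))

def accepts(key, frame, mic_key=None):
    body = xor(frame, keystream(key, len(frame)))
    body, got_icv = body[:-4], body[-4:]
    if icv(body) != got_icv:
        return False
    if mic_key is None:
        return True
    payload, got_mic = body[:-8], body[-8:]
    return hmac.compare_digest(mic(mic_key, payload), got_mic)

def modify_without_key(frame, delta):
    # crc(p ^ d) = crc(p) ^ crc(d) ^ crc(0..0) for equal lengths, so the ICV
    # correction depends only on delta, never on the key or the plaintext.
    pad = bytes(len(frame) - 4 - len(delta))   # any MIC bytes stay untouched
    d = delta + pad
    return xor(frame, d + xor(icv(d), icv(bytes(len(d)))))

def demo():
    key, mic_key = b"constructed-key", b"constructed-mic-key"
    payload = b"sensor=0010;unit=C"          # constructed sample payload
    delta = xor(payload, b"sensor=9910;unit=C")
    icv_only = modify_without_key(seal(key, payload), delta)
    with_mic = modify_without_key(seal(key, payload, mic_key), delta)
    # (ICV-only receiver accepts the altered frame, MIC receiver rejects it)
    return accepts(key, icv_only), accepts(key, with_mic, mic_key)
```

The ICV-only receiver accepts the altered frame because the checksum correction can be computed from the change alone; the receiver that also verifies a keyed code rejects it.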