
Product Documentation
Devicescape Secure Wireless Client

Product Overview

What is DSA Supplicant?

The Devicescape Agent Supplicant (DSA Supplicant) is a software development package for enabling authentication and security in wireless LAN (WLAN) client devices.

The DSA Supplicant software development package comprises a full-featured 802.1X supplicant (also referred to as wpa_supplicant), Intermediate Driver (IM) support for WinCE and Windows Mobile, a CLI interface, and a sample GUI.

DSA Supplicant is fully compliant with IEEE 802.11i, IEEE 802.1X, and Wi-Fi WPA/WPA2 security standards.

DSA Supplicant is distributed in source code, and it is designed to be fully portable to different operating systems and hardware. The source code also includes a version of the OpenSSL library that has been modified to work with EAP-FAST. For convenience, binary versions of DSA Supplicant for running on supported Windows operating systems are also available.

DSA Supplicant is compatible with all WLAN chipsets on the Windows operating system that use the NDIS driver interface, and provides built-in support for most popular Linux WLAN drivers.

The DSA Supplicant documentation package provides a Developer Guide and API documentation that explain how the supplicant is implemented and how to modify it. The documentation guides you through adding support for a new driver, porting to a different operating system, and building a UI that interacts with the wireless client configuration and management interfaces.

Product Requirements

Developing and testing the Devicescape Agent Supplicant requires the following setup and components:

  • A development host with the Devicescape Agent Supplicant software development package installed. The development host is used to edit the DSA Supplicant source package and build the executables for the target.
  • A target device on which to load and run the DSA Supplicant executable; for example, a hand-held device running Microsoft Windows Mobile. In the case of Windows XP, DSA Supplicant can be run on the development host itself.
  • One or more access points (APs) with which to test wireless client association and connectivity to a network, and security modes.
  • An 802.1X authentication server and 802.1X authenticator on the network (if IEEE 802.1X EAP authentication is required). An example of an 802.1X authentication server is a Remote Authentication Dial-In User Service (RADIUS) server, and an example of an 802.1X authenticator is an AP running in WPA-Enterprise, WPA2-Enterprise or IEEE 802.1X mode. This equipment is not required for WPA-PSK or WPA2-PSK modes.

Optional Libraries

OpenSSL, which implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, is required if you use EAP-TLS, EAP-PEAP, or EAP-TTLS. If your client only supports WPA-PSK, you do not need OpenSSL.

In order to reduce the footprint, OpenSSL can be replaced by small-footprint SSL libraries. For more information, see TLS Interface.

The libpcap and libdnet libraries, used for layer 2 packet processing, are not ordinarily included in a Linux build; instead, the Linux version of DSA Supplicant uses the native Linux mechanism, Linux sockets. The libpcap and libdnet libraries (and the associated layer 2 implementation) are included because they are more portable, so a Linux build of DSA Supplicant that uses them may be easier to port to another operating system. For Windows XP builds, the WinPCap library (available at http://www.winpcap.org) is required.

Product Features

The following features are supported in DSA Supplicant; each is described in more detail below.

Feature: WPA-PSK
  WPA-Personal WLAN security (uses pre-shared keys)

Feature: WPA with EAP
  WPA-Enterprise (for example, with a RADIUS authentication server). The following authentication methods are supported with an integrated IEEE 802.1X Supplicant:
  • EAP-FAST
  • EAP-PSK
  • EAP-WSC
  • EAP-TLS
  • EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1)
  • EAP-PEAP/TLS (both PEAPv0 and PEAPv1)
  • EAP-PEAP/GTC (both PEAPv0 and PEAPv1)
  • EAP-PEAP/OTP (both PEAPv0 and PEAPv1)
  • EAP-PEAP/MD5-Challenge (both PEAPv0 and PEAPv1)
  • EAP-TTLS/EAP-MD5-Challenge
  • EAP-TTLS/EAP-GTC
  • EAP-TTLS/EAP-OTP
  • EAP-TTLS/EAP-MSCHAPv2
  • EAP-TTLS/EAP-TLS
  • EAP-TTLS/MSCHAPv2
  • EAP-TTLS/MSCHAP
  • EAP-TTLS/PAP
  • EAP-TTLS/CHAP
  • EAP-SIM
  • LEAP (requires special support from the driver for IEEE 802.11 authentication)
  The following methods are also supported, but because they do not generate keying material, they cannot be used as an outer authentication method with WPA or IEEE 802.1X WEP keying:
  • EAP-MD5-Challenge
  • EAP-MSCHAPv2
  • EAP-GTC
  • EAP-OTP

Feature: Key Management
  Key management for AES (CCMP), TKIP, WEP40 (WEP64), WEP104 (WEP128), WEP128 (WEP152)

Feature: WPA2 (IEEE 802.11i)
  Same features as WPA-PSK, WPA with EAP and Key Management, with the following additional features:
  • Pre-authentication
  • PMKSA caching

Feature: IM driver
  Intermediate Driver, for use in Windows CE and Windows Mobile to provide layer 2 packet access.

Feature: CLI
  Command Line Interface (if a console window is available)

Feature: Sample GUI
  Sample Graphical Interface for Linux, Windows XP, Windows CE and Windows Mobile

Wi-Fi Protected Access (WPA)

The original security mechanism of the IEEE 802.11 standard was not designed to be strong and has proven insufficient for most networks that require any real security. Task Group I (Security) of the IEEE 802.11 working group (http://www.ieee802.org/11/) worked to address the flaws of the base standard; the result was published as the IEEE 802.11i standard specification.

The Wi-Fi Alliance (http://www.wi-fi.org/) used a draft version of the IEEE 802.11i work (draft 3.0) to define a subset of the security enhancements that can be implemented with existing WLAN hardware. This subset is called Wi-Fi Protected Access (WPA), and it has become a mandatory component of the interoperability testing and certification done by the Wi-Fi Alliance. For more information about WPA, see http://www.wi-fi.org/OpenSection/protected_access.asp.

The IEEE 802.11 standard defined the Wired Equivalent Privacy (WEP) algorithm for protecting wireless networks. WEP uses RC4 with 40-bit keys, a 24-bit initialization vector (IV), and CRC32 to protect against packet forgery. All of these choices have proven insufficient: the key space is too small against current attacks, the RC4 key scheduling is weak (the beginning of the pseudorandom stream should be skipped), the IV space is too small and IV reuse makes attacks easier, there is no replay protection, and the non-keyed integrity check does not protect against bit-flipping of packet data.

WPA is an intermediate solution to these security issues. It uses the Temporal Key Integrity Protocol (TKIP) to replace WEP. TKIP is a compromise between strong security and the ability to use existing hardware: it still uses RC4 for encryption, as WEP does, but with per-packet RC4 keys. In addition, it implements replay protection and a keyed packet authentication mechanism (the Michael MIC).

Keys can be managed using two different mechanisms. WPA can either use an external authentication server (for example, RADIUS) and EAP, just as IEEE 802.1X does, or use pre-shared keys without the need for additional servers. The Wi-Fi Alliance calls these WPA-Enterprise and WPA-Personal, respectively. Both mechanisms generate a master session key for the Authenticator (AP) and the Supplicant (client station).

WPA implements a new key handshake (the 4-Way Handshake and the Group Key Handshake) for generating and exchanging data encryption keys between the Authenticator and the Supplicant. This handshake is also used to verify that both the Authenticator and the Supplicant know the master session key. The handshakes are identical regardless of the selected key management mechanism; only the method for generating the master session key changes.
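As an added illustration of the key handshake described above (not code from the DSA Supplicant package): the WPA-Personal master key derivation, the IEEE 802.11i PRF that expands it into the pairwise transient key from both MAC addresses and both nonces, and the EAPOL-Key MIC each side verifies to confirm that the peer holds the same master key. The MAC addresses, nonces and the message 2 frame are constructed sample values, and the MIC offset assumes an EAPOL-Key frame with no Key Data.

```python
import hashlib
import hmac
MIC_OFFSET = 81  # EAPOL header (4) + Key Descriptor fields preceding the Key MIC (77)

def derive_psk(passphrase: str, ssid: bytes) -> bytes:
    """WPA-Personal master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter), truncated."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = KCK | KEK | TK [| TKIP MIC keys]; inputs are sorted, so both sides derive the same key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)

def eapol_key_mic(kck: bytes, frame: bytes, version: int) -> bytes:
    """Key MIC over the whole EAPOL frame with the MIC field zeroed: HMAC-MD5 (v1/TKIP) or HMAC-SHA1[:16] (v2/CCMP)."""
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, digest).digest()[:16]

def verify_eapol_mic(kck: bytes, frame: bytes, version: int) -> bool:
    """Receiver side: recompute the MIC with its own KCK and compare in constant time."""
    return hmac.compare_digest(eapol_key_mic(kck, frame, version), frame[MIC_OFFSET:MIC_OFFSET + 16])

def build_msg2(snonce: bytes, replay: int) -> bytes:
    """Constructed 4-Way Handshake message 2 (descriptor v2, pairwise, MIC bit set, empty Key Data)."""
    body = (bytes([2]) + b"\x01\x0a" + b"\x00\x10" + replay.to_bytes(8, "big") + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body

def handshake_demo(passphrase: str = "password", ssid: bytes = b"IEEE") -> dict:
    """Constructed sample: the Supplicant signs message 2; the Authenticator checks it with its own PTK."""
    aa, spa = bytes.fromhex("a0a1a2a3a4a5"), bytes.fromhex("b0b1b2b3b4b5")  # sample AP and STA MACs
    anonce, snonce = bytes(range(0x20, 0x40)), bytes(range(0x40, 0x60))     # sample nonces
    pmk = derive_psk(passphrase, ssid)
    ptk_ap = derive_ptk(pmk, aa, spa, anonce, snonce)
    ptk_sta = derive_ptk(pmk, spa, aa, snonce, anonce)  # same inputs, supplied in the other order
    frame = build_msg2(snonce, 1)
    signed = frame[:MIC_OFFSET] + eapol_key_mic(ptk_sta[:16], frame, 2) + frame[MIC_OFFSET + 16:]
    wrong_kck = derive_ptk(derive_psk("not-the-passphrase", ssid), aa, spa, anonce, snonce)[:16]
    return {"ptk_match": ptk_ap == ptk_sta, "mic_ok": verify_eapol_mic(ptk_ap[:16], signed, 2),
            "mic_ok_wrong_pmk": verify_eapol_mic(wrong_kck, signed, 2)}
```

The `derive_psk` output for passphrase "password" and SSID "IEEE" matches the published IEEE 802.11i test vector, which is a convenient self-check when porting the derivation to another platform.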

WPA2/IEEE 802.11i

The design of the parts of IEEE 802.11i that were not included in WPA was finished in May 2004, and this amendment to IEEE 802.11 was approved in June 2004. The Wi-Fi Alliance uses the final IEEE 802.11i as a new version of WPA, called WPA2. WPA2 adds support for a more robust encryption algorithm (CCMP: AES in Counter mode with CBC-MAC) to replace TKIP, and optimizations for hand-off (a reduced number of messages in the initial key handshake, pre-authentication, and PMKSA caching).

Cisco Compatible Extensions (CCX)

DSA Supplicant supports Cisco Compatible Extensions v1, v2, v3, and v4 (CCX) as an option (available only to Cisco Licensees). DSA Supplicant with CCX extensions takes advantage of Cisco's innovations for enhanced security, mobility, quality of service, and network management. If you are a Cisco Licensee and have purchased DSA Supplicant with CCX extensions, please contact your sales representative at Devicescape for information on how to acquire the CCX upgrade Documentation set.

IM Driver

Devicescape provides a binary Intermediate (IM) driver for Windows CE and Windows Mobile operating systems. This architecture is very unobtrusive and does not require Windows Zero Config (WZC) to be disabled in order to function. For more information, see NDIS Intermediate (IM) Driver Interface (dsfilter.dll).

CLI

A Command Line Interface is provided to quickly and easily configure DSA Supplicant. DSA Supplicant can also be configured for remote CLI operation via a UDP connection with another host. For more information, see Using wpa_cli.

Sample GUI

A sample GUI for Linux (QT3 and QT4) and Windows (MFC) is available. For more information, see Sample GUI for Linux Target Device and Building DSA Supplicant, the CLI and the GUI.
