The Wi-Fi Protected Access (WPA) specification addresses 802.11's vulnerabilities. WPA is actually an interim solution agreed upon by wireless vendors until its big brother, 802.11i, is ratified. Both WPA and 802.11i address 802.11's key-management and authentication weaknesses.

In 802.11, 802.1x authentication by wireless clients is optional, but WPA requires 802.1x. WPA lets you use two types of authenticators. For the best security, the authenticator should be a Remote Authentication Dial-In User Service (RADIUS) server using Extensible Authentication Protocol (EAP). But for smaller networks, WPA also supports using the local wireless Access Point (AP) as the authenticator. In this case, wireless AP uses a secret passphrase that you must configure on each wireless AP and client computer. WPA passphrases are easier to use than WEP preshared keys because each manufacturer tends to handle WEP preshared keys differently: Some require you to enter the key in hexadecimal format, others as a password, and so on, which complicates interoperability between wireless components. WPA requires all manufacturers to handle passphrases consistently. However, using WPA passphrases can introduce significant security vulnerabilities unless you use a large variety of random characters and make your passphrases at least 20 characters long.

In standards earlier than WPA (e.g., 802.11 with 802.1x), multicast (such as streaming content) and broadcast packets don't benefit from changing the encryption key after a certain number of packets, but these packets do benefit in WPA. In addition, rekeying for unicast traffic (i.e., typical traffic in which packets are sent to only one recipient) is optional. WPA requires regular rekeying for broadcast, multicast, and unicast traffic to improve security.

To solve other problems with 802.11's WEP encryption, WPA replaces WEP with Temporal Key Integrity Protocol (TKIP), which has better encryption-key handling. To solve weaknesses with 802.11 and WEP's integrity checking, WPA introduces a new method called Michael, which replaces the old 802.11 32-bit integrity check value (ICV) with a 64-bit Message Integrity Code (MIC) and a new frame counter to foil replay attacks. One other significant change in WPA is the introduction of support for Advanced Encryption Standard (AES), which is optional.

Upgrading to WPA shouldn't require new hardware for most companies. Wireless AP vendors such as D-Link Systems, Linksys, and Cisco Systems already offer WPA firmware upgrades for their wireless APs, which you can download, then flash to the wireless AP. To facilitate migration to WPA, WPA-compliant wireless APs temporarily support a mixed environment of WPA and 802.11 clients. Wi-Fi NICs can support WPA if you obtain updated drivers. So far, only Windows versions Windows Server 2003 and Windows XP support WPA, and you need to install the WPA Wireless Security Update. For more information about WPA and to download the WPA Wireless Security Update for XP, see the Microsoft article "Overview of the WPA Wireless Security Update in Windows XP" (