Microsoft KB Archive/893357

= The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) update for Windows XP with Service Pack 2 is available =

Article ID: 893357

Article Last Modified on 11/5/2007

APPLIES TO

 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition

SUMMARY
''This article describes the Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) Update. A link to download this update is included. You can install this update on a computer that is running Windows XP with Service Pack 2. The update supports the additional mandatory security features of the IEEE 802.11i standard that are not already included for products that support WPA. Additionally, after you install the update, Windows XP will display previously hidden Service Set Identifiers (SSIDs) in the Choose A Wireless Network dialog box. This functionality makes it easier for you to connect to public Wi-Fi networks to which you have not previously connected.''



INTRODUCTION
The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) Update for computers that are running Microsoft Windows XP with Service Pack 2 (SP2) is available. This update enhances the Windows XP wireless client software with support for the new Wi-Fi Alliance certification for wireless security. The update also makes it easier to connect to secure public spaces that are equipped with wireless Internet access. These locations are otherwise known as "Wi-Fi hotspots."



Download information
The following file is available for download from the Microsoft Download Center:

Download the Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) update for Windows XP with Service Pack 2 package now. Release Date: April 29, 2005

For more information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites
To install this update, you must be running Windows XP with SP2. For more information about how to obtain the latest Windows XP service pack, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Restart requirement
You must restart the computer after you apply this update.

File information
The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

  Date         Time   Version         Size       File name
  -----------  -----  --------------  ---------  ------------
  19-Apr-2005  23:54  5.1.2600.2658      14,592  Ndisuio.sys
  20-Apr-2005  19:21  5.1.2600.2658   1,705,472  Netshell.dll
  20-Apr-2005  19:21  5.1.2600.2658     381,440  Wzcdlg.dll
  20-Apr-2005  19:21  5.1.2600.2658      52,736  Wzcsapi.dll
  20-Apr-2005  19:21  5.1.2600.2658     474,624  Wzcsvc.dll
  19-Apr-2005  23:44  5.1.2600.2658      13,824  Xpsp3res.dll

WPA2
WPA2 is a product certification that is available through the Wi-Fi Alliance. WPA2 certifies that wireless equipment is compatible with the IEEE 802.11i standard. The WPA2 product certification formally replaces Wired Equivalent Privacy (WEP) and the other security features of the original IEEE 802.11 standard. The goal of WPA2 certification is to support the additional mandatory security features of the IEEE 802.11i standard that are not already included for products that support WPA.

The WPA2/WPS IE Update supports the following features of WPA2:
 * WPA2 Enterprise using IEEE 802.1X authentication and WPA2 Personal using a preshared key (PSK).
 * The Advanced Encryption Standard (AES) in Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which provides data confidentiality, data origin authentication, and data integrity for wireless frames.
 * The optional use of Pairwise Master Key (PMK) caching and opportunistic PMK caching. In PMK caching, wireless clients and wireless access points cache the results of 802.1X authentications. Therefore, when a wireless client roams back to a wireless access point to which it already authenticated, it can skip the full 802.1X exchange and proceed directly to the 4-way handshake, so reconnection is much faster.
 * The optional use of preauthentication. In preauthentication, a WPA2 wireless client can perform an 802.1X authentication with other wireless access points in its range while it is still connected to its current wireless access point.

You must use the WPA2/WPS IE Update together with the following:
 * Wireless access points that support WPA2.
 * Wireless network adaptors that support WPA2.
 * Windows XP wireless network adaptor drivers that support the passing of WPA2 capabilities to Windows Wireless Auto Configuration.

The WPA2/WPS IE Update modifies the following dialog boxes:
 * When you are connected to a WPA2 capable wireless network, the type of network is displayed as WPA2 in the Choose A Wireless Network dialog box.
 * On the Association tab for the properties of a wireless network, the Network Authentication list has the following additional options:
 * WPA2 - for WPA2 Enterprise
 * WPA2-PSK - for WPA2 Personal

Note These options are not present if the wireless network adaptor driver does not support WPA2.

For more information about WPA2 security features, see the "Wi-Fi Protected Access 2 (WPA2) Overview" topic at the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/bb878054.aspx

Registry values that control preauthentication and PMK caching
The following registry entries in the  subkey control the behavior of preauthentication and PMK caching for the WPA2/WPS IE Update:
 * PMKCacheMode
 * PMKCacheTTL
 * PMKCacheSize
 * PreAuthMode
 * PreAuthThrottle

PMKCacheMode
Value type: REG_DWORD - Boolean

Valid range: 0 (disabled), 1 (enabled)

Default value: 1

Present by default: No

Description: Specifies whether a Windows XP-based wireless client will perform PMK caching. By default, PMKCacheMode is enabled.

PMKCacheTTL
Value type: REG_DWORD

Valid range: 5-1440

Default value: 720

Present by default: No

Description: Specifies the number of minutes that an entry in the PMK cache can exist before being removed. The maximum value is 1440 (24 hours). The default value is 720 (12 hours).

PMKCacheSize
Value type: REG_DWORD

Valid range: 1-255

Default value: 100

Present by default: No

Description: Specifies the maximum number of entries that can be stored in the PMK cache. Note The original article lists the default as 100 above but states in this description that the cache has 16 entries by default; the two figures are not reconciled, so verify the effective cache size on a test client before relying on either value.

PreAuthMode
Value type: REG_DWORD - Boolean

Valid range: 0 (disabled), 1 (enabled)

Default value: 0

Present by default: No

Description: Specifies whether a Windows XP-based wireless client will try preauthentication. By default, PreAuthMode is disabled.

PreAuthThrottle
Value type: REG_DWORD

Valid range: 1-16

Default value: 3

Present by default: No

Description: Specifies the number of top candidate wireless access points with which the Windows XP-based computer will try preauthentication. The value is based on the ordered list of the most favored wireless access points, as reported by the wireless network adaptor driver. By default, PreAuthThrottle has a value of 3.

Note Changes to any one or more of these registry entry values do not take effect until the next time that you restart the Wireless Zero Configuration service (WZCSVC) or the next time that you restart the computer.
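The five values above are most easily applied to a stock Windows XP SP2 client with a .reg file (regedit.exe /s file.reg, or reg.exe import). The following script is an added example, not code from this article or from Microsoft: it checks each requested value against the documented range and renders the .reg text, so an out-of-range PMKCacheTTL or PreAuthThrottle is rejected before it ever reaches the registry. The subkey path is not preserved in this archived copy of the article, so REG_SUBKEY is an assumed value that must be verified against the original article before use; roaming_profile() is a constructed sample, not a recommended policy.

```python
"""Build a .reg file for the WZC preauthentication/PMK-caching values from
KB 893357, validating each value against the documented range.

Added example, not from the article or from Microsoft. ASSUMPTION: the
subkey path was lost from the archived article; REG_SUBKEY is the author's
assumed path and must be checked against the original KB before use."""

# Assumed subkey (see docstring); replace if the original article differs.
REG_SUBKEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"

# name -> (minimum, maximum, default) exactly as documented above
WZC_VALUES = {
    "PMKCacheMode":    (0, 1, 1),
    "PMKCacheTTL":     (5, 1440, 720),
    "PMKCacheSize":    (1, 255, 100),
    "PreAuthMode":     (0, 1, 0),
    "PreAuthThrottle": (1, 16, 3),
}


def validate(settings):
    """Return {name: int} after range-checking; reject unknown names and bools."""
    out = {}
    for name, value in settings.items():
        if name not in WZC_VALUES:
            raise KeyError("unknown WZC value: %s" % name)
        lo, hi, _ = WZC_VALUES[name]
        if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
            raise ValueError("%s=%r is outside the documented range %d-%d" % (name, value, lo, hi))
        out[name] = value
    return out


def to_reg_file(settings):
    """Render validated settings as 'Windows Registry Editor Version 5.00' text."""
    vals = validate(settings)
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % REG_SUBKEY]
    for name in WZC_VALUES:                      # documented order, so diffs are stable
        if name in vals:
            lines.append('"%s"=dword:%08x' % (name, vals[name]))
    return "\r\n".join(lines) + "\r\n"


def roaming_profile():
    """Constructed sample: fast roaming on, cached PMKs expire after one hour."""
    return {"PMKCacheMode": 1, "PMKCacheTTL": 60, "PreAuthMode": 1, "PreAuthThrottle": 3}


def write_reg_file(path, settings):
    """Write the file as UTF-16LE with a BOM, the encoding regedit expects for 5.00 files."""
    with open(path, "w", encoding="utf-16-le", newline="") as fh:
        fh.write("\ufeff" + to_reg_file(settings))


if __name__ == "__main__":
    print(to_reg_file(roaming_profile()), end="")
    # Import on the client with: regedit.exe /s wzc-roaming.reg
    # then restart WZCSVC (or reboot) for the values to take effect.
```

A shorter PMKCacheTTL bounds how long a cached PMK stays usable on the client after the 802.1X session that produced it; the script deliberately refuses values the article does not document rather than letting the service fall back to an unspecified behaviour.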

Wireless Provisioning Services Information Element (WPS IE)
Wireless Internet service providers (WISPs) first offered wireless access to the Internet without security, so that customers did not have to configure wireless security settings. Because wireless security has become more important, WISPs want to move to secure public Wi-Fi networks. During the migration, WISPs must be able to support both nonsecure and secure wireless access to the Internet. To be cost effective during migration, WISPs must be able to support and advertise two different logical wireless networks that have two different wireless network names, and that use a single physical network infrastructure.

Note Wireless network names are also known as Service Set Identifiers (SSIDs).

Some wireless access points that are available today can advertise multiple SSIDs and support multiple logical network configurations at the same time. However, because of hardware limitations, the vast majority of the wireless access points that are deployed today in public Wi-Fi hotspots only permit one SSID to be included in the broadcast Beacon and Probe Response frames. This behavior effectively hides secondary SSIDs from wireless client computers. Therefore, it is much more difficult for you to discover and connect to public Wi-Fi network names that you have not previously connected to. Without wireless AP support to advertise multiple SSIDs in broadcast Beacon and Probe Response frames, the additional wireless networks must either be implemented by using an additional set of physical wireless access points, or users must manually configure their wireless clients by using the names of hidden SSIDs. The implementation of an additional set of wireless access points is not cost effective for WISPs. The manual configuration of wireless clients is difficult for customers, and does not scale to a large WISP network.

The WPS IE is a newly defined 802.11 information element that solves the hidden SSID problem for WISPs by giving wireless access points a way to advertise additional SSIDs in the broadcast Beacon and Probe Response frames. The WPS IE includes the SSID and additional details, such as:
 * Whether IEEE 802.1X authentication is required.
 * Whether the wireless network can provide provisioning information to the wireless client.

The WPS IE must be included in the broadcast Beacon and Probe Response frames, and must be recognized and processed by wireless client computers. Frequently, you can add WPS IE support to wireless access points through a firmware update. Therefore, you typically do not have to replace existing wireless access points or install additional ones. Check your wireless AP vendor's documentation or Web site to determine whether a firmware update for your wireless AP is available. For a Windows XP with SP2-based wireless client, you must install the WPA2/WPS IE Update.

When you install the WPA2/WPS IE Update on wireless client computers that are running Windows XP with SP2, the wireless components of Windows XP recognize the WPS IE in the broadcast Beacon or Probe Response frames. This functionality makes the previously hidden SSIDs visible to the user in the Choose A Wireless Network dialog box. Windows XP-based wireless client computers without the WPA2/WPS IE Update installed do not recognize the WPS IE and do not display the hidden SSIDs.
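Both the WPA2 section above and the WPS IE description come down to what a client does with the information elements (IEs) in a Beacon or Probe Response: the RSN IE tells it whether the network is WPA2 (802.1X) or WPA2-PSK, which cipher is in use, whether the AP supports preauthentication, and, in the client's own reassociation request, which cached PMK it is offering; the WPS IE is a further vendor-specific IE. The following parser is an added example, not code from this article or from Windows. The frame bodies are constructed by hand for the example. The article does not give the WPS IE's OUI type or payload layout, so vendor IEs carrying the Microsoft OUI are reported by OUI and type only, and the type byte in the sample is a placeholder, not the documented WPS IE type.

```python
"""Decode 802.11 Beacon/Probe Response information elements as a WPA2-aware
client must: SSID, RSN IE (ciphers, AKM, preauthentication bit, PMKIDs) and
vendor-specific IEs such as the Microsoft WPS IE.

Added example; not code from KB 893357 or from Windows. Frame bodies are
constructed. The WPS IE layout is not given in the article, so vendor IEs
are only identified by OUI and type, never decoded."""
import struct

RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11i suite-selector OUI
MS_OUI = b"\x00\x50\xf2"    # Microsoft OUI carried by WPA/WMM/WPS vendor IEs
EID_SSID, EID_RSN, EID_VENDOR = 0, 48, 221

CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_SUITES = {1: "802.1X", 2: "PSK"}


def iter_ies(body):
    """Yield (element_id, payload) for each TLV; refuse truncated elements."""
    off = 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("dangling element header at offset %d" % off)
        eid, length = body[off], body[off + 1]
        payload = body[off + 2:off + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated element %d" % eid)
        yield eid, payload
        off += 2 + length


def suite_name(table, sel):
    """Map a 4-byte suite selector (OUI + type) to a name."""
    if len(sel) != 4:
        raise ValueError("short suite selector")
    if sel[:3] != RSN_OUI:
        return "vendor-" + sel.hex()
    return table.get(sel[3], "unknown-%d" % sel[3])


def parse_rsn(p):
    """Decode an RSN IE (element ID 48)."""
    version, = struct.unpack_from("<H", p, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = suite_name(CIPHER_SUITES, p[2:6])
    off = 6
    n, = struct.unpack_from("<H", p, off)
    off += 2
    pairwise = [suite_name(CIPHER_SUITES, p[off + 4 * i:off + 4 * i + 4]) for i in range(n)]
    off += 4 * n
    n, = struct.unpack_from("<H", p, off)
    off += 2
    akms = [suite_name(AKM_SUITES, p[off + 4 * i:off + 4 * i + 4]) for i in range(n)]
    off += 4 * n
    caps = 0
    if off + 2 <= len(p):            # RSN Capabilities field is optional
        caps, = struct.unpack_from("<H", p, off)
        off += 2
    pmkids = []
    if off + 2 <= len(p):            # PMKID list: sent by a client holding a cached PMK
        n, = struct.unpack_from("<H", p, off)
        off += 2
        pmkids = [p[off + 16 * i:off + 16 * i + 16].hex() for i in range(n)]
    return {"group": group, "pairwise": pairwise, "akm": akms,
            "preauth": bool(caps & 0x0001),   # bit 0: AP supports preauthentication
            "pmkids": pmkids}


def describe_network(body):
    """Summarise a frame the way the Choose A Wireless Network dialog labels it."""
    info = {"ssid": None, "auth": "Unsecured", "rsn": None, "vendor_ies": []}
    for eid, p in iter_ies(body):
        if eid == EID_SSID:
            info["ssid"] = p.decode("utf-8", "replace")
        elif eid == EID_RSN:
            rsn = info["rsn"] = parse_rsn(p)
            # Association-tab names: WPA2 (Enterprise, 802.1X) / WPA2-PSK (Personal)
            if "802.1X" in rsn["akm"]:
                info["auth"] = "WPA2"
            elif "PSK" in rsn["akm"]:
                info["auth"] = "WPA2-PSK"
        elif eid == EID_VENDOR and p[:3] == MS_OUI:
            info["vendor_ies"].append(("microsoft", p[3]))
    return info


# Constructed sample frame bodies (not captures).
ENTERPRISE_BEACON_IES = (
    bytes([EID_SSID, 14]) + b"hotspot-secure"
    + bytes([EID_RSN, 20]) + b"\x01\x00"            # RSN version 1
    + RSN_OUI + b"\x04"                             # group cipher: CCMP
    + b"\x01\x00" + RSN_OUI + b"\x04"               # one pairwise cipher: CCMP
    + b"\x01\x00" + RSN_OUI + b"\x01"               # one AKM: 802.1X (WPA2 Enterprise)
    + b"\x01\x00"                                   # capabilities: preauthentication bit set
    + bytes([EID_VENDOR, 6]) + MS_OUI + b"\x05\x00\x01"   # Microsoft vendor IE; type is a placeholder
)
PERSONAL_BEACON_IES = (
    bytes([EID_SSID, 11]) + b"hotspot-psk"
    + bytes([EID_RSN, 18]) + b"\x01\x00" + RSN_OUI + b"\x04"
    + b"\x01\x00" + RSN_OUI + b"\x04"
    + b"\x01\x00" + RSN_OUI + b"\x02"               # AKM: PSK (WPA2 Personal); no capabilities
)
OPEN_BEACON_IES = bytes([EID_SSID, 12]) + b"hotspot-open"
# RSN IE a roaming client puts in its reassociation request when it holds a cached PMK:
CLIENT_REASSOC_RSN = (
    b"\x01\x00" + RSN_OUI + b"\x04" + b"\x01\x00" + RSN_OUI + b"\x04"
    + b"\x01\x00" + RSN_OUI + b"\x01" + b"\x00\x00"
    + b"\x01\x00" + bytes(range(16))                # one PMKID (constructed)
)

if __name__ == "__main__":
    for blob in (ENTERPRISE_BEACON_IES, PERSONAL_BEACON_IES, OPEN_BEACON_IES):
        print(describe_network(blob))
    print(parse_rsn(CLIENT_REASSOC_RSN)["pmkids"])
```

The truncation checks in iter_ies are not cosmetic: a client that trusts the length byte of a Beacon it has not yet authenticated is reading attacker-controlled data, so the walker refuses elements that run past the end of the body rather than silently decoding a short slice. On the wire, PMK caching is visible only as the PMKID list in the client's reassociation request, which is why the sample keeps that case separate from the Beacon samples.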

To successfully deploy support for the WPS IE, you must have the following:
 * Wireless access points that support the configuration of additional SSIDs and their advertisement with the WPS IE. For example, Cisco has released firmware updates for its wireless access points to support the new WPS IE. For information, visit the following Cisco Web site:

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin0900aecd801b83b0.html

 * Wireless client computers that are running Windows XP with SP2 and the WPA2/WPS IE Update.

After the update is deployed, the use of the WPS IE provides the following benefits:
 * Enables easy and cost-effective migration from nonsecure public Wi-Fi hotspot wireless connections to secure public Wi-Fi hotspot wireless connections. The secure public Wi-Fi hotspots must use 802.1X authentication, encryption, and Wireless Provisioning Services (WPS) to provision wireless settings, using the same set of wireless access points.
 * Lets wireless users easily discover and choose whether they want nonsecured or secured wireless connections. Additionally, wireless users can quickly configure wireless settings.

For more information about WPS, see the &quot;Deploying Wireless Provisioning Services (WPS) Technology&quot; white paper. To download the white paper, visit the following Microsoft Web site:

http://go.microsoft.com/fwlink/?LinkId=42996

Additional changes in the WPA2/WPS IE Update
The following changes are also included in the WPA2/WPS IE Update:
 * Windows XP now prompts you to confirm that you want to create a nonsecured preferred wireless network. Nonsecured is defined as an Open System authenticated connection that does not use encryption to help protect data. Additionally, when you are connected to a nonsecured wireless network, the network is displayed with the label Unsecured. These changes were added to make sure that you are aware that you are connecting to a wireless network on which traffic can be eavesdropped and that is susceptible to other attacks.
 * The Choose A Wireless Network dialog box in Windows XP with SP2 merged an infrastructure network and an ad-hoc network that used the same wireless network name, so that only one appeared in the list of available networks. This issue has been corrected. With the update installed, the Choose A Wireless Network dialog box displays both types of wireless networks in the available networks list as separate entries.
 * The static provisioning interface API for Wireless Provisioning Services (WPS) has been updated so that you can specify WPA2 as an authentication method. For more information about this API, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms940173.aspx

 * Previously, there was a one-minute connection delay when you started the computer if you connected to a WPS-provisioned wireless network. This issue has been corrected.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Keywords: kbqfe kbhotfixserver kbbug kbwinxppresp3fix kbfix kbnetwork atdownload KB893357

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.