
WPA2 Now a DSD Approved Cryptographic Protocol

Published June 2012

Introduction

The intention of this policy broadcast is to inform government agencies that:

  1. Wi-Fi Protected Access 2 (WPA2) is now a DSD Approved Cryptographic Protocol (DACP) when used in accordance with the advice contained in the Wireless Local Area Networks section of the Network Security chapter of the August 2012 and subsequent versions of the Australian Government Information Security Manual (ISM).
  2. At the time of publication of this policy broadcast, DSD is evaluating wireless products for inclusion on the Evaluated Products List (EPL).

Security requirements for wireless networks

Wireless networks carry inherent vulnerabilities not present in traditional wired networks as traffic is broadcast into uncontrolled public spaces. As such, there are additional security requirements that must be taken into consideration when deploying a wireless network. These additional requirements are detailed in the Wireless Local Area Networks section of the Network Security chapter of the Australian Government Information Security Manual (ISM) and the information security paper on Wireless Network Security (and complementary Wireless Network Security - Technical Advice for IT professionals).

When choosing wireless products, agencies should be aware that the security of any WPA2-Enterprise wireless network depends on each of the network components and on how they interact with each other. WPA2-Enterprise wireless networks typically comprise three main elements:

  1. Supplicants: software that supports the 802.1X protocol, and is therefore able to authenticate to a wireless access point (WAP) or Ethernet switch.
  2. WAPs: devices that relay data between the supplicant and the Remote Authentication Dial-In User Service (RADIUS) server.
  3. RADIUS servers: back-end management servers used for authentication, authorisation and accounting purposes.

[Figure: WPA2-Enterprise network schematic]
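The three elements above meet at the supplicant's configuration: it is the supplicant that selects 802.1X (WPA-EAP), restricts the cipher to AES-CCMP, and decides whether the RADIUS server's certificate is validated. The following added example (not part of the DSD broadcast, and not a DSD or ISM tool) parses two constructed wpa_supplicant network blocks, a weak one and a hardened one, and flags the settings an agency would check before deployment; the SSID, identity, CA path and RADIUS hostname are hypothetical.

```python
import re

# Constructed wpa_supplicant network blocks (not from the DSD broadcast).
WEAK_BLOCK = """network={
    ssid="agency-wlan"
    key_mgmt=WPA-EAP
    pairwise=TKIP CCMP
    eap=PEAP
    identity="user@agency.example"
}"""

HARDENED_BLOCK = """network={
    ssid="agency-wlan"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    identity="user@agency.example"
    ca_cert="/etc/ssl/certs/agency-radius-ca.pem"
    domain_suffix_match="radius.agency.example"
}"""

def parse_network_block(text):
    """Return the key=value settings of the first network={...} block."""
    body = re.search(r"network=\{(.*?)\}", text, re.S)
    if not body:
        raise ValueError("no network block found")
    settings = {}
    for line in body.group(1).splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            settings[key] = value.strip('"')
    return settings

def check_supplicant(settings):
    """Return findings; an empty list means the block passes every check."""
    findings = []
    if settings.get("key_mgmt") != "WPA-EAP":
        findings.append("key_mgmt must be WPA-EAP (802.1X authentication)")
    # Second field is wpa_supplicant's default when the key is omitted.
    for key, default, want in (("proto", "WPA RSN", "RSN"),
                               ("pairwise", "CCMP TKIP", "CCMP"),
                               ("group", "CCMP TKIP WEP104 WEP40", "CCMP")):
        if set(settings.get(key, default).split()) != {want}:
            findings.append(f"{key} must be {want} only (AES-CCMP)")
    if "ca_cert" not in settings:
        findings.append("ca_cert missing: RADIUS server certificate not validated")
    elif not settings.keys() & {"domain_suffix_match", "subject_match"}:
        findings.append("no domain_suffix_match: any certificate from the CA is accepted")
    return findings
```

The weak block produces four findings (WPA1 and TKIP/WEP permitted by default, and no server certificate validation); the hardened block produces none.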

WPA2 recognised as a DACP

In revisions of the ISM prior to the August 2012 release, DSD mandated that agencies using wireless networks to communicate sensitive or classified information use an additional layer of encryption on top of the AES-CCMP encryption provided by WPA2.

As WPA2 has now been recognised as a DSD Approved Cryptographic Protocol (DACP), the requirement for an additional layer of encryption has been removed for the communication of PROTECTED and below information.

However, agencies must use supplicants, WAPs and RADIUS servers that have successfully completed an appropriate evaluation for PROTECTED and above information.

For PROTECTED networks, this entails choosing products that have successfully completed a DSD Cryptographic Evaluation (DCE), while for CONFIDENTIAL and above networks, this entails choosing High Grade Cryptographic Equipment.

Contact details

Organisations or individuals with questions regarding this advice can contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).
