EAP and IEEE 802.1X

A clear increase in WLAN security can be achieved by using keys that are negotiated dynamically instead of keys with fixed values. The Extensible Authentication Protocol (EAP) has become the established process for this. As the name suggests, the original purpose of EAP is authentication, that is, regulated access to a WLAN; the possibility of installing a valid key for the next session is more or less a byproduct. Figure 2 shows the basic process of a session secured by EAP.

Note: In principle, EAP / 802.1X can be used in combination with WEP. However, this method is generally employed with WLANs using WPA2.

In the first phase, the client registers with the access point as usual and reaches the state in which, under the formerly used WEP, it could already send and receive over the access point. With EAP this is not yet the case, because in this state the client still has no key with which to secure its data traffic against eavesdropping. Instead, from the access point's point of view the client is in an 'intermediate state' in which only particular packets from the client are forwarded, and these only to an authentication server. These packets are the EAP/802.1X packets mentioned previously. The access point packs them into RADIUS requests and sends them on to the authentication server; the replies coming back from the RADIUS server it converts back into EAP packets and sends to the client.

The access point is thus a sort of middleman between client and server. It doesn't have to check the contents of these packets; it only has to ensure that no other data traffic to or from the client can occur. Over this "tunnel" through the access point, the client and server authenticate one another: the server checks the client's access privilege to the network, and the client checks that it is talking to the right network. "Wild" (rogue) access points set up by attackers can be recognized in this way.

A whole series of authentication methods exists that can be used in this tunnel. A current method (and one supported by Windows XP) is, for instance, EAP-TLS, in which server and client exchange certificates; another is EAP-TTLS, in which only the server supplies a certificate and the client is authenticated using just a username and password.

After the authentication phase, a secure (authenticated) tunnel has been set up between client and server even though the wireless link is not yet encrypted; in the next step the access point is connected into it. For this, the RADIUS server sends the so-called 'Master Secret', a session key calculated during the negotiation, to the access point. The LAN behind the access point is considered secure in this scenario, so this transmission can be performed in clear text.

With this session key, the access point now takes over the tunnel and can use it to deliver the actual key to the client. Depending on the capabilities of the access point hardware, this can be a true session key, i.e. a key that is used only for data packets between the access point and precisely this client. Older WEP hardware uses a group key, which the access point uses for communication with several clients.

The particular advantage of this procedure is that the access point can regularly change the key over the EAP tunnel, that is, it can perform a so-called rekeying. In this way, keys are replaced by new ones long before they run the risk of being cracked due to IV collisions. A common lifetime for such keys might be 5 minutes.
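The whole flow described above (closed port before authentication, EAP relayed to the server inside a RADIUS-style request, master secret handed to the access point, per-client session key, rekeying after 5 minutes) as a toy Python model. This is an added example and not code from the original page or from any WLAN product; the 'user:password' EAP payload, the `AuthServer`, `AccessPoint` and `Frame` classes, the server secret and the station addresses are all constructed stand-ins, and the HMAC-based key derivation is an illustration of "a key bound to exactly this client and this rekey round", not the derivation any real standard uses. Only the EtherType 0x888E for EAP over LAN is a real constant.

```python
import hashlib
import hmac
from dataclasses import dataclass

EAPOL_ETHERTYPE = 0x888E  # real EtherType of EAP-over-LAN (802.1X) frames
IPV4_ETHERTYPE = 0x0800   # ordinary data traffic
KEY_LIFETIME = 300        # seconds; the 5-minute rekeying interval from the text


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: bytes


class AuthServer:
    """Stand-in for the RADIUS server (constructed). The 'user:password' EAP
    payload is a toy check; a real method (EAP-TLS, EAP-TTLS) runs a
    multi-round handshake here."""

    def __init__(self, users, server_secret):
        self.users = users                  # username -> password (constructed)
        self.server_secret = server_secret  # hypothetical server-side key material

    def handle(self, request):
        user, _, password = request["EAP-Message"].partition(b":")
        if self.users.get(user.decode()) != password.decode():
            return {"code": "Access-Reject"}
        # Master secret bound to this user and station. In a real deployment it
        # comes out of the EAP method's key exchange, not from the password.
        station = request["Calling-Station-Id"].encode()
        master = hmac.new(self.server_secret, user + b"|" + station, hashlib.sha256).digest()
        return {"code": "Access-Accept", "master_secret": master}


class AccessPoint:
    """Authenticator: relays EAPOL frames to the server, drops all other traffic
    from a client until the server accepts it, then derives and rotates a
    per-client session key from the master secret."""

    def __init__(self, server):
        self.server = server
        self.master = {}     # mac -> master secret received from the server
        self.keys = {}       # mac -> {"key", "installed", "counter"}
        self.forwarded = []  # data frames passed on to the LAN

    def receive(self, frame, now):
        if frame.ethertype == EAPOL_ETHERTYPE:
            return self.relay_eap(frame, now)
        if frame.src_mac not in self.keys:
            return "dropped"  # port still closed: no key, no data traffic
        self.rekey_if_due(frame.src_mac, now)
        self.forwarded.append(frame)
        return "forwarded"

    def relay_eap(self, frame, now):
        # The EAP packet goes to the server inside a RADIUS-style request
        # (EAP-Message attribute); the access point never inspects it.
        reply = self.server.handle({"EAP-Message": frame.payload,
                                    "Calling-Station-Id": frame.src_mac})
        if reply["code"] != "Access-Accept":
            return "rejected"
        self.master[frame.src_mac] = reply["master_secret"]
        self.install_key(frame.src_mac, now, counter=0)
        return "accepted"

    def install_key(self, mac, now, counter):
        # Key bound to the station and a rekey counter, so two clients or two
        # rekeying rounds never share a key (true session key, not a group key).
        info = b"session|" + mac.encode() + counter.to_bytes(4, "big")
        key = hmac.new(self.master[mac], info, hashlib.sha256).digest()[:16]
        self.keys[mac] = {"key": key, "installed": now, "counter": counter}

    def rekey_if_due(self, mac, now):
        entry = self.keys[mac]
        if now - entry["installed"] < KEY_LIFETIME:
            return False
        self.install_key(mac, now, entry["counter"] + 1)
        return True

    def current_key(self, mac):
        return self.keys[mac]["key"]


def demo():
    """Walk one client through the flow; returns the access point's verdicts."""
    server = AuthServer({"alice": "s3cret"}, server_secret=b"constructed-radius-secret")
    ap = AccessPoint(server)
    mac = "00:11:22:33:44:55"  # constructed station address
    data = Frame(mac, IPV4_ETHERTYPE, b"GET / HTTP/1.1")
    verdicts = [
        ap.receive(data, now=0),                                          # dropped
        ap.receive(Frame(mac, EAPOL_ETHERTYPE, b"alice:wrong"), now=1),   # rejected
        ap.receive(Frame(mac, EAPOL_ETHERTYPE, b"alice:s3cret"), now=2),  # accepted
        ap.receive(data, now=3),                                          # forwarded
    ]
    key_before = ap.current_key(mac)
    ap.receive(data, now=3 + KEY_LIFETIME)  # lifetime exceeded: triggers rekeying
    verdicts.append("rekeyed" if ap.current_key(mac) != key_before else "same key")
    return verdicts
```

`demo()` returns `["dropped", "rejected", "accepted", "forwarded", "rekeyed"]`: the first data frame is discarded because the client's port is still closed, the failed EAP attempt changes nothing, the successful one opens the port and installs a key, and the first data frame after the key lifetime has passed causes the access point to rotate the key without any involvement of the client's data traffic.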