Editing Related-key attack (section)

==Preventing related-key attacks==
One approach to preventing related-key attacks is to design protocols and applications so that encryption keys will never have a simple relationship with each other.  For example, each encryption key can be generated from the underlying key material using a [[key derivation function]].

For example, a replacement for WEP, [[Wi-Fi Protected Access]] (WPA), uses three levels of keys: master key, working key and RC4 key. The master WPA key is shared with each client and access point and is used in a protocol called [[Temporal Key Integrity Protocol]] (TKIP) to create new working keys frequently enough to thwart known attack methods. The working keys are then combined with a longer, 48-bit IV to form the RC4 key for each packet.  This design mimics the WEP approach enough to allow WPA to be used with first-generation Wi-Fi network cards, some of which implemented portions of WEP in hardware. However, not all first-generation access points can run WPA.

Another, more conservative approach is to employ a cipher designed to prevent related-key attacks altogether, usually by incorporating a strong [[key schedule]]. A newer version of Wi-Fi Protected Access, WPA2, uses the [[Advanced Encryption Standard|AES]] [[block cipher]] instead of RC4, in part for this reason. There are [[Advanced Encryption Standard#Security|related-key attacks against AES]], but unlike those against RC4, they're far from practical to implement, and WPA2's key generation functions may provide some security against them.<!-- I'd like to specifically say that WPA2 uses a hash function or something to generate temporal keys but I can't find a citation.-->  Many older network cards cannot run WPA2.