Road to Wi-Fi: No more whining about WEP
When researchers first reported serious security problems with Wi-Fi wireless networks last year, the first response of the Wireless Ethernet Compatibility Association was to dismiss the threat as insignificant. But WECA changed its tune quickly after tools such as AirSnort, which lets even the relatively unskilled eavesdrop on Wi-Fi networks, showed up on the Internet.
Now with commendable alacrity, the trade group, renamed the Wi-Fi Alliance, has come up with a new standard that should solve the most pressing problems. While the new system, called Wi-Fi Protected Access, won't ship until early next year, it will still be out many months before the "official" solution, called 802.11i, that the Institute of Electrical & Electronics Engineers is developing. And both businesses and consumers will be able to upgrade most existing hardware to the new standard as soon as it becomes available.
Wi-Fi has been beset by two interrelated problems. One is a serious flaw in the encryption system, called Wired Equivalent Privacy (WEP), used to prevent eavesdroppers from reading traffic. While described as offering a choice of 64- or 128-bit encryption--meaning hackers would have to try billions upon billions of possible "keys"--a design flaw meant only about a million keys were possible. That made it easy for computerized analysis to discover the password used to generate the key.
Open standard
The second flaw, the lack of any system for determining that users really were who they claimed to be, meant that it was simple for anyone in possession of the password to get on the network.
Wi-Fi Protected Access attacks both problems. First, it discards WEP and replaces it with a much better-designed encryption system called TKIP. Wi-Fi Alliance President Dennis Eaton, a marketing manager for semiconductor maker Intersil, explains that, unlike the original approach to WEP, TKIP was designed as an open standard with input from leading cryptographers. TKIP is one of two encryption standards proposed for 802.11i. The other, the government's new Advanced Encryption Standard, may be somewhat stronger, but it will run only on future Wi-Fi hardware.
For businesses, Wi-Fi Protected Access also addresses the problem of identifying users more precisely. It takes a standard called 802.1x, which has been used in a number of proprietary wireless user-identification schemes from Cisco Systems and others, and makes it a standard part of Wi-Fi. Basically, with 802.1x a user is initially allowed to communicate only with a wireless access point. The access point passes the request on to a special login server. Only if that server is satisfied by the person's credentials--a user name plus a password, a biometric such as a fingerprint, or a smart card--does the person gain access to the full network.
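The 802.1x flow just described, as a small added model that is not part of the original article: the access point relays authentication traffic to a separate login server but keeps its "controlled port" closed to ordinary data until that server answers success. The frame layout, the `AuthServer` password store, and the client identifiers are constructed for illustration; real EAP methods carry the credentials inside a protected exchange rather than as the plain bytes used here.

```python
"""Toy 802.1X port-based access control (added illustration, not from the article)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class AuthServer:
    """Stands in for the 'special login server'. It alone holds credentials,
    stored as salted PBKDF2 hashes; the access point never sees them."""

    def __init__(self):
        self._users = {}  # username -> (salt, pbkdf2 digest)

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)

    def authenticate(self, eap_payload: bytes) -> bool:
        """Parse the constructed 'username\\0password' payload and verify it."""
        try:
            username, password = eap_payload.split(b"\x00", 1)
        except ValueError:
            return False
        entry = self._users.get(username.decode(errors="replace"))
        if entry is None:
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
        return hmac.compare_digest(candidate, digest)


def build_eap(username: str, password: str) -> bytes:
    """Constructed credential payload for the toy EAP method above."""
    return username.encode() + b"\x00" + password.encode()


@dataclass
class AccessPoint:
    """The authenticator: one uncontrolled port (auth traffic only) and one
    controlled port per client that opens only after the server says yes."""

    server: AuthServer
    authorized: set = field(default_factory=set)   # client ids with an open controlled port
    log: list = field(default_factory=list)         # (client, event, detail) for review

    def receive(self, client_id: str, frame: dict) -> str:
        kind = frame.get("kind")
        if kind == "eapol":
            # Uncontrolled port: the AP relays the opaque payload without interpreting it.
            ok = self.server.authenticate(frame.get("eap", b""))
            if ok:
                self.authorized.add(client_id)
            self.log.append((client_id, "auth", "success" if ok else "failure"))
            return "EAP-Success" if ok else "EAP-Failure"
        if kind == "data":
            # Controlled port: forward to the wired network only for authorized clients.
            if client_id in self.authorized:
                self.log.append((client_id, "forward", frame.get("payload", b"")))
                return "forwarded"
            self.log.append((client_id, "drop", frame.get("payload", b"")))
            return "dropped"
        # Anything else is neither authentication nor authorized data.
        self.log.append((client_id, "drop", kind))
        return "dropped"

    def deauthorize(self, client_id: str) -> None:
        """Closing the controlled port again, e.g. on logoff or session timeout."""
        self.authorized.discard(client_id)


def demo():
    """Walk one client through: data before auth (dropped), bad password,
    good password, data after auth (forwarded)."""
    server = AuthServer()
    server.add_user("alice", "correct horse battery")
    ap = AccessPoint(server)
    results = [
        ap.receive("laptop-1", {"kind": "data", "payload": b"GET /intranet"}),
        ap.receive("laptop-1", {"kind": "eapol", "eap": build_eap("alice", "wrong")}),
        ap.receive("laptop-1", {"kind": "eapol", "eap": build_eap("alice", "correct horse battery")}),
        ap.receive("laptop-1", {"kind": "data", "payload": b"GET /intranet"}),
        ap.receive("laptop-2", {"kind": "data", "payload": b"GET /intranet"}),
    ]
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(demo(), 1):
        print(step, outcome)
```

Authorization is tracked per client, so a second device sharing the same radio link gets nothing forwarded until it completes its own exchange; the `log` list is the kind of record a defender would want the real access point to emit for failed and successful authentications.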
A must for certification
This system isn't practical for home users, who have neither the skill nor the equipment to set up a special authentication server. Instead, the home version of Protected Access uses an improved approach to WEP's shared password. The main change is that while the password is still used to gain access to the network, the keys actually used for encryption are generated dynamically, making eavesdropping much harder.
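How "dynamically generated" keys can coexist with a single shared password, as an added example (not code from the article or the Wi-Fi Alliance): the passphrase and network name are stretched once into a long-lived master key, and every association mixes that master key with fresh random nonces and both devices' addresses to produce the key actually used for encryption. The PBKDF2 parameters are the ones the WPA pre-shared-key mode later specified; the nonce-mixing PRF below is a simplified HMAC-SHA256 construction, not the standard's own, and the MAC addresses are constructed.

```python
"""Passphrase -> master key -> per-session key (added illustration, not the standard's code)."""
import hashlib
import hmac
import os


def pairwise_master_key(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK style stretching: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output.
    This is computed once and never sent over the air."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def session_key(pmk: bytes, mac_a: bytes, mac_b: bytes,
                nonce_a: bytes, nonce_b: bytes, length: int = 48) -> bytes:
    """Simplified PRF (assumption: HMAC-SHA256 in counter mode, not the 802.11i PRF).
    Inputs are sorted so both sides build the same byte string regardless of role."""
    data = (b"Pairwise key expansion"
            + min(mac_a, mac_b) + max(mac_a, mac_b)
            + min(nonce_a, nonce_b) + max(nonce_a, nonce_b))
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(pmk, data + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class Station:
    """Either the access point or a client; both know only the passphrase."""

    def __init__(self, mac: bytes, passphrase: str, ssid: str):
        self.mac = mac
        self.pmk = pairwise_master_key(passphrase, ssid)
        self.nonce = None
        self.ptk = None

    def fresh_nonce(self) -> bytes:
        self.nonce = os.urandom(32)   # new randomness every association
        return self.nonce

    def derive(self, peer_mac: bytes, peer_nonce: bytes) -> bytes:
        self.ptk = session_key(self.pmk, self.mac, peer_mac, self.nonce, peer_nonce)
        return self.ptk


def associate(ap: Station, client: Station) -> tuple:
    """Exchange nonces in the clear (as the real handshake does) and derive
    the session key on each side. Returns (ap_key, client_key)."""
    a_nonce = ap.fresh_nonce()
    c_nonce = client.fresh_nonce()
    return ap.derive(client.mac, c_nonce), client.derive(ap.mac, a_nonce)


# Constructed addresses for the demonstration.
AP_MAC = bytes.fromhex("02aabbccdd01")
CLIENT_MAC = bytes.fromhex("02aabbccdd02")


def demo(passphrase: str = "example passphrase", ssid: str = "HomeNet") -> dict:
    """Two associations with the same passphrase yield matching but different keys."""
    ap = Station(AP_MAC, passphrase, ssid)
    client = Station(CLIENT_MAC, passphrase, ssid)
    first = associate(ap, client)
    second = associate(ap, client)
    return {
        "sides_agree": first[0] == first[1] and second[0] == second[1],
        "keys_differ_per_session": first[0] != second[0],
        "first_key_hex": first[0].hex(),
    }


if __name__ == "__main__":
    print(demo())
```

An eavesdropper who records one session's traffic and later learns that session's nonces still has to go through the passphrase-stretching step to get anywhere, and a key recovered for one session says nothing about the next, which is the improvement over WEP's single fixed key that the article is pointing at.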
The Wi-Fi Alliance expects the first Protected Access software to be available via download around the end of the first quarter of 2003. By year-end 2003, it will be mandatory for Wi-Fi certification of networking gear.
In the meantime, Wi-Fi networks should continue to at least run WEP. It's not very good, but it's better than no encryption. And any business communications that are at all sensitive should be conducted using virtual private network hardware or software, which uses strong encryption to protect traffic, wired or wireless, over the public Internet.

Stronger Security Fences for Wi-Fi
First published on November 8, 2002
By Stephen H. Wildstrom