October 31, 2002, 9:41 AM — The organization that certifies wireless LAN products under the WiFi name unveiled new specifications Thursday for how vendors should make their products more secure.
The guidelines call for new mechanisms to replace the current security system, based on WEP (Wireless Encryption Protocol), which has come under fire for being too easy to circumvent. The certification body, Wi-Fi Alliance, plans to lay the mechanisms out as optional features beginning in February and require them for WiFi compliance about six months later, said Dennis Eaton, chairman of the Wi-Fi Alliance.
A task group within the Institute of Electrical and Electronic Engineers Inc. (IEEE) 802.11 working group, which is in charge of the IEEE 802.11b and 802.11a standards on which WiFi products are based, is now working on a tough new security standard called 802.11i. However, it isn't expected to ratify that standard until September 2003, so the Wi-Fi Alliance took a "snapshot" of 802.11i.
"Their work is ongoing, but ... security has been a big issue for WiFi equipment, and the market was really in need of a security solution today," Eaton said.
Fear of snooping from street corners or office parking lots has kept many enterprises from deploying wireless LANs, which can link users to corporate data and the Internet at 11M bps (bits per second) with 802.11b and 54M bps with 802.11a, industry analysts have said.
With WEP, the keys used to encrypt data passing over the network can be cracked just by examining a brief sample of packets, according to Peter Shipley, an independent security consultant in Berkeley, California.
Some vendors, such as Cisco Systems Inc., sell corporate 802.11 systems equipped with other methods of security on top of WEP. However, most consumer-oriented wireless LAN equipment offers only WEP.
The Wi-Fi Alliance's specifications, called WPA (Wireless Protected Access), include mechanisms from the emerging 802.11i standard for both data encryption and network access control. For encryption, WPA has TKIP (Temporal Key Integrity Protocol), which uses the same algorithm as WEP but constructs keys in a different way. For access control, WPA will use the IEEE 802.1x protocol, a recently completed standard for controlling entry to both wired and wireless LANs.
With WPA, each user will have his or her own encryption key, and that key can be set to change periodically. In enterprises, user authentication will be handled by an authentication server, a system that can be expanded to handle more users much more easily than could WEP. For home networks, a "pre-shared key" mode can be used that does not require an authentication server. It lets a user log in to a network if the pre-shared key on the user's system matches the one on the wireless access point.
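As an added illustration (not part of the original article), the pre-shared-key mode described above works as follows in the finalized 802.11i specification: both the client and the access point derive a 256-bit key from the passphrase and the network name (SSID) with PBKDF2-HMAC-SHA1 at 4096 iterations, and the client is admitted only if the two derived keys match. The script below implements that derivation and the matching check; the `psk_matches` helper is hypothetical, and the passphrase/SSID pair used is the 802.11i test vector, not a value from the article.

```python
import hashlib
import hmac

# WPA-PSK derivation as specified in IEEE 802.11i (the article above does
# not give the formula): PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).
def wpa_psk(passphrase: str, ssid: str) -> bytes:
    # WPA passphrases are 8 to 63 printable ASCII characters; anything else is rejected.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def psk_matches(ap_key: bytes, client_key: bytes) -> bool:
    # Hypothetical helper: the access point admits the client only if the keys agree.
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(ap_key, client_key)


def main() -> None:
    ssid = "IEEE"
    ap_key = wpa_psk("password", ssid)          # key configured on the access point
    good_client = wpa_psk("password", ssid)     # client with the correct passphrase
    bad_client = wpa_psk("passw0rd", ssid)      # client with a typo in the passphrase
    other_net = wpa_psk("password", "OtherNet") # same passphrase, different SSID

    print("PSK:", ap_key.hex())
    print("correct passphrase admitted:", psk_matches(ap_key, good_client))
    print("wrong passphrase admitted:  ", psk_matches(ap_key, bad_client))
    print("same passphrase on another SSID gives the same key:",
          psk_matches(ap_key, other_net))


if __name__ == "__main__":
    main()
```

Because the SSID is mixed into the derivation, reusing one passphrase on two networks still yields two different keys, which is why the client must be configured with the network name as well as the passphrase.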