WiFi group lays out better wireless security
The organization that certifies wireless LAN products under the WiFi name unveiled new specifications Thursday for how vendors should make their products more secure.
The guidelines call for new mechanisms to replacement the current security system, based on WEP (Wireless Encryption Protocol), which has come under fire for being too easy to circumvent. The certification body, Wi-Fi Alliance, plans to lay the mechanisms out as optional features beginning in February and require them for WiFi compliance about six months later, said Dennis Eaton, chairman of the Wi-Fi Alliance.
A task group within the Institute of Electrical and Electronic Engineers Inc. (IEEE) 802.11 working group, which is in charge of the IEEE 802.11b and 802.11a standards on which WiFi products are based, is now working on a tough new security standard called 802.11i. However, it isn't expected to ratify that standard until September 2003, so the Wi-Fi Alliance took a "snapshot" of 802.11i.
"Their work is ongoing, but ... security has been a big issue for WiFi equipment, and the market was really in need of a security solution today," Eaton said.
Fear of snooping from street corners or office parking lots has kept many enterprises from deploying wireless LANs, which can link users to corporate data and the Internet at 11M bps (bits per second) with 802.11b and 54M bps with 802.11a, industry analysts have said.
With WEP, the keys used to encrypt data passing over the network can be cracked just by examining a brief sample of packets, according to Peter Shipley, an independent security consultant in Berkeley, California.
Some vendors, such as Cisco Systems Inc., sell corporate 802.11 systems equipped with other methods of security on top of WEP. However, most consumer-oriented wireless LAN equipment offers only WEP.
The Wi-Fi Alliance's specifications, called WPA (Wireless Protected Access), includes mechanisms from the emerging 802.11i standard for both data encryption and network access control. For encryption, WPA has TKIP (Temporal Key Integrity Protocol), which uses the same algorithm as WEP but constructs keys in a different way. For access control, WPA will use the IEEE 802.1x protocol, a recently completed standard for controlling entry to both wired and wireless LANs.
With WPA, each user will have his or her own encryption key, and that key can be set to change periodically. In enterprises, user authentication will be handled by an authentication server, a system that can be expanded to handle more users much more easily than could WEP. For home networks, a "pre-shared key" mode can be used that does not require an authentication server. It lets a user log in to a network if the pre-shared key on the user's system matches the one on the wireless access point.
For home users, the eventual goal is to have the new security features activated out of the box, but that won't be possible until some time next year because interoperability issues between vendors need to be worked out, Eaton said. However, the features should be easy for home users to activate, he said.
One network administrator who has experimented with wireless LANs said the new specifications might ease his concerns about security.
Concordia College, in Moorhead, Minnesota, now has a set of wireless-equipped notebook PCs and an access point, which can be moved from one classroom to another as a temporary LAN, said Dennis Duncan, a network manager at the college. WEP is enabled on that LAN, but Duncan has held back on bigger wireless deployments.
"We haven't had any problems, but I know there have been exploits on (WEP)," Duncan said. "Before we did a wide-open wireless environment, like in the library, I'd want to have something better than WEP," he added. Proprietary security tools from a particular vendor probably wouldn't help in the college environment, Duncan said, because students buy their own interface cards, usually low-priced ones without any special features.
WPA's stronger key system and user authentication could make it feasible to roll out more wireless LANs, he said.
"If we could implement that kind of thing, that would be great," Duncan said.
The draft test plan for WPA is expected to be completed Nov. 8 and interoperability testing to begin Nov. 22. Certification is set to begin Feb. 3, according to Eaton.
The Wi-Fi Alliance plans to adopt the full 802.11i standard as version 2 of WPA, and begin certification in early 2004. Among other new features, that standard currently includes two other encryption algorithms, WRAP (Wireless Robust Authenticated Protocol) and CCMP (Counter with Cipher Block Chaining Message Authentication Code Protocol).
Strong, consistent security standards will help the industry mature, said Gerry Purdy, principal analyst at MobileTrax LLC, in Cupertino, California.
"Eventually, it's going to be shown that there's a right way to manage security ... those that comply with that will get consideration (from buyers) and those that don't, won't," he said.