Usage, Expectations, and Strategies for the Future

The World’s Largest 802.11 Event



802.11 Planet
80211 HotSpots

Advertising Info

802 is a registered trademark of the Institute of Electrical and Electronic Engineers, Inc. ( IEEE ). 802.11 Planet is not affiliated with the IEEE

Subscribe Now!'s Weekly Newsletter
html * text
More Free Newsletters

802.11 Glossary
Find an 802.11 Term

wireless channel wireless channel
80211 HotSpots
Pocket PC Wire
Palm Boulevard
Psion Place
Visor Village
Pocket PC City

Free Barter Account
Find a Consultant
Compare Prices
Freelance Projects
Search Marketplace
Web Design
Internet Jobs
Free Business Pubs
EMedia Mag Free Sub
CreditCard Processing
Internet News
Internet Investing
Internet Technology
Windows Internet Tech.
Linux/Open Source
Web Developer
ECommerce/ Marketing
ISP Resources
ASP Resources
Wireless Internet
Internet Resources
Internet Lists
Career Resources

Corporate Info
E-mail Offers Tutorials

802.11 Security Beyond WEP
By Jim Geier

As discussed in a previous tutorial, 802.11 wired equivalent privacy (WEP) has weaknesses, making it inadequate for protecting networks containing sensitive information. WEP does a fairly good job of defending against the general public, but there are some good hackers lurking out there who can crack into a WEP-protected network. As a result, you will need to implement advanced security mechanisms beyond the capability of WEP if you feel that unauthorized people will want access to resources on your network.

Effective Security

WEP only provides a method for authenticating radio NICs to access points, not the other way around. As a result, a hacker can "reroute" data through an alternate unauthorized path that avoids other security mechanisms. Instead of one-way authentication, wireless LANs need to implement mutual authentication to avoid this problem.

Encryption alters the bits of each data packet to guard against eavesdroppers from decoding data, such as credit card numbers and user/name passwords. WEP doesn't support key management, which requires users to manually change encryption keys. Because this is a tedious process, keys go unchanged for weeks, months, and even years. This leaves the network wide open to hackers.

For encryption to be effective, the security function must minimize the reuse of encryption keys by changing them often, possibly every frame transmission. This decreases the time available for a hacker to break into the network and makes it very difficult if not impossible to comprise the security of the network.

There are proprietary enhancements to WEP that leading wireless LAN vendors currently implement (such as Agere's 152-bit WEP and US Robotic's 256-bit WEP), and some companies utilize Internet-based security mechanisms (e.g., IPSec) to protect data transmissions from eavesdroppers. For a standardized solution, the 802.11i committee is nearly finished specifying methods that strongly enhance 802.11's ability to safeguard wireless LANs.

802.1X: Framework for Authentication

Combined with an authentication protocol, such as EAP-TLS, LEAP, or EAP-TTLS, IEEE 802.1X provides port-based access control and mutual authentication between clients and access points via an authentication server. The use of digital certificates makes this process very effective. 802.1X also provides a method for distributing encryption keys dynamically to wireless LAN devices, which solves the key reuse problem found in the current version of 802.11. (For details on the operation of 802.1X, refer to a past tutorial.)

Microsoft supports 802.1X in Windows XP, and many vendors offer 802.1X in wireless LAN devices. 802.11i is including 802.1X in the future 802.11 standard, which will probably be available in by the end of 2002.

TKIP: Interim Encryption Solution

The temporal key integrity protocol (TKIP), initially referred to as WEP2, is an interim solution that fixes the key reuse problem of WEP, that is, periodically using the same key to encrypt data. The TKIP process begins with a 128-bit "temporal key" shared among clients and access points. TKIP combines the temporal key with the client's MAC address and then adds a relatively large 16-octet initialization vector to produce the key that will encrypt the data. This procedure ensures that each station uses different key streams to encrypt the data.

TKIP uses RC4 to perform the encryption, which is the same as WEP. A major difference from WEP, however, is that TKIP changes temporal keys every 10,000 packets. This provides a dynamic distribution method that significantly enhances the security of the network.

An advantage of using TKIP is that companies having existing WEP-based access points and radio NICs can upgrade to TKIP through relatively simple firmware patches. In addition, WEP-only equipment will still interoperate with TKIP-enabled devices using WEP. TKIP is a temporary solution, and most experts believe that stronger encryption is still needed.

AES: Long Term Encryption Technique

In addition to the TKIP solution, the 802.11i standard will likely include the Advanced Encryption Standard (AES) protocol. AES offers much stronger encryption. In fact, the U.S. Commerce Department's National Institutes of Standards and Technology (NIST) organization chose AES to replace the aging Data Encryption Standard (DES). AES is now a Federal Information Processing Standard, FIPS Publication 197, that defines a cryptographic algorithm for use by U.S. Government organizations to protect sensitive, unclassified information. The Secretary of Commerce approved the adoption of AES as an official Government standard in May 2002.

An issue, however, is that AES requires a coprocessor (additional hardware) to operate. This means that companies need to replace existing access points and client NICs to implement AES. Based on marketing reports, the installed base today is relatively small compared to what future deployments will bring. As a result, there will be a very large percentage of new wireless LAN implementations that will readily take advantage of AES when it becomes part of 802.11. Companies having installed wireless LANs, on the other hand, will need to determine whether it's worth the costs of upgrade for better security.

Jim Geier provides independent consulting services to companies developing and deploying wireless network solutions. He is the author of the book, Wireless LANs (SAMs, 2001), and regularly instructs workshops on wireless LANs.

Got a comment or question? Discuss it in the 802.11 Planet Forums

June 26, 2002

Related Articles
Access Point Vendor Selection Tips
802.11 WEP: Concepts and Vulnerability
AiroPeek NX
New Wi-Fi Chip Enhances SOHO Security

Email this Article
View Printable Version

Copyright 2002 INT Media Group, Incorporated All Rights Reserved.
Legal Notices,  Licensing, Reprints, & Permissions,  Privacy Policy.