What's new in wireless security and how are you going to get to it?
Louise McKeag, Techworld
It’s more than two years since the 802.11i draft started doing the rounds, but it’s nearly there. 802.11i provides extra security beyond WEP, which, as we know all too well from the scare stories we see every time we open an IT journal, has some serious security weaknesses.
Various additional authentication and encryption protocols have been developed (see
In fact, although it is pre-standard, Cisco, for one, already offers TKIP functionality with its EAP and derivative (LEAP, PEAP) protocols. And a subset of 802.11i (as close as can be approximated to a non-finalised standard) is what makes up the Wi-Fi Alliance’s WPA (Wi-Fi Protected Access), which for compliance requires 802.1X with EAP for authentication and TKIP (per-packet keying plus a message integrity check, MIC) for encryption.
AES
Also part of the 802.11i specification, though, will be AES, the US official encryption standard set by the National Institute of Standards and Technology (NIST) as successor to the DES/3DES algorithms. AES is a stronger alternative to WEP’s RC4, with 128, 192 or 256-bit keys; 128 bits has been selected for use in 802.11i.
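As an added illustration (not code from the article), here is how the security advertisement an access point sends in its beacons can be decoded and checked against the 802.11i end state the article describes. The Python below parses the 802.11i RSN element (ID 48, suite OUI 00:0F:AC) and the pre-standard WPA vendor element (ID 221, OUI 00:50:F2 type 1) and reports where the advertised suites fall short of AES-CCMP with 802.1X/EAP; the two sample elements are constructed for the example. A defender uses this kind of check to find networks still advertising TKIP or WEP.

```python
import struct

# Suite-type numbers are shared by WPA (OUI 00:50:F2) and RSN (OUI 00:0F:AC).
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}
AKMS = {1: "802.1X/EAP", 2: "PSK"}
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"   # vendor element 221 carrying a WPA IE

# Constructed sample elements (ID, length, body) as they would appear in a beacon:
WPA_TKIP_IE = bytes.fromhex("dd16 0050f201 0100 0050f202 0100 0050f202 0100 0050f201")
RSN_CCMP_IE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 0000")


def _suite_list(body, off, table):
    """Read a little-endian 2-byte count, then that many 4-byte selectors
    (3-byte OUI + 1-byte suite type). Returns (names, offset after list)."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    names = [table.get(body[off + 4 * i + 3], "unknown") for i in range(count)]
    return names, off + 4 * count


def parse_security_ie(ie):
    """Decode one raw element. Returns the advertised suites as a dict,
    or None if the element is neither an RSN nor a WPA element."""
    eid, body = ie[0], ie[2:2 + ie[1]]
    if eid == 48:
        kind, off = "RSN (802.11i)", 0
    elif eid == 221 and body[:4] == WPA_OUI_TYPE:
        kind, off = "WPA (pre-standard)", 4
    else:
        return None
    (version,) = struct.unpack_from("<H", body, off)
    group = CIPHERS.get(body[off + 5], "unknown")    # type byte of the group selector
    pairwise, off = _suite_list(body, off + 6, CIPHERS)
    akm, off = _suite_list(body, off, AKMS)
    return {"kind": kind, "version": version, "group": group,
            "pairwise": pairwise, "akm": akm}


def shortfalls(info):
    """List where an advertisement falls short of the 802.11i end state the
    article describes: an RSN element, AES-CCMP ciphers and 802.1X/EAP."""
    issues = []
    if info["kind"].startswith("WPA"):
        issues.append("pre-standard WPA element rather than an 802.11i RSN element")
    for role, names in (("group", [info["group"]]), ("pairwise", info["pairwise"])):
        issues += [f"{role} cipher {n} is not AES-CCMP" for n in names if n != "CCMP-128"]
    if "802.1X/EAP" not in info["akm"]:
        issues.append("no 802.1X/EAP authentication suite offered")
    return issues
```

Feed it the elements pulled from a captured beacon or probe response (for example by a wireless scanner that exposes raw information elements) to audit what each network actually offers.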
However, since AES is more resource-intensive, you may find that if you want full 802.11i compliance you will have to replace your existing wireless hardware. AES is a longer-term plan, with WPA and individual vendors’ own implementations of TKIP/EAP satisfying most of our security worries for now. It’s unlikely everyone’s going to rush to implement AES if it means buying new access points, which probably won’t be available until some time after the .11i standard is published anyway.
A bit like the Power over Ethernet story, it looks like we’ll be using close-to-but-not-quite-standard hardware for quite a while, until the next generation of kit is released. Maybe if it hadn’t taken almost two and a half years to get the standard out the door, everyone wouldn’t have come out with their own alternatives that seem to do the job pretty nicely right now, thank you.
Oh, and one other thing: although 802.11i doesn’t specifically define a version of EAP to use along with TKIP, it’s looking like EAP-TLS is its preferred version. Remembering that EAP-TLS requires digital certificates to be installed not just on your AAA server but also on every client device that requires access, this may be one idea from the standards body that won’t get that far.