The National Institute of Standards and Technology, the US federal agency responsible for defining security standards and practices for the government, will issue new wireless LAN guidelines shortly.

Any decisions it reaches will have a heavy impact on federal agency purchases of WLAN equipment, since agencies are required to follow NIST recommendations. According to William Burr, manager of NIST's security technology group, the agency is focussing on whether to approve the IEEE's 802.11i WLAN security standard for encryption and authentication as a government standard. The IEEE approved 802.11i last July, but Burr says NIST is not keen on some aspects of it.

Specifically, NIST has reservations about the so-called Temporal Key Integrity Protocol (TKIP), which is the key management protocol in 802.11i that uses the same encryption engine and RC4 algorithm that was defined for the Wired Equivalent Privacy protocol (WEP).

The 40-bit WEP, used in many early WLAN products, has been widely criticised for having too short a key length and a poor key management scheme for encryption. TKIP is a "wrapper" that goes around WEP encryption and ensures that TKIP encryption is 128 bits long.

TKIP was designed to ensure it could operate on WLAN hardware that used WEP. In contrast, the 128-bit Advanced Encryption Standard (AES), which NIST already has approved, requires a hardware change for most older WLAN equipment.

"We just don't feel that the TKIP protocol cuts the grade for government encryption," Burr says. He adds that the RC4 encryption algorithm is not a Federal Information Processing Standard (FIPS) and probably won't ever be because network professionals see RC4 as rather weak in terms of message authentication and integrity.


NIST is more inclined to approve AES for WLAN security, and in fact Burr pointed to the NIST document 800-38C, published last summer, for encryption that includes the AES algorithm.

As far as the key management scheme for key exchange and setup is concerned, NIST might introduce a new key-management technology that's been jointly developed with the National Security Agency. "We have to make the decision soon," says Burr, who notes that vendors that make WLAN equipment and their customers in the federal agencies are awaiting NIST's determinations.

"Right now, there's a lot of pressure on to get this worked out since the agencies want to buy wireless networks and the vendors very much want them to," he says. Because NIST's recommendations are binding as a purchasing requirement, several agencies are holding back from WLAN deployments until they hear from NIST.