Interesting People mailing list archives

New Protection for 802.11


From: Dave Farber <dave () farber net>
Date: Wed, 06 Nov 2002 13:48:36 -0500


------ Forwarded Message
From: Dewayne Hendricks <dewayne () warpspeed com>
Reply-To: dewayne () warpspeed com
Date: Tue, 05 Nov 2002 13:17:54 -0800
To: Dewayne-Net Technology List <dewayne-net () warpspeed com>
Subject: [Dewayne-Net] New Protection for 802.11


New Protection for 802.11

While WLAN admins continue to wait for IEEE 802.11i, the non-profit
Wi-Fi alliance has approved a replacement for the much derided Wired
Equivalent Privacy (WEP) encryption.

by Eric Griffith
80211-Planet Managing Editor
[November 5, 2002]
<http://isp-planet.com/fixed_wireless/business/2002/wpa.html>

The non-profit Wi-Fi Alliance, the consortium behind interoperability
standards and testing for 802.11-based networks, has announced an
official replacement for the much derided Wired Equivalent Privacy
(WEP) encryption. The new solution, called Wi-Fi Protected Access
(WPA), is a subset of the still unfinished IEEE 802.11i security
specification and will be usable by both home and enterprise wireless
networks.

Why not wait for 802.11i? According to Dennis Eaton, the chairman of
the Wi-Fi Alliance, "the [IEEE] Task Group I doing 802.11i is still
on a path to be complete about this time next year with a fully
ratified standard, but that's a little too long. We had to do
something sooner."

That something sooner is WPA, which, according to Eaton, will work
with the majority of 802.11-based products out today once they've
gone through a firmware/software upgrade. WPA is forward compatible
with 802.11i. By the time 11i is ratified around September of next
year, expect to see a WPA version 2.0 with full 802.11i support.
Eventually, the Alliance expects to require Wi-Fi products to ship
with WPA turned on as a default.

The way WPA will work in the enterprise is similar to the setup of
any 802.1X authentication system. The clients and access points must
have WPA enabled for encryption to and from an 802.1X with Extensible
Authentication Protocol (EAP) authentication server of some sort,
such as a RADIUS server, with centralized access management.

"The server provides the scalability for the design, user
credentials, authorization as users request access, and generates the
keys for Temporal Key Integrity Protocol (TKIP) encryption...TKIP is
part of WPA," says Eaton. Once the server authenticates the user, the
access point will let that user on to the wired network -- up to that
point, the client only talked to the server.

Home network users usually won't have an authentication server, but
the WPA solution still uses 802.1X. They won't get the upper layer
authentication, but can take advantage of Pre-shared Key mode.

"Pre-shared Key is used much like WEP -- you key in a pass phrase
[called the master key] in both the client and access point," says
Eaton. "In the association process, if the password matches, then the
access point allows access to the Internet or wired network. You
still get the advantage of 802.1X, so my key is different from my
wife's key on the same access point, but our keys are refreshed
every time we connect. The pass phrase is the same, but the key is
generated."

WEP, on the other hand, uses a static key that is seldom changed by
users. This cryptographic weakness is responsible for many of the
known security issues in WLANs today -- any patient criminal hacker can
eventually figure out the encryption key and get on the network.

WPA takes advantage of the 802.11i specification's requirements for
things like 802.1X and TKIP, but leaves out things that require a
hardware upgrade or aren't ready, such as secure fast handoff, secure
de-authentication and disassociation, and AES-CCMP enhanced
encryption.

The Wi-Fi Alliance is only requiring products going forward to have
WPA built in if they expect to get the Wi-Fi Certification
stamp -- older and current WLAN products don't have to get a WPA
upgrade. However, Eaton expects that upgrades to WPA will start
appearing from vendors in the next several months. Whether vendors
provide the upgrade for individual products or not depends upon their
stance and whether they get support for it from the core technology
providers such as the chipset makers. Already announcing support for
WPA with future upgrades are major 802.11 vendors (and Wi-Fi Alliance
members) such as Agere, Atheros, Atmel, Funk Software, Intersil,
Proxim, Resonext, and Texas Instruments.

"We're fully behind it," says Bill Carney, Director of Marketing and
Business Development at Texas Instruments. "It's important security.
Security is the biggest roadblock to adoption."

Companies are free to resubmit older products with WPA implemented to
the Alliance for testing. Interoperability testing of such products will
begin in February 2003.

Archives at: 
<http://web.wireless.com/index.php?name=Mailing_List&fn=viewml&mid=4>


------ End of Forwarded Message
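
An added example, not part of the forwarded article: how Pre-shared Key mode can keep one pass phrase yet produce a different key for every station and every connection. The PBKDF2 and PRF details follow the published IEEE 802.11i key hierarchy rather than anything stated above; the MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac
import os

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pass phrase + SSID -> 256-bit pairwise master key (PBKDF2-HMAC-SHA1)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pass phrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1 blocks over label || 0 || data || i."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """Per-session 512-bit pairwise transient key used with TKIP."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)

def session_keys(passphrase: str, ssid: str) -> dict:
    """Constructed scenario: two stations on one AP, one of them reconnecting."""
    pmk = derive_pmk(passphrase, ssid)
    ap = bytes.fromhex("020000000001")       # constructed MAC addresses
    sta_a = bytes.fromhex("0200000000aa")
    sta_b = bytes.fromhex("0200000000bb")
    fresh = lambda: os.urandom(32)           # ANonce / SNonce, new per handshake
    return {
        "pmk": pmk,
        "a_first": derive_ptk(pmk, ap, sta_a, fresh(), fresh()),
        "a_reconnect": derive_ptk(pmk, ap, sta_a, fresh(), fresh()),
        "b_first": derive_ptk(pmk, ap, sta_b, fresh(), fresh()),
    }

if __name__ == "__main__":
    for name, key in session_keys("password", "IEEE").items():
        print(f"{name:12s} {key.hex()}")
```

Every station that knows the pass phrase computes the same master key; only the nonces and MAC addresses separate the sessions, so the strength of the pass phrase still bounds the strength of the network.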
