News
New security spec for wireless LAN
- By John K. Waters
- November 6, 2002
An industry trade group last week took the wraps off a new 802.11 wireless
network security specification based on the Wi-Fi Protected Access (WPA)
standard. Created by the Wi-Fi Alliance, WPA provides enterprises with a
built-in mechanism to authenticate the identity of users based on the Extensible
Authentication Protocol, which runs on Remote Authentication Dial-In User
Service network servers.
WPA replaces the static encryption keys that are part of the existing Wired
Equivalent Privacy (WEP) security protocol with dynamic keys through use of the
Temporal Key Integrity Protocol (TKIP), which is part of the upcoming Institute
of Electrical and Electronics Engineers' (IEEE) 802.11i Robust Security Network standard.
It also includes a message integrity checksum called "Michael" that will help
network administrators determine whether an unauthorized user has tried to
intercept and decode TKIP keys.
The Wi-Fi Alliance is a non-profit organization that promotes the 802.11
wireless LAN standard. More than 180 companies belong to the organization, and
more than 450 products have been certified by it. The Wi-Fi Alliance said in a
statement that it plans to make the new technology optional by February of next
year, but mandatory about six months later. Most Wi-Fi products will be made
WPA-compliant by upgrading software and firmware, representatives at the
alliance said.
The WEP encryption method was designed to provide the "equivalent" security
available in wireline networks for 802.11-enabled WLANs. As defined by the IEEE,
WEP encrypts the body of each 802.11 data frame to thwart packet analyzers. WEP
could dissuade the casual snooper, but it had some serious drawbacks, primarily
stemming from the fact that the secret key used for encrypting the session could
easily be retrieved by sniffing a number of encrypted packets sent over the air. The
IEEE has been promising to solve the flaws of WEP through more advanced
encryption methods.
Worries about WLAN security have slowed the rate of enterprise deployments,
said Nick Hunn, managing director at TDK Systems Europe. Wi-Fi signals carry
beyond the buildings in which the networks are deployed, reaching nearby
buildings, parking lots and other public areas.
"The thing to keep in mind," Hunn told e-ADT, "is that it's not difficult to
tap into something once it's outside the four walls of the office. It doesn't
matter whether it's wireless, modem or ISDN. You've got to say that security
should be at a higher level, peer-to-peer behind a VPN. Wireless is not alone in
being vulnerable to hacks."
This quality of the technology has given rise to a practice called
"warchalking," which involves marking a series of symbols on sidewalks and walls
to indicate nearby wireless access. Savvy computer users with wireless
capabilities who spot these symbols can open their laptops and use nearby
networks to connect to the Internet. The procedure was inspired, practitioners
claim, by the practice of hobos during the Great Depression, who used chalk
marks to indicate which homes were friendly. The "war" in the name probably
comes from "war dialing," a venerable technique in which a hacker programs his
or her system to call hundreds of phone numbers in search of poorly protected
computer dial-ups. (That name comes from the movie "War Games," in which a
character played by Matthew Broderick uses the technique.)
According to Wi-Fi Alliance chair Dennis Eaton, the new WPA standard is
actually intended as an interim fix. The idea is to give the 802.11 Task Group I
-- the group within the IEEE that is working to correct the deficiencies of WEP
-- some breathing room to complete and finalize the full 802.11i amendment to
the existing wireless LAN standard. Final ratification of 802.11i is expected
sometime in 2004.
About the Author
John K. Waters is a freelance writer based in Silicon Valley.