WLAN security spec due next year

The IEEE 802.11i standard would plug all known security holes in IEEE 802.11 wireless LANs, also known as Wi-Fi, but probably won't see final approval or shipping products until about a year from now, according to an Intel network architect involved in the drafting of the standard who spoke at the Spring Intel Developer Forum.

However, technical advances already available can make wireless LANs far more secure than they originally were.

To give themselves some protection, many companies could also start by simply using what already came with 802.11, said a Cisco Systems engineer who spoke at the same session.

WEP (Wired Equivalent Privacy), the security mechanism initially built into all standard 802.11 products, encrypts data on the wireless network but was flawed because it reused the same encryption key, Jesse Walker said.

Walker is a network architect at Intel and the editor of the 802.11i standard now in development under the Institute of Electrical and Electronics Engineers (IEEE).

A would-be hacker could figure out that key from a small amount of traffic, he said. WEP also did not stop interlopers from altering data as it crossed the network, he said.

Effective wireless LAN security required several parts, the engineers said.

There had to be mechanisms to make sure the data was really coming from its supposed source, that it couldn't be seen and that it couldn't be modified.

"It's not enough just to have authentication," a technical marketing engineer at Cisco, Sri Sundaralingam, said. "You need to have, along with that strong authentication, a strong encryption mechanism, coupled with data integrity."

Among other improvements, 802.11i will include a system for creating fresh keys at the start of each session.

It also would provide a way of checking packets to make sure they were part of a current session and not repeated by hackers to fool network users, Walker said. To manage keys, it would use RADIUS (Remote Access Dial-In User Service) to authenticate users and the IEEE 802.1x standard.
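As an added illustration (not code from the article, the IEEE draft or either vendor), the following toy Python model shows the three mechanisms just described working together on a receiver: a fresh key derived per session, a keyed integrity check that rejects modified frames, and a per-session sequence number that rejects replayed frames. All names, sizes and the sample frames are constructed for this example; real 802.11i derives keys through 802.1X/EAP and protects frames with TKIP or CCMP, and confidentiality is left out here for brevity.

```python
import hmac
import hashlib

# Constructed model of the 802.11i ideas in the article; not the standard's algorithms.
SEQ_LEN = 6   # bytes of per-session sequence number carried in each frame
MIC_LEN = 8   # bytes of keyed message integrity check appended to each frame


def derive_session_key(master_key: bytes, ap_nonce: bytes, sta_nonce: bytes) -> bytes:
    """Fresh key for each session: long-term key mixed with two per-session nonces,
    so a key recovered from one session (WEP's weakness) does not carry over."""
    return hmac.new(master_key, b"session" + ap_nonce + sta_nonce, hashlib.sha256).digest()


def protect(session_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = sequence number || payload || keyed MIC over both."""
    header = seq.to_bytes(SEQ_LEN, "big")
    mic = hmac.new(session_key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
    return header + payload + mic


class Receiver:
    """Receiver state for one session: the session key and the highest sequence seen."""

    def __init__(self, session_key: bytes) -> None:
        self.key = session_key
        self.last_seq = -1

    def accept(self, frame: bytes):
        """Return the payload if the frame is genuine and fresh, else None."""
        if len(frame) < SEQ_LEN + MIC_LEN:
            return None
        header, payload, mic = frame[:SEQ_LEN], frame[SEQ_LEN:-MIC_LEN], frame[-MIC_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):
            return None  # altered in transit, or sent under another session's key
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:
            return None  # replayed or out-of-order: not part of the current session flow
        self.last_seq = seq
        return payload


if __name__ == "__main__":
    key = derive_session_key(b"constructed-master-key", b"A" * 16, b"B" * 16)
    rx = Receiver(key)
    frame = protect(key, 1, b"hello")
    print(rx.accept(frame))   # b'hello'
    print(rx.accept(frame))   # None (replay of an already-seen sequence number)
```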

In advance of the approval of 802.11i, users should be able to give their wireless LANs a subset of the upcoming security features through a software or firmware upgrade to WPA (Wireless Protected Access), a specification adopted by the Wi-Fi Alliance, the industry group that certified Wi-Fi products.

Beginning in August, all Wi-Fi products would be equipped with WPA, Walker said.

Wireless LANs in many companies did not even have basic protection against "war driving," in which interlopers drove by buildings or parked outside and intercepted wireless LAN traffic, Sundaralingam said. In some companies, managers claimed the company had no wireless LANs but employees had set up their own "rogue" access points.

To defend themselves against "war driving", users could simply turn on the WEP encryption that was already built in, and most war drivers would just move on to one of the many wireless LANs that wasn't protected, Sundaralingam said.

Going to the next step, users could implement user authentication and dynamic WEP, with keys that changed, to protect themselves from "script kiddies", teenagers who use packaged hacking tools to infiltrate systems.

Those authentication systems could include Extensible Authentication Protocol-Transport Level Security (EAP-TLS), Protected EAP (PEAP) or Cisco's Lightweight EAP (LEAP), which Cisco introduced as part of an effort to boost its own products' security beyond WEP for demanding enterprise customers.

For protection against professional hackers, Sundaralingam recommended going the next step to strong encryption systems such as TKIP (Temporal Key Integrity Protocol), which will be used in WPA and 802.11i, or CKIP (Cisco Key Integrity Protocol), a proprietary implementation of the 802.11i recommendations that Cisco developed as a stop-gap measure.

As stronger industry-standard security mechanisms become available, Cisco would offer them but also continue to support its own protocols for some time to serve customers that wanted to use them, Sundaralingam said.

"As a company, we're really happy to see (WPA) gain wide momentum, and very soon it's going to be supported by multiple vendors," he said.