The wireless LAN industry's first crack at security - 802.11 Wired Equivalent Privacy - has been discredited, and rightly so. WEP is so easy to break that it's like having a plastic lock on your office door.
Although WEP can keep casual snoopers from accessing a wireless LAN, companies need and can do much better.
Effective wireless LAN security solutions, such as Cisco's Lightweight Extensible Authentication Protocol (LEAP), have been in use over the past year, but they provide limited interoperability. In most cases, client radio cards and access points must be from the same vendor, a requirement that doesn't work well in public hot spots or in the many companies that don't enforce a standard desktop.
Late last year, the Wireless Fidelity (Wi-Fi) Alliance announced Wi-Fi Protected Access (WPA), a standards-based security mechanism that eliminates most 802.11 security issues.
WPA is based on the current state of the 802.11i standard, which is still under development. Ratification by the IEEE isn't expected until late this year. The Wi-Fi Alliance, realizing that the long wait is stalling the market, launched WPA, which is expected in vendor products this spring.
One advantage of WPA is that it enables the implementation of open wireless LAN security in public areas and universities. These hot spots and academic sites haven't been able to use basic WEP.
A key flaw in WEP is that its encryption keys are static rather than dynamic. That means to update the keys, an IT staffer has to visit each machine, which isn't feasible in an academic setting or even possible in a hot spot. The alternative is to leave the keys unchanged, which makes you vulnerable to hackers.
These public sites haven't been able to use the stronger proprietary mechanisms, such as LEAP, because of the interoperability issue.