Two new encryption efforts have emerged from the firestorm of complaints over the easily compromised short and static keys used in 802.11's original security standard, the Wi-Fi Equivalent Privacy (WEP) protocol.
Temporal Key Integrity Protocol (TKIP), developed by the IEEE's 802.11 task group, is one of two major components of the Wi-Fi Alliance's Wi-Fi Protected Access (WPA) specification. Support for TKIP will be available in the first WPA-compliant products, later this year.
TKIP, like WEP before it, is based on the RC4 encryption algorithm, says Chris Bolinger, product manager for Cisco's wireless networking group. But TKIP, which will be available as a software/firmware upgrade for access points and Wi-Fi cards already equipped with WEP, has a longer key length and uses dynamic keys that are swapped periodically.
Advanced Encryption Standard (AES) is the other encryption alternative the 802.11 task group is writing into the 802.11i specification. AES, expected to be completed in the second half of this year, provides stronger encryption than TKIP. It is able to fulfill government encryption requirements, which puts it on par with tough algorithms such as Triple-DES.
AES first will reside in hardware chipsets, not software like TKIP, vendors say. That means upgrading to AES likely will involve trashing existing hardware or, at the very least, the antenna portion of the access point and network cards, should the access point be equipped with replaceable antennas. Some recent Cisco Aironet products have replaceable antennas, Bolinger says.

Most observers view TKIP as a stopgap measure until AES is widely available. Still, for many companies, TKIP will be a good interim step for newer equipment that has WEP, at least until new access points are purchased for other reasons, such as a normal, scheduled technology refresh cycle or the need for higher Wi-Fi speeds.
Beware, though, that vendors already are jumping the gun on AES and starting to build products they claim support it. Before you buy Wi-Fi equipment that the vendor says provides AES, make sure the vendor offers an upgrade path, should it have guessed wrong on the final spec and improperly implemented it. Better yet, avoid AES until it's ready for prime time.