NIST mulls new WLAN security guidelines

The National Institute of Standards and Technology, the federal agency responsible for defining security standards and practices for the government, plans to issue new guidelines pertaining to wireless LANs in the near future.

The decisions NIST reaches, possibly as early as this month, will broadly affect federal agency purchases of WLAN equipment, because federal agencies are required to follow NIST recommendations. According to William Burr, manager of NIST's security technology group, the agency is focusing on whether to approve the IEEE's 802.11i WLAN security standard for encryption and authentication as a government standard. The IEEE approved 802.11i last July, but Burr says NIST is not keen on some aspects of it.

Specifically, NIST has reservations about the so-called Temporal Key Integrity Protocol (TKIP), which is the key management protocol in 802.11i that uses the same encryption engine and RC4 algorithm that was defined for the Wired Equivalent Privacy protocol (WEP).

The 40-bit WEP, used in many early WLAN products, was criticized widely in the past two years as having too short a key length and a poor key management scheme for encryption. TKIP is a "wrapper" that goes around WEP encryption and ensures that TKIP encryption is 128 bits long.

TKIP was designed to ensure it could operate on WLAN hardware that used WEP. In contrast, the 128-bit Advanced Encryption Standard (AES), which NIST already has approved, requires a hardware change for most older WLAN equipment.

"We just don't feel that the TKIP protocol cuts the grade for government encryption," Burr says. He adds that the RC4 encryption algorithm is not a Federal Information Processing (FIPS) standard and probably won't ever be because network professionals see RC4 as rather weak in terms of message authentication and integrity.

NIST is more inclined to approve AES for WLAN security, and in fact Burr pointed to the NIST document 800-38C, published last summer, for encryption that includes the AES algorithm.

As far as the key management scheme for key exchange and setup is concerned, NIST might introduce a new key-management technology that's been jointly developed with the National Security Agency.

NIST mulls more WLAN security

The National Institute of Standards and Technology is reevaluating its current wireless LAN security recommendations.
Current federal government guidelines for securing WLANS:
•NIST’s Special Publication 800-48, “Wireless Network Security, 802.11, Bluetooth and Handheld Devices,” published in 2002, calls for the use of WLAN gateways, points out weakness in RC4 encryption used in the Wired Equivalent Privacy protocol.
•SP 800-38C, “Recommendations for Block Cipher Modes of Operation,” published in May 2004 calls for use of 128-bit encryption, such as the Advanced Encryption Standard.
Revised WLAN guidelines under consideration by NIST favor:
•A new key-management scheme from the National Security Agency in lieu of the Temporary Key Integrity Protocol used in 802.11i.
•Transport Layer Security protocol for authentication between WLAN access point and authentication server.

"We have to make the decision soon," says Burr, who notes that vendors that make WLAN equipment and their customers in the federal agencies are awaiting NIST's determinations.

"Right now, there's a lot of pressure on to get this worked out since the agencies want to buy wireless networks and the vendors very much want them to," he says. Because NIST's recommendations are binding as a purchasing requirement, several agencies are holding back from WLAN deployments until they hear from NIST.

"The Department of Agriculture, of instance, is trying to get out a policy for the entire agency for what they should do for wireless networks," Burr says. He adds that the department doesn't want to buy something that might have to be changed after NIST issues its determinations.

The goal is to have WLAN security guidelines in place soon for the NIST-certified independent testing labs that run test evaluations for a range of network equipment under the FIPS review process.

Copyright © 2005 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022