
802.11i security standard goes on the books

Jul 07, 2004
Cellular Networks, Network Security, Wi-Fi

* Preauthentication joins AES to bolster WLAN security

The IEEE late last month formally approved the long-awaited 802.11i extension to the 802.11 wireless LAN standard for more robust security. The Wi-Fi Alliance is expected to begin vendor product certification testing in September.

Most portions of 802.11i, informally known as Wi-Fi Protected Access (WPA), are already at work in products. WPA, for example, requires products to rotate encryption keys on a per-packet basis and use the industry-standard 802.1X framework for authentication.

The new pieces of 802.11i now officially on the books are:

* The Advanced Encryption Standard (AES) modes of operation for WLAN use. AES replaces RC4-based encryption and requires hardware upgrades to WLAN systems.

* Peer-to-peer communications security.

* Preauthentication of users for fast, secure roaming.

The third item, preauthentication, benefits security and performance. A scheme called Pairwise Master Key (PMK) Caching sets up a shared key between a client device and its authenticator.

When a client roams between access points, that client’s credentials no longer must be completely reauthenticated – a task that can take more than 100 milliseconds, says Dan Harkins, a member of the 802.11i committee who claims credit for developing the PMK Caching scheme and also works as a security architect at WLAN vendor Trapeze Networks.

In the case of a voice session, for example, a connection would likely be dropped if handoff were to take this long, he says.

Historically, WLANs could support fast or secure roaming, but not both. Over time, many vendors have come up with proprietary ways of achieving both capabilities. Now there’s a standard for doing so.

The preauthentication scheme comes into play when users roam and in cases when signal strength fades and a client simply needs to find another access point with which to associate, Harkins says.

The International Telecommunication Union recommends just a 50-millisecond budget for discovery plus reauthentication. Harkins says PMK Caching can get this time down to 25 milliseconds.
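As an added example, not part of the article or of any vendor's code: a Python sketch of the authenticator (access point) side of PMK Caching as 802.11i specifies it, where a cached PMK is named by PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), and a client that reassociates offering a PMKID the AP still holds skips the full 802.1X run and goes straight to the 4-way handshake. The MAC addresses, PMK values and cache lifetime are constructed, and `AccessPoint` and `roam_demo` are hypothetical names.

```python
import hashlib
import hmac

PMK_NAME = b"PMK Name"  # label fixed by IEEE 802.11i (clause 8.5.1.2)


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): the first 16 bytes
    of the HMAC, where AA is the AP's MAC and SPA the client's MAC."""
    return hmac.new(pmk, PMK_NAME + aa + spa, hashlib.sha1).digest()[:16]


class AccessPoint:
    """Authenticator side of PMK caching: entries keyed by PMKID, with a lifetime."""

    def __init__(self, aa: bytes, lifetime_s: float = 3600.0):
        self.aa, self.lifetime_s = aa, lifetime_s
        self.cache = {}  # PMKID -> (PMK, expiry)

    def install_pmk(self, spa: bytes, pmk: bytes, now: float) -> bytes:
        """End of a full 802.1X/EAP run, either directly with this AP or as
        preauthentication relayed through the AP the client is currently on."""
        pid = pmkid(pmk, self.aa, spa)
        self.cache[pid] = (pmk, now + self.lifetime_s)
        return pid

    def reassociate(self, spa: bytes, offered: list, now: float) -> str:
        """The client lists the PMKIDs it holds in its RSN IE. A live, matching
        entry lets the AP go straight to the 4-way handshake ('cached');
        otherwise it must run 802.1X again ('full-8021x')."""
        for pid in offered:
            if pid not in self.cache:
                continue
            pmk, expiry = self.cache[pid]
            if expiry <= now:
                del self.cache[pid]  # stale entry, fall back to full auth
            elif pmkid(pmk, self.aa, spa) == pid:  # bound to this SPA and AA
                return "cached"
        return "full-8021x"


def roam_demo() -> list:
    """Constructed walkthrough: STA authenticates to AP1, preauthenticates to AP2
    while on AP1, roams to AP2 (hit), then AP3 (no entry), then AP2 after expiry."""
    sta = bytes.fromhex("02aabbccddee")  # constructed MAC addresses
    ap1, ap2, ap3 = (AccessPoint(bytes.fromhex("02000000000%d" % i)) for i in (1, 2, 3))
    pmk1 = hashlib.sha256(b"constructed EAP MSK for AP1").digest()  # stands in for EAP output
    pmk2 = hashlib.sha256(b"constructed EAP MSK for AP2").digest()
    held = [ap1.install_pmk(sta, pmk1, now=0.0), ap2.install_pmk(sta, pmk2, now=10.0)]
    return [ap2.reassociate(sta, held, now=20.0),
            ap3.reassociate(sta, held, now=30.0),
            ap2.reassociate(sta, held, now=10.0 + 3600.0)]
```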