Wireless security: Wait for 802.11i?

Should I implement WPA or wait for 802.11i? What is the difference between the two?

Q: Should I implement WPA or wait for 802.11i?  What is the difference between the two?

– Hardy, Durham N.C.

A: First, let’s address the differences between WPA (Wi-Fi Protected Access) and 802.11i . 

WPA was created by the Wi-Fi Alliance as an interim measure until 802.11i is ratified.  WPA addresses a subset of the 802.11i draft, focusing on the part of the emerging specification that improves the security of WEP. With WPA, enterprises can increase the security of their existing 802.11 WEP environments.  At the same time, WPA prepares these environments for a seamless transition to 802.11i.

802.11i is the IEEE’s draft standard for adding improved security to wireless LANs (WLAN).  It includes two parts – one that addresses improvements to existing 802.11 equipment using the current WEP algorithm, and a second that enables new 802.11 equipment to support the Advanced Encryption Standard (AES) encryption algorithm. It is still under development and is expected to be ratified in mid-2004.

Both WPA and 802.11i provide significantly improved security compared to WEP, through rapid key updates, stronger encryption algorithms, and stronger authentication. 

But all security is not created equal.  While WPA is more secure than WEP, it is less secure than 802.11i. In order of increasing security, I would rate the various 802.11 algorithms as follows: WEP, WPA group key only, WPA pre-shared key, WPA pair-wise key, and 802.11i robust security network (RSN). Group key refers to an environment where all devices share the same key. Pre-shared key refers to a key or pass phrase that is entered on all access points and clients that will be used to create unique pair-wise keys for each mobile client and AP.  Pair-wise keying creates unique keys for every mobile client device, derived from information in the RADIUS authentication. 

So should you implement WPA now?  Absolutely!  If you have a WLAN today, you should definitely move to WPA as soon as possible.  Otherwise, your WLAN could be vulnerable to eavesdroppers or intruders. 

If you are considering deploying your first WLAN, you should only consider WLAN equipment with support for this technology. Pay attention to the type of keying used in the WLAN systems you choose. Because a group keying system lets all mobile clients associated with an access point decrypt the traffic sent to any other mobile client on that same AP, we recommend not choosing something that relies exclusively on this technology.

Is there any reason you should hold off WLAN deployment until 802.11i is available? No, we don’t believe there is.  802.11i will provide stronger security than WPA, because RSN uses the AES algorithm and requires that the access point and mobile client devices support pair-wise keying. But in this wizard’s opinion, a WLAN that is built using WPA pair-wise keys is secure enough to protect most corporate environments.