
WLAN industry hits security milestone

May 12, 2003

Under the covers with Wi-Fi Protected Access

You’ve likely heard that the Wi-Fi Alliance at NetWorld+Interop 2003 announced that it has certified the first round of wireless LAN products for support of the Wi-Fi Protected Access enhanced security specification. Six suppliers can now rightfully place an “X” in the box next to those words in the Wi-Fi capabilities label on their product packaging: Atheros, Broadcom, Cisco, Intel, Intersil and Symbol.

WPA certification (at this juncture, only for 802.11b products) covers a subset of the forthcoming IEEE 802.11i standard, which plugs the notorious security holes in Wired Equivalent Privacy (WEP). However, if you have an existing network with WEP as your only security option, please make sure you enable it (products, by definition of the standard, ship with WEP disabled). A flimsy lock on your front door won’t keep a bound-and-determined criminal out, but it will deter the casual burglar.

For enterprise-class products, WPA specifies the following functions and technology components:

* User authentication and dynamic encryption-key distribution, two features missing from the original 802.11 standard. These are delivered via support for 802.1X and a choice of Extensible Authentication Protocol (EAP) algorithms. IEEE 802.1X specifies how EAP should be encapsulated in LAN frames. There are many EAP algorithms to choose from, depending on such factors as whether mutual authentication of both the user and the network is required. Some of the EAP flavors that support mutual authentication, albeit with different methods, are EAP-Transport Level Security (TLS), EAP-Tunneled TLS (TTLS) and Protected EAP (PEAP).

* Encryption. A Temporal Key Integrity Protocol (TKIP) engine handles dynamic key distribution. In industry-standard WEP, there was one static encryption key that had to be manually entered, so changing the key across numerous devices was cumbersome and, as a result, was not done very often, leaving traffic vulnerable. TKIP is an interim stand-in for the major portion of 802.11i that WPA does not yet require: support for a derivative of the Advanced Encryption Standard called (take a breath) Counter Mode with Cipher Block Chaining-Message Authentication Code Protocol, or CCMP.

* Message Integrity Code, a cryptographic checksum that is part of TKIP, to make sure packets have not been altered in transit.
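As an added illustration of the Message Integrity Code bullet (example code written here, not from the article or the Wi-Fi Alliance), the following Python implements Michael, the 64-bit keyed integrity function TKIP uses, and shows that a receiver holding the same key rejects a payload in which a single bit was flipped. The key and payload bytes are constructed for the example; real TKIP additionally feeds the destination and source addresses and the priority into the MIC, which is left out here.

```python
"""Michael, the TKIP Message Integrity Code, plus a receiver-side check."""
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rol32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror32(x: int, n: int) -> int:
    return _rol32(x, 32 - n)


def _xswap(x: int) -> int:
    # Swap the two bytes inside each 16-bit half: AB CD -> BA DC.
    return ((x & 0x00FF00FF) << 8) | ((x & 0xFF00FF00) >> 8)


def _block(l: int, r: int) -> tuple:
    # The Michael block function: four add/xor/rotate rounds on two 32-bit words.
    r ^= _rol32(l, 17); l = (l + r) & MASK32
    r ^= _xswap(l);     l = (l + r) & MASK32
    r ^= _rol32(l, 3);  l = (l + r) & MASK32
    r ^= _ror32(l, 2);  l = (l + r) & MASK32
    return l, r


def michael_mic(key: bytes, message: bytes) -> bytes:
    """Return the 8-byte Michael MIC of message under a 64-bit key."""
    if len(key) != 8:
        raise ValueError("Michael uses a 64-bit (8-byte) key")
    l, r = struct.unpack("<II", key)
    # Pad with 0x5a and 4..7 zero bytes so the length is a multiple of 4.
    padded = message + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _block(l, r)
    return struct.pack("<II", l, r)


def verify_mic(key: bytes, message: bytes, received_mic: bytes) -> bool:
    """Receiver-side check; constant-time compare avoids leaking the MIC."""
    return hmac.compare_digest(michael_mic(key, message), received_mic)


if __name__ == "__main__":
    mic_key = bytes.fromhex("0011223344556677")          # constructed key
    payload = b"constructed MSDU payload, not a real frame"
    tag = michael_mic(mic_key, payload)
    tampered = bytes([payload[0] ^ 0x01]) + payload[1:]  # flip one bit in transit
    print("intact  :", verify_mic(mic_key, payload, tag))   # True
    print("tampered:", verify_mic(mic_key, tampered, tag))  # False
```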

Within your infrastructure, access points run 802.1X and TKIP. The back-end authentication server in the data center runs your choice of EAP algorithm. Client devices run 802.1X, TKIP and an EAP “supplicant.”

For small office/home office environments, WPA specifies the same level of encryption as enterprise-class products, but the authentication process is simplified to what has been termed a pre-shared key (PSK), which is really a simple password mechanism.