Waiting for WPA

Waiting for WPA
The Institute for Electrical and Electronics Engineers (IEEE — the group that
developed the standards for 802.11 networks; see Chapter 2) is working on a
long-term solution to WEP’s weaknesses (which we discuss in the following
section about 802.11i). In the meantime, the Wi-Fi Alliance (the group of vendors
that ensure the compatibility of Wi-Fi gear) has put together its own
interim solution for wireless LAN security called Wi-Fi Protected Access (WPA).
WPA is a new set of forward-compatible encryption and authentication
enhancements for 802.11 networks. Forward-compatible means that WPA will
work with newer systems that are currently being developed by the IEEE.
Other reasons to get excited about WPA include the following features that it
will offer:
More random encryption techniques: WPA has basically been designed
as an answer for all the current weaknesses of WEP, with significantly
increased encryption techniques. One of WEP’s fatal flaws is that its
encryption is not sufficiently random, meaning that an observer can
more easily find patterns and break the encryption. WPA’s encryption
techniques will basically be more random — and thus harder to break.
Automatic key changes: WPA also has a huge security advantage in the
fact that it automatically changes the key (although you, as a user, get to
keep using the same password to access the system). So by the time a
bad guy has figured out your key, your system would have already
moved on to a new one.
More user-friendly: WPA will also be easier for consumers to use
because there’s no hexadecimal stuff to deal with . . . just a plain text
password. The idea is to make WPA much easier to deal with than WEP,
which takes a bit of effort to get up and running (depending on how
good your access point’s configuration software is).
Backward compatibility: The best thing about WPA is that it’s being
designed to be backward compatible, too. Thus, existing Wi-Fi certified
equipment should be able to be upgraded to WPA by just installing a
downloadable software update.
The Wi-Fi alliance expects to begin certifying WPA equipment sometime in
early 2003. (We haven’t seen any yet, but it’s just a matter of time, as we write.)
The future: 802.11i
WPA is a great next step in wireless LAN security (see the preceding section),
but it’s not the end of the road. Well, face it . . . there is no end of the road.
Computers get more powerful, and the bad guys in the black hats who want
to break into the networks get smarter — so no system is going to be immune
to security breakdowns forever. Don’t think of security as something that you
can just figure out and put behind you; security is a
802.1x: The corporate solution
Another new standard that’s being slowly rolled
out into the Wi-Fi world is 802.1x. This isn’t an
encryption system but instead, an authentication
system. An 802.1x system, when built into
an access point, would allow users to connect
to the access point but give them only extremely
limited access (at least initially). In an 802.1x
system, the user would be able to connect to only
a single network port (or service). Specifically,
the only traffic that the user could send over the
network would be to an authentication server,
which would exchange information (such as
passwords and encrypted keys) with the user to
establish that he was actually allowed on the
network. After this authentication process has
been satisfactorily completed, the user is given
full (or partial, depending on what policies the
authentication server has recorded for the user)
access to the network.
802.1x is not something that we expect to see in
any wireless home LAN anytime soon. It’s really
a business-class kind of thing, requiring lots of
fancy servers and professional installation and
configuration. Just thought we’d mention it
because you’ll no doubt hear about it when
you search the Web for wireless LAN security
information.
The next step on this road, after WPA, is 802.11i. This is an entirely new
reconfiguration of wireless LAN security. Unlike WPA, it likely won’t work on
existing access points and network adapters, at least not all aspects of the
system. But sometime down the road, probably in 2004, you should start
seeing new generations of wireless LAN gear that incorporates 802.11i security
systems.
Perhaps the biggest advance that you’ll see when 802.11i hits the streets is
the system’s adoption of the Advanced Encryption Standard (AES). AES uses
very sophisticated encryption techniques and super-long keys (much bigger
than the 128-bit keys used by WEP) that take a really, really long time (even
with really fast computers) to break. With today’s technology, at least the
technology available to regular people, AES is essentially unbreakable.
802.11i also includes other security measures (like support for 802.1x, which
we discuss in a nearby sidebar) that help really tighten up wireless LAN security.
So 802.11i should be worth the wait. In the meantime, use what you have
(WEP), and you’ll be fine.