Beefing Up 802.11b Security

A fix for security flaws in the 802.11a and 802.11b wireless networking standards has moved closer to reality with the release of a draft for a specification that addresses the problem.

A draft of IEEE's 802.11i spec to beef up security on 802.11 wireless networks was finalized January 21 and is now circulating within the engineering community for editing and subsequent approval, says Dennis Eaton, chair of the Wireless Ethernet Compatibility Alliance. The first products to incorporate the technology should be available by summer, Eaton says.

WECA is the industry group that tests and certifies 802.11x wireless products for interoperability. WECA anticipates testing the first 802.11i products by next fall, he says.

Wireless networks based on the 11-megabits-per-second 802.11b standard have become increasingly popular in homes, small offices, and public spaces such as airports and hotels because they dispense with the need for stringing cable. But the specification came under fire last year as encryption experts exposed flaws in its built-in security technology, Wired Equivalent Privacy. The flaws make networks using 802.11b (or its newer, faster, 54-mbps sibling, 802.11a) vulnerable to hackers located within range of these networks.

The 802.11i draft now circulating is for a security algorithm called Temporal Key Integrity Protocol. Developed with the help of some of the encryption experts that exposed WEP's vulnerabilities, TKIP, like WEP, is based on RC4 encryption--but implemented in a different way that addresses those vulnerabilities, Eaton says. Among other things it generates new encryption keys for every 10 kilobytes of data transmitted.

Most, if not all, current Wi-Fi-certified products should be upgradeable to TKIP, Eaton adds. Those that can't be upgraded will still interoperate with products that use TKIP--but only using WEP for security.

The IEEE does not view TKIP as a long-term solution for wireless ethernet security, however. Also in the works is a draft spec for an algorithm based on AES encryption. Considered more robust than TKIP, the AES algorithm would replace WEP and RC4. It would involve hardware optimization, so older 802.11x hardware will not be upgradeable in many cases.

The AES spec is primarily intended for newer hardware. Devices using the AES algorithm would still be able to interoperate with the older devices, but using the weaker security technologies.

Eaton says WECA expects the AES spec to be ratified next fall, with the first products shipping early in 2003 and WECA interoperability testing following that spring.