Examining Alternatives to Patching WEP
January 18, 2002
Viable alternatives to WEP, including the government-sanctioned Advanced Encryption Standard (AES), must be considered, or many applications, including m-commerce, may suffer.
How do companies ensure their customers' privacy, and how do corporations justify adding wireless networks, when the key component of m-commerce security resembles a rowboat with a fast leak? Maybe that's why some people are calling RSA's patch for Wired Equivalent Privacy (WEP) too little, too late.
On Jan. 7, the IEEE committee overseeing WEP and 802.11 approved the "fast-packet" keying fix RSA and Hifn proposed in December. Wireless security took a major hit during 2001 when researchers revealed signals protected by WEP could be easily intercepted and read, putting in jeopardy the high-flying estimates for mobile commerce.
Rather than feeding the same static key, with only a short initialization vector prepended, into RC4 for every frame, RSA and Hifn proposed deriving a distinct encryption key for each packet, making it more difficult for malicious hackers to use captured packets to read the entire stream of wireless data. But is fixing WEP enough for consumers to feel safe?
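The following Python example, added here and not code from the article, RSA, or Hifn, shows concretely why the way WEP keys RC4 is weak and what per-packet keying does and does not fix. RC4, the WEP key layout (a 24-bit IV sent in the clear and prepended to the static secret) and the use of the LLC/SNAP header as known plaintext follow the real protocol; `mixed_packet_key` is an assumed, simplified stand-in for a per-packet key derivation, not the actual mixing function RSA and Hifn proposed, and the secret, IVs and frames are constructed sample data.

```python
# Added illustration for the WEP keying weakness and the per-packet keying
# idea described above. This is not code from the article, RSA, or Hifn.
# RC4 and the WEP key layout (24-bit IV prepended to the static key, SNAP
# header as known plaintext) follow the real protocol; mixed_packet_key is a
# simplified stand-in for a per-packet key derivation, NOT the real mixing
# function, and all keys and frames are constructed sample data.
import hashlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling (KSA) then n bytes of output (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_packet_key(iv: bytes, secret: bytes) -> bytes:
    """WEP as deployed: the RC4 key for a frame is the 3-byte IV, which is
    transmitted in the clear, followed by the static shared secret."""
    assert len(iv) == 3
    return iv + secret


def mixed_packet_key(iv: bytes, secret: bytes) -> bytes:
    """Assumed stand-in for per-packet keying: derive a fresh RC4 key from the
    secret and IV so the RC4 key no longer contains either one verbatim."""
    assert len(iv) == 3
    return hashlib.sha256(secret + iv).digest()[:16]


def encrypt(packet_key: bytes, plaintext: bytes) -> bytes:
    """RC4 encryption is keystream XOR plaintext (WEP's ICV is omitted here)."""
    return xor(rc4_keystream(packet_key, len(plaintext)), plaintext)


# Constructed sample data: a 104-bit WEP secret, an IV, and two frames that
# both begin with the LLC/SNAP header every IP-over-802.11 frame carries.
SECRET = bytes.fromhex("0123456789abcdef0123456789")
IV = bytes.fromhex("010203")
SNAP = bytes.fromhex("aaaa030000000800")
P1 = SNAP + b"GET /balance HTTP/1.0"
P2 = SNAP + b"PIN=4321 confirm=yes "


def recover_keystream_prefix(ciphertext: bytes) -> bytes:
    """Known plaintext: XORing a ciphertext with the predictable SNAP header
    hands an eavesdropper the first 8 keystream bytes of that frame."""
    return xor(ciphertext[: len(SNAP)], SNAP)


def same_iv_leaks(derive) -> bool:
    """Two frames encrypted under the same IV: does XOR of the ciphertexts
    equal XOR of the plaintexts (a two-time pad)?"""
    k = derive(IV, SECRET)
    return xor(encrypt(k, P1), encrypt(k, P2)) == xor(P1, P2)


def fresh_iv_leaks(derive) -> bool:
    """The same check when the two frames use distinct IVs."""
    k1 = derive(IV, SECRET)
    k2 = derive(bytes.fromhex("010204"), SECRET)
    return xor(encrypt(k1, P1), encrypt(k2, P2)) == xor(P1, P2)


def recover_second_frame(derive) -> bytes:
    """Given one known frame and a second frame under the same IV, read the
    second frame without ever learning the key."""
    k = derive(IV, SECRET)
    c1, c2 = encrypt(k, P1), encrypt(k, P2)
    return xor(xor(c1, c2), P1)


if __name__ == "__main__":
    for name, derive in (("WEP IV||key", wep_packet_key),
                         ("per-packet mixing", mixed_packet_key)):
        print(f"{name}: IV is key prefix={derive(IV, SECRET)[:3] == IV}, "
              f"same-IV leak={same_iv_leaks(derive)}, "
              f"fresh-IV leak={fresh_iv_leaks(derive)}")
```

Under WEP the first three RC4 key bytes of every frame are the IV itself and the remaining bytes are the shared secret, byte for byte, so an attacker already knows part of each key and the secret part never changes; the mixing stand-in removes that structure. What `same_iv_leaks` shows is the caveat a practitioner should keep in mind: any per-packet derivation still repeats a keystream whenever the IV repeats, so the fix must be paired with an IV that never repeats for the life of the key, which a 24-bit IV cannot guarantee on a busy network.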
Frank Prince, senior wireless analyst at Forrester Research, believes that although the fix to how WEP keys RSA's RC4 algorithm addresses one known problem with WEP security, the patch doesn't solve future troubles.
Frost & Sullivan researcher Jose Lopez said any security solution "should be interoperable and scalable as vulnerable points are likely to multiply."
Wireless LAN developer cyberPIXIE decided in December to include the newly approved government standard, the Advanced Encryption Standard (AES), in its suite of WLAN products.
The U.S. Commerce Department's National Institute of Standards and Technology (NIST) chose AES to replace the aging Data Encryption Standard (DES) to protect unclassified personal and financial data. How secure is AES? NIST's illustration: a machine that could recover a 56-bit DES key in one second, that is, try about 2^55 keys per second, would need about 149 trillion years to brute-force a 128-bit AES key. (An attacker expects to test half of the 2^128 key space, 2^127 keys; at 2^55 keys per second that is 2^72 seconds, roughly 4.7 x 10^21 seconds or 1.5 x 10^14 years.) The universe is estimated to be less than 20 billion years old.
Kimberly Getgen, Marketing Manager at RSA Security, said there is some discussion that AES could be included in future 802.11 standards for wireless LANs.
"The critics are upset that RC4 was selected rather than AES," says Getgen. Noting AES was not available when 802.11 added WEP, Getgen said "So when the committee recently looked to revise the security in WEP they were looking for a solution which could be implemented quickly and easily, allowing WLAN vendors to deliver a patch for vulnerabilities."
Prince said he saw no reason why AES could not be used in wireless devices. He views the early call for AES to be included in m-commerce security as a move which vendors hope will spur further adoption. Already wireless security company Certicom said it will incorporate AES into its proprietary WTLS+ protocols for wireless phones.
AT&T security researcher Avi Rubin thinks the wireless industry should adopt AES. "They should throw everything away" and use AES in next-generation wireless networks, said Rubin.
Whatever algorithm is chosen in the next round to bolster WEP's security -- RSA's RC4 or AES -- observers say its implementation will be key. RSA's Getgen says security experts should be involved from the start, something they learned from WEP. Forrester Research's Prince said any fix should be sold as part of an 802.11 system and questions whether IT managers will install a manual fix.
While the initial scare over 'war-driving' hackers and AirSnort WLAN sniffers has subsided, wireless security will remain an issue in 2002. A survey by Information Security Magazine found 75% of network security people "very concerned" about wireless security. Although the Wireless Ethernet Compatibility Alliance reported that 73% of North American corporations either already had WLANs or planned to deploy them in the next 18 months, security remains the top factor causing some firms to hesitate to embrace m-commerce.
Lopez and others believe that as wireless devices mature, so will the level of security. Along with an enhanced WEP, analysts predict more options will become available for protecting the future of mobile commerce.