The Week in Review: Will 802.11 Ever Be Truly Secure?
February 15, 2002
A study from a University of Maryland professor suggests that 802.11 networking will never be secure -- even when planned security enhancements are added to the next-generation 802.11 protocols.
If you've spent any time at all working in the 802.11 space, you know that security is the hottest area of concern for potential implementers of wireless networks. The mantra in industry groups is that security is Job 1, and that while today's 802.11b networks aren't the most secure of tools, future enhancements to the 802.11 standard will significantly enhance security.
One of those enhancements is the Robust Security Network (RSN), which incorporates access control, authentication, and key management in the 802.11 protocol. Will it be enough? No, according to Dr. William A. Arbaugh, an assistant professor of computer science at the University of Maryland's Department of Computer Science.
In a paper released on Feb. 6, "An Initial Security Analysis of the IEEE 802.1x Standard," Arbaugh says that "the current combination of the IEEE 802.1X and 802.11 standards does not provide a sufficient level of security, nor will it ever without significant changes." Strong words, to be sure, based on the supposition that evolving protocols will never be secure enough to provide strong access control and authentication.
The core of the argument is that once a session is established between an authenticated user and an access point, nothing maintains that authentication or keeps the connection between the two secure. As a result, sessions can be hijacked by someone physically between the user and the access point (when a user is misled into believing that a session has ended when it really has not), or the session can be monitored by a third party acting as a false access point. Basic encryption in the form of WEP won't help in either situation, according to Arbaugh.
The security holes can be closed down with some basic design decisions, writes Arbaugh, including the introduction of per-packet authentication. The problems he outlines have been known to IEEE/WiFi folks, and whether or not they are as serious as he posits will be seen over time.
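To make the per-packet authentication idea concrete, here is an added sketch that is not taken from Arbaugh's paper or from any 802.11 specification: a receiver that ignores message integrity acts on a session-ending frame from a party without the session key, while a receiver that checks a keyed tag and a sequence counter on every frame does not. The frame layout, type codes, keys and the choice of HMAC-SHA256 are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed values for this sketch, not real 802.11 encodings.
DISASSOCIATE, DATA = 0x0A, 0x20
SESSION_KEY = b"\x01" * 32   # assumed to be agreed during authentication
OTHER_KEY = b"\x02" * 32     # whatever a third party without the key would use

def seal(key, seq, ftype, payload):
    """Frame = 8-byte sequence number, 1-byte type, payload, 32-byte tag."""
    header = struct.pack(">QB", seq, ftype)
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()

class Receiver:
    """Station-side state for one authenticated session."""
    def __init__(self, key, require_tag):
        self.key, self.require_tag = key, require_tag
        self.last_seq = 0
        self.associated = True

    def handle(self, frame):
        """Return True if the frame was accepted and acted on."""
        if len(frame) < 9 + 32:
            return False
        header, payload, tag = frame[:9], frame[9:-32], frame[-32:]
        seq, ftype = struct.unpack(">QB", header)
        if self.require_tag:
            expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return False          # sender does not hold the session key
            if seq <= self.last_seq:
                return False          # replay of an earlier genuine frame
            self.last_seq = seq
        if ftype == DISASSOCIATE:
            self.associated = False   # station believes the session ended
        return True

def demo():
    forged = seal(OTHER_KEY, 1, DISASSOCIATE, b"")
    genuine = seal(SESSION_KEY, 1, DATA, b"hello")
    legacy = Receiver(SESSION_KEY, require_tag=False)
    strict = Receiver(SESSION_KEY, require_tag=True)
    return {
        "legacy_accepts_forged": legacy.handle(forged),
        "legacy_associated": legacy.associated,
        "strict_accepts_forged": strict.handle(forged),
        "strict_accepts_genuine": strict.handle(genuine),
        "strict_accepts_replay": strict.handle(genuine),
        "strict_associated": strict.associated,
    }
```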
Those of you flying in and out of Seattle-Tacoma International Airport can get a free WiFi network card when you sign up for Boingo Wireless Internet service. You can find the Boingo folks at Gate B4.
Kevin Reichard is executive editor of 80211Planet.com.