RSA's SecurID goes Wireless

By Eric Griffith

December 19, 2002

RSA Security is bringing its two-factor authentication system to 802.1X solutions for wireless networks.

RSA Security of Bedford, MA, the company behind the RC4 algorithm in Wired Equivalent Privacy (WEP) encryption, is bringing its best known security system to enterprise Wi-Fi. Users of Cisco or Funk Software's 802.1X solutions can now use RSA's SecurID two-factor authentication solution.

John Masotta, senior marketing manager at RSA Security, describes two-factor authentication in terms of using an automatic teller machine (ATM). With the ATM, one factor is the machine reading your bank card; the second factor is entering your personal identification number (PIN), which matches that card. Users of SecurID systems are given a token (a small piece of hardware that fits in a pocket or on a keychain, or a piece of software that runs constantly on a Windows or PDA systems or even on some cellular phones) that generates a random number ever 60 seconds. When trying to access networks, traditionally through dial-up and more recently over Internet based virtual private network (VPN) tunnels, the user is asked for first their user ID, a "weak, static" password, and finally the number that appears on their token at that instant. If the number matches up with what the RSA ACE/Server software says should be their number for that instant, they'll get access to the network.

Masotta admits that "Until now you could use RSA [SecurID] in a wireless LAN, but you were limited to the VPN usage. The VPN company had to support SecurID -- CheckPoint and others are SecurID ready." Realizing that VPNs were not always the best solution for WLANs, Cisco and Funk implemented their 802.1X products (Cisco's Access Control Server and Funk Software's Odyssey and Steel-Belted Radius) to allow the two-factor authentication using SecurID.

"Most of the work was done by the software companies to build it in," says Masotta. "We acted as their engineering guide to make sure it was implemented properly."

Any access point vendor with 802.1X support should work fine with the SecurID solution; RSA has tested it with Cisco Aironet and Proxim ORiNOCO products running the Funk and Cisco RADIUS servers, which in turn proxy a user to the required RSA ACE/Server for full authentication.

The RSA ACE/Server runs on Windows NT/2000, Solaris or Unix on the backend. Masotta says costs for an enterprise rollout are about $100 per user for around 1000 users, but can go down to as low as $50 per user depending upon volume. Current SecurID tokens in use by wired networks can also be put to use in new wireless deployments.

RSA has a long history in the 802.11 space already. Besides creating the RC4 stream cipher used by WEP, it also developed with Hifn a Fast Packet Keying solution based on RC4 that would change keys for each packet of data sent on a WLAN, which was included by the IEEE as a informative section on the early 802.11i document Cisco's Protected Extensible Authentication Protocol (PEAP) encryption, which they use in their Access Control Server, was developed in conjunction with RSA and Microsoft to prevent potential security attacks to 802.1X authentication -- it forces the network challenge the user for their authentication credentials at the time they want to get on the network via the wireless access point.

Eric Griffith is the managing editor of 802.11 Planet.

Got a comment or question? Discuss it in the 802.11 Planet Forums with moderator Jim Geier.


Comment and Contribute
(Maximum characters: 1200). You have
characters left.