Making the WPA Upgrade
May 05, 2003
Now that Wi-Fi Protected Access is arriving in an 802.11 product installed near you, the big questions come up, such as: How do you actually use it? And is it worth upgrading to it in the long run?
After suffering with Wired Equivalent Privacy (WEP) for what seems like ages, we finally have a wireless security protocol, Wi-Fi Protected Access (WPA), that gives us reasonable, albeit not perfect, protection. But now the question is: how do you actually use it?
The theory of how WPA works is simple enough. WEP's main problems are that its security keys are very breakable and that there's no easy way to reset keys on a regular basis to avoid someone breaking messages encrypted with an overused key.
WPA addresses these concerns, not by replacing RSA Security's weak RC4 encryption, but by improving how RC4 is implemented and adding automatic key resetting. Specifically, WPA first increases the initialization vector (IV) from 24 bits to 48 bits. This makes a WPA-protected message orders of magnitude harder to crack.
Next, WPA changes the key with every 802.11 packet using the Temporal Key Integrity Protocol (TKIP). This is a mixed blessing. While it does make packets harder to break, it comes at the cost of PC and Network Interface Card (NIC) performance.
Finally, WPA uses that ancient message security technique of a checksum
In addition, WPA includes some of 802.1X server-based authentication tricks with support for Extensible Authentication Protocol (EAP) using Remote Authentication Dial-In User Service (RADIUS)
The end result of these technology improvements is that Wi-Fi will be far safer. How much safer? Enough to make the safety distance between a top-of-the-line Saab and a "fire in the back!" Pinto look minute.
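To put numbers on the IV change from 24 to 48 bits described above, the following added example (not from the original article) estimates how soon an IV repeats under one key. The 500 packets-per-second rate and the random-IV model are assumptions made for illustration; real WEP cards chose IVs in various ways, and TKIP uses a sequence counter.

```python
import math
import random

def packets_for_collision(iv_bits, probability=0.5):
    """Birthday-bound estimate: packets sent with uniformly random IVs
    before some IV repeats with the given probability."""
    space = 2 ** iv_bits
    return math.sqrt(2 * space * math.log(1 / (1 - probability)))

def seconds_until_wrap(iv_bits, packets_per_second):
    """Time for a sequential IV counter to use up its space and repeat."""
    return 2 ** iv_bits / packets_per_second

def simulate_first_repeat(iv_bits, rng):
    """Draw random IVs until one repeats; return how many packets that took."""
    seen = set()
    while True:
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)

def report(packets_per_second=500, trials=200, seed=2003):
    """Compare the 24-bit and 48-bit IV spaces (rate and seed are assumed)."""
    rng = random.Random(seed)
    simulated = sum(simulate_first_repeat(24, rng) for _ in range(trials)) / trials
    rows = {}
    for bits in (24, 48):
        rows[bits] = {
            "p50_packets": packets_for_collision(bits),
            "wrap_seconds": seconds_until_wrap(bits, packets_per_second),
        }
    # Only the 24-bit space is small enough to simulate directly.
    rows[24]["simulated_mean_first_repeat"] = simulated
    return rows

if __name__ == "__main__":
    for bits, row in report().items():
        print(f"{bits}-bit IV:", {k: f"{v:,.0f}" for k, v in row.items()})
```

At the assumed rate, a 24-bit counter wraps in about nine hours, while a 48-bit counter would take thousands of years.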
Before you charge out and start implementing WPA, you should know that WPA is a stopgap security measure. It's really just a snapshot of the IEEE 802.11i standard (rumor has it the Wi-Fi Alliance might want to brand 802.11i as WPA2 for just that reason). Unfortunately, 802.11i is still a ways out from being done and since ever faster computers made hacking WEP ever easier, the Wi-Fi Alliance decided to put out a temporary standard, WPA, until 802.11i is finalized.
One headache you shouldn't have, though, which many of us have faced with pre-standard 802.11g equipment, is compatibility. The Wi-Fi Alliance has set down the ground rules for WPA and is making sure that all vendors stick to the letter of the WPA law.
The idea also is that any WPA devices or software you buy soon will be backwards compatible with 802.11i. Well, except that 802.11i will also introduce an optional replacement for RC4 called Advanced Encryption Standard (AES)
Some WPA cards will be able to support 802.11i. For example, take Texas Instruments' TNETW1130 chip, which supports 802.11a, b and g, and has built-in hardware accelerators for AES. If you buy any access point or NIC with that chip, you will be able to use them with WPA and also after 802.11i finally arrives.
The moral of the story is if you're looking to upgrade your wireless infrastructure only once within the next year or two, your best bet is to look for equipment with 802.11i-capable chipsets.
Ready to Replace Everything?
Next, if you're going to seriously use WPA, you can't just replace/upgrade an access point here and a radio-based NIC there. You need to replace and upgrade all your Wi-Fi equipment.
Why? Because while WPA equipment will work with WEP hardware, it does so by down-shifting to WEP. A security chain is only as strong as its weakest link, so if you try mixing old WEP hardware with WPA, you're likely to end up with a false sense of security followed by a criminal hacker in your network.
In theory, you can upgrade your existing WEP equipment to WPA with a firmware
In many cases, you simply can't upgrade the cards. For example, there was a rumor at the beginning of the year that Apple's AirPort Card could be firmware upgraded to take advantage of WPA. It isn't.
Indeed, it may well be that before solid WPA firmware upgrades become available, 802.11i equipment will be arriving on the scene. Therefore, if you need better wireless security today, your best move may be to bite the bullet and replace your equipment with WPA-capable hardware today.
If you simply can't afford that but need additional security sooner rather than later, vendors like Atheros recommend using a Virtual Private Network (VPN)
Don't think, by the way, that if you're running Windows XP as your operating
Microsoft will also not be giving support to those few WZC users running on earlier versions of their operating system. The Redmond giant has, however, promised to support 802.11i and 802.1X across their product line, including the almost outmoded Windows 98 Second Edition.
On most operating systems, such as Linux and MacOS, you won't have to make any operating system changes. Of course, your client software and driver will need to be upgraded to work with WPA, but that's true of any significant NIC change.
For the most part, though, changing over to WPA will simply be a matter of plugging in the new hardware, upgrading your software and logging on to the network. It should take only seconds longer than installing WEP-empowered NICs or access points today.
If you're using a RADIUS server for authentication, you will of course have to work the WPA hardware into your RADIUS setup using your vendor's directions. If you have a small business or a home Wi-Fi network, you'll want to use a pre-shared key and set it on each workstation and access point. This shouldn't cause you any grief. It's less trouble than doing WEP right in the first place and provides much better protection.
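For the pre-shared key setup described above, this added example (not from the original article) derives the 256-bit key that WPA-PSK computes from a passphrase and the network's SSID, then flags devices whose settings would not match the access point. The device names and settings are constructed sample values, and `mismatched_devices` is a hypothetical helper.

```python
import hashlib

def wpa_psk(passphrase, ssid):
    """Map a WPA passphrase to the 256-bit pre-shared key:
    PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32-byte output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def mismatched_devices(ap, clients):
    """Return the names of clients whose derived key differs from the AP's
    (hypothetical helper for auditing a rollout sheet)."""
    ap_key = wpa_psk(ap["passphrase"], ap["ssid"])
    bad = []
    for name, cfg in clients.items():
        try:
            if wpa_psk(cfg["passphrase"], cfg["ssid"]) != ap_key:
                bad.append(name)
        except ValueError:
            bad.append(name)  # the setting would be rejected outright
    return sorted(bad)

# Constructed sample settings; the passphrase is a test value only.
AP = {"ssid": "IEEE", "passphrase": "password"}
CLIENTS = {
    "laptop-1": {"ssid": "IEEE", "passphrase": "password"},
    "laptop-2": {"ssid": "ieee", "passphrase": "password"},   # SSID case differs
    "desktop-1": {"ssid": "IEEE", "passphrase": "passw0rd"},  # typo in passphrase
    "printer": {"ssid": "IEEE", "passphrase": "short"},       # under 8 characters
}

if __name__ == "__main__":
    print("AP key:", wpa_psk(AP["passphrase"], AP["ssid"]).hex())
    print("Mismatched:", mismatched_devices(AP, CLIENTS))
```

Because the SSID is the salt, the same passphrase on a differently named network yields a different key, so both values must match exactly on every device.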
The real question is: "Is WPA worth it with 802.11i on the horizon?" There's no good answer. If the IEEE standardization process goes extremely well, 802.11i might be available as early as the end of this year. In that case, your new WPA hardware might only be state of the security art for as little as six months.
In the worst-case scenario, though, we could still be sitting here in May of 2004 and still not have either standard finalized. In that case, buying WPA makes much more sense.
So ask yourself: how important is Wi-Fi security for you today? If it's mission-critical, go ahead and buy WPA-capable access points and NICs. But, if it's not, maybe you should stick to doing what you can with WEP and a VPN, and gamble that 802.11i will arrive by the end of this year instead of next year.