By Eric Griffith
June 25, 2004
UPDATED: The long awaited standard for Wi-Fi-based LANs has been ratified by the IEEE — and arrives with some new features.
The IEEE ratified the 802.11i security standard for wireless LANs yesterday in a standards committee meeting in Piscataway, N.J.
802.11i is the long-awaited security standard for Wi-Fi networks that upgrades the former “official” wireless security standard, the much-maligned Wired Equivalent Privacy (WEP). WEP was found to be easy to crack by those with the right tools and enough patience — and so hard to implement that most people don’t bother turning on the security at all.
In 2002, stating that the industry couldn’t wait for 11i’s ratification, the industry consortium Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA). It is a subset of the abilities of 802.11i, including better encryption with Temporal Key Integrity Protocol (TKIP), easier setup using a pre-shared key, and the ability to use RADIUS-based 802.1X authentication of users. WPA comes in two flavors, one that’s easier for home users, and one for enterprises (the latter incorporates 802.1X).
Official 802.11i has all the abilities of WPA and adds the requirement to use Advanced Encryption Standard (AES) for encryption of data. AES provides enough security to meet the needs for the Federal Information Processing Standard (FIPS) 140-2 specification, which is required by many government agencies. The downside is that AES support may require new hardware for many existing WLANs, as it needs a dedicated chip to handle the encryption and decryption.
Within the IEEE 802.11 Working Group (WG), there are several Task Groups (TG). The group behind 802.11i — called TGi — has been working on the standard for years under the direction of chair David Halasz from Cisco Systems. He says the last year brought few changes to the standard as it moved from committee to committee up the chain to the IEEE, but that it does include a couple of relatively unknown features. One is key-caching, which stores information from your system on the network so if you leave and come back to an access point, you don’t need to re-enter all your credentials — all invisible to the user. The other is called pre-authentication, which allows a client/station to become authenticated to an AP before moving to it, by sending a pre-authentication packet that’s routed through the AP the user is currently associated with. It allows for faster roaming from AP to AP.
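The three generations the article describes (WEP, WPA with TKIP and a pre-shared key, and 802.11i/WPA2 with AES, 802.1X/RADIUS, key caching and pre-authentication) map directly onto access-point configuration knobs. The following is an added example in hostapd.conf syntax, the Linux access-point daemon; it is not from the article or from the IEEE or Wi-Fi Alliance, and the interface names, SSIDs, RADIUS address and secrets are placeholders. The first two profiles are shown only to make the weak settings recognisable; the third is the one a defender would actually deploy.

```ini
# ---- Profile 1: legacy WEP (what 802.11i replaces) ----
# Left here so the weak settings are recognisable; do not deploy.
# interface=wlan0
# ssid=legacy-net
# hw_mode=g
# channel=6
# auth_algs=1
# wep_default_key=0
# wep_key0=0102030405            # 40-bit static key shared by every client

# ---- Profile 2: WPA (the 2002 Wi-Fi Alliance subset of 802.11i) ----
# TKIP encryption, pre-shared key, no RADIUS. Adequate for a home network
# in 2004 terms; still a downgrade from Profile 3.
# interface=wlan0
# ssid=home-net
# hw_mode=g
# channel=6
# auth_algs=1
# wpa=1                          # 1 = WPA only
# wpa_key_mgmt=WPA-PSK
# wpa_pairwise=TKIP
# wpa_passphrase=CHANGE-ME-placeholder-passphrase

# ---- Profile 3: 802.11i / WPA2 enterprise (the ratified standard) ----
interface=wlan0
ssid=corp-net
hw_mode=g
channel=6
auth_algs=1

# RSN (802.11i) only; set wpa=3 to also accept WPA/TKIP clients during a
# migration, then return to 2 once every client supports AES-CCMP.
wpa=2
wpa_key_mgmt=WPA-EAP            # 802.1X user authentication instead of a PSK
rsn_pairwise=CCMP               # AES-CCMP, the encryption 802.11i requires

# 802.1X hands the EAP exchange to a RADIUS server (placeholder address/secret).
ieee8021x=1
own_ip_addr=192.0.2.10          # NAS-IP-Address reported to RADIUS (placeholder)
auth_server_addr=192.0.2.20
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-radius-secret

# 802.11i pre-authentication: a station already associated with another AP
# may run 802.1X with this AP ahead of time, with the frames forwarded over
# the wired side, so the later roam does not repeat the full EAP exchange.
rsn_preauth=1
rsn_preauth_interfaces=eth0

# Key (PMKSA) caching keeps the pairwise master key from a completed
# authentication so a returning station reconnects without re-authenticating.
# 0 keeps caching enabled (the default); set to 1 only when troubleshooting.
disable_pmksa_caching=0
```

A quick check after rolling out Profile 3 is to confirm, from the AP's own logs or a client's association status, that the negotiated pairwise cipher is CCMP and key management is 802.1X; any station still showing TKIP or a PSK is a migration leftover that keeps the WLAN below the 802.11i baseline.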
The Wi-Fi Alliance will use the nomenclature of “WPA2” when referring to 802.11i, according to the Alliance’s Frank Hanzlik. He expects the Alliance to begin testing products for WPA2 by September. It will not replace WPA, however, which will continue to be available for homes and small businesses that don’t need the advanced encryption or RADIUS authentication. 802.11i/WPA2 products will be backwards compatible with WPA products, assuming they have the means to support AES.
Julie Ask, senior analyst at JupiterResearch, says that after so much time the ratification is somewhat anticlimactic. Despite research showing security as the number one barrier to deployment, it’s only affecting about one third of companies. Small companies are particularly immune to the issue, but they don’t have to worry about things like RADIUS servers.
“Overall, [it’s] not such a big deal, since companies have been selling what they believed to be 802.11i for so long,” says Ask. She does feel that “testing by Wi-Fi Alliance for WPA2 will help drive interoperability so is badly needed. It’s great that they can finally get started.”
Other 802.11 standards are still in process with the WG. The next to get ratification will likely be 802.11e, which handles Quality of Service (QoS) for the transmission of video and voice over wireless. Other groups include:
- TGn works on 802.11n, pushing the theoretical throughput of Wi-Fi over 100 Megabits per second (Mbps)
- TGr works on 802.11r, handling the “fast hand-off” when a wireless client re-associates when moving from access point to access point on the same WLAN.
- TGs works on 802.11s, codifying what’s needed for standardized self-healing/self-configuring mesh networks.
The 802.11 WG has internal Study Groups looking at possible future standards for using Wi-Fi in moving vehicles (likely to become TGp, thus 802.11p), Wi-Fi performance prediction for testing (likely to become TGt, thus 802.11t), and inter-working with external networks (no letter yet).
With ratification of 802.11i, the TGi will disband. Stuart Kerry, the chair of the WG, says that he’s considering forming a standing committee that would look at wireless security on an ongoing basis, a group that would work with the various Task Groups to ensure that new additions to 802.11 don’t introduce security issues.