I mentioned 802.16 a few days ago and lauded the possibilities that could emerge from its deployment in residential areas. No matter what kind of neighborhood you live in, it is always a good rule of thumb to protect your assets and keep your belongings safe. So in turn, you might install locks or security systems and hire burly looking street-ninja’s. In the case of wireless Ethernet technologies ('WiFi'), the current crop of secure access is few and far between and was at one point non-existent.
In February of 2001, a group of researchers from the University of California at Berkeley computer-science division, published a report outlining the various defects, exploits and otherwise, insecurities in what was the Wired Equivalent Privacy (WEP) protocol used by WiFi devices for “secure transmissions.”
The long and the short of it is, the engineers on the standardization committee for the WEP were not experienced enough in the field of cryptography to catch serious defects, or as the report concluded:
The protocol's problems are a result of misunderstanding of some cryptographic primitives and therefore combining them in insecure ways. These attacks point to the importance of inviting public review from people with expertise in cryptographic protocol design; had this been done, the problems stated here would have surely been avoided.Note: in August of 2001 a team led by Adam Stubblefield (then an intern at AT&T) publicly announced that they were able to crack the WEP.
One of the multiple fixes that has arisen from this embarrassing snafu is WiFi Protected Access (WPA). This protocol fixes the encryption aspect of WEP by utilizing the Temporal Key Integrity Protocol (TKIP), which “provides per-packet key mixing, a message integrity check and a re-keying mechanism,” all of which fix the original exploits found by the researchers. The WPA is basically a stop-gap solution until the “real” standard, 802.11i is finalized.
Another feature that is finding its way into 802.11i is Robust Security Network (RSN). This is actually an encryption system that can dynamically evolve based on newly developed algorithms that are designed in the future. One of these is the Advanced Encryption Standard (AES) encryption algorithm which offers among other things, “bigger” keys (up to 256-bit), which should thwart would-be eavesdroppers from now until quantum computers are invented.
If you have been hesitant up until today to purchase any ‘WiFi’ equipment because of the insecurities involved, you should not have to wait too much longer. Currently, 802.11i is still being finalized (the 4th draft was just submitted for approval) and most probably will be standardized by the end of the year. So starting sometime next year, all of the features I’ve listed above (the “good” ones at least) should be heading to a computer store near you – just remember to do your due diligence before you sink your money and your network into wireless-based hardware.
Oh, and the moral of the story is, before you make an industry standard, have an experienced 3rd party examine your data and feature-set prior to its release into the wild.
Posted by Tim at June 13, 2003 03:17 AM | TrackBack