WPA: Will it plug wireless` security holes?

Johannesburg, 11 Sep 2003

Security still remains a major obstacle in the successful implementation of wireless LANs. Past efforts to solve this have not been entirely successful. There is, however, a new security mechanism set to change this. Graham Vorster, chief technology officer of Duxbury Networking, discusses the benefits of the recently introduced WPA technology.

Since the inception of wireless technology, security has been a major concern and inhibitor of widespread industry adoption.

The wireless LAN industry`s first crack at security - 802.11 Wireless Equivalent Privacy (WEP) has already - though somewhat prematurely - been branded as a failure. Jim Geier, author of Wireless LANs, recently commented that WEP is so easy to break it`s like having a plastic lock on your door.

"Although WEP can keep casual snoopers from accessing a wireless LAN, companies need and can do much better," he says.

One of the key flaws of WEP is that its encryption keys are static rather than dynamic. The problem with this scenario is that once an IT administrator wants to update the keys, he or she has to visit each machine, which is not feasible when dealing with a big network.

Introducing WPA

At the end of last year, the Wireless Fidelity (WiFi) Alliance announced WiFi Protected Access (WPA), a standards-based security mechanism that eliminates most 802.11 security issues.

Based on the still to be ratified 802.11i standard, WPA will be integrated into products within the next few months.

According to the WiFi Alliance, one of the key advantages of WPA is that it enables the implementation of open wireless LAN security in public areas and hot spots such as universities - this has in the past no been possible with WEP.

And to demonstrate just how serious they are about the implementation of WPA, the WiFi Alliance has mandated that by the end of this year the security mechanism will be a requirement for all new WiFi certifications.

How WPA works

WPA features both Temporal Key Integrity Protocol (TKIP) and 802.1x mechanisms, which provide dynamic key encryption and mutual authentication for mobile clients.

Unlike WEP, it counters hacker intrusions by generating a periodic and unique encryption keys for each of its users.

Companies can, for example, use WPA to interface with an authentication server, such as RADIUS (remote authentication dial-in user service) using 802.1x with EAP.

However, in the case of SOHOs (small office, home office) WPA does not require an authentication server, due to the technology`s ability to operate in "preshared key mode".

Similar to WEP, a user`s preshared key must match the one stored at the access point. An access point then uses the preshared key for authentication. If the key matches, access is given to the wired side of the access point.

Who will benefit from WPA?

It is believed that WPA will benefit legacy equipment the most. Companies can install it via software upgrades to WiFi certified access points. These access points will then support a mixed environment of client devices, ones implementing WPA and others that don`t.

But, one of the key benefits of WPA is that it forward compatible with the 802.11i standard. When finally ratified, this standard will include Advanced Encryption Standards (AES) as an option, which is said to be stronger that RC4.

One downfall of AES is that it will probably require the replacement of a legacy point because of the need for higher performing processors. 802.11i will, therefore, be targeted at new equipment.

Undoubtedly WPA is not an interim solution but a long-term step. It is set to provide excellent security and can already be implemented on existing technology.

With the new hardware requirements of 802.11i, WPA is likely to be solution that lasts until you move to the next generation of hardware.


Editorial contacts

Michele Turner
Howard Mellet & Associates
(011) 463 4611
Graham Vorster
Duxbury Networking
(011) 646 3323