This week's Q&A tackles the critical shortcomings of WEP security for wireless LANs and takes an in-depth look at its ultra-secure successor.
By Ron Pacchiano
Q. One of the things my wife and I always fight about is the spider web of wires covering the floor of my home office. After our last "discussion," she made it clear that if I didn't do something about them, I'd be out of here. So after much reluctance, I finally took the plunge and invested in a new wireless router and network adapters from D-link Technologies. I have to admit that I'm happier for it. It was relatively easy to do, and the performance is much better than I would have anticipated.
One of my initial concerns with moving to wireless had to do with security. I was always afraid that someone was going to be able to tap into my network and steal or damage my data. That was one of the reasons I went with the D-link products; they were the only vendor I found that supported 256-bit WEP encryption. Lately, however, I've been reading that WEP has numerous security holes that make it very ineffective against attacks. I also heard that a new wireless security standard was being developed that is going to be replacing WEP in the not to distant future.
So my question is this, what exactly is WEP, and is it so completely inadequate at providing security that my data is at risk? Also, is this replacement for WEP going to make my existing hardware obsolete? I hate to think that I spent all this money for nothing. Thanks!
A. Well, I don't think I would personally refer to WEP as being completely inadequate. Despite its flaws, WEP does provide some margin of security, particularly when compared with no security at all, and it remains a useful deterrent for the casual malcontent.
However, WEP does suffer from a number of shortcomings that really are in need of fixing. To better understand why, let's first take a closer look at what WEP was originally designed to do and what its vulnerabilities are. Then I'll introduce you to its more secure upcoming replacement, WiFi Protected Access (WPA).
In the beginning there was WEP, or Wired Equivalent Privacy. WEP is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard (802.11b) that's designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN. WEP seeks to establish similar protection to that offered through a wired network's physical security measures by encrypting data transmitted over the WLAN.
Data encryption protects the vulnerable wireless link between clients and access points, but that's the extent of its security measures. For greater security, WEP relies heavily on other types of LAN security mechanisms to ensure privacy. This includes such things as password protection, end-to-end encryption, Virtual Private Networks (VPNs), and user authentication.
In recent years a number of respected research groups have published reports citing "major security flaws" in WEP that leave WEP-protected WLANs vulnerable to attack. During their examination, researchers were able to intercept and modify transmissions and gain access to restricted networks that were supposedly being protected by WEP. The official response to this from the Wireless Ethernet Compatibility Alliance (WECA) stated that WEP was never intended to be the sole security mechanism for a WLAN and that, in conjunction with traditional security practices, it is very effective.
In larger companies with qualified IT staffs and deep pockets, this isn't as much of a concern, as these companies routinely make use of the additional security mechanisms discussed earlier. This doesn't mean that it's not a problem for them as well; they're just better equipped to deal with it correctly.
For home and Small Office/Home Office (SOHO) users where wireless is really propagating, however, it's definitely more of a concern. Most home users barely do anything more than take the products out of the box and plug them in. Their feeling is if it works, don't touch it. Many don't realize the critical risk to their systems.
WPA to the Rescue
In any event, the need for something better is clearly needed, and it's with this need in mind that the WiFi Alliance – in conjunction with the IEEE – has driven an effort to bring strongly enhanced, interoperable WiFi security to market. The result of this effort is the WiFi Protected Access (WPA) security protocol.
WPA is a specification of security enhancements that increases the level of data protection and access control for existing WiFi networks. WPA has been designed to be forward compatible with the upcoming IEEE 802.11i specification and utilizes the enhanced data encryption Temporal Key Integrity Protocol (TKIP). It further adds user authentication capabilities and support for the Extensible Authentication Protocol (EAP).
WPA was designed to operate in two different modes, enterprise and home mode. In enterprise mode, a network server and sophisticated authentication mechanisms are utilized and automatically distribute special encryption keys, called master keys.
In a home environment, where there are no network servers, WPA runs in a special mode, which allows the use of manually entered keys or passwords. This mode, also called Pre-Shared Key (PSK), is designed to be easy to set up for the home user. All the home user needs to do is enter a password (also called a master key) into their access point or home wireless gateway and each PC that is on the wireless network. After entering the password, WPA automatically takes over.
First, WPA keeps out eavesdroppers and other unauthorized users by requiring all devices to have the matching password. Second, the password kicks off the encryption process, which in WPA is called Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements, including a per-packet key mixing function, a message integrity check (MIC), an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. Through these enhancements, TKIP addresses all of WEP's known vulnerabilities.
This is where the mechanics of WPA are substantially different from WEP, in which the same static encryption key is used over and over again. TKIP takes the original master key only as a starting point and derives its encryption keys mathematically from this master key. TKIP then regularly changes and rotates the encryption keys so that the same encryption key is never used twice. This all happens in the background automatically, invisible to the user. Together, these features make WPA a far stronger security solution than WEP.
While no security mechanism can be considered "absolutely secure," the protection given by WPA is strong enough to prevent most attacks, even sophisticated ones. As such, WPA offers a pragmatic, economical security mechanism for most home users.
Now to answer the last part of your question, does this mean that all of your existing wireless hardware will become obsolete once WPA becomes an official standard? In most cases, the answer is no. One of the design goals of WPA was that it be software upgradeable for existing WiFi-certified products. This means that your existing investment in wireless hardware should be upgradeable to the new security standard through a simple software upgrade. If you haven't purchased any wireless equipment yet, just make sure that whatever you plan to purchase has been both WiFi certified (displaying the WiFi logo) and includes WPA.
So to recap, WPA had several design goals, among which was to improve upon the weak data encryption in WEP and to provide user authentication, which was largely missing in WEP. It has been designed to be a strong, interoperable security replacement for WEP, to be software upgradeable with existing WiFi-certified products, and to be applicable for both home and large enterprise users. Only time will tell if the developers have succeeded in all three of these endeavors.
Next week we'll discuss some tips you can implement for your current wireless network that should help keep it as secure as possible until the WPA upgrade becomes available for your hardware.
|Home | Networking | Backgrounders | Internet Sharing | Security | HowTo | Troubleshooting | Reviews | News | About | Jobs | Tools | Forums|