Mobile & Wireless - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Mobile & Wireless


802.11i Strengthens Wi-Fi Security



 By: Andrew Garcia
2005-01-03
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Mobile & Wireless story.


  Table of Contents:
  1. 802.11i Strengthens Wi-Fi Security
  2. ' Page Two '

Rate This Article:
Poor Best
802.11i Strengthens Wi-Fi Security
( Page 1 of 2 )

802.11i is ready to bring new security to wireless computing, but the costs of retrofitting legacy hardware might make for an uneasy migration.

With the recent ratification of 802.11i, and the certification and availability of products enabled for the wireless security specification, the time seems right for enterprises to feel safe in adopting wireless networking en masse. However, eWEEK Labs has found that issues ranging from incompatible legacy hardware to uneven migration strategies may slow adoption of 802.11i technology.

To be sure, 802.11i is a huge step forward—its the first standardized wireless security solution with which government and businesses can be comfortable.

Click here for suggested migration strategies.

Built upon strong AES-CCMP (Advanced Encryption Standard-Counter Mode/ CBC-MAC Protocol)-based encryption, 802.11i avoids the IV (initialization vector) and MIC (Message Integrity Check) flaws that doomed the WEP (Wired Equivalent Privacy) security standard. By relying on AES-CCMP, a block cipher, 802.11i ensures not only that the packet data payload is encrypted but also that selected packet header fields are protected.

802.11i includes a complex series of communications and key exchanges designed to mutually authenticate wireless clients and access points and to reduce as much as possible the impact on back-end authentication systems.

Resource Library:

In response to a requesting clients probe, an 802.11i-enabled access point responds with an RSN (Robust Secure Network) Information Element that advertises the networks enabled authentication suites and ciphers. The client then selects a mutually compatible setting and initiates an open system authentication to the access point, which verifies the compatible settings and completes the association request. At this time, 802.1x authentication begins.

Similar to WPA (Wi-Fi Protected Access)—a stopgap solution based on Draft 3 of the 802.11i specification—802.11i provides port-based authentication to a RADIUS server to provide user authentication. However, 802.11i streamlines WPAs key exchange process among the client, access point and authorization server by requiring fewer messages.

Once a user has successfully authenticated to the RADIUS server, the authentication server creates a PMK (pairwise master key) that is moved to the access point and then exchanged with the client. This key controls both devices access to the 802.11 channel (no matter which band) and is used to derive the PTK (pairwise transient key), which is actually a collection of keys that help mutually identify the devices and secure the data traffic.

The PMK is unique to the client/access point conversation, so the 802.1x authentication process must occur again when a client roams to a new access point. Because the authentication process causes some latency, devices running time-sensitive applications may falter during a roam.

Click here to read about PKC, which lets clients roam among access points using a single master key in order to prevent secure wireless LANs from getting sluggish.

The 802.11r task group is working on a fast-roaming amendment to the 802.11 wireless specification, but the 802.11i security specification also includes some optional components that may alleviate roaming latency.

For example, with PMK caching, clients and access points may indicate that they have cached a PMK from a previous association. If both the access point and client have the PMK cached, the client may skip a full 802.1x authentication.

Another optional 802.11i component for alleviating roaming dropouts is pre-authentication, where a client authenticates to access points within range in the background while maintaining an association with another access point. However, vendor support may be limited.

802.11i also offers scaled-down security for small networks without a RADIUS server. Based on a preshared key that must be configured identically on the client and access points, this method is potentially vulnerable to offline dictionary attacks if the key is too short or is not changed often enough, and there is no provision for user-level authentication.

Next page: Slow adoption.





  Reader Comments: 802.11i Strengthens Wi-Fi Security
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Mobile & Wireless Articles          >>> More By Andrew Garcia
 


xr㶲0;; ʷ♵MR-bI^f&uT I)R|IzgyoP/gq2DFh4$KW7-gLڮ9)ٟG,zI}݇@BeZNULrJԶnL7n[c3P/W!׫L|Aშ bH %j'AMc{Fm_2F\3Ѣeb ^Pk$ȁ_MMk9JGD=֥E!m$oQX}:[S=2tS[BTuK$!GQcDOПg^/ԡcF 4-fGdh-vuH`Uƞfn= ! A-c9p= uI%f:I!@*v`4EOmCcPpm׃) TQ3#}jـY}@|ݑ|Y#Xo:QQ 3Mu&q/#!_TBp`ÅzSK<{m6O( |@ɤ:aģZq9e̛f4öۼCٰo5T:Ԫr\ˇJYrӽm˙?X8N5j͛_~]*eU.r$QPw;@ږuP[^O:~q iq,ȯD_*0QI- i|-DǏY^Z'moVqaASc T$0yY>E4b™EUCdV&?[~k~]R${3BDȝ`g/3A.r)#`o8{ØWX\E< [&zlNTVʒ0Wb{(QO .ufyFzWN^ S35ލpX.B2i%!8WG5MGR>M獯fz\CU9-|Qnl :2X jX1nґ>~ӁAkӧIΎ|Zꎓx>:AG:ڴ{\V4!>Fha㻣^h>[W <{ C 0ԟr!FAтMz>kI-ߟLs#08w ɝ5 <QС4}aqjS?g !Tgxs=w= } o  ߃5#z[-[Z6x G͹A }Q sZ( 7^`3y"# EEKy3@ $hO`z.< ŊH~ޑvZ*&RP*m=!ԑt݁Z*=h3aGe-n^ $ d6g2+IMiG0V-&D7r"e.G 7Kᙖ6ZlkVe y=0ޅ .z*Hp0ѿy6yBfOx;r+kF3UʝWRVy'g|)WNyVc$C V6_2˧L)Esr:w'e?z~uVkCT]^u 9R@{4 m 246@Ȱ\k_X5QW(:,)T saŰ,Bl6<E9̆ɨau{j,j&M;?&TY9?xz#jISʱb1vn g%A qsGIݔ6 [IF|x|ꝺ3 kQDz3OD<}:_Nϣ )a!c"Q+}ne@ͤԪ)X[3T2.Q\&V,'`#z3F K~,Y\X/+uRR|~lN BrShfh:l=}6:Hy5՝5̆RP՘Iڏ9&_G5 k^ˣ6Wȵm>2躢΍GƱ4f3t%Ҷy4h_GskHb4"T2paLHa0S] elQؼK;(<2k9r]ilu0q`(1Z3:uV*[O;$!WTͶwAQ O1kM8vهE1Ǿ{E;# F:7a/S" @54hÀԇ>B SL@ΧrE\ ~1~1UŠP=I)Gz-X]>L, ~Ê?DNQcG=.C+DÜU^oVw.$JPVbrxɡUT9.J8;|%ZA~~Qet4?trFg}qs`~6|Oe/Pz;7ܮ;a%W#s3/'x/ &1h'0^+o@|V?>]Ik01Sle`Sxt( b*䪢#?݀έ.#Џ]!.־ X@P A6+8SӞ-jXXRO-8-_k13" ,rP˶SL*H@8u2|[\Y3 Q|l8`Č)Ԩ5UV *~e[g5^ߜ]hDA`! Нv;#ؐCKA;cVS,fo|렀6RaMxޜ9"yea@WIlJhLwh^.Qm(}a51r`]X4v>2Q&OB8Jh-[r_A~V0u^Ac#ȫͦ'0k(j'fcO7)~ }$DC9km4{~KeTg7 FBR%%^ͳ!YAɂ]AӀM\r8khLl'P`R(S&L]8TV<^ۋ953ק~@Lf@= P3&t]6:ky*1a2N4D knIG:aF*ݔ[Y`'\U%P-HjYt>80xnX N zWQ{qT2NZU"}QL ޟpف#{? t%.cﻛY4}Fu0qqnou;GA\4[/QAZ=gq O4 8*:g1U/:gRa\}dzLR(1Iw1]2|r&Eqv|;y?`yA+'~pڍ돭{ٽeӔX+΃ 7ec?!hSHf:<fSڎ7M ,#zzǎ ^Cښҽ>k^sfꅰjZ ^Uc z A0vq4aRxy~ïnU2k~  I+U:=<  1 +JGzW/i{mE-@X:Ua2"(BS.iDO§,yڽnp lo}AFJN^fZ-[N7S+t,#?]/8ʚ=?MN:k}&B2^'68/[=h)ڏIE/p(A-H7ܼN9"4qJh"g:Q;6c?G( cdG!!J b"f(BO. K7t[b)/bJ<9syȠ#%tBE[V8_K}p¾"8 0^t,4P$yUZ/WU $uzۋNgS^q,<&nlځ{-3(#{F-޹3{KwK U<Ϻ4]f+wB%MJKz%nQhr;D҂%e(qQ#{ GHڃ} FuU6m>==3ӨO6;x2t? G OFxfw9g; 9>lId3h l?|7t5%pRx65y(1h4Rwot8lv4W -;N ֱVاe W_M·⎭zgQy{rx|[q$[+' g|o#&_M_k wS&5.4y˭0LdT/rK[⹏^}:lQۏo%~2-珰F- y6u2kzX.]&?5Ċ8?z9/i)DGYGt܎5mqbH.ax.s~Wn@D~5ʪL[wt07ٹ]o܆~b k-`B3CH^YI63߯TkSVϣ>Ou?p=K}q6Vհ,广Ai[*HP{ 0br]Iޛ?3 0 ΄ayR,Tr04fN:u(}IO0`BddAWAg9]u _R]n!6T64 T gikNS!&R6ő0)(+a>Vmj1AՏv^[zJ&+qLMly+^hs&r3%KR$]q#q/.+1Z "5[PC3%@B(ZwTBt O=J6TAɗURfoK:K=ݯ1t6 !XHgѧ`UeufNP}S: A%*.Mh 7i=8!]@:arߖ*/pה%G3M{FGT*5,er!f p8ykl 5~ַ+T3%|p98}9 :+Vy7W^a&R" OBBer7 %R(Q>A]Mᐈ~ 4[4N;K-D{).aIZi/t=qԝRoϣ-<0/ktYt}#d#1<I+[vcXIR[rV8 ^bTܛXS+0Ľ]DJ&k jW0Q-u4!7–Y|zn}"-eЧ[+c {׉ }U؟>lOvm-9U'` 5CΰzcOђzG[K54Hz i%n\>N0|&qٶXSP2,-E]oIR)W V f,VpHa3D4Y_t%V^u^in>'ZՔuSJM؛v|-O't<6}oSkw{G~}}}ϽB\~k9rqCHl舛&lD;{x2#?~% _XfÞmp.pN" `(Jfw+W{EjEQϤNo͡*R¶A,ĝۦ+5<ĕk9LU;߽"' o_7Bs^k,fz60[b[ۣĸ,HbOa\m qJs]jלZ3KNJ0zRO0kw>d0K)*:&Cx$0xomHF{ SO8,0E s嚆H> Q3>7-cu݋ukZ})}atzxA{h$ kzF7١Phތ?"iZw\q$ˋ|<=l1wP)=h%l%GX|" IKopTTS`;mO-po~4_=q:; t90ڬޫl߽!۩ʹmcl(M#_ۀږձևxQy| [~{ԽKgD`g <ά;͋=m @ɼ#Ь%5̐X +l%I"q0M?+┉fneϼ%s_&"I4p7DJXȓt`]g4εw ɪy/EҶ 8xT_[]L#_Ukb2О$~Mw qa E#(hILÑBu}KTabɲ#PCnx.ۮ!^jwT60+P=G?۵@( x}}-66Ӫ=F(xėhF!;OuطJ8k9 ΰ.xDG#ͦ0a:u&߮w[y-돉ۋD= ? K&*R. mI?I5?O:ߣ&-x Q){.;1$Hݜ"pv{"(#DמSN|l:,[*juܷ',xEu 쀤᫉PX !%9pgaQ=ʵm~|ݱDyFSi.QTe9LqؕĠAIB4ĸW˔n"I”HUWk-l+ ,|"Y"'"KIH^XA0`'guQ%ǤHFpxAҲ0abS,Y𖭐Kc.ᝧZE9TWK.>%܋%ӊ,ƻ.c 2X3!1cTA9=j"Z-% jD-~0 7|^3mw?)fFllz^C `5olz^CM` /K.қ≠D37:Qos;'7ƄgE[TvXj Km6+% 7~6տ4,\ 9\πTnUw=jhD~ԤJd m_P)ϱVPJj\=w(9q Q])J\k1ة P="^Gl;z^*iߗySG~ :rX$EL>iIߚqm,飏ji' 1 m0=xPgl}g%fl9 c{_[ w5W wGOڵϔ4I vH{wi/1~J+kɱFh=>1}юMݺݵnt)@P\'cĞ۫u퇩bH,9+ xfV-j%!V㬤{0 ",.(HP)dmH.tGw,@8(<DқQq߷~m9|lZߝaD5}Tbt4dVOobD )m3FwG#ˠOW1h>`֨1LW<00t+P̲jNT\OpY=XCE3 cL >VHUljod@2t o'}& )w[WLQXj*{3wȣ4ϓ ,˿+D:èd]@Q:GU T, cn p^bJ MF·:ss;%̔,,2E<ezX<> 4S♝ 07Y:N*r P:ς9s!aZ;hYh?X0M蕴B^Ȉq~/w_Ч6#&DwncquuwI_7wzݺ귺rҼ)lkni|ԝ9}9^}9ouW׭N?W?<1(kyl2_T 3',C riNSʩ`Sg̵,% e*wDE Gcqq^ L;O|տ@)Qe; \VCĨҫSa0L27ήM֖C@VՉt.f53!eA^^Z+!PU8iz67axnZP ">vzhRK`ˌ__׌k(^_~NmdwQ__~48kfBsy}>3 ?/h孳\uQ2CLQ2(_֗_ 0ӆ3,@v}@v}vF l3eg(Q~dQO'C~:0~  _?2 ޿x !חk}'O?gC>g3sn&&oon2/9IR< 9k\픊$dK " SV9,:P g ~-2*Bό~ y/} k{\WKM0TntEճKT쵆cn%:v^_| SG0VĔ}".nmG;yh#ֽ2vb;w K췡^P`26UJ` z!OJ1=4c­dKo1;B&\Cx‹&2&dofⅺ߰%R!:)@18Lo 7X- R箋W!+Bfx;1mqڼ1i*mdɮ51l桭uʿO.+H&KфwY"DühlУm{whıPr O]^+e'aNW>KDr&ߢjOG T*A[`y[Eq Z<6T?rقwr$F4]$ǖlKzUx, #XC0 |ˉ ]1s%1Q.`3x4FȊ?l` v $f\30w6҉ן' Ы~| $>/޺chd1Ck+P<ՍP{ dp1o6Nώ{;]95}+Qݍ;S7 œj@@rveN(lfB ?|ë_Τ62f3BLr$2) Nˌq?Ih"v]!6 R Ň%޿1ȗ3`׻3 p59=`&<9ϖ,|Ŷr.iGAI';->#g`躷'SrY`_GFb+MGVk*q.w iᢚ:4R_ 7'쭰F.v+2}ju"춮HORKQLPxUE0P;Cf KQps4F v[F{c 5,l$9=ASh4M+o0ѝEX!%9wvgcw[/AI)H[aD.v ;3-Mv"مxދ!Z^y|XT ,sD?>7S1U)ւ_/gwd6VLSc? `nwn9r'#rm˜2J1Д8v2COA=t ύke[ |kc'pg ! X/'̂;OulÝgD d9e7 o9] *۳i|?e Lt8?n90kn>7Q$L{xr:4Y W96s-[ !ۂˌKmӴ6u¥"UXHMX,8. k4⿞5;>Ba2\DGx kok3gzϷ;<v7͇OVe؋$v/-'vJ^S.!O3й?-{/e; ;],{ QAbFC8u vAѪ f7"60^q۷KRl@swS a \Nսv)E=b농E]hT_ !** /߉n^]e#X#&7I;s__9V0|6,cz#ɾ Yf+3sƫ-I>2ūaq1jVI{{a0&|iE-㨤t`C v_ <8 c,;fcXJ Y2!&ۅ7O80Ux|-h\};xrmx0#ŸErY)2^{HvdzU.\d׎sl#^"|f`*aH 3Ay0,X+0W_ǀ 52lt* X*!KŬ"D0H'Z:tsh{h۟sTHهl*~&,Yl{kۺнT~xhy6xL ꟭eTUA$摝7y@ƦI:1q09TV}p0v&b(1lS24K_hjJlxTʉ|Y0oǝF6Ȅ В#nvbe}!hX*