The AES security that 802.11i brings to wireless networks finally delivers on the promise that wireless computing can be as secure as wired. AES uses an encryption scheme developed by a pair of Belgian cryptographers that stood up to attacks in a veritable cryptographical bake-off that the U.S. Department of Commerce and the National Institute of Standards and Technology sponsored in 2000. The winning algorithm was adopted by those agencies a year later to replace DES as the Federal Information Processing Standard and was incorporated into 802.11 security just last week. In 802.11i, it replaces WEP's 40-bit static encryption key with variable key sizes of 128, 192 or 256 bits, making it far more difficult to crack.
That's the good news. The bad news is that getting all this protection could be costly to early enterprise adopters who shied away from the draft-compliant products and went with 802.11b, a, g or combo equipment. AES is not backward-compatible with WEP.
This doesn't mean the WLAN will be insecure if you don't replace the devices you're now using. The spec is backward-compatible, even if AES is not. 802.11i also includes TKIP (Temporal Key Integrity Protocol), the encryption protocol used in WPA (Wi-Fi Protected Access), the interim security standard that the Wi-Fi Alliance issued last year to bring strong wireless encryption, along with 802.1X authentication and a message integrity check, to provide strong security and put worries to rest while the industry awaited 802.11i's ratification. WEP devices can be upgraded to WPA with TKIP encryption if vendors have made drivers available. TKIP's presence in 802.11i means new devices should work alongside legacy devices that have made the WPA upgrade. They just won't have AES encryption.
Looking ahead, it will be interesting to see whether 802.11i's ratification will result in a huge uptick in demand for Wi-Fi devices in the enterprise.
Many of those under regulatory mandates to secure their data, typically those in health care and financial services, deployed draft-compliant products in advance of the specification's ratification. And many of those that don't face regulatory mandates may find it less expensive and more practical to stick with the WPA products now on the market.
The Wi-Fi Alliance will launch its interoperability certification program for 802.11i devices in September under the name WPA2, the second generation of Wi-Fi Protected Access. David Cohen, chairman of the Wi-Fi Alliance's security committee, said enterprise customers will have to determine if AES protection merits the cost of new equipment. If immediate upgrades are impractical, he said, customers "can look for products that have Wi-Fi WPA certification, and it will still give them a lot of security."
So difficult, in fact, that there is some disagreement in the cryptography community whether it can be cracked at all and general agreement that if it can (and surely someday it can), that day is some time off. A 128-bit key size generates a number of possible keys that's too high to write out here. Think 340 followed by 36 zeros.