Wireless Security: A Partial Glossary of Wireless Security Terms

 
 
By Larry Seltzer  |  Posted 2008-12-02 Email Print this article Print
 
 
 
 
 
 
 

Users have every right to be perplexed by wireless security standards. Faced by an alphabet soup of AES, RADIUS, WEP, WPA, TKIP, EAP, LEAP and 802.1x, many users don't secure their wireless networks at all. Now that earlier wireless security standards such as Wi-Fi Protected Access and Wired Equivalent Privacy are being cracked, it's time to examine what all the terms mean and think about changes.

Just about a month ago, in early November, the news came out that the first cracks were appearing in WPA, or Wi-Fi Protected Access, a very popular wireless security standard. The compromise that was accomplished by some researchers was not a real killer, but the affected version of WPA (and the associated encryption process, TKIP, or Temporal Key Integrity Protocol), was always meant as a stopgap standard.

For some time now there have been better standards implemented in shipping wireless products, and there have been many articles published with good advice on improving your wireless security. For example, this one from eWEEK Labs' Andrew Garcia discusses the attack itself and how you can protect yourself from it. This one from Dan Croft discusses bigger issues of wireless security architecture and policy.

After reading the wireless security news, Steven M. Bellovin, professor of Computer Science at Columbia University, decided to tighten up the security on his own home wireless network. Bellovin's house is not an enterprise, so much of the advice and solutions available for dealing with this problem aren't really applicable. Bellovin didn't really know how to proceed, and if a professor of Computer Science at an Ivy League school can't make immediate sense of it all, how is everyone else supposed to?

I decided to examine the wireless terms that Bellovin encountered in the various products he has to see what they all meant:

  • WEP (Wired Equivalent Privacy)-The old, original, now discredited wireless security standard. Easily cracked.
  • WEP 40/128-bit key, WEP 128-bit Passphrase-See WEP. The user key for WEP is generally either 40- or 128-bit, and generally has to be supplied as a hexadecimal string.
  • WPA, WPA1-Wi-Fi Protected Access. The initial version of WPA, sometimes called WPA1, is essentially a brand name for TKIP. TKIP was chosen as an interim standard because it could be implemented on WEP hardware with just a firmware upgrade.
  • WPA2-The trade name for an implementation of the 802.11i standard, including AES and CCMP.
  • TKIP-Temporal Key Integrity Protocol. The replacement encryption system for WEP. Several features were added to make keys more secure than they were under WEP.
  • AES-Advanced Encryption Standard. This is now the preferred encryption method, replacing the old TKIP. AES is implemented in WPA2/802.11i.
  • Dynamic WEP (802.1x)-When the WEP key/passphrase is entered by a key management service. WEP as such did not support dynamic keys until the advent of TKIP and CCMP.
  • EAP-Extensible Authentication Protocol. A standard authentication framework. EAP supplies common functions and a negotiation mechanism, but not a specific authentication method. Currently there are about 40 different methods implemented for EAP. See WPA Enterprise.
  • 802.1x, IEEE8021X-The IEEE family of standards for authentication on networks. In this context, the term is hopelessly ambiguous.
  • LEAP, 802.1x EAP (Cisco LEAP)-(Lightweight Extensible Authentication Protocol) A proprietary method of wireless LAN authentication developed by Cisco Systems. Supports dynamic WEP, RADIUS and frequent reauthentication.
  • WPA-PSK, WPA-Preshared Key-Use of a shared key, meaning one manually set and manually managed. Does not scale with a large network either for manageability or security, but needs no external key management system.
  • RADIUS-Remote Authentication Dial In User Service. A very old protocol for centralizing authentication and authorization management. The RADIUS server acts as a remote service for these functions.
  • WPA Enterprise, WPA2 Enterprise-A trade name for a set of EAP types. Products certified as WPA Enterprise or WPA2 Enterprise will interoperate. The included types are:
    • EAP-TLS
    • EAP-TTLS/MSCHAPv2
    • PEAPv0/EAP-MSCHAPv2
    • PEAPv1/EAP-GTC
    • EAP-SIM
  • WPA-Personal, WPA2-Personal-See Pre-Shared Key.
  • WPA2-Mixed-Support for both WPA1 and WPA2 on the same access point.
  • authentication algorithms: OPEN, SHARED and LEAP-OPEN in this context meant no authentication; the network was open to all. SHARED refers to preshared key. for LEAP see LEAP.
And I'll add a few more:

  • 802.11i-An IEEE standard specifying security mechanisms for 802.11 networks. 802.11i uses AES and includes improvements in key management, user authentication through 802.1X and data integrity of headers.
  • CCMP-Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. An encryption protocol that uses AES.


 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel