WPA Should Wipe Out Some WEP Worries

New wireless security standard is geared for enterprise-level deployment

The beginning of the new year brings much-needed new security technology for the Wireless LAN industry. New products and software enhancements using WPA (WiFi Protected Access) will be announced this quarter, which will address the security shortcomings of WEP (Wired Equivalent Privacy).

WEP was developed to make wireless LANs as secure as wired ones. However, it has been plagued with many vulnerabilities and inherent security flaws. WEP also lacks robust user authentication and key management capabilities, making it hardly scalable. Although it was the only security option available for WiFi WLAN products on the market, WEP did not see much implementation in the enterprise space.

Despite these shortcomings, WEP is not completely useless. Having any security is better than having none, and WEP works fairly well for small household WLANs to protect against eavesdroppers. A few enterprises have used WEP with security appliances and VPNs to boost security.

The WiFi alliance and the IEEE drew up the WPA last year in an effort to provide better interoperable security technologies in the WiFi space. WPA certifications are expected to start the first quarter of this year. Intersil last week announced WPA software upgrades for its PRISM-based WLAN clients and access point products.

WPA provides improved data encryption through the TKIP (Temporal Key Integrity Protocol). TKIP addresses all the current WEP vulnerabilities by providing enhancements to the WEP encryption engine. TKIP provides a 48-bit initialization vector (compared to the 24-bit initialization vector used in WEP), per-packet key mixing, a message integrity code named Michael and a key distribution mechanism.

Using a 48-bit initialization vector greatly increases the number of possible shared keys that are dynamically generated. With an extended IV and new sequencing rules, TKIP can better protect against the replay and initialization vector collision attacks to which WEP is vulnerable.

The per-packet key mixing provides stronger, 128-bit based keys and a key hierarchy structure. This feature protects against key recovery attacks using tools like AirSnort, which have been used to crack weak WEP keys. The new Michael checksum algorithm safeguards against forgery attacks.

WPA can provide enterprise-level user authentication capabilities via 802.1x and the Extensible Authentication Protocol.

Although WPA is more than a temporary fix for WEP, it is not the definitive WiFi security solutions: WPA Version 2, which uses the AES-based CCMP protocol, will be introduced at end of 2003 and early 2004.

The bottom line is that WPA will be a blessing for sites beleaguered by WEP vulnerability problems, although WPAs user authentication management features should have been in WEP in the first place. In addition, WPAs enhanced encryption capabilities mean there will be network throughput implications if WPA is used in legacy WiFi products.

What are your thoughts on WPA? Let me know at francis_chu@ziffdavis.com.