Last week the IEEE gave its official stamp of approval to 802.11i, the long-awaited security specification that replaces Wired Equivalent Privacy (WEP), the original—and basically insecure—802.11 security scheme. In its place we're getting encryption built on the robust, elegant and globally applauded Advanced Encryption Standard (AES).
That comes as good news in a month in which wireless security was haunted by news of a new cell phone virus. And it should bring a sigh of relief from the wireless industry that has been waiting to exhale for some time.
Colin Macnab, vice president of marketing and business development for wireless chip maker Atheros Communications, told me 802.11i “brings a level of encryption that is acceptable for the enterprise. Now the market can meet the expectations I've seen reported for it for the last four to five years.”
Actually, it could have done so before now. Atheros and Broadcom, its counterpart in the wireless chip-set business, have been putting AES in silicon for well over a year. Broadcom shipped an 802.11g chip set with AES in hardware in fall 2002, and Macnab said “we put the hardware in our chips in our February '03 release.”
According to Macnab, “there's little to change but the marketing. Nobody could call it 802.11i until it became official.” Until now the chip sets could only claim to be “compliant with the draft standard.”
Compliance with a draft standard was evidently not enough to assuage the doubts of enterprise network managers. From nearly the moment that the 802.11b specification was released in 1999, WEP had been generating the kind of headlines no one wanted to see. There were the reports of “war driving” hackers who, with laptops equipped with antennas crafted from Pringles cans and tools they downloaded from the Internet, managed to penetrate corporate networks.
And there were those scathing comments from Richard Clarke, chairman of the President's Critical Infrastructure Protection Board, who in 2002 declared, “We should all shut [wireless LANs] off until the technology gets better.” That, despite the fact that 802.11b delivered exactly what the federal security mandate of 1999 demanded of it when the specification was adopted.
The imprimatur the IEEE gave the new standard last week, and the certification program the Wi-Fi Alliance is now putting behind it to assure corporate buyers of the devices' interoperability, should open doors that previously remained closed.
The AES-based encryption that 802.11i brings to wireless networks finally delivers on the promise that a wireless LAN can be made as secure as a wired one. AES is the Rijndael cipher, developed by a pair of Belgian cryptographers, which stood up to attacks in a veritable cryptographic bake-off that the National Institute of Standards and Technology, part of the U.S. Department of Commerce, concluded in 2000. The winning algorithm was adopted a year later as Federal Information Processing Standard 197, replacing DES, and was incorporated into 802.11 security just last week. AES itself supports key sizes of 128, 192 or 256 bits; 802.11i uses it with 128-bit keys in place of WEP's static 40-bit key, making it far more difficult to crack.
So difficult, in fact, that there is some disagreement in the cryptography community over whether it can be cracked at all, and general agreement that if it can (and surely someday it can), that day is some time off. A 128-bit key gives 2^128 possible keys, a number too long to write out here. Think 340 followed by 36 zeros.
That's the good news. The bad news is that getting all this protection could be costly to early enterprise adopters who shied away from the draft-compliant products and went with 802.11b, a, g or combo equipment that lacks AES hardware. AES encryption is not backward-compatible with WEP hardware: older chip sets cannot be upgraded to it with a driver.
This doesn't mean the WLAN will be insecure if you don't replace the devices you're now using. The spec is backward-compatible, even if AES is not. 802.11i also includes TKIP (Temporal Key Integrity Protocol), the encryption protocol used in WPA (Wi-Fi Protected Access), the interim security standard the Wi-Fi Alliance issued last year. WPA paired TKIP with 802.1X authentication and a message integrity check to provide strong security and put worries to rest while the industry awaited 802.11i's ratification. Because TKIP wraps the same RC4 cipher WEP already uses, WEP devices can be upgraded to WPA with TKIP encryption if vendors have made drivers available. TKIP's presence in 802.11i means new devices should work alongside legacy devices that have made the WPA upgrade. They just won't have AES encryption.
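What that coexistence looks like on the access point side, as an added illustration that is not part of the article and not a configuration from any vendor it mentions: a hostapd configuration fragment for a Linux access point that advertises one SSID to both legacy WPA/TKIP clients and new 802.11i (WPA2) clients. The interface name, SSID and passphrase are hypothetical placeholders, and the pre-shared-key mode is used only to keep the example short; an enterprise deployment would use 802.1X (wpa_key_mgmt=WPA-EAP) with a RADIUS server instead.

```ini
# Added example, not from the article: hostapd.conf for a mixed WPA/WPA2 network.
# Assumed values: radio on wlan0, SSID "corp-lab", placeholder passphrase.
interface=wlan0
ssid=corp-lab

# wpa is a bit field: bit 0 = WPA (the interim TKIP standard),
# bit 1 = WPA2 (IEEE 802.11i / RSN). 3 advertises both, so cards that only
# got the WPA driver upgrade and new 802.11i cards can join the same SSID.
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=example-passphrase-change-me

# Cipher offered to WPA (v1) associations: TKIP only.
wpa_pairwise=TKIP
# Cipher offered to WPA2 (802.11i) associations: AES-CCMP only,
# so new hardware never negotiates down to TKIP for its unicast traffic.
rsn_pairwise=CCMP
```

The caveat a practitioner should know: the group key that protects broadcast and multicast frames has to use a cipher every associated client supports, so in this mixed mode it falls to TKIP for everyone, AES-capable clients included. Once the last legacy client is retired, set wpa=2 and drop the TKIP line so the whole network, group traffic included, runs on AES.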
Looking ahead, it will be interesting to see whether 802.11i's ratification will result in a huge uptick in demand for Wi-Fi devices in the enterprise. Many of those under regulatory mandates to secure their data, typically those in health care and financial services, deployed draft-compliant products in advance of the specification's ratification. And many of those that don't face regulatory mandates may find it less expensive and more practical to stick with the WPA products now on the market.
The Wi-Fi Alliance will launch its interoperability certification program for 802.11i devices in September under the name WPA2, the second generation of Wi-Fi Protected Access.
David Cohen, chairman of the Wi-Fi Alliance's security committee, said enterprise customers will have to determine whether AES protection merits the cost of new equipment. If immediate upgrades are impractical, he said, customers “can look for products that have Wi-Fi WPA certification, and it will still give them a lot of security.”