The Wi-Fi Alliance will use its pull in the industry to improve security measures in wireless LAN hardware over the next year.
The Austin, Texas, trade organization, which confers the right to use the Wi-Fi label on hardware, plans to increase encryption requirements for certification. But members of the security task groups within the alliance stress that the onus of WLAN security still lies with the customer.
Last fall, the group quietly made support for 64-character passwords a requirement for access points to be certified for WPA2—the next version of the Wi-Fi Protected Access protocol, which incorporates AES (Advanced Encryption Standard). The move came in reaction to a report last summer detailing potential attacks using rogue access points and a RADIUS servers shared secret. Adding characters to the shared secret makes the hack more difficult and less likely to succeed, experts said.
By spring of next year, the alliance will require that all access points be WPA2-certified to get the Wi-Fi label, said Frank Hanzlik, managing director of the group. WPA2 is based on the IEEEs 802.11i standard. The first version of WPA is already required for certification.
Some analysts say WPA2 is too stringent a requirement.
“I dont think its a good idea to require WPA2,” said Craig Mathias, an analyst at Farpoint Group, in Ashland, Mass. “I dont think everyone will need AES. I also think higher-level security of the 802.1x or VPN variety can effectively substitute for AES in many cases.”
Alliance officials disagree. “It is really nonsense in claiming VPNs are an economic alternative to WPA2,” said Eugene Chang, vice president of strategic development at Funk Software Inc., in Cambridge, Mass., and an active member of the Wi-Fi Alliance security working group.
“WPA2 is free, secure encryption at wire speed. VPN devices are extremely expensive. Even low-cost 1M-bps VPN servers are more expensive than an access point,” said Chang. “The strongest reason to use IPSec [IP Security] over WLAN is an application that requires use of FIPS [Federal Information Processing Standard] 140-2-certified encryption, [because] FIPS 140-2-certified 802.11i products are not available yet.”
Meanwhile, throughout this year, the alliance will be adding various strains of EAP (Extensible Authentication Protocol) to its testing bed, Hanzlik said.
Alliance officials said the responsibility for a secure WLAN still lies with the administrator, noting that there are plenty of users who dont take advantage of security protocols. For example, the aforementioned RADIUS hack assumed a weak shared secret on the users part. Requiring a vendor to support a 64-character shared secret does not preclude a user from choosing an eight-character one.
“It is important that we always keep sight of the difference between the capabilities of the equipment and the practice of the users,” Chang said. “We should not be blurring the distinction between equipment flaws [and] the difficulties of user education.”
While the Wi-Fi Alliance is not a government standards body, WLAN administrators and analysts say the group has cachet and that the Wi-Fi sticker matters.
“I look at the Wi-Fi sticker to make sure the devices are capable of WPA either with preshared keys or server-based,” said John Greiner, chief technology officer at Legal Services for New York City. “Basically, it helps me screen out certain products more quickly.”
Wi-Fi Security Initiatives
WPA testing incorporated into the certification process
Tests for WPA2 require that WPA2- certified products support a 64-character shared secret
Tests for various iterations of EAP developed
WPA2 support required for Wi-Fi certification