
    Standards Will Fill Holes in WEP Authentication and Encryption

    Written by

    Francis Chu
    Published February 3, 2003

      The security built into Wi-Fi is better than no security at all—but not by much. Standards bodies are at work, though, on a framework that will free IT managers from some of the heavy lifting they have to do to get WLANs up to enterprise code.

      During the past two years, the IEEE has been working on the 802.11i security standard. This standard is designed to address known WEP (Wired Equivalent Privacy) vulnerabilities and provide significant enhancements to 802.11-based equipment. 802.11i calls for a better authentication scheme—via 802.1x—and two new encryption protocols that will replace WEP.

      The IEEE-ratified 802.1x, which provides a framework for stronger user authentication and a centralized security management model, comprises three components: the supplicant, a client machine trying to access the wireless LAN; the authenticator, a Layer 2 device that provides the physical port to the network (such as an access point or a switch); and the authentication server, which verifies user credentials and provides key management.

      802.1x supports the use of an authentication server or a database service, including a Remote Authentication Dial-In User Service, or RADIUS, server; an LDAP directory; a Windows NT Domain; or Active Directory.

      The upper-layer authentication protocol used by 802.1x components is called EAP (Extensible Authentication Protocol). EAP is a challenge-response protocol that can be run over secured transport mechanisms such as TLS (Transport Layer Security) and TTLS (Tunneled TLS).

      EAP-TLS is a certificate-based protocol supported natively in Windows XP. Both the client and the authentication server require certificates to be configured during initial implementation.

      EAP-TTLS can be used to provide a password-based authentication mechanism. In EAP-TTLS implementations, only the authentication server is required to have a certificate.

      Cisco Systems Inc.'s proprietary LEAP (Lightweight EAP) was the first password-based authentication scheme available for WLANs. Cisco's Aironet AP supports LEAP and EAP-TLS.

      Encryption Boost

      Although 802.1x will help fix the static WEP key security issues, it is strictly an authentication standard and does not address the encryption weaknesses found in WEP. The Wi-Fi Alliance, working with the IEEE, has devised a security standard called WPA (Wi-Fi Protected Access) that will reach the product certification stage this year.

      WPA uses 802.1x for authentication but adds a stronger encryption element from the 802.11i draft called TKIP (Temporal Key Integrity Protocol). TKIP addresses all the known deficiencies in the WEP algorithms but maintains backward compatibility with legacy 802.11 hardware.

      TKIP works like a “wrapper” around WEP, adding multiple enhancements to the WEP cipher engine. TKIP extends the IV (initialization vector) from 24 bits in WEP to 48 bits to address replay attacks. The IV is the per-packet value that, combined with the key, drives the encryption of the data in a packet.

      Extending the IV to 48 bits greatly increases the number of possible shared keys, to protect against replay attacks. Some vendor implementations of WEP use the same IV for all packets for the lifetime of the connection or rotate the IV in a predictable manner. TKIP uses better sequencing rules to ensure that the IV cannot be reused even if an intruder has captured it.

      WPA also adds a Message Integrity Code (MIC), a cryptographic checksum that protects against forgery attacks.

      The transmitter of a packet adds about 30 bits (the MIC) to the packet before encrypting and transmitting it. The recipient decrypts the packet, recomputes the MIC with the MIC function and compares it with the received value before accepting the packet. If the MIC doesn't match, the packet is dropped.

      Having the MIC ensures that modified packets will be dropped and attackers won't be able to forge messages to fool network devices into authenticating them.

      Per-packet key mixing of the IV prevents weak key attacks. A new key derivation scheme helps to minimize the amount of information gained on a successful forgery attempt.

      With TKIP implemented on both the access point and all client devices, a different key is generated to encrypt each new packet. This ensures that attackers who have captured IVs cannot predict the base WEP key.
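      The three TKIP mechanisms described above (a 48-bit sequence counter that must strictly increase, a keyed MIC that causes modified packets to be dropped, and a per-packet key mixed from the base key) as an added Python illustration that is not part of the original article. It assumes SHA-256 and HMAC as stand-ins for TKIP's real key-mixing function and Michael MIC, and the keys and transmitter address used in the test are constructed values.

```python
import hashlib
import hmac

# Added illustration of the TKIP structure (48-bit TSC, per-packet key, keyed
# MIC, replay check); SHA-256/HMAC stand in for TKIP's mixing and Michael MIC.

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: the engine WEP uses and TKIP wraps."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def per_packet_key(base_key: bytes, ta: bytes, tsc: int) -> bytes:
    """Fresh 128-bit RC4 key from base key, transmitter address and TSC."""
    return hashlib.sha256(base_key + ta + tsc.to_bytes(6, "big")).digest()[:16]

def mic(mic_key: bytes, ta: bytes, tsc_bytes: bytes, payload: bytes) -> bytes:
    """Keyed integrity tag over address, sequence counter and payload."""
    return hmac.new(mic_key, ta + tsc_bytes + payload, "sha256").digest()[:8]

def protect(base_key, mic_key, ta, tsc, payload):
    """Sender: append the MIC, then encrypt payload+MIC under the per-packet key."""
    tsc_bytes = tsc.to_bytes(6, "big")
    tag = mic(mic_key, ta, tsc_bytes, payload)
    return tsc_bytes + rc4(per_packet_key(base_key, ta, tsc), payload + tag)

class Receiver:
    """Receiver: drop replayed TSCs, decrypt, verify the MIC, then accept."""
    def __init__(self, base_key, mic_key, ta):
        self.base_key, self.mic_key, self.ta = base_key, mic_key, ta
        self.last_tsc = -1  # highest TSC accepted so far

    def accept(self, frame: bytes):
        tsc_bytes, tsc = frame[:6], int.from_bytes(frame[:6], "big")
        if tsc <= self.last_tsc:
            return None, "replay"  # the counter must strictly increase
        plain = rc4(per_packet_key(self.base_key, self.ta, tsc), frame[6:])
        payload, tag = plain[:-8], plain[-8:]
        if not hmac.compare_digest(tag, mic(self.mic_key, self.ta, tsc_bytes, payload)):
            return None, "bad mic"  # modified in transit: drop the packet
        self.last_tsc = tsc
        return payload, "ok"
```

A replayed frame is refused on the counter alone, and a frame whose ciphertext was altered in transit fails the MIC without advancing the counter.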

      Although WPA brings a welcome boost to WLAN security, many view it as a temporary fix because future 802.11 equipment will likely use the Counter Mode with CBC-MAC Protocol, or CCMP, which is also a part of the 802.11i draft. CCMP uses AES (Advanced Encryption Standard) to provide even stronger encryption. However, AES requires a good amount of processing power—which likely means upgrading hardware to see optimal performance—and is not designed for backward compatibility.

      Certification of the new security enhancements in the 802.11i standard is just starting, and Wi-Fi products supporting WPA will make their way slowly to market this year.

      Technical Analyst Francis Chu can be reached at [email protected].

      Web Resources

      • Security of the WEP algorithm www.isaac.cs.berkeley.edu/isaac/wep-faq.html
      • 802.11i draft and call for interest on link security for IEEE 802 networks grouper.ieee.org/groups/802/linksec/meetings/MeetingsMaterial/Nov02/halasz_sec_1_1102.pdf
      • 802.1x: port-based network access control www.ieee802.org/1/pages/802.1x.html
      • Open-source implementation of 802.1x open1x.sourceforge.net/