Windows Update Skimps on Wi-Fi Security Compliance

News Analysis: Microsoft's latest Windows XP update lacks full compliance with the WPA2 specification, adding to the confusing state of the WLAN enterprise market.

The confusion over Wi-Fi security certification and interoperability has moved into a new gear, with Microsoft shipping a Windows XP update that is not fully compliant with the latest wireless security specification.

Microsoft Corp.s update, released earlier this month, promised support for WPA2, aka Wi-Fi Protected Access 2, the newest wireless security specification approved by the IEEE.

However, security researchers quickly discovered that the update fell well short of full WPA2 compliance, a situation that adds to the confusing state of the WLAN (wireless LAN) market.

At the center of the latest hubbub is the Wi-Fi Alliance, the nonprofit group that handles the certification of WLAN gear. Back in April, the Alliance announced the addition of four EAP (Extensible Authentication Protocol) types to the WPA and WPA2 enterprise certification programs.

The new EAP types, all nonproprietary, are considered significant additions because of the way they fit into the 802.1x framework to support a range of diverse authentication mechanisms.

/zimages/1/28571.gifRead more here about Microsofts Windows XP update with limited support for WPA2.

The big problem, according to John Pescatore, Gartner Inc. research director for Internet security, started with the Wi-Fi Alliances refusal to differentiate between certifications that included the new EAP types.

"We have a situation where there are old and new certifications, all being called the same thing. [The Wi-Fi Alliance] refused to rename WPA2 when they added the new EAP types and now were in this grace period where two different types of certifications are being called the same thing," Pescatore said in an interview with Ziff Davis Internet News.

In the midst of this, along came Microsofts update, without the four new EAP types (EAP-TTLS/MSCHAPv2, PEAPv0/EAP-MSCHAPv2, PEAPv1/EAP-GTC and EAP-SIM). Only EAP-TLS, which was previously tested in WPA2, has been fitted into Microsofts free offering.

Because Microsoft shipped its update without the WPA2 revisions, enterprises using WLAN gear with those EAP types will run into problems. "A business using Cisco PEAP or gear with EAP SIM will not have native Microsoft support, even with this WPA2 update. They will have to go out and buy a third-party plug-in," Pescatore explained.

Pescatore, who is an NSA-certified cryptologic engineer, said the absence of a Microsoft WPA2 supplicant, or client software, has been one of several factors that have stalled adoption of the Wi-Fi Alliance certification program.

This update from Microsoft will help any customer satisfied with the WPA2 framework without the April revisions but businesses moving to the latest WPA2 framework will have to purchase additional software, Pescatore said.

"Between what the Wi-Fi Alliance did and what Microsoft chose to do, it just underscores and adds to the confusion. Microsoft would have been better off testing the additional four EAP types before coming out with a fully compliant piece of software," he argued.

/zimages/1/28571.gifClick here to read about conflicting views regarding the latest Wi-Fi standard.

In a statement sent to Ziff Davis Internet News, a Microsoft spokesperson insisted that the update provides support for the "highest level of standards-based wireless security available today."

"Microsoft will continue to evaluate new standards as they become available," he said, without addressing why the Wi-Fi Alliances revisions were not included.

By adding WPA2 support to its flagship operating system, Microsoft gets to market Windows XP Service Pack 2 with full FIPS 140-2 (Federal Information Processing Standard – Publication 140-2) support. FIPS 140-2 is a U.S. security standard used to certify cryptographic modules and is mandatory for some businesses.

But, as Gartners Pescatore wrote in a research note to clients, the software giants move fell short of industry expectations.

"Microsoft has not announced any timetable to synchronize its supplicant with the [revised] WPA2 specification. Furthermore, Microsoft has only hinted at a Windows Mobile supplicant, leaving enterprises to deal with a mixed-vendor environment across various categories of mobile devices," Pescatore added.

Now, infrastructure vendors will have to resubmit products for WPA2 testing to ensure that they operate with this new Microsoft supplicant. "Enterprises with the first WPA2 infrastructure [without the April additions] cannot automatically assume that the Microsoft supplicant will work problem-free without testing," he said.

Gartner recommends the new Microsoft Windows XP supplicant for businesses that require only the first WPA2 spec, as long as their WLAN infrastructure vendors support it.

Pescatore called on Microsoft to upgrade to WPA2 with the new WAP types across both the Windows and Windows Mobile platforms by the end of 2005. "Until then, vendors and end users alike will be faced with the added complexity of third-party add-on products," he argued.

Karen Hanley, senior director of marketing for the Wi-Fi Alliance, sidestepped the Gartner criticisms and argued that the April additions of new EAP types were not significant enough to justify a new name for the spec.

"Because of expectations that well be adding more EAP types going forward, we made a conscious decision not to rename it. Were saving something like WPA3 for new security capabilities and not for small testing extensions," Hanley said.

That decision, Pescatore said, contributes to the confusion that he believes will last well though the second half of 2006.

Gartner has recommended that enterprises push ahead with WLAN purchases regardless of WPA certification. "[S]elect the authentication approach that best matches your business, IT and security processes. Plan on performing your own interoperability testing before large-scale procurement and deployment rather than relying solely on vendor-driven certifications."

The Wi-Fi Alliances Hanley said businesses deploying WLAN networks should examine product certificates. "The certificates are pretty easy to read and they have the EAP types clearly listed. Regardless of what its called, enterprise users still have to refer to which EAP types have been tested with that specific product," she said.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.