Slashdot Mirror


"Fast Packet Keying" Improvements to WEP

Weedstock writes: "BBC Tech News has an article about the latest development in wireless networking security. It seems that RSA Security has improved the encryption system used by the protocol. Will this new update finally make wireless networking secure? You can also find a list of papers about wireless security issues here." RSA has a press release about their changes to WEP being accepted by the 802.11 committee.

3 of 88 comments

  1. Fast packet keying again? by tempmpi · · Score: 4, Redundant

    http://slashdot.org/article.pl?sid=01/12/17/1853206&mode=thread

    --
    Jan
  2. not that secure by xtp · · Score: 5, Informative

    The press releases are designed to soothe security-minded corporate customers and disguise the remaining technical issues with WEP, such as
    1. the key-mixing technique was diluted in strength so that the overhead of firmware upgrades would be acceptable. The "improved" technique has been changed a few times as weaknesses were discovered. It is quite possible that the new WEP can be cracked as thoroughly as the original.
    2. the key-mixing technique requires that a new temporal key be set up every 16K packets - a sign of weakness. The 802.1X procedures for setting up the temporal keys have not been finalized and contain weaknesses.
    3. it is debatable whether the 802.1X temporal key procedures, once finalized, will be practical at higher PHY rates of 802.11g or 802.11a since the rate of temporal key updates must be greater than the lower rates needed for 11b.

    It is more foolproof to rely on IPSEC as other posters observe. The argument against IPSEC and for wireless link crypto is based on the perceived overhead of forcing everything on an internal enterprise network to run IPSEC so that the wireless subnet can be secure. For SOHO setups this should not be an issue.

    1. Re:not that secure by hawkfan · · Score: 5, Interesting

      The argument against IPSEC and for wireless link crypto is based on the perceived overhead of forcing everything on an internal enterprise network to run IPSEC so that the wireless subnet can be secure.

      Using IPSEC on the wireless network only requires the wireless stations and a gateway to run IPSEC. The IPSEC gateway acts like a normal router to the rest of the network. You can even do transparent gatewaying based on proxy-arp.
      Our laptops use 802.11b cards without WEP and 2 Linux machines with Prism2-based cards operating in HostAP mode. One AP handles the encryption and allows handoff to the other via proxy-arp depending on which AP has the link to a particular station on their own wired subnet. The primary AP acts as a router to the rest of the unencrypted wired LAN. All the stations on the wireless LAN are configured to drop all but the IPSEC traffic. This not only protects against spoofing and hijacking on the wireless LAN but also gives strong encryption to the traffic.
      After the pleasant experience I had with Freeswan on the wireless network I'm considering bringing IPSEC to the rest of the wired network.
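The "drop all but the IPSEC traffic" policy from the comment above, written out as a frame classifier. This is an added example, not part of the thread or hawkfan's configuration. The allow-list (ARP, ESP, AH, and IKE on UDP port 500), the function names and the sample frames are assumptions made for illustration.

```python
import struct

# Assumed allow-list; the comment itself only says "all but the IPSEC traffic".
ETH_IPV4, ETH_ARP = 0x0800, 0x0806
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
IKE_PORT = 500  # IKE key exchange, needed to negotiate the ESP tunnel

def verdict(frame: bytes) -> str:
    """Return "ACCEPT" or "DROP" for one Ethernet II frame."""
    if len(frame) < 14:
        return "DROP"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP:  # address resolution, which proxy-arp relies on
        return "ACCEPT"
    ip = frame[14:]
    if ethertype != ETH_IPV4 or len(ip) < 20 or ip[0] >> 4 != 4:
        return "DROP"
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return "DROP"
    proto = ip[9]
    if proto in (PROTO_ESP, PROTO_AH):
        return "ACCEPT"
    # Only a first fragment carries the UDP header; later ones are dropped.
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if proto == PROTO_UDP and frag_offset == 0 and len(ip) >= ihl + 4:
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        if dport == IKE_PORT:
            return "ACCEPT"
    return "DROP"

def sample_frame(ethertype, proto=0, dport=0, frag_offset=0) -> bytes:
    """Build a constructed test frame (made-up addresses, checksums left 0)."""
    eth = bytes.fromhex("020000000001" "020000000002") + struct.pack("!H", ethertype)
    if ethertype != ETH_IPV4:
        return eth + bytes(28)
    l4 = struct.pack("!HH", 40000, dport) + bytes(16)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag_offset,
                     64, proto, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return eth + ip + l4

if __name__ == "__main__":
    for name, f in [("ARP", sample_frame(ETH_ARP)),
                    ("ESP", sample_frame(ETH_IPV4, PROTO_ESP)),
                    ("IKE", sample_frame(ETH_IPV4, PROTO_UDP, 500)),
                    ("DNS", sample_frame(ETH_IPV4, PROTO_UDP, 53)),
                    ("HTTP", sample_frame(ETH_IPV4, 6, 80))]:
        print(name, verdict(f))
```

With this policy, cleartext traffic from an unauthenticated wireless peer never reaches a station's services; only the IKE daemon and the IPsec stack see packets from the air.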