Replacing WEP for Wireless Security
i.r.id10t writes "Over at infoworld.com they have an article about how the organization that certifies wireless LAN products under the Wi-Fi name revealed new specifications Thursday for how vendors should make their products more secure. The guidelines call for new mechanisms to replace the current security system, based on WEP, which has come under fire for being too easy to circumvent. The certification body, Wi-Fi Alliance, plans to lay the mechanisms out as optional features beginning in February and require them for Wi-Fi compliance about six months later, said Dennis Eaton, chairman of the Wi-Fi Alliance."
I found a few places, like this, that say either is OK:
But Google finds over 20 times as many hits on "Wired Equivalent Privacy," so that's the de facto winner. I'm guessing "Wireless Encryption Protocol" is just such a good expansion of the acronym that it's sprouted up all by itself. That's actually what I had understood "WEP" to mean until 10 minutes ago. :)
Which I always took to mean "this is just as secure as if you had a wired network jack sitting out in the street which anyone who found it could use to connect to your network."
This does seem to be a reasonably accurate description of the security level, and this is how I explain it to the execs here who want to set up wireless at home.
Have you read the Moderator Guidelines yet?
I've found that most manufacturers get around the current WEP issues by using a method called weak key avoidance. This doesn't use a sequential init vector, therefore rendering the attack invulnerable to things such as airsnort.
However, Cisco APs won't do that with my Orinoco cards. Orinoco APs won't do that with Cisco cards. Which is why I'd welcome some sort of standard "WEP plus" method implemented across the board. As each manufacturer implemented their own weak key avoidance algorithm via a firmware update on the cards and the AP itself, it should be a trivial task to implement a standard method, assuming the WiFi standards group doesn't make any stupid mistakes and require more powerful hardware. Wireless has been the hot technology lately; educational institutions have been the big users of this technology, so the last thing they'll want to do is shell out hundreds of thousands of dollars for another 100 access points (in the case of Monash here in Melbourne).
Also remember that WEP 128 (RC4) is NOT part of the Wi-Fi standard! I think they should address this one while they're at it as well.
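An added sketch of what "weak key avoidance" in the comment above can look like on the sender side (not the poster's code and not any vendor's firmware): a sequential 24-bit IV source that skips the classic Fluhrer-Mantin-Shamir weak IV pattern. The class and function names, the big-endian counter-to-IV mapping and the 13-byte key length are assumptions made for illustration.

```python
KEY_LEN = 13  # assumed 104-bit secret key ("128-bit WEP"); 5 for 40-bit WEP


def is_fms_weak(iv: bytes, key_len: int = KEY_LEN) -> bool:
    """True for the classic FMS pattern (B+3, 255, X), where B is the
    index of a secret key byte (0 .. key_len-1) and X is any value."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len


def usable_ivs(key_len: int = KEY_LEN) -> int:
    """Number of distinct IVs left per key once the pattern is filtered out."""
    return (1 << 24) - key_len * 256


class FilteredIVCounter:
    """Hypothetical sender-side IV source: counts up, skips FMS-weak IVs."""

    def __init__(self, start: int = 0, key_len: int = KEY_LEN):
        self.counter = start
        self.key_len = key_len
        self.skipped = 0

    def next_iv(self) -> bytes:
        while True:
            iv = self.counter.to_bytes(3, "big")
            # The counter still wraps at 2**24: filtering does not stop IV reuse.
            self.counter = (self.counter + 1) % (1 << 24)
            if not is_fms_weak(iv, self.key_len):
                return iv
            self.skipped += 1


if __name__ == "__main__":
    gen = FilteredIVCounter(start=0x03FEFF)  # constructed starting point
    print(gen.next_iv().hex(), gen.next_iv().hex(), gen.skipped)
    print(usable_ivs())
```

Skipping these values removes only this one IV class; the 24-bit IV space still wraps after `usable_ivs()` frames under a single key.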
You haven't tried an Orinoco setup then. They ship by default with WEP turned on and with the latest drivers they avoid the weak keys problems of WEP. A very nice setup, even out of the box, for your average user.
WEP can never be a "good enough" security protocol
If you are going to quote me, do so in context. What I said was:
"WEP would be a 'good enough' security protocol for the average application..."
The key phrase here is "for the average application". Meaning, home LAN, small business, or anything where high security is not a tantamount concern. WEP is "good enough" to provide a reasonable level of deterrence against the casual intruder. Is WEP an end-all-be-all security panacea? No. And I don't think anyone said it was, least of all me.
This article doesn't really give the whole story..
WPA is a renaming of SSN. This is based around a scheme called TKIP (temporal key integrity protocol).
TKIP attempts to wrap WEP in mechanisms to address all the currently known attacks against WEP. This is with the express intention of allowing it to be provided as a software upgrade to existing hardware.
TKIP does not attempt to be super secure. It does various bad things from a cryptographic standpoint. It is just that exploits haven't been discovered yet.
The mechanisms of TKIP are:
1) Key and IV mixing. The IV and the key are cryptographically mixed to avoid weak key attacks.
2) Longer IV. The IV is 48 bits, not 24. Preventing Key/IV pair reuse.
3) An MSDU level MAC (Message Authentication Code) called a MIC (to avoid overloading the term MAC). This gives proper message authentication and replay protection. The WEP ICV fails badly in this respect.
4) An 802.1x derived protocol for mutual STA-AP and AP-STA authentication and key distribution.
Things to keep in mind are..
1) TKIP fails in its goal to be backwards compatible with some existing hardware. It will not work on some manufacturers' equipment, since they cannot insert the mixed key into the system at a point to replace the RC4 WEP seed.
2) This is a stopgap to hold out until real security can be provided via 802.11i, using some mode of AES.
3) It is not using vanilla 802.1x. The 802.1x spec has been rewritten in places to provide for the needs of 802.11. So it is not enough to just read 802.1x. You also need to be aware of the as yet unpublished changes in 802.1aa and 802.11i.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
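An added illustration of mechanisms 2 and 3 in the comment above (not code from the poster or from any vendor): a receiver that rejects tampered and replayed frames using a keyed tag and a 48-bit counter, next to a check of the CRC-32 property that makes WEP's ICV unsuitable for authentication. HMAC-SHA256 stands in for TKIP's own MIC algorithm, the frame layout and all names are assumptions, and encryption is left out.

```python
import hashlib
import hmac
import zlib


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """WEP's ICV is CRC-32, which obeys crc(a^b) == crc(a)^crc(b)^crc(0..0)
    for equal-length inputs, so it cannot authenticate under an XOR cipher."""
    x = bytes(i ^ j for i, j in zip(a, b))
    return zlib.crc32(x) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(bytes(len(a)))


def mic(mic_key: bytes, tsc: int, payload: bytes) -> bytes:
    """Keyed 8-byte tag. HMAC-SHA256 is a stand-in, not TKIP's MIC algorithm."""
    msg = tsc.to_bytes(6, "big") + payload
    return hmac.new(mic_key, msg, hashlib.sha256).digest()[:8]


def build_frame(mic_key: bytes, tsc: int, payload: bytes) -> bytes:
    """Assumed layout for this example: 48-bit counter | payload | tag."""
    return tsc.to_bytes(6, "big") + payload + mic(mic_key, tsc, payload)


class Receiver:
    """Accepts a frame only if the tag verifies and the counter moved forward."""

    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_tsc = -1

    def accept(self, frame: bytes) -> str:
        if len(frame) < 14:
            return "malformed"
        tsc = int.from_bytes(frame[:6], "big")
        payload, tag = frame[6:-8], frame[-8:]
        # Tag is checked first, so a forged frame can never advance the counter.
        if not hmac.compare_digest(tag, mic(self.mic_key, tsc, payload)):
            return "mic-failure"
        if tsc <= self.last_tsc:
            return "replay"
        self.last_tsc = tsc
        return "ok"


if __name__ == "__main__":
    key = b"constructed-mic-key"  # sample value constructed for this example
    rx = Receiver(key)
    frame = build_frame(key, 1, b"hello")
    print(rx.accept(frame), rx.accept(frame))
    print(rx.accept(frame[:6] + b"jello" + frame[-8:]))
    print(crc_is_affine(b"hello", b"\x02\x00\x00\x00\x00"))
```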
Last company I worked for shut down the entire WLAN service corporate-wide when a loophole was found. It took MONTHS to get it back to service, still with WEP.
Really, really. It is not that hard. Consider anything wireless to be untrusted, and require that they establish a VPN connection to your wired network. Set the clients to not accept any communications from outside this VPN. This technology has existed seemingly forever and IS tried and true.
A Technical Comparison of TTLS and PEAP
ZDNet also has a good overview of the proposed solutions.