Slashdot Mirror

← Back to Stories (view on slashdot.org)

Replacing WEP for Wireless Security

Posted by michael on from the ha-ha,-he-said-wireless-security dept.

i.r.id10t writes "Over at infoworld.com they have an article about the organization that certifies wireless LAN products under the Wi-Fi name revealed new specifications Thursday for how vendors should make their products more secure. The guidelines call for new mechanisms to replace the current security system, based on WEP, which has come under fire for being too easy to circumvent. The certification body, Wi-Fi Alliance, plans to lay the mechanisms out as optional features beginning in February and require them for Wi-Fi compliance about six months later, said Dennis Eaton, chairman of the Wi-Fi Alliance."

11 of 79 comments (clear)

  1. WEP? by mgibbs · · Score: 5, Insightful
    From the article:
    The guidelines call for new mechanisms to replacement the current security system, based on WEP (Wireless Encryption Protocol), which has come under fire for being too easy to circumvent.

    The last I checked, WEP stood for Wired Equivalent Privacy. Has to make you wonder how technically accurate the rest of the article is...

    1. Re:WEP? by jamie · · Score: 5, Informative
      "The last I checked, WEP stood for Wired Equivalent Privacy."

      I found a few places, like this, that say either is OK:

      What Type of Security is Available?

      WEP (Wired Equivalent Privacy a.k.a. Wireless Encryption Protocol) is data encryption defined by the 802.11 standard that was designed to prevent access to the network...

      But Google finds over 20 times as many hits on "Wired Equivalent Privacy," so that's the de facto winner. I'm guessing "Wireless Encryption Protocol" is just such a good expansion of the acronym that it's sprouted up all by itself. That's actually what I had understood "WEP" to mean until 10 minutes ago. :)

  2. why don't they realize by Allaria · · Score: 5, Insightful

    That trying to base wireless security on wired security will not work. There will always be a workaround if WEP is used/based on. The only way you're going to be able to secure wireless networks is through authorization and encryption. Tons of companies have already done this, and it seems to be transparent to them.

    --
    If a and b in c, and a can create b, and a can create a, and b can create b, and b cannot create a, then a created c.
  3. Secure by default by iiioxx · · Score: 5, Interesting

    I think it's great that wireless standards are expanding to include better security, but I think the real problem is with the way the products ship from the manufacturers. WEP would be a "good enough" security protocol for the average application, IF IT WAS USED CONSISTENTLY.

    But every wireless product I've ever used (and there have been a lot of them) shipped by default with WEP disabled, I guess to make it more plug-and-play. In my mind if you want to make wireless networking more secure, start by shipping the products with WEP enabled by default, and require the user to configure a unique SSID and WEP passphrase when they setup the equipment.

    I mean, you could have a rock-solid encryption protocol, but if nobody is using it... what's the point?

    1. Re:Secure by default by Build6 · · Score: 5, Insightful

      Actually, I don't think that's quite right. Having WEP on is "better" than not having it on, but the problem with WEP is that even with it on, with airsnort and enough traffic, the thing can be broken quite speedily. That's the whole point of the various papers published (e.g. by the CMU people) - WEP isn't "private" at all, provided someone out there WANTS to listen. Granted once you turn it on, assuming there's any other networks in range, anyone trying to "break in" will probably go for the low-hanging fruit.

      But what I want to say is, the other way of looking at what you say is this - if the manufacturers all ship with WEP on by default, the people using it would be lulled into a -false sense of security.

      (And if the manufacturers ship with WEP by default, then there'd be quite a few people leaving them on with the default keys... yet another problem).

  4. Compatibility by JoshuaDFranklin · · Score: 5, Interesting
    A task group within the IEEE... 802.11 working group... is now working on a tough new security standard called 802.11i. However, it isn't expected to ratify that standard until September 2003, so the Wi-Fi Alliance took a "snapshot" of 802.11i.

    Great! More non-standard possibly incompatible implementatins ahead.

    For home users, the eventual goal is to have the new security features activated out of the box
    This would actually help a lot, as long as "activated" doesn't mean "password set to 1234".

    This article also didn't say anything about vender support, especially whether all the existing 802.11b gear will get new firmware. This is a really big deal for someone like a Uni or Wireless ISP where students/customers are going to try to buy the cheapest stuff they can find and expect it to work.

  5. On the back page... by i0chondriac · · Score: 5, Funny

    Several comittee members of the Warchalk Standards Organization met today to hammer out a new standard for Warchalking. They claim that the current warchalking symbols are too easily recognized by the media and authorities, and leave little room for future expansion.

  6. Weak key avoidance/WEP Plus/etc by zardie · · Score: 5, Informative

    I've found that most manufacturers get around the current WEP issues by using a method called weak key avoidance. This doesn't use a sequential init vector, therefore rendering the attack invunerable to things such as airsnort.

    However, Cisco APs won't do that with my Orinoco cards. Orinoco APs won't do that with Cisco cards. Which is why I'd welcome some sort of standard "WEP plus" method implemented across the board. As each manufacturer implemented their own weak key avoidance algorithm via a firmware update on the cards and the AP itself, it should be a trivial task to implement a standard method, assuming the WiFi standards group doesn't make any stupid mistakes and require more powerful hardware. Wireless has been the hot technology lately, educational institutions have been the big users of this technology so the last thing they'll want to do is shell out hundreds of thousands of dollars for another 100 access points (in the case of Monash here in Melbourne).

    Also remember that WEP 128 (RC4) is NOT part of the Wi-Fi standard! I think they should address this one while they're at it as well.

  7. Stupid! by Anonymous Coward · · Score: 5, Interesting
    Wired equivalent privacy? You haven't sniffed an ethernet cable, have you?

    Don't trust the wire (or wireless). YOU DON'T HAVE TO!!!

    Why try to create new technology for this? The problem can be solved with technology OFF THE SHELF.

    Linksys makes a "VPN router" that uses IPSEC and 3DES for under $100. It works fine with windows 2000 ipsec and many many others. I use it with OpenBSD. Linksys also makes wireless access points. Combine the two devices! Problem solved.

    Now if linksys would combine the two devices into 1 box and write some clear documentation for the newbies, they would have a great product!

    Are you listening linksys? d-link? netgear?

    Hmmm. Maybe I should go patent this idea.

  8. This hasn't been explained well.. by TechyImmigrant · · Score: 5, Informative

    This article doesn't really give the whole story..

    WPA is a renaming of SSN. This is based around a scheme called TKIP (temporal key integrity protocol).

    TKIP attempts to wrap WEP in mechanisms to address all the currently known attacks against WEP. This is with the express intention of allowing it to be provided as a software upgrade to existing hardware.

    TKIP does not attempt to be super secure. It does various bad things from a cryptographic standpoint. It is just that exploits haven't been discovered yet.

    The mechanisms of TKIP are:
    1) Key and IV mixing. The IV and the key are cryptographically mixed to avoid weak key attacks.
    2) Longer IV. The IV is 48 bits, not 24. Preventing Key/IV pair reuse.
    3) An MSDU level MAC (Message Authentication Code) called a MIC (to avoid overloading the term MAC). This gives proper message authentication and replay protection. The WEP ICV fails badly in this respect.
    4) An 802.1x derived protocol for mutual STA-AP and AP-STA authentication and key distribution.

    Things to keep in mind are..
    1) TKIP fails in its goal to be backwards compatible with some existing hardware. It will not work on some manufacturers equipment, since they cannot insert the mixed key into the system at a point to replace the RC4 WEP seed.
    2) This is a stopgap to hold out until real security can be provided via 802.11i, using some mode of AES.
    3) It is not using vanilla 802.1x. The 802.1x spec has been rewritten in places to provide for the needs of 802.11. So it is not enough to just read 802.1x. You also need to be aware of the as yet unpublished changes in 802.1aa and 802.11i.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  9. People are still USING this Swiss Cheese? by CrystalFalcon · · Score: 5, Informative

    Last company I worked for shut down the entire WLAN service corporate-wide when a loophole was found. It took MONTHS to get it back to service, still with WEP.

    Really, really. It is not that hard. Consider anything wireless to be untrusted, and require that they establish a VPN connection to your wired network. Set the clients to not accept any communications from outside this VPN. This technology has existed seemingly forever and IS tried and true.