Slashdot Mirror
IEEE Approves 802.11i
Dozix007 writes "IEEE has approved a
new wireless security protocol dubbed 802.11i, intended to finally
provide sufficient security for wireless connections that users don't
need to rely on alternate security layers. The new specification works
by using AES encryption
in the transceiver itself, encrypting data directly at the level just
above the actual radio pulses themselves. That makes it transparent for
applications sending data through the radio, so legacy programs running
on new 802.11i-compliant hardware will automatically get the benefits
of the new protocol without the need for modification."
Or can I do a firmware upgrade on my Linksys WRT54GS.
$$$$ Dude.
I'll believe it when I see it... and after it's been out in the open for at least a year for the world to try to hack it to pieces first. Anytime you broadcast any signal into the airwaves, you're handing its content on a silver platter to anyone with the equipment and know-how to receive and decode it.
Even if I is going to be the new wireless standard, there is going to be many years until it becomes it. G was supposed to become the new standard, and I am rarely in a situation where my Powerbook picks up a G signal.
Does anyone have any figures on how long between products get rolled out until inception in the digital world? I would be curious to see the timeliens of some products such as: 3.0megapixel cameras, DSL/Cable, 802.11b/g, etc.
GroupShares Inc. - A Free and Interactive Investment Community
-------
artlu.net
Hopefully the approval of the standard will reel in the multiple competing vendor solutions that have been out there. From Cisco's LEAP to TKIP (Aka WEP2), most still would not encrypt things like the MAC address or ESSID. For companies who are actually security-minded and wouldn't deploy wireless without a truely secure standard, this should be their open door to some real mobility.
:)
Now if only I can convince my employer so I can use Trillian to get me through those boring meetings.
Is there any news on if this will be available as a firmware update for existing equipment? Or will our access points not have the required processing power to handle it?
If thats the case, running a VPN over the wireless may still be the best option.
Douglas P. Price
Did anyone else notice that there was no mention of key management? Who cares what algorithm it uses if there isn't secure key management. AES is a good choice for the encryption algorithm, but it might as well be plaintext if the key managment isn't handled properly.
Is they key negotiated as part of the protocol? How is that exchange authenticated? How is access control done? Can anyone enter the network?
Does it use a pre-placed key? How do you make sure the AP has every clients key? Can you access the AP without encryption? Do users have to type keys in?
My router claims to be firmware-upgradeable to 802.11i/AES 'when the time comes,' but what about other stuff? If given the option, I would a sufficiently upgradeable AP or wireless NIC. It seems that only routers have enough CPU horsepower to spare to do be indefinitely upgradeable, but could I be wrong?
You know, the one that makes it that anyone on the wifi network can see all the other traffic?
I personally think a HUB is still a bad idea, even if the main transports are encrypted to the outside. The insider doesn't need to be able to see anyones traffic unless it's repeated to the target. It would be great if it was encrypted and acted like a switch.
I would still use my VPN with this.
"Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
so, how exactly do you propose we do a separate physical wire over radio? and don't give me a set-frequency-per-endpoint response, because that doesn't address the scan-all-frequencies-and-listen approach.
i'm not trolling here, i'm really wondering.
09
Anyone ever heard of the end-to-end argument?
Putting encryption at this level is useless because secure communication with e.g. a webserver still requires that I encrypt over HTTPS, since my link to the server goes over more than just the wireless link. Thus, hardware AES only duplicates functionality. This is one of the premises of the end-to-end argument: put functionality at the highest layer possible to avoid duplication.
The argument that this is useful to keep "baddies" out of your network is weak, too. If you want to keep your wireless network secure, tie MAC addresses to IP addresses, and presto! no one can wardrive your wireless network. No, this is not perfectly secure, but you can secure yourself against a better-than-casual attacker by pushing the necessary authentication up to a higher layer. This approach is more flexible and doesn't require specialized hardware. Plus, when it's shown in five years that AES is breakable in faster than brute-force time, we don't need massive hardware (or firmware) upgrades; just apt-get install openswan.
802.11b should be a standard with the same scope as 802.3 (ethernet)---define the hardware link level and be done with it. Security at the link layer has been shown time and again to be worthless in even the best of cases. Rolling AES into the hardware spec of 802.11i is just window-dressing. The people who decided to do it should be beaten with a stick and forced to read the Saltzer paper until they recite it in their sleep.
(If you haven't read Saltzer's paper on the end-to-end argument, google should provide ample background.)
Stupid admins can mess anything up.
IEEE 802.11i uses AES, which is not a public key algorithm, but it does provide for a key exchange process which can be based on public key cryptography (but doesn't have to be).
As for hiding the SSID, I question the accuracy of tha article. It doesn't tally with what I've read about 802.11i over the last year. I don't think 802.11i provides for encryption of the entire frame any more than WEP or WPA does, and AFAIK it doesn't provide any security for management frames, so the SSID should still be in the open.
MAC-based authentication is useless for deterring a serious attacker, but 802.11i provides for 802.1x port-based authentication, which typically will operate at the user level.
Although 802.11i provides for generating the master key on-the-fly, I suspect that many installations (expecially home networks) will use pre-shared keys, which are usually hashed passwords and thus vulnerable to dictionary attacks.
The HostAP driver does encryption in software.
My home server is (among other things) a wireless access point. The card I have is a few years old and doesn't support WEP at all, but thanks to this driver it does! In fact it also supports a bunch of other security features for encryption and authentication, which I have not delved into.
That said, it sounds like this new encryption may be at a lower level, which for all I know may necessitate new firmware.
The parent should be modded up. I'd add that you should be suspicious of key management carried out below the application layer. Even the submitter emphasizes the wrong point, IMNSHO, when he/she says that AES will be used to secure the connection. The choice of encryption algorithm is almost inconsequential because the world has plenty of good encryption algorithms, but the key management is the really difficult part. Designing a protocol is moderately difficult too (read Peter Gutmann's VPN rant to see some examples of poor protocols).
Bullshit. They drop support just about as soon as they can. I've got a first-gen WPA11 for which linksys never released a single firmware update and which never had a reliable driver. I've also got a WAP11 that's in the same boat. You may be confused by the fact that linksys generally keeps the same name when they change the chipset on their products. So they have updates for WAP11's, but only the very latest hardware rev of it. If you buy a linksys product consider it to be disposable.