Slashdot Mirror
IEEE Approves 802.11i
Dozix007 writes "IEEE has approved a
new wireless security protocol dubbed 802.11i, intended to finally
provide sufficient security for wireless connections that users don't
need to rely on alternate security layers. The new specification works
by using AES encryption
in the transceiver itself, encrypting data directly at the level just
above the actual radio pulses themselves. That makes it transparent for
applications sending data through the radio, so legacy programs running
on new 802.11i-compliant hardware will automatically get the benefits
of the new protocol without the need for modification."
Or can I do a firmware upgrade on my Linksys WRT54GS.
$$$$ Dude.
Oh no another wireless radio wave flying through the air! Oh well maybe I can pic up the internet if i tune my radio just right!
"sufficient" security- hahahahah history teaches us nothing apparently
I browse at +5 Flamebait- moderation for all or moderation for none.
Even if I is going to be the new wireless standard, there is going to be many years until it becomes it. G was supposed to become the new standard, and I am rarely in a situation where my Powerbook picks up a G signal.
Does anyone have any figures on how long between products get rolled out until inception in the digital world? I would be curious to see the timeliens of some products such as: 3.0megapixel cameras, DSL/Cable, 802.11b/g, etc.
GroupShares Inc. - A Free and Interactive Investment Community
-------
artlu.net
Hopefully the approval of the standard will reel in the multiple competing vendor solutions that have been out there. From Cisco's LEAP to TKIP (Aka WEP2), most still would not encrypt things like the MAC address or ESSID. For companies who are actually security-minded and wouldn't deploy wireless without a truely secure standard, this should be their open door to some real mobility.
:)
Now if only I can convince my employer so I can use Trillian to get me through those boring meetings.
What happened to 802.11h? Was it brushed under the rug by the NSA? The CIA? The Bush family?
Get out the tin foil hats boys, this is a big one.
Now try explainging to regular people the difference between a/b/i/g/x and which ones work together, which ones don't and why.
i hope the guys at best buy are up to speed to direct the consumers!
Here you go. Pirate radio, on the cheap!
I hope this means that everybody is respecting my patent for 802.11h--which is, of course, packet transmission by horsepack. We are also trying to teach dolphins... the squeaks are tough to error correct. :(
The i is for incryption! [groan]
Hey, if you don't think anyone makes that spelling mistake, check out this link!
Is there any news on if this will be available as a firmware update for existing equipment? Or will our access points not have the required processing power to handle it?
If thats the case, running a VPN over the wireless may still be the best option.
Douglas P. Price
IANA wireless expert, but isn't one of the annoying gotchas of 802.11g that the presence of a B client drops all connected nodes down to B speeds?
If I'm remembering that right, then what you're experiencing may not be a lack of standards uptake -- you could be connecting to a ton of 802.11g stations, but somebody's got a B card running.
I know some seemless intergrated security is better than having it tacked on afterward. I've always felt that if folks trusted a default security layer to be perfect, they will get burned when the defaul layer is broken. You should always have application encryption of important data. You shouldn't just trust that your pipe will be encrypted. Sometimes those pipes get used by unauthorized third parties that's when having everything else encrypted comes in handy. I'm just afraid folks will switch to the 802.11i and not bother to encrypt any of their data.
That makes it transparent for applications sending data through the radio, so legacy programs running on new 802.11i-compliant hardware will automatically get the benefits of the new protocol without the need for modification.
And exactly 0% of the hardware will be backwards compatible. Who trusts data privacy flying across a network anyway? Isnt that what we have VPN, SSH, HTTPS, etc. for? IMHO we have more things to concern ourselves with, like interference countermeasures, signal efficiency, etc. Who is going to switch to a new hardware platform just because it offers a different (read: not necessarily better) encryption method?
More security and more awareness for security means that I won't be able to leach off my neighbor's wireless and in turn that means I will not be able to sit on the toilet with my PowerBook and in turn that means I will have to stretch Ethernet clear across into the bathroom and THAT can create a fire hazard.
Need I say more.
The next comment I write will be ready soon, but subscribers can beat the rush and see it early!
...because once we get to 802.11l we're really going to be screwed and nevermind the marketing nightmares.
/."
Sample tech support eamil exchange
"I'm having problems with my 802.11l wireless router"
"Did you say 802.111?"
"No, 802.11l"
"That's what I said"
"No, you said 802.111, that's not due out til next month according to
"Sorry sir, so you have our 802.11/. router?"
"Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
Perhaps.
However, you do have to remember that a lot of classified information that would result in really major problems for many governments travels, encrypted, over the airwaves, on a regular basis. A cryptosystem isn't called secure unless it can't be broken in a reasonable amount of time, even if the bad guy knows your algorythm, and even if the bad guy is able to observe your transmissions.
Basicly, what the entire WEP debacle has shown is that when you are transmitting over the airwaves, the importance of secure encryption increases. And that if you are going to make a widespread standard for encryption, you had better check it out with some folks who know encryption first.
Gentoo Sucks
What the hell am I supposed to do at starbucks now If I can't sit around and sniff wirelessness??. Read the newspaper?!?!?!
Did anyone else notice that there was no mention of key management? Who cares what algorithm it uses if there isn't secure key management. AES is a good choice for the encryption algorithm, but it might as well be plaintext if the key managment isn't handled properly.
Is they key negotiated as part of the protocol? How is that exchange authenticated? How is access control done? Can anyone enter the network?
Does it use a pre-placed key? How do you make sure the AP has every clients key? Can you access the AP without encryption? Do users have to type keys in?
My router claims to be firmware-upgradeable to 802.11i/AES 'when the time comes,' but what about other stuff? If given the option, I would a sufficiently upgradeable AP or wireless NIC. It seems that only routers have enough CPU horsepower to spare to do be indefinitely upgradeable, but could I be wrong?
You know, the one that makes it that anyone on the wifi network can see all the other traffic?
I personally think a HUB is still a bad idea, even if the main transports are encrypted to the outside. The insider doesn't need to be able to see anyones traffic unless it's repeated to the target. It would be great if it was encrypted and acted like a switch.
I would still use my VPN with this.
"Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
You can't just say oh, it uses AES. AES is a symmetric cipher, which implies that there is a shared session key.
How do the nodes generate and exchange a shared session key? Or do you have to enter an AES key manually before you even hook up? That would certainly lock down the node!
It would be nice if someone posted a link explaining at a medium level how it actually works. I don't want to just go read a draft of the standard, but I wouldn't mind reading a few of the important details.
MM
--
By including this sig, the copyright holders of this work or collection unreservedly place it in the public domain.
That's essentially what's happening already. They settle on a standard, people adopt it. The trouble comes with the "go from there" part. Whenever you "go" anywhere new with a standard, the old stuff is non-compliant, thus requiring a new standard.
If a job's not worth doing, it's not worth doing right.
Apple anounced it's own version, called i802.11
How is that a stop-gap? IPSec has one purpose: to protect IP traffic data over an insecure link. Sounds like it fits right into the wifi game. And given that it's a proven standard with many interoperable implementations, it still strikes me as an excellent option for people who wish to secure their wireless transmissions. This is especially true given that 802.11i won't be fully adopted in the market place for at least a year or two.
Besides, there are *many* issues regarding security aside from the wire protocol. As one other posted mentioned, key management is one of these issues. How does 802.11i deal with this? I know IPSec has many different solutions available for key management, meaning I can make it fit into my network infrastructure. How does 802.11i fit into this picture?
Maybe I do not have enough knowledge to know shit about this, but it looks to me that this is a standard for encryption, and it obviously would be public key encryption, and transceivers would exchange public keys to talk.
While this clearly means that now no one can sniff the SSID, is this going to be any better for those who leave it at the default? And without any kind of MAC authentication or network protection at upper levels, would knowing the SSID the only difficult imposed against abuse of the network?
Not trolling, I just want to know if stupid admins can still mess this one up.
AES, like DES and 3DES is a public algorithm and was subject to extensive peer review prior to adoption by the US government. (It's not a US algorithm; the original name was Rijndael). It was chosen for key length, security and efficiency of the algorithm and memory footprint among other things.
While this doesn't guarantee the security, it certainly improves the chances of it being as secure as possible. AFAIK, DES/3DES, a 20+ year old algorithm is still only vulnerable to brute force attacks.
The real fear here -- as in any encrytion system -- is the security of the key handling protocol. It's TKIP not AES that'll be the key to the security of 802.11i.
I have a netgear wireless router that does G and B. It can handle both at the same time just fine, and does not drop the G down to B speeds if there is a B client. :)
Maybe some routers do this, honestly I wouldnt be surprised, but I'm just letting you know that mine doesn't.
Joseph?
From what I can read on the NIST 802.11 overview it's still not designed to protect identity.
Thus it will still not encrypt ESSID (used as a clue for what encryption credentials you need, NOT as a security measure) or the MAC address of the systems using it. (Page 29 of the above referenced article).
It's designed to address two of the three of the CIA principles, those being confidentiality and integrity of your data. Not to hide who is on the wireless network.
so, how exactly do you propose we do a separate physical wire over radio? and don't give me a set-frequency-per-endpoint response, because that doesn't address the scan-all-frequencies-and-listen approach.
i'm not trolling here, i'm really wondering.
09
... wrote the RFC using IPv5.
To utilize the (perhaps overused) broadcasting <-> speaking metaphor, assume that you have four people standing an equal distance apart from each other. If you say something to one, the others are going to hear it. Not much you can do about that. However, you can speak in code.
Freedom is the freedom to say that 2 + 2 = 4
Anyone ever heard of the end-to-end argument?
Putting encryption at this level is useless because secure communication with e.g. a webserver still requires that I encrypt over HTTPS, since my link to the server goes over more than just the wireless link. Thus, hardware AES only duplicates functionality. This is one of the premises of the end-to-end argument: put functionality at the highest layer possible to avoid duplication.
The argument that this is useful to keep "baddies" out of your network is weak, too. If you want to keep your wireless network secure, tie MAC addresses to IP addresses, and presto! no one can wardrive your wireless network. No, this is not perfectly secure, but you can secure yourself against a better-than-casual attacker by pushing the necessary authentication up to a higher layer. This approach is more flexible and doesn't require specialized hardware. Plus, when it's shown in five years that AES is breakable in faster than brute-force time, we don't need massive hardware (or firmware) upgrades; just apt-get install openswan.
802.11b should be a standard with the same scope as 802.3 (ethernet)---define the hardware link level and be done with it. Security at the link layer has been shown time and again to be worthless in even the best of cases. Rolling AES into the hardware spec of 802.11i is just window-dressing. The people who decided to do it should be beaten with a stick and forced to read the Saltzer paper until they recite it in their sleep.
(If you haven't read Saltzer's paper on the end-to-end argument, google should provide ample background.)
Although it is correct that it was not invented by Americans, the term "Rijndael" is not a foreign word. It is simply a contraction of the names of the two inventors: Vincent Rijmen and Joan Daemen.
Yes, it does solve this problem. Since every wireless client (insider as you call it) is using a different key, one client can't decrypt another's traffic.
The key is negotiated at authentication time and is valid only for the given client and sesion. Without the client's authentication credential (certificate or otherwise), you can't get a hold of the key.
I saw it on maximumpc, it's going to be introduced and it will be efficient at compression, making the real transportation faster than 100MBytes even at further distance. :D
The HostAP driver does encryption in software.
My home server is (among other things) a wireless access point. The card I have is a few years old and doesn't support WEP at all, but thanks to this driver it does! In fact it also supports a bunch of other security features for encryption and authentication, which I have not delved into.
That said, it sounds like this new encryption may be at a lower level, which for all I know may necessitate new firmware.
Just run IPSec over your network. Fixed.
I wouldn't really count Linksys on that bandwagon yet. They've been really good about keeping their firmware up to date even on old devices. If you have any of their "G" products and even some of the not-too-old 802.11b ones, they've provided updates that now include WPA instead of just WEP.
Linksys usually keeps their products updated to the latest capabilities within two years, and past that they still provide bug fixes.
This new encryption thing might be different and/or it might require new hardware or faster processors. Who knows. But if they can do it in software, you'll probably get it for nothing on your existing Linksys product.
- It's not the Macs I hate. It's Digg users. -
to finally provide sufficient security for wireless connections
There are two kinds of people working in these IEEE groups.
1. Seasoned engineers; and
2. Twits.
The former have from the beginning been clamouring for security. They were literally brushed off by the latter. The former will roll their eyes and tell you of how these twits use Windoze and LookOut and get infected all over the place and literally have no clue - and this is years ago, before Sasser and Blaster and Donner and Blixen...
How did they get in? Good question, next question. All security issues were shelved for the first standard...
And now? Now they're talking about 'finally' having security? These same morons?
Sorry - I have friends who've worked on all these standards and pulled their hair out all along, and I just don't trust the IEEE anymore if the pros are tired of trying. Make it secure? I won't believe it. I don't care enough to even try.
Unfortunately 802.11i isn't listed here yet, but here is a link to the full text of the other 802.11 standards. (Free, no registration required)
Bullshit. They drop support just about as soon as they can. I've got a first-gen WPA11 for which linksys never released a single firmware update and which never had a reliable driver. I've also got a WAP11 that's in the same boat. You may be confused by the fact that linksys generally keeps the same name when they change the chipset on their products. So they have updates for WAP11's, but only the very latest hardware rev of it. If you buy a linksys product consider it to be disposable.