IEEE Approves 802.11i
Dozix007 writes "IEEE has approved a new wireless security protocol dubbed 802.11i, intended to finally provide sufficient security for wireless connections that users don't need to rely on alternate security layers. The new specification works by using AES encryption in the transceiver itself, encrypting data directly at the level just above the actual radio pulses themselves. That makes it transparent for applications sending data through the radio, so legacy programs running on new 802.11i-compliant hardware will automatically get the benefits of the new protocol without the need for modification."
Or can I do a firmware upgrade on my Linksys WRT54GS?
$$$$ Dude.
"sufficient" security- hahahahah history teaches us nothing apparently
I browse at +5 Flamebait- moderation for all or moderation for none.
Hopefully the approval of the standard will reel in the multiple competing vendor solutions that have been out there. From Cisco's LEAP to TKIP (aka WEP2), most still would not encrypt things like the MAC address or ESSID. For companies who are actually security-minded and wouldn't deploy wireless without a truly secure standard, this should be their open door to some real mobility.
:)
Now if only I can convince my employer so I can use Trillian to get me through those boring meetings.
What happened to 802.11h? Was it brushed under the rug by the NSA? The CIA? The Bush family?
Get out the tin foil hats boys, this is a big one.
Now try explaining to regular people the difference between a/b/i/g/x and which ones work together, which ones don't and why.
I hope the guys at Best Buy are up to speed to direct the consumers!
Here you go. Pirate radio, on the cheap!
I hope this means that everybody is respecting my patent for 802.11h--which is, of course, packet transmission by horsepack. We are also trying to teach dolphins... the squeaks are tough to error correct. :(
The i is for incryption! [groan]
Hey, if you don't think anyone makes that spelling mistake, check out this link!
Is there any news on if this will be available as a firmware update for existing equipment? Or will our access points not have the required processing power to handle it?
If that's the case, running a VPN over the wireless may still be the best option.
Douglas P. Price
IANA wireless expert, but isn't one of the annoying gotchas of 802.11g that the presence of a B client drops all connected nodes down to B speeds?
If I'm remembering that right, then what you're experiencing may not be a lack of standards uptake -- you could be connecting to a ton of 802.11g stations, but somebody's got a B card running.
I know some seamless integrated security is better than having it tacked on afterward. I've always felt that if folks trusted a default security layer to be perfect, they will get burned when the default layer is broken. You should always have application encryption of important data. You shouldn't just trust that your pipe will be encrypted. Sometimes those pipes get used by unauthorized third parties; that's when having everything else encrypted comes in handy. I'm just afraid folks will switch to the 802.11i and not bother to encrypt any of their data.
That makes it transparent for applications sending data through the radio, so legacy programs running on new 802.11i-compliant hardware will automatically get the benefits of the new protocol without the need for modification.
And exactly 0% of the hardware will be backwards compatible. Who trusts data privacy flying across a network anyway? Isn't that what we have VPN, SSH, HTTPS, etc. for? IMHO we have more things to concern ourselves with, like interference countermeasures, signal efficiency, etc. Who is going to switch to a new hardware platform just because it offers a different (read: not necessarily better) encryption method?
More security and more awareness for security means that I won't be able to leech off my neighbor's wireless and in turn that means I will not be able to sit on the toilet with my PowerBook and in turn that means I will have to stretch Ethernet clear across into the bathroom and THAT can create a fire hazard.
Need I say more.
The next comment I write will be ready soon, but subscribers can beat the rush and see it early!
...because once we get to 802.11l we're really going to be screwed and never mind the marketing nightmares.
/."
Sample tech support email exchange
"I'm having problems with my 802.11l wireless router"
"Did you say 802.111?"
"No, 802.11l"
"That's what I said"
"No, you said 802.111, that's not due out til next month according to
"Sorry sir, so you have our 802.11/. router?"
"Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
Perhaps.
However, you do have to remember that a lot of classified information that would result in really major problems for many governments travels, encrypted, over the airwaves, on a regular basis. A cryptosystem isn't called secure unless it can't be broken in a reasonable amount of time, even if the bad guy knows your algorithm, and even if the bad guy is able to observe your transmissions.
Basically, what the entire WEP debacle has shown is that when you are transmitting over the airwaves, the importance of secure encryption increases. And that if you are going to make a widespread standard for encryption, you had better check it out with some folks who know encryption first.
Gentoo Sucks
What the hell am I supposed to do at Starbucks now if I can't sit around and sniff wirelessness?? Read the newspaper?!?!?!
Did anyone else notice that there was no mention of key management? Who cares what algorithm it uses if there isn't secure key management. AES is a good choice for the encryption algorithm, but it might as well be plaintext if the key management isn't handled properly.
Is the key negotiated as part of the protocol? How is that exchange authenticated? How is access control done? Can anyone enter the network?
Does it use a pre-placed key? How do you make sure the AP has every client's key? Can you access the AP without encryption? Do users have to type keys in?
You can't just say oh, it uses AES. AES is a symmetric cipher, which implies that there is a shared session key.
How do the nodes generate and exchange a shared session key? Or do you have to enter an AES key manually before you even hook up? That would certainly lock down the node!
It would be nice if someone posted a link explaining at a medium level how it actually works. I don't want to just go read a draft of the standard, but I wouldn't mind reading a few of the important details.
MM
--
By including this sig, the copyright holders of this work or collection unreservedly place it in the public domain.
Apple announced its own version, called i802.11
How is that a stop-gap? IPSec has one purpose: to protect IP traffic data over an insecure link. Sounds like it fits right into the wifi game. And given that it's a proven standard with many interoperable implementations, it still strikes me as an excellent option for people who wish to secure their wireless transmissions. This is especially true given that 802.11i won't be fully adopted in the market place for at least a year or two.
Besides, there are *many* issues regarding security aside from the wire protocol. As one other poster mentioned, key management is one of these issues. How does 802.11i deal with this? I know IPSec has many different solutions available for key management, meaning I can make it fit into my network infrastructure. How does 802.11i fit into this picture?
AES, like DES and 3DES, is a public algorithm and was subject to extensive peer review prior to adoption by the US government. (It's not a US algorithm; the original name was Rijndael). It was chosen for key length, security and efficiency of the algorithm and memory footprint among other things.
While this doesn't guarantee the security, it certainly improves the chances of it being as secure as possible. AFAIK, DES/3DES, a 20+ year old algorithm is still only vulnerable to brute force attacks.
The real fear here -- as in any encryption system -- is the security of the key handling protocol. It's TKIP not AES that'll be the key to the security of 802.11i.
I have a netgear wireless router that does G and B. It can handle both at the same time just fine, and does not drop the G down to B speeds if there is a B client. :)
Maybe some routers do this, honestly I wouldn't be surprised, but I'm just letting you know that mine doesn't.
Joseph?
Although it is correct that it was not invented by Americans, the term "Rijndael" is not a foreign word. It is simply a contraction of the names of the two inventors: Vincent Rijmen and Joan Daemen.
Yes, it does solve this problem. Since every wireless client (insider as you call it) is using a different key, one client can't decrypt another's traffic.
The key is negotiated at authentication time and is valid only for the given client and session. Without the client's authentication credential (certificate or otherwise), you can't get a hold of the key.
If you want to keep your wireless network secure, tie MAC addresses to IP addresses, and presto!
Presto, you're screwed? What keeps a "baddie" from sniffing your traffic, waiting until you're not on, then changing his MAC address to be the same as yours? Oh, gee... I guess that doesn't buy you very much, either.
Even if it did, that still doesn't keep them from *sniffing* your network. Any data you transmit, they have. Just checked your email? Chances are they have your password. And all of those pictures that your girlfriend sent to you in those pictures. And those are just benign examples.
Putting encryption at this level is useless because secure communication with e.g. a webserver still requires that I encrypt over HTTPS
Until *every* protocol that goes over your network has reliable encryption, then this is still useful.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
Stupid admins can mess anything up.
IEEE 802.11i uses AES, which is not a public key algorithm, but it does provide for a key exchange process which can be based on public key cryptography (but doesn't have to be).
As for hiding the SSID, I question the accuracy of the article. It doesn't tally with what I've read about 802.11i over the last year. I don't think 802.11i provides for encryption of the entire frame any more than WEP or WPA does, and AFAIK it doesn't provide any security for management frames, so the SSID should still be in the open.
MAC-based authentication is useless for deterring a serious attacker, but 802.11i provides for 802.1x port-based authentication, which typically will operate at the user level.
Although 802.11i provides for generating the master key on-the-fly, I suspect that many installations (especially home networks) will use pre-shared keys, which are usually hashed passwords and thus vulnerable to dictionary attacks.
The HostAP driver does encryption in software.
My home server is (among other things) a wireless access point. The card I have is a few years old and doesn't support WEP at all, but thanks to this driver it does! In fact it also supports a bunch of other security features for encryption and authentication, which I have not delved into.
That said, it sounds like this new encryption may be at a lower level, which for all I know may necessitate new firmware.