Slashdot Mirror


IEEE Approves 802.11i

Dozix007 writes "IEEE has approved a new wireless security protocol dubbed 802.11i, intended to finally provide sufficient security for wireless connections that users don't need to rely on alternate security layers. The new specification works by using AES encryption in the transceiver itself, encrypting data directly at the level just above the actual radio pulses themselves. That makes it transparent for applications sending data through the radio, so legacy programs running on new 802.11i-compliant hardware will automatically get the benefits of the new protocol without the need for modification."

25 of 302 comments

  1. Ah Finally! by scosol · · Score: 4, Insightful

    "sufficient" security- hahahahah history teaches us nothing apparently

    --
    I browse at +5 Flamebait- moderation for all or moderation for none.
    1. Re:Ah Finally! by nazsco · · Score: 5, Funny

      encription in EVERY protocol layer and then some encription in the software, that's runing trhu ssh... so i can safely read my mail that i protected with my birtday as the password.

    2. Re:Ah Finally! by Kymermosst · · Score: 4, Funny

      encription in EVERY protocol layer and then some encription in the software, that's runing trhu ssh... so i can safely read my mail that i protected with my birtday as the password.

      I'd say your spelling problems provide enough encryption at the user level.

      --
      "Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
  2. It's about time... by Shoeler · · Score: 5, Interesting

    Hopefully the approval of the standard will reel in the multiple competing vendor solutions that have been out there. From Cisco's LEAP to TKIP (aka WEP2), most still would not encrypt things like the MAC address or ESSID. For companies who are actually security-minded and wouldn't deploy wireless without a truly secure standard, this should be their open door to some real mobility.

    Now if only I can convince my employer so I can use Trillian to get me through those boring meetings. :)

  3. Suspicious by gUmbi · · Score: 5, Funny

    What happened to 802.11h? Was it brushed under the rug by the NSA? The CIA? The Bush family?

    Get out the tin foil hats boys, this is a big one.

  4. awesome by joel2600 · · Score: 5, Insightful

    Now try explaining to regular people the difference between a/b/i/g/x and which ones work together, which ones don't and why.

    i hope the guys at best buy are up to speed to direct the consumers!

  5. 802.11h? by BoldAC · · Score: 4, Funny

    I hope this means that everybody is respecting my patent for 802.11h--which is, of course, packet transmission by horsepack. We are also trying to teach dolphins... the squeaks are tough to error correct. :(

  6. The i stands for... by calebb · · Score: 4, Funny

    The i is for incryption! [groan]

    Hey, if you don't think anyone makes that spelling mistake, check out this link!

  7. Is this really a good thing? by kabocox · · Score: 5, Insightful

    I know some seamless integrated security is better than having it tacked on afterward. I've always felt that if folks trusted a default security layer to be perfect, they will get burned when the default layer is broken. You should always have application encryption of important data. You shouldn't just trust that your pipe will be encrypted. Sometimes those pipes get used by unauthorized third parties; that's when having everything else encrypted comes in handy. I'm just afraid folks will switch to 802.11i and not bother to encrypt any of their data.

    1. Re:Is this really a good thing? by bloo9298 · · Score: 4, Interesting

      The parent should be modded up. I'd add that you should be suspicious of key management carried out below the application layer. Even the submitter emphasizes the wrong point, IMNSHO, when he/she says that AES will be used to secure the connection. The choice of encryption algorithm is almost inconsequential because the world has plenty of good encryption algorithms, but the key management is the really difficult part. Designing a protocol is moderately difficult too (read Peter Gutmann's VPN rant to see some examples of poor protocols).

  8. This is terrible news by piecewise · · Score: 4, Funny

    More security and more awareness for security means that I won't be able to leech off my neighbor's wireless and in turn that means I will not be able to sit on the toilet with my PowerBook and in turn that means I will have to stretch Ethernet clear across into the bathroom and THAT can create a fire hazard.

    Need I say more.

    --
    The next comment I write will be ready soon, but subscribers can beat the rush and see it early!
  9. Let's hope 802.11 stops soon by FerretFrottage · · Score: 4, Funny

    ...because once we get to 802.11l we're really going to be screwed and nevermind the marketing nightmares.

    Sample tech support email exchange
    "I'm having problems with my 802.11l wireless router"

    "Did you say 802.111?"

    "No, 802.11l"

    "That's what I said"

    "No, you said 802.111, that's not due out til next month according to /."

    "Sorry sir, so you have our 802.11/. router?"

    --
    "Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
  10. Re:Actually secure? by cmowire · · Score: 4, Insightful

    Perhaps.

    However, you do have to remember that a lot of classified information that would result in really major problems for many governments travels, encrypted, over the airwaves, on a regular basis. A cryptosystem isn't called secure unless it can't be broken in a reasonable amount of time, even if the bad guy knows your algorithm, and even if the bad guy is able to observe your transmissions.

    Basically, what the entire WEP debacle has shown is that when you are transmitting over the airwaves, the importance of secure encryption increases. And that if you are going to make a widespread standard for encryption, you had better check it out with some folks who know encryption first.

  11. Poor Starbucks by Anonymous Coward · · Score: 4, Funny

    What the hell am I supposed to do at Starbucks now if I can't sit around and sniff wirelessness??. Read the newspaper?!?!?!

  12. Key Management by provolt · · Score: 4, Interesting

    Did anyone else notice that there was no mention of key management? Who cares what algorithm it uses if there isn't secure key management. AES is a good choice for the encryption algorithm, but it might as well be plaintext if the key management isn't handled properly.

    Is the key negotiated as part of the protocol? How is that exchange authenticated? How is access control done? Can anyone enter the network?

    Does it use a pre-placed key? How do you make sure the AP has every client's key? Can you access the AP without encryption? Do users have to type keys in?

    1. Re:Key Management by DeathBunny · · Score: 4, Informative

      802.11i includes the 802.1x (i.e. EAP) authentication and key management included in WPA. It's a superset of WPA.

  13. OK, but how does it actually work by mamba-mamba · · Score: 4, Insightful

    You can't just say oh, it uses AES. AES is a symmetric cipher, which implies that there is a shared session key.

    How do the nodes generate and exchange a shared session key? Or do you have to enter an AES key manually before you even hook up? That would certainly lock down the node!

    It would be nice if someone posted a link explaining at a medium level how it actually works. I don't want to just go read a draft of the standard, but I wouldn't mind reading a few of the important details.

    MM

    --
    By including this sig, the copyright holders of this work or collection unreservedly place it in the public domain.
    1. Re:OK, but how does it actually work by j+h+woodyatt · · Score: 5, Informative

      I am a wireless expert.

      802.11i uses AES for privacy, HMAC-SHA1 for integrity, and it defines its own protocol for establishing transient unicast and group session keys. You can use it with a pre-shared master key (derived from a simple passphrase), or you can use it in conjunction with 802.1X and get per-user pairwise master keys derived from the authentication service.

      The Wi-Fi Alliance (I'm told) is calling 802.11i by the name WPA2. If you have hardware that supports the AES variant of WPA, then your vendor should be able to supply a firmware upgrade soon that will support WPA2.

      --
      jhw
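As an added illustration of the key hierarchy j+h+woodyatt describes (and the questions provolt raises in comment 12), not code from the original thread: the 802.11i passphrase-to-PMK derivation (PBKDF2-HMAC-SHA1, salted with the SSID) and the PRF-384 expansion of the pairwise master key into the per-session KCK/KEK/TK during the 4-way handshake, in Python. The passphrase, SSID, MAC addresses and nonces in the demo are constructed sample values.

```python
import hashlib
import hmac


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Pre-shared key as specified by 802.11i: PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 iterations, 256-bit output.
    In PSK mode this value is the pairwise master key (PMK)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... until nbits of output are available."""
    out = b""
    i = 0
    while len(out) < (nbits + 7) // 8:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise transient key from the 4-way handshake inputs: AP MAC (aa),
    station MAC (spa) and the two fresh nonces. The inputs are ordered
    min/max so both sides compute the same key regardless of role.
    PTK = PRF-384(PMK, "Pairwise key expansion", ...) split into
    KCK (EAPOL-Key MIC key), KEK (key-wrapping key) and TK (CCMP data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network or device.
    pmk = derive_psk("correct horse battery staple", "HomeNet")
    ap_mac = bytes.fromhex("00112233aabb")
    sta_mac = bytes.fromhex("00aabbcc1122")
    anonce = bytes(range(32))          # fresh random in a real handshake
    snonce = bytes(range(32, 64))
    keys = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    print("PMK:", pmk.hex())
    for name, k in keys.items():
        print(f"{name.upper()}: {k.hex()}")
```

Note that only the PMK is long-lived: the TK that actually drives AES-CCMP is regenerated from fresh nonces on every association, which is the part of "key management" the summary glosses over.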
  14. In related news... by genka · · Score: 4, Funny

    Apple announced its own version, called i802.11

  15. Re:Sure but does it require new equipment by spellraiser · · Score: 5, Informative

    Well, since encryption only involves standard processing, a firmware upgrade should be all that's required. Don't see any reason why a device would need to be created specifically for 802.11i. This is also interesting (taken from here):

    Cisco, one of the largest providers of enterprise APs, said AES is supported in hardware on the IEEE 802.11g versions of AP models 1100, 1200, and the newly announced 1300 outdoor AP/bridge. However, a software upgrade for those devices will be required. Software upgrades will also be available for 802.11a, b and g card-bus and NIC cards.

    Although they don't state it explicitly, it's a pretty fair bet that firmware upgrades for Linksys APs will be available at some point.

    --
    I hear there's rumors on the Slashdots
  16. Re:No by scd · · Score: 4, Informative

    The actual issue is that some of the 802.11 protocol has to be done at speeds that all possible connecting units can understand. What this amounts to is that 'handshaking' is done at B speeds to allow B units to communicate, while the actual data transfer for G units is done at G speeds.

    This causes some slowdown for G units. If an access point has proper settings, you should be able to make it do G only, thereby speeding up all G units at the expense of disallowing B units from connecting at all.

    At least, the 802.11 protocol allows this, don't know if APs do or not.

  17. Re:Sure but does it require new equipment by tmasssey · · Score: 4, Insightful

    Three things:

    1) It's not likely that the 200MHz CPU in that thing is going to handle 54Mbit worth of traffic. AES is not the easiest to calculate...

    2) Even so, it's highly likely that a firmware update could *possibly* add this. Will Cisco? My guess is no: they are not incented to make your current device more useful. They'd rather sell a new device.

    3) The beauty of OpenSource is that you can add whatever features you want...

  18. Re:Sure but does it require new equipment by paranode · · Score: 4, Insightful

    Don't see any reason why a device would need to be created specifically for 802.11i.

    Ah, that would be because corporations are greedy. Sure they could give you a firmware upgrade, but they could also peddle a completely new product that costs you money.

  19. Re:Now we can start waiting for a total break of A by pclminion · · Score: 4, Informative

    It's not a US algorithm; the original name was Rijndael

    Although it is correct that it was not invented by Americans, the term "Rijndael" is not a foreign word. It is simply a contraction of the names of the two inventors: Vincent Rijmen and Joan Daemen.

  20. Re:Sure but does it require new equipment by tmasssey · · Score: 5, Insightful

    According to this article, the speed of encrypting 128 bits of data with a 128-bit AES key is 730 cycles on a 32-bit MIPS processor. To keep it consistent with your numbers, that's actually >45 cycles/byte. At approximately 5 Million bytes/sec (54Mbit wireless), and 45 cycles/byte, that's 225 Million cycles per second right there. IIRC, the processor that's embedded in the router has a single pipeline at 200MHz, or, at best, 200 MIPS.

    In other words, assuming *zero* processing overhead, we're 25 MIPS short for wire-speed encryption.

    These are very rough numbers, but think of it this way: do you think Cisco (or whoever) spec'ed a processor substantially faster than what they needed? From my personal experience, embedded processors do not usually have more than a few percent more performance than they need: rarely do they have even 30% more performance than they need. Even if they design a system with a way-fast processor, one of two things happen: their code bloats to use that speed (or they quit optimizing because they don't need to), or they end up buying a lower-cost, slower processor for production!

    In short, it's highly unlikely that the Wrt54g will have anywhere near the CPU power to do wire(less)-speed AES at 54Mbit. Half that? Maybe, but not all of it.