Slashdot Mirror

← Back to Stories (view on slashdot.org)

IEEE Approves 802.11i

Posted by michael on from the my-lock-my-key dept.

Dozix007 writes "IEEE has approved a new wireless security protocol dubbed 802.11i, intended to finally provide sufficient security for wireless connections that users don't need to rely on alternate security layers. The new specification works by using AES encryption in the transceiver itself, encrypting data directly at the level just above the actual radio pulses themselves. That makes it transparent for applications sending data through the radio, so legacy programs running on new 802.11i-compliant hardware will automatically get the benefits of the new protocol without the need for modification."

8 of 302 comments (clear)

  1. It's about time... by Shoeler · · Score: 5, Interesting

    Hopefully the approval of the standard will reel in the multiple competing vendor solutions that have been out there. From Cisco's LEAP to TKIP (Aka WEP2), most still would not encrypt things like the MAC address or ESSID. For companies who are actually security-minded and wouldn't deploy wireless without a truely secure standard, this should be their open door to some real mobility.

    Now if only I can convince my employer so I can use Trillian to get me through those boring meetings. :)

  2. Suspicious by gUmbi · · Score: 5, Funny

    What happened to 802.11h? Was it brushed under the rug by the NSA? The CIA? The Bush family?

    Get out the tin foil hats boys, this is a big one.

  3. awesome by joel2600 · · Score: 5, Insightful

    Now try explainging to regular people the difference between a/b/i/g/x and which ones work together, which ones don't and why.

    i hope the guys at best buy are up to speed to direct the consumers!

  4. Is this really a good thing? by kabocox · · Score: 5, Insightful

    I know some seemless intergrated security is better than having it tacked on afterward. I've always felt that if folks trusted a default security layer to be perfect, they will get burned when the defaul layer is broken. You should always have application encryption of important data. You shouldn't just trust that your pipe will be encrypted. Sometimes those pipes get used by unauthorized third parties that's when having everything else encrypted comes in handy. I'm just afraid folks will switch to the 802.11i and not bother to encrypt any of their data.

  5. Re:Ah Finally! by nazsco · · Score: 5, Funny

    encription in EVERY protocol layer and then some encription in the software, that's runing trhu ssh... so i can safely read my mail that i protected with my birtday as the password.

  6. Re:Sure but does it require new equipment by spellraiser · · Score: 5, Informative

    Well, since encryption only involves standard processing, a firmware upgrade should be all that's required. Don't see any reason why a device would need to be created specifically for 802.11i. This is also interesting (taken from here):

    Cisco, one of the largest providers of enterprise APs, said AES is supported in hardware on the IEEE 802.11g versions of AP models 1100, 1200, and the newly announced 1300 outdoor AP/bridge. However, a software upgrade for those devices will be required. Software upgrades will also be available for 802.11a, b and g card-bus and NIC cards.

    Although they don't state it explicitly, it's a pretty fair bet that firmware upgrades for Linksys APs will be available at some point.

    --
    I hear there's rumors on the Slashdots
  7. Re:OK, but how does it actually work by j+h+woodyatt · · Score: 5, Informative

    I am a wireless expert.

    802.11i uses AES for privacy, HMAC-SHA1 for integrity, and it defines its own protocol for establishing transient unicast and group session keys. You can use it with a pre-shared master key (derived from a simple passphrase), or you can use it conjunction with 802.1X and get per-user pairwise master keys derived from the authentication service.

    The Wi-Fi Alliance (I'm told) is calling 802.11i by the name WPA2. If you have hardware that supports the AES variant of WPA, then your vendor should be able to supply a firmware upgrade soon that will support WPA2.

    --
    jhw
  8. Re:Sure but does it require new equipment by tmasssey · · Score: 5, Insightful
    According to this article, the speed of encryping 128 bits of data with a 128-bit AES key is 730 cycles on a 32-bit MIPS processor. To keep it consistent with your numbers, that's actually >45 cycles/byte. At approximately 5 Million bytes/sec (54Mbit wireless), and 45 cycles/byte, that's 225 Million cycles per second right there. IIRC, the processor that's embedded in the router has a single pipeline at 200MHz, or, at best, 200 MIPS.

    In other words, assuming *zero* processing overhead, we're 25 MIPS short for wire-speed encryption.

    These are very rough numbers, but think of it this way: do you think Cisco (or whoever) spec'ed a processor substantially faster than what they needed? From my peronal experience, embedded processors do not usually have more than a few percent more performance than they need: rarely do they have even 30% more performance than they need. Even if they design a system with a way-fast processor, one of two things happen: their code bloats to use that speed (or they quit optimizing because they don't need to), or they end up buying a lower-cost, slower processor for production!

    In short, it's highly unlikely that the Wrt54g will have anywhere near the CPU power to do wire(less)-speed AES at 54Mbit. Half that? Maybe, but not all of it.

    --
    Linux IT Consulting and Domino Development in Michigan