Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security evaluation of 802.11i

Posted by CmdrTaco on from the segessem-terces-ylotot dept.

Uberhacker.Com writes "Server Pipeline features an interesting report on the security viability of 802.11i. As most observers of the WLAN industry are aware, the security features found in the original standard were woefully inadequate. To a certain degree, these deficiencies reflected the perception that security services are normally implemented at layer 3 and above. 802.11i's privacy services are built on top of AES, a strong encryption standard that passes muster with even the most paranoid security administrators."

5 of 179 comments (clear)

  1. Security? by Quasar1999 · · Score: 5, Interesting

    Why is it that applying security at a higher layer is a bad thing? The data is what needs to be secured, not the headers of the packets... I don't care if people know I'm sending data to my credit card company, I do care if they know what my login and password is though... Am I missing something? Why is it so important to apply security to the lowest layer?

    --

    ---
    Programming is like sex... Make one mistake and support it the rest of your life.
  2. AES, buzzword of the moment by Anonymous Coward · · Score: 5, Insightful

    AES!=SECURE! It's how you implement it and use it that makes you secure!

    AES is the buzzword of the moment. The real question: is 802.11i implemented in such a way that it is secure from the get-go (even at the expense of usability), and implemented in such a way that it can be upgraded quickly and easily should exploits be found.

    Well?? I don't give a damn what algorithm it uses, I just want it to use the algorithm CORRECTLY.

  3. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  4. ARGH! by nuintari · · Score: 5, Insightful

    You can't throw pretty sounding state of the art encryption schemes at something and call it secure. WEP's failing was not a bad algorithem, RC4 isn't new by any means, but its nothing to turn your nose to. When used properly, it can do the job. But WEP used predictable session id's, a tiny key space, and a whole host of recomended but "optional" wep concepts that the manufacturers ignored because they were all harder to implement.

    Wep was designed with the model:

    1. pretty acronyms.
    2. mumnle mumble mumble
    3. SECURITY!!!

    You could use AES in wep and it would still be breakable, the key exchange was piss poor, making the entire system piss poor.

    I didn't read the article, this was just me bitching at the slashdot post, and people who believe fancy new encryption = security automagically.

    --

    --Nuintari

    slashdot : where an opinion can be wrong.

  5. Getting There... by diagnosis · · Score: 5, Insightful

    Here is the problem: Most people *still* aren't going to turn on encryption, and 802.11i doesn't address one of the biggest regions people don't turn on encryption:

    Encryption makes configuring your wireless network 10x harder for the average person.

    As the article recognizes, "the lack of a single, universally accepted standard will inevitably lead to implementation and interoperability challenges."

    Encrypted wlan communication needs to be so straightforward that end users can connect to *any* access point and be assured of privacy without any additional configuration.

    So what is the average user supposed to do? Just keep waiting, I guess...