IEEE Approves 802.11i 302
Dozix007 writes "IEEE has approved a
new wireless security protocol dubbed 802.11i, intended to finally
provide sufficient security for wireless connections that users don't
need to rely on alternate security layers. The new specification works
by using AES encryption
in the transceiver itself, encrypting data directly at the level just
above the actual radio pulses themselves. That makes it transparent for
applications sending data through the radio, so legacy programs running
on new 802.11i-compliant hardware will automatically get the benefits
of the new protocol without the need for modification."
Ah Finally! (Score:4, Insightful)
awesome (Score:5, Insightful)
i hope the guys at best buy are up to speed to direct the consumers!
Lack of equipment or how it's supposed to work? (Score:4, Insightful)
If I'm remembering that right, then what you're experiencing may not be a lack of standards uptake -- you could be connecting to a ton of 802.11g stations, but somebody's got a B card running.
Is this really a good thing? (Score:5, Insightful)
Change hardware *again*? No thanks (Score:4, Insightful)
And exactly 0% of the hardware will be backwards compatible. Who trusts data privacy flying across a network anyway? Isnt that what we have VPN, SSH, HTTPS, etc. for? IMHO we have more things to concern ourselves with, like interference countermeasures, signal efficiency, etc. Who is going to switch to a new hardware platform just because it offers a different (read: not necessarily better) encryption method?
Re:Long Time Until it Replaces B/G (Score:3, Insightful)
thats probably because for most purposes B is fine. i mean who is going to spend more on G when typical internet speeds never even reach 11Mps? G maybe is fine for the office or home where you are talking to local servers or other clients, but starbucks doesnt need more than a B.
Re:Is this really a good thing? (Score:2, Insightful)
Re:Actually secure? (Score:5, Insightful)
However, you do have to remember that a lot of classified information that would result in really major problems for many governments travels, encrypted, over the airwaves, on a regular basis. A cryptosystem isn't called secure unless it can't be broken in a reasonable amount of time, even if the bad guy knows your algorythm, and even if the bad guy is able to observe your transmissions.
Basicly, what the entire WEP debacle has shown is that when you are transmitting over the airwaves, the importance of secure encryption increases. And that if you are going to make a widespread standard for encryption, you had better check it out with some folks who know encryption first.
Couldn't this be used by terrorists. (Score:1, Insightful)
OK, but how does it actually work (Score:5, Insightful)
How do the nodes generate and exchange a shared session key? Or do you have to enter an AES key manually before you even hook up? That would certainly lock down the node!
It would be nice if someone posted a link explaining at a medium level how it actually works. I don't want to just go read a draft of the standard, but I wouldn't mind reading a few of the important details.
MM
--
Re:Too many goddamn wireless standards. (Score:3, Insightful)
That's essentially what's happening already. They settle on a standard, people adopt it. The trouble comes with the "go from there" part. Whenever you "go" anywhere new with a standard, the old stuff is non-compliant, thus requiring a new standard.
Re:Better than IPSec over wi-fi... (Score:4, Insightful)
Besides, there are *many* issues regarding security aside from the wire protocol. As one other posted mentioned, key management is one of these issues. How does 802.11i deal with this? I know IPSec has many different solutions available for key management, meaning I can make it fit into my network infrastructure. How does 802.11i fit into this picture?
Now I'm confused. (Score:2, Insightful)
While this clearly means that now no one can sniff the SSID, is this going to be any better for those who leave it at the default? And without any kind of MAC authentication or network protection at upper levels, would knowing the SSID the only difficult imposed against abuse of the network?
Not trolling, I just want to know if stupid admins can still mess this one up.
Re:Key Management (Score:3, Insightful)
This means I'd bet someone $20 that it'll use a single shared key across the entire network, and client machines will obtain it from a user-entered password.
But since it uses AES, all sorts of people will get excited and believe it's secure.
So I see this as little more than a marketing ploy.
Is it more secure than WEP and WPA? Yes. Yes, it's more secure, because in order to get the password that lets you get on the network and steal network resources and intercept everyone's data, you'll need to run a key logger or watch over someone's shoulder or get a virus on to their machine instead of just watching network traffic.
Re:Sure but does it require new equipment (Score:5, Insightful)
1) It's not likely that the 200MHz CPU in that thing is going to handle 54Mbit worth of traffic. AES is not the easiest to calculate...
2) Even so, it's highly likely that a firmware update could *possibly* add this. Will Cisco? My guess is no: they are not incented to make your current device more useful. They'd rather sell a new device.
3) The beauty of OpenSource is that you can add whatever features you want... [seattlewireless.net]
Re:Sure but does it require new equipment (Score:5, Insightful)
Ah, that would be because corporations are greedy. Sure they could give you a firmware upgrade, but they could also peddle a completely new product that costs you money.
Re:Key Management (Score:4, Insightful)
If you rely on encryption that behaves like that, you're foolish and will have problems.
If you believe this is better than what has come before, you are more likely to rely on it.
Therefore, I actually think this will in practice cause more harm than good with regard to actual security.
IMHO, we need totally wide-open unencrypted wireless, with IPSec and nothing else running on top of that, with secure apps running on top of that. I think any crypto at this layer is essentially smoke and mirrors.
Re:Sure but does it require new equipment (Score:5, Insightful)
In other words, assuming *zero* processing overhead, we're 25 MIPS short for wire-speed encryption.
These are very rough numbers, but think of it this way: do you think Cisco (or whoever) spec'ed a processor substantially faster than what they needed? From my peronal experience, embedded processors do not usually have more than a few percent more performance than they need: rarely do they have even 30% more performance than they need. Even if they design a system with a way-fast processor, one of two things happen: their code bloats to use that speed (or they quit optimizing because they don't need to), or they end up buying a lower-cost, slower processor for production!
In short, it's highly unlikely that the Wrt54g will have anywhere near the CPU power to do wire(less)-speed AES at 54Mbit. Half that? Maybe, but not all of it.
Re:The way things ought to be (Score:2, Insightful)