IEEE Approves 802.11i 302
Dozix007 writes "IEEE has approved a
new wireless security protocol dubbed 802.11i, intended to finally
provide sufficient security for wireless connections that users don't
need to rely on alternate security layers. The new specification works
by using AES encryption
in the transceiver itself, encrypting data directly at the level just
above the actual radio pulses themselves. That makes it transparent for
applications sending data through the radio, so legacy programs running
on new 802.11i-compliant hardware will automatically get the benefits
of the new protocol without the need for modification."
Sure but does it require new equipment (Score:4, Interesting)
$$$$ Dude.
Actually secure? (Score:1, Interesting)
Long Time Until it Replaces B/G (Score:2, Interesting)
Does anyone have any figures on how long between products get rolled out until inception in the digital world? I would be curious to see the timeliens of some products such as: 3.0megapixel cameras, DSL/Cable, 802.11b/g, etc.
GroupShares Inc. [groupshares.com] - A Free and Interactive Investment Community
It's about time... (Score:5, Interesting)
Now if only I can convince my employer so I can use Trillian to get me through those boring meetings.
Firmware (Score:4, Interesting)
If thats the case, running a VPN over the wireless may still be the best option.
Key Management (Score:5, Interesting)
Is they key negotiated as part of the protocol? How is that exchange authenticated? How is access control done? Can anyone enter the network?
Does it use a pre-placed key? How do you make sure the AP has every clients key? Can you access the AP without encryption? Do users have to type keys in?
FW Upgrades for non-router 802.11x equipment? (Score:2, Interesting)
Does this finally solve the *other* major problem? (Score:3, Interesting)
I personally think a HUB is still a bad idea, even if the main transports are encrypted to the outside. The insider doesn't need to be able to see anyones traffic unless it's repeated to the target. It would be great if it was encrypted and acted like a switch.
I would still use my VPN with this.
Re:Key Management (Score:3, Interesting)
I fearlessly predict that some of those passphrases will be chosen poorly.
Security advice for your Aunt Tillie and Cousin Homebuilder: http://besphere.blogspot.com.
Re:Does this finally solve the *other* major probl (Score:3, Interesting)
i'm not trolling here, i'm really wondering.
hardware-level encryption = crap (Score:2, Interesting)
Putting encryption at this level is useless because secure communication with e.g. a webserver still requires that I encrypt over HTTPS, since my link to the server goes over more than just the wireless link. Thus, hardware AES only duplicates functionality. This is one of the premises of the end-to-end argument: put functionality at the highest layer possible to avoid duplication.
The argument that this is useful to keep "baddies" out of your network is weak, too. If you want to keep your wireless network secure, tie MAC addresses to IP addresses, and presto! no one can wardrive your wireless network. No, this is not perfectly secure, but you can secure yourself against a better-than-casual attacker by pushing the necessary authentication up to a higher layer. This approach is more flexible and doesn't require specialized hardware. Plus, when it's shown in five years that AES is breakable in faster than brute-force time, we don't need massive hardware (or firmware) upgrades; just apt-get install openswan.
802.11b should be a standard with the same scope as 802.3 (ethernet)---define the hardware link level and be done with it. Security at the link layer has been shown time and again to be worthless in even the best of cases. Rolling AES into the hardware spec of 802.11i is just window-dressing. The people who decided to do it should be beaten with a stick and forced to read the Saltzer paper until they recite it in their sleep.
(If you haven't read Saltzer's paper on the end-to-end argument, google should provide ample background.)
Re:Sure but does it require new equipment (Score:3, Interesting)
Re:Now I'm confused. (Score:4, Interesting)
IEEE 802.11i uses AES, which is not a public key algorithm, but it does provide for a key exchange process which can be based on public key cryptography (but doesn't have to be).
As for hiding the SSID, I question the accuracy of tha article. It doesn't tally with what I've read about 802.11i over the last year. I don't think 802.11i provides for encryption of the entire frame any more than WEP or WPA does, and AFAIK it doesn't provide any security for management frames, so the SSID should still be in the open.
MAC-based authentication is useless for deterring a serious attacker, but 802.11i provides for 802.1x port-based authentication, which typically will operate at the user level.
Although 802.11i provides for generating the master key on-the-fly, I suspect that many installations (expecially home networks) will use pre-shared keys, which are usually hashed passwords and thus vulnerable to dictionary attacks.
OSS to the rescue(?) (Score:4, Interesting)
The HostAP [epitest.fi] driver does encryption in software.
My home server is (among other things) a wireless access point. The card I have is a few years old and doesn't support WEP at all, but thanks to this driver it does! In fact it also supports a bunch of other security features for encryption and authentication, which I have not delved into.
That said, it sounds like this new encryption may be at a lower level, which for all I know may necessitate new firmware.
Re:Is this really a good thing? (Score:5, Interesting)
The parent should be modded up. I'd add that you should be suspicious of key management carried out below the application layer. Even the submitter emphasizes the wrong point, IMNSHO, when he/she says that AES will be used to secure the connection. The choice of encryption algorithm is almost inconsequential because the world has plenty of good encryption algorithms, but the key management is the really difficult part. Designing a protocol is moderately difficult too (read Peter Gutmann's VPN rant to see some examples of poor protocols).
Re:But Linksys has a history of good updates (Score:3, Interesting)
Bullshit. They drop support just about as soon as they can. I've got a first-gen WPA11 for which linksys never released a single firmware update and which never had a reliable driver. I've also got a WAP11 that's in the same boat. You may be confused by the fact that linksys generally keeps the same name when they change the chipset on their products. So they have updates for WAP11's, but only the very latest hardware rev of it. If you buy a linksys product consider it to be disposable.