Administrators worried about airlink security and crypto-crackers will soon have an option to banish WEP from their WLANs. The Wi-Fi Alliance recently announced the first batch of products to pass Wi-Fi Protected Access (WPA) certification, and many vendors plan to ship WPA upgrades this summer.
Because radio networks lack the physical access control inherent to Ethernet, the 802.11 standard created Wired Equivalent Privacy (WEP) to deter access to wireless traffic. In theory, only stations that possess the same key are supposed to be able to associate with the WLAN's access point and encrypt/decrypt traffic. In practice, WEP fell short of this objective. Attackers who capture enough traffic can use shareware to figure out encryption keys, gaining access to everything sent and received by others. What's worse, weak key values reduce time required for key cracking. Because there was no standard method for key update, cracked keys tend to remain in use, further increasing risk.
Why WPA is better
A Message Integrity Check (MIC) to prevent forgery. With WEP, attackers can capture and modify frames without detection. With WPA, they cannot.
A sequence number to prevent replay. With WEP, attackers can capture frames and resend them later without detection. Replayed frames are discarded by WPA.
A Temporal Key Integrity Protocol (TKIP) that uses key mixing to derive short-lived keys to neutralize key cracking techniques. Mixing is a multi-step process that starts with a base key and the sender's address, so every station derives different keys.
A new base key process. Home and small office WLANs use a configured secret phrase as the starting point for TKIP keys. Larger WLANs can use IEEE 802.1X port access control to deliver per-session keys, further reducing risk.
WPA uses the same encryption engine as WEP, which means that upgrades can be supplied as firmware upgrades instead of new hardware. WPA can also back down to WEP if one endpoint doesn't support these new features.
When will WPA be available? Proprietary pre-WPA TKIP upgrades have been around for months. Companies with homogenous, single-vendor WLANs can apply those upgrades at any time. But most of us must deal with multi-vendor WLANs. Even if we deploy one vendor's access points, we still may face a hodge-podge of integrated and after-market wireless adapters.
If you're in that camp, you'll want to know when certified WPA firmware is going to ship for all products that you use. Certification increases the likelihood of multi-vendor interoperability. According to the Wi-Fi Alliance, the first products to pass 802.11b WPA certification at the end of April were:
Atheros: AR5BCB-00025A - AR5001X+ 802.11a/b/g CardBus Reference Design and AR5BAP-00025A - AR5001AP 802.11a/b/g Access Point
Broadcom: BCM94306-GAP 802.11g Access Point Reference Design and BCM94306CB 802.11g CardBus Reference Design
Cisco: AIR-AP1230B Access Point
Intel: PRO/Wireless 2100 LAN 3B Mini-PCI Adapter
Intersil: ISL37300P PRISM 2.5 PCMCIA Card Reference Design and ISL36356A PRISM Access Point Development Kit
Symbol: LA-4137 Wireless Networker CompactFlash Wireless LAN Adapter
The Wi-Fi Alliance only certifies 802.11b right now, even if products also support pre-standard 802.11g. Standard 802.11g certification testing will start later this year. Several of these are reference designs that your favorite WLAN vendor will use in products that you buy. Consumer products will also undergo testing, and you're no doubt wondering when your vendor will start shipping WPA upgrades. Here's what several said when I asked last week:
Belkin: Upgrades for 54g Wireless Cable/DSL Gateway Router (F5D7230-4) , 54g Wireless Network Access Point (F5D7130), and 54g Wireless PCI and Notebook Cards (F5D7000 and F5D7010) by will available by mid-June. "For other products, we will be slowly transitioning to WPA support, but have no firm timeframe," said spokesperson Melody Chalaban.
Buffalo: WPA upgrade will be posted on Buffalo's Web site by Friday June 6th, and currently requires Windows XP Zero Config. "We are working on other Microsoft OSs, but Microsoft will only support WPA for XP," said spokesperson Kelly Reeves.
Cisco: Upgrades that support WPA are available now for 1100 and 1200 series APs. The AP 350, Aironet 350 series client cards, and Aironet 5 GHz 54 Mbps Wireless LAN client adapters will support WPA in an IOS release in Q403.
Colubris Networks: Currently implementing WPA support across its entire line of secure WLAN products, available by the end of August.
Netgear: Free WPA firmware upgrades will be available for the ME103 802.11b ProSafe Wireless AP in July, with the WG602 54 Mbps Wireless AP, WGR614 54Mbps Cable/DSL Wireless Router, and WG511/WAG511 CardBus adapters to follow. "We are working to fully understand effort to support WPA on existing and previous versions of our complete 802.11b product line," said spokesperson Kenneth Hagihara.
Proxim: Shipping products will be WPA enabled and a download will be available for existing and legacy products by the middle/end of July.
SMC Networks: Plan to have software upgrades for WPA for 802.11 products by the end of July/early August timeframe.
No reply was received from another half-dozen vendors that I asked. If your vendor isn't listed here, call tech support and bug them until you get an answer. To learn more about Microsoft's WPA support and the Windows XP patch that you'll need to use WPA, see Microsoft's Knowledge Base Article.
WPA is a Wi-Fi Alliance snapshot of the draft IEEE 802.11i security standard. It includes only those parts that are stable and implementable as firmware upgrades for existing 802.11 products. Improvements include:
Dig deeper on Wireless LAN Implementation