The Harlow Report - GIS
Volume 26 • No 10 • 2003
ISSN 0742-468X • Since 1978
On-line Since 2000

The Future of Wireless Security and 802.11i
by Roy Troxel
Editor, The Web Server Times

Editor's Note: Roy Troxel is the editor of The Web Server Times (www.webservertimes.com). He keeps Webmasters informed of the latest IT developments and how they affect your job, your managers and your clients. This is the third in a series of articles, as noted by the author. Although we have not brought you the first two, this article provides the critical information you should consider in planning your secure wireless network.


This is my third and final article on wireless security, and it addresses the upcoming 802.11i protocol, considered to be the latest word in wireless security. The ratification of this protocol in Spring, 2004 will become the deciding factor for banks and other financial institutions to join the wireless world.

802.11i will include all the elements of WPA, but with stronger encryption.

Among other improvements, 802.11i will include a system for creating fresh keys at the start of each session. It also will provide a way of checking packets to make sure they are part of the current session and not replayed by hackers to fool network users, Walker said. To manage keys, it will use a RADIUS (Remote Access Dial-In User Service) server to authenticate users, together with the IEEE 802.1x standard.
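The two mechanisms described in that paragraph, per-session keys and replay checking, can be modelled in a few lines. The following is an added example, not code from the article or from the 802.11i standard: it derives a fresh session key from a long-lived master key plus two one-time nonces (using HMAC-SHA256, an assumption of this model; the real 802.11i key hierarchy uses its own PRF and also mixes in both MAC addresses), tags each packet with a 48-bit sequence counter and a MIC bound to that counter, and has the receiver reject any packet whose counter does not advance or whose MIC was computed under a stale key.

```python
import hashlib
import hmac
from dataclasses import dataclass

MIC_LEN = 16  # truncated HMAC tag length (assumption of this model)
SEQ_LEN = 6   # 802.11i packet numbers are 48-bit counters


def derive_session_key(master_key: bytes, ap_nonce: bytes, client_nonce: bytes) -> bytes:
    """Fresh per-session key: the same master key yields a different key whenever
    either side contributes a new nonce, so a key from an old session is useless now."""
    return hmac.new(master_key, b"session-key" + ap_nonce + client_nonce,
                    hashlib.sha256).digest()


def protect(session_key: bytes, seq: int, payload: bytes) -> bytes:
    """Build seq || payload || MIC. The MIC covers the counter, so an attacker
    cannot move a captured payload to a new counter value."""
    header = seq.to_bytes(SEQ_LEN, "big")
    mic = hmac.new(session_key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
    return header + payload + mic


@dataclass
class Receiver:
    session_key: bytes
    last_seq: int = -1  # highest counter accepted so far in this session

    def accept(self, frame: bytes):
        """Return the payload if the frame is fresh and authentic, else None."""
        if len(frame) < SEQ_LEN + MIC_LEN:
            return None
        header, payload, mic = frame[:SEQ_LEN], frame[SEQ_LEN:-MIC_LEN], frame[-MIC_LEN:]
        expected = hmac.new(self.session_key, header + payload,
                            hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):
            return None  # tampered, or protected under a key from another session
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:
            return None  # replayed (or reordered) packet: counter did not advance
        self.last_seq = seq
        return payload


def demo():
    """Walk through one session and a replay attempt; returns the outcomes."""
    # Constructed values: a fixed master key and fixed nonces so the run is repeatable.
    master = b"\x11" * 32
    key_a = derive_session_key(master, b"\xa1" * 32, b"\xb2" * 32)
    key_b = derive_session_key(master, b"\xc3" * 32, b"\xd4" * 32)  # next session
    rx = Receiver(key_a)
    first = protect(key_a, 1, b"balance query")
    return {
        "keys_differ": key_a != key_b,
        "first_accepted": rx.accept(first) == b"balance query",
        "replay_rejected": rx.accept(first) is None,
        "next_accepted": rx.accept(protect(key_a, 2, b"ok")) == b"ok",
        "stale_key_rejected": Receiver(key_b).accept(protect(key_a, 3, b"old")) is None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The receiver keeps only the highest counter seen, which is all it needs: a replayed frame carries a counter it has already passed, and a frame protected under last session's key fails the MIC check before the counter is even consulted.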

The authentication process begins when the end user attempts to connect to the WLAN. The authenticator receives the request and creates a virtual port for the user's device. The authenticator then acts as a proxy for the end user, passing authentication information to and from the authentication server on the user's behalf, and it limits the user's traffic to authentication data destined for that server. (Note that there are TWO servers involved here: the authenticator, which acts as a proxy, and the authentication server.)

In a nutshell, the authentication process goes like this:

  1. The user (with laptop, PDA or cell phone) sends a message to his business network.
  2. The message is encapsulated in the EAP protocol and passes through the proxy server to the network's authentication server. The authentication server treats the EAP header as an "ID card" and compares it with the other ID numbers in its database.
  3. If the end user is accepted, the authenticator (proxy) switches the user's virtual port to the authorized state, allowing that end user full network access.
  4. When the user logs off, the client's virtual port on the authenticator is changed back to the unauthorized state.
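The four steps above can be exercised end to end with a small model of the three parties. This is an added example, not code from the article or from any 802.1x implementation: the authenticator keeps one virtual port per client that starts unauthorized and relays only EAP frames to the authentication server, the server owns a constructed credential table (standing in for the RADIUS backend), and the port is switched to authorized on an EAP success and back to unauthorized on logoff. The framing is a plain Python dict rather than real EAPOL encoding, and the server verifies a challenge/response keyed with the user's secret rather than accepting the bare identity "ID card", both assumptions of this model.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"  # only EAP may pass
    AUTHORIZED = "authorized"      # full network access


@dataclass
class Frame:
    kind: str   # "eap" or "data" (constructed framing, not real EAPOL)
    body: dict


class AuthenticationServer:
    """The backend that holds credentials (the RADIUS role in the article)."""

    def __init__(self, credentials: dict):
        self._creds = credentials      # identity -> shared secret (constructed table)
        self._challenges = {}          # identity -> outstanding challenge

    def handle(self, eap: dict) -> dict:
        if eap.get("type") == "identity":
            # Always issue a challenge, even for unknown identities, so the reply
            # does not reveal which accounts exist.
            challenge = os.urandom(16)
            self._challenges[eap.get("identity")] = challenge
            return {"type": "challenge", "challenge": challenge}
        if eap.get("type") == "response":
            identity = eap.get("identity")
            challenge = self._challenges.pop(identity, None)
            secret = self._creds.get(identity)
            if challenge is None or secret is None:
                return {"type": "failure"}
            expected = hmac.new(secret, challenge, hashlib.sha256).digest()
            if hmac.compare_digest(expected, eap.get("proof", b"")):
                return {"type": "success"}
            return {"type": "failure"}
        return {"type": "failure"}


class Authenticator:
    """The access point / proxy: owns the virtual ports, relays EAP, gates data."""

    def __init__(self, server: AuthenticationServer):
        self._server = server
        self._ports = {}        # client id -> PortState (the virtual port)
        self.delivered = []     # data frames that actually reached the network

    def port_state(self, client: str) -> PortState:
        return self._ports.get(client, PortState.UNAUTHORIZED)

    def receive(self, client: str, frame: Frame) -> dict:
        if frame.kind == "eap":
            if frame.body.get("type") == "logoff":          # step 4
                self._ports[client] = PortState.UNAUTHORIZED
                return {"type": "logged-off"}
            reply = self._server.handle(frame.body)         # step 2: proxy to server
            if reply["type"] == "success":                  # step 3
                self._ports[client] = PortState.AUTHORIZED
            elif reply["type"] == "failure":
                self._ports[client] = PortState.UNAUTHORIZED
            return reply
        # Anything that is not EAP is dropped until the port is authorized.
        if self.port_state(client) is PortState.AUTHORIZED:
            self.delivered.append((client, frame.body))
            return {"type": "delivered"}
        return {"type": "dropped"}


def supplicant_login(auth: Authenticator, client: str, identity: str, secret: bytes) -> bool:
    """Step 1 from the client's side: present the identity, answer the challenge."""
    reply = auth.receive(client, Frame("eap", {"type": "identity", "identity": identity}))
    if reply.get("type") != "challenge":
        return False
    proof = hmac.new(secret, reply["challenge"], hashlib.sha256).digest()
    reply = auth.receive(client, Frame("eap", {"type": "response",
                                               "identity": identity, "proof": proof}))
    return reply["type"] == "success"


if __name__ == "__main__":
    server = AuthenticationServer({"alice": b"constructed-secret"})
    ap = Authenticator(server)
    print(ap.receive("laptop", Frame("data", {"payload": "before login"})))
    print("login:", supplicant_login(ap, "laptop", "alice", b"constructed-secret"))
    print(ap.receive("laptop", Frame("data", {"payload": "after login"})))
    print(ap.receive("laptop", Frame("eap", {"type": "logoff"})))
    print(ap.port_state("laptop"))
```

The important property to check is not the happy path but the gate: a data frame sent before authentication, or after logoff, must be dropped by the authenticator itself, without the authentication server ever seeing it.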

EAP: The Extensible Authentication Protocol

The 802.1x authentication process outlined above depends on the Extensible Authentication Protocol or EAP.

The problem is that there are currently five different commercial versions of EAP, including a proprietary version from Cisco. In order for 802.1x to work, both client and server must be running the same version of EAP! Cisco's version, Lightweight EAP (LEAP), can be compromised by dictionary attacks, and several hospitals have been using Cisco wireless connectivity. (A denial of service attack on a hospital server could be considered negligent homicide if it caused the death of a patient who was on a life-support system.)

Another version, Protected EAP (PEAP), has been developed by Cisco, Microsoft and RSA. It uses certificates in a manner similar to SSL and is included in the Windows XP service pack.

For more details on EAP, consult the Computerworld site:

  1. http://www.computerworld.com/securitytopics/security/story/0,10801,86189,00.html
  2. http://www.computerworld.com/mobiletopics/mobile/story/0,10801,79995,00.html

Conclusion

Maximum wireless security, then, is a combination of several techniques: strong authentication and a strong encryption mechanism, coupled with data integrity. The 802.11i standard will supposedly be ratified by Spring, 2004, but some changes might happen before then. If and when you hear of them, please post to this forum, and we'll discuss them.

In the meantime, wireless is still insecure, financial institutions still haven't accepted it, and if you stand in your local mall you can eavesdrop on numerous cell phone conversations, just by using your ears.

The Future of Wireless Security and 802.11i
Copyright© 2003 by Roy Troxel.
