802.11i - designed to integrate
Published: 10 Apr 2003 09:22 BST
802.1x also specifies how keys are passed back to the client to be used in further network traffic -- how these keys are used is not specified, but how they are transferred securely is. It also sets a per-packet authentication key that can't be faked by a third party, maintaining authentication if the client roams to another port and preventing interception and taking over of a session by an intruder.
In installations where there's no authentication server -- probably the case in most homes and many small businesses -- 802.1x can be used in pre-shared key mode, where every node has its keys set up explicitly by hand. The rest of the 802.1x features work, with the proviso that if the shared keys are ever compromised the security of the network is lost.
When 802.1x was started, wireless networking wasn't nearly as prominent as it is now, so the standard is designed for a variety of wired networks only -- hence the need to incorporate it into 802.11i before it can be used for radio.
802.11i's data security additions include various encryption processes such as TKIP (Temporal Key Integrity Protocol) and CCMP (Counter with Cipher Block Chaining Message Authentication Code Protocol). TKIP's main attraction is a frequent update of the encryption key,
TKIP can be added to an existing 802.11 interface by upgrading its software, while a version of the TKIP mechanism called SSN (Safe Secure Networks), has already been adopted by the WiFi industry group prior to the approval of 802.11i. This is a temporary measure due to the need for a fast fix to the broken WEP standard. CCMP is designed for future wireless LANs, as it needs more processing power than most adaptors and access points currently have to spare -- it uses a version of the Advanced Encryption Standard (AES), the current US Government approved method of encrypting data in transit.
802.11i remains under development
With most of the technicalities decided but some areas -- such as fast roaming between access points -- still receiving attention. Such is the pressure for secure wireless LANs that some systems are already available with pre-approval versions of the standard. These are better than non 802.11i systems, but deploying them without a guaranteed upgrade path to the finished standard has interoperability and security risks of its own. By the end of the year, the standard should be finalised and equipment available: then the IEEE will have done its part, and it will be down to system deployers and managers to configure and maintain adequate security. 802.11i is just the kit of parts to do the job -- network security only works when people do it right.
For a weekly round-up of the enterprise IT news, sign up for the Enterprise newsletter.
Tell us what you think in the Enterprise Mailroom.
Previous
