NOVEMBER 8, 2002

NEWS ANALYSIS
By Stephen H. Wildstrom

Stronger Security Fences for Wi-Fi

A new standard will be ready early next year that makes it much harder to eavesdrop or fake a user ID on wireless networks

Now with commendable alacrity, the trade group, renamed the Wi-Fi Alliance, has come up with a new standard that should solve the most pressing problems. While the new system, called Wi-Fi Protected Access, won't ship until early next year, it will still be out many months before the "official" solution, called 802.11i, that the Institute of Electrical & Electronics Engineers is developing. And both businesses and consumers will be able to upgrade most existing hardware to the new standard as soon as it becomes available.

Wi-Fi has been beset by two interrelated problems. One is a serious flaw in the encryption system, called Wired Equivalent Privacy (WEP), used to prevent eavesdroppers from monitoring. While described as offering a choice of 64- or 128-bit encryption -- meaning hackers would have to try billions upon billions of possible "keys" -- a design flaw meant only about a million keys were possible. That made it easy for computerized analysis to discover the password used to generate the key.

OPEN STANDARD. The second flaw, the lack of any system for determining that users really were who they claimed to be, meant that it was simple for anyone in possession of the password to get on the network.

Wi-Fi Protected Access attacks both problems. First, it discards WEP and replaces it with a much better-designed encryption system called TKIP. Wi-Fi Alliance President Dennis Eaton, a marketing manager for semiconductor maker Intersil, explains that, unlike the original approach to WEP, TKIP was designed as an open standard with input from leading cryptographers. TKIP is one of two encryption standards proposed for 802.11i. The other, the government's new Advanced Encryption Standard, may be somewhat stronger, but it will run only on future Wi-Fi hardware.

For businesses, Wi-Fi Protected Access also addresses the problem of identifying users more precisely. It takes a standard called 802.1x that has been used in a number of proprietary wireless user-identification schemes from Cisco Systems (CSCO) and others, and creates a standard. Basically, with 802.1x a user is initially allowed to communicate only with a wireless access point. The access point passes the request on to a special login server. Only if that server is satisfied by the person's credentials -- a user name plus a password, a biometric such as a fingerprint, or a smart card -- does the person gain access to the full network.

A MUST FOR CERTIFICATION. This system isn't practical for home users, who have neither the skill nor the equipment to set up a special authentication server. Instead, the home version of Protected Access uses an improved approach to WEP's shared password. The main change is that while the password is still used to gain access to the network, the keys actually used for encryption are generated dynamically, making eavesdropping much harder.

The Wi-Fi Alliance expects the first Protected Access software to be available via download around the end of 2003's first quarter. By yearend 2003, it will be mandatory for Wi-Fi certification of networking gear.

In the meantime, Wi-Fi networks should continue to at least run WEP. It's not very good, but it's better than no encryption. And any business communications that are at all sensitive should be conducted using virtual private network hardware or software, which uses strong encryption to protect traffic, wired or wireless, over the public Internet.

Wildstrom is Technology & You columnist for BusinessWeek.