802.11i: The next big thing

By Joel Snyder and Rodney Thayer
Network World, 10/04/04

Original Article on Network World Web Site

The IEEE standard called Robust Security Networking is a force to be reckoned with. As an amendment to the original 802.11 WLAN standard, 802.11i replaces the original meager 10-page WEP discussion with more than 200 pages of detailed protocol on how to lock unwanted users out of your wireless network.

This is the good stuff.

Approved in July, 802.11i products have started to appear in the market. Even though we received our test equipment before the final draft of the standard was ratified, 3Com, Airespace, Belkin, Buffalo, Proxim, SMC and Trapeze all had some pieces of 802.11i included with the hardware we tested.

The primary difference between the final version of 802.11i and the scaled-down version that the Wi-Fi Alliance published as WPA is AES. As a streaming encryption algorithm, RC4 (used in WEP and WPA) was not designed for use in packet-oriented Ethernet environments because packet-oriented transmission has to "restart" RC4 at the beginning of each packet, a process that can lead to a variety of attacks. AES resolves those issues.

The Wi-Fi Alliance has expanded the WPA program by publishing a subset of 802.11i as WPA2. Early in September, it announced that products from six manufacturers had been certified for WPA2 compliance. These manufacturers include Atheros, Broadcom, Intel and Realtek, four of the most significant manufacturers of the wireless chips that make up everyone else's cards, access points and laptops. Based on this early adoption, we can expect an explosion of 802.11i-compatible products, as vendors that already have modern chipsets from these manufacturers in current products will be able to turn on 802.11i compatibility without swapping out hardware.

Like WPA, 802.11i includes 802.1X authentication as a core feature. But the same authentication caveat as with WPA applies; PSK authentication is a poor choice for network security and is highly vulnerable if the PSK is not long and changed frequently enough.