Wireless LAN manufacturers plan to beef up security for their products with harder-to-break keys and an industrywide authentication plan targeted at enterprise users through a program called Wi-Fi Protected Access (WPA).
The effort was announced today by the Wi-Fi Alliance industry trade group.
Dennis Eaton, chairman of the Mountain View, Calif.-based Wi-Fi Alliance, said vendors should start rolling out certified products featuring key components of WPA in February. WPA provides enterprises with a built-in mechanism to authenticate the identity of users based on the Extensible Authentication Protocol, which runs on Remote Authentication Dial-In User Service network servers.
WPA also replaces the static encryption keys incorporated into the current Wi-Fi Wired Equivalent Protocol (WEP) with harder-to-crack dynamic keys through use of the Temporal Key Integrity Protocol (TKIP), part of the draft Institute of Electrical and Electronics Engineers (IEEE) 802.11i standard expected to be approved in 2004.
In addition, WPA includes a message integrity checksum called "Michael" that will help network administrators determine whether an unauthorized user has tried to intercept and decode TKIP keys.
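The security-relevant point behind Michael is that a keyed message integrity check lets a receiver detect frames that were forged or altered in transit, something WEP's unkeyed integrity check could not do. The following is an added example, not code from the article or from the Wi-Fi Alliance: a Python implementation of the Michael MIC as specified in IEEE 802.11i (64-bit key, 32-bit word operations, 0x5a padding), plus a receiver-side verify step. The frame contents, key and the byte-flip "tampering" are constructed inputs for the demonstration. In real TKIP the MIC is computed over the frame's addresses and priority as well as the payload; here it is computed over a plain byte string to keep the focus on the check itself.

```python
import hmac  # only for hmac.compare_digest, a constant-time byte comparison

MASK32 = 0xFFFFFFFF


def rol32(v: int, n: int) -> int:
    """Rotate a 32-bit value left by n bits."""
    return ((v << n) | (v >> (32 - n))) & MASK32


def ror32(v: int, n: int) -> int:
    """Rotate a 32-bit value right by n bits."""
    return ((v >> n) | (v << (32 - n))) & MASK32


def xswap(v: int) -> int:
    """Swap the two bytes inside each 16-bit half of a 32-bit word."""
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)


def michael_block(l: int, r: int) -> tuple[int, int]:
    """The Michael block function b(L, R) from 802.11i."""
    r ^= rol32(l, 17)
    l = (l + r) & MASK32
    r ^= xswap(l)
    l = (l + r) & MASK32
    r ^= rol32(l, 3)
    l = (l + r) & MASK32
    r ^= ror32(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """Compute the 8-byte Michael MIC of msg under an 8-byte key."""
    if len(key) != 8:
        raise ValueError("Michael uses a 64-bit (8-byte) key")
    l = int.from_bytes(key[:4], "little")
    r = int.from_bytes(key[4:], "little")
    # Padding: a single 0x5a byte, then 4 to 7 zero bytes so the total
    # length becomes a multiple of 4 (the spec's padding rule).
    zeros = 4 + (-(len(msg) + 1) % 4)
    padded = msg + b"\x5a" + b"\x00" * zeros
    for i in range(0, len(padded), 4):
        l ^= int.from_bytes(padded[i:i + 4], "little")
        l, r = michael_block(l, r)
    return l.to_bytes(4, "little") + r.to_bytes(4, "little")


def verify(key: bytes, msg: bytes, mic: bytes) -> bool:
    """Receiver side: recompute the MIC and compare in constant time."""
    return hmac.compare_digest(michael(key, msg), mic)


def tamper_detected(key: bytes, msg: bytes, mic: bytes, flip_index: int) -> bool:
    """Flip one byte of the protected message and report whether the
    receiver's check rejects the modified frame (True = rejected)."""
    modified = bytearray(msg)
    modified[flip_index] ^= 0x01
    return not verify(key, bytes(modified), mic)


if __name__ == "__main__":
    # Constructed demonstration values (not real keys or captured traffic).
    demo_key = bytes(range(8))
    demo_frame = b"payload of a TKIP-protected data frame"
    demo_mic = michael(demo_key, demo_frame)
    print("MIC:", demo_mic.hex())
    print("intact frame accepted:", verify(demo_key, demo_frame, demo_mic))
    print("modified frame rejected:", tamper_detected(demo_key, demo_frame, demo_mic, 3))
```

Michael was deliberately kept cheap so that it could run in software on the WEP-era hardware the article describes; 802.11i treats it as a weak MIC and pairs it with countermeasures (rekeying after repeated MIC failures), so a practical deployment should log and alert on MIC failure counts rather than treat a single failure as noise.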
Home Wi-Fi users will be able to take advantage of the TKIP portion of WPA, but not the authentication portion, Eaton said.
John Pescatore, an analyst at Gartner Inc. in Stamford, Conn., said WPA marks industrywide acceptance of the Safe Secure Networks project developed by industry heavyweights such as Microsoft Corp. and Cisco Systems Inc. this spring to improve wireless LAN security.
The fix comes none too soon for an industry that is enjoying phenomenal growth, analysts said. In-Stat/MDR, a Scottsdale, Ariz.-based research firm, predicted Wi-Fi WLAN hardware shipments will hit 33 million units in 2006, up from 6 million this year, with the majority used for home networking.
Eaton said WPA is the industry effort to correct well-known flaws in WEP and counter individual and organized wireless LAN sniffing projects such as the ongoing second WorldWide WarDrive, in which hobbyists detect and map WLAN access points. He emphasized that WPA is an interim fix until the IEEE approves the 802.11i standard, which, besides TKIP, also includes the new, strong, federally backed Advanced Encryption Standard (AES).
WPA is designed to be backward-compatible with existing WLAN hardware and forward-compatible with the 802.11i standard, Eaton said. Vendors are developing fixes that users can download from Web sites once their WPA products are certified next year. Some of these fixes will be in firmware, while others may have to run as client software, Eaton added.
Eric Wolbrom, president of Safe Harbor Technologies, a Katonah, N.Y., security company, said that in his view WPA is an attempt to develop an industrywide open security standard, which he called a good idea, but "not easy" to do. He said enterprises that have bought high-end WLAN hardware can probably download patches, but wondered if such a fix would work with low-end home systems, which may not have enough memory to handle the security upgrades.
Pescatore agreed, adding that enterprise IS departments with hundreds or thousands of WLAN users face a daunting task in upgrading client software.
Upgrading the WLAN access points, however, should be a relatively easy task that can be managed centrally -- compared to installing new software on notebook and handheld computers used by scattered mobile workers, Pescatore said.
He predicted vendors in the enterprise WLAN hardware market will try to outdo each other devising the easiest "install wizard" to handle the WPA upgrades. Once that's done, enterprises will also need to plan for a WLAN hardware upgrade in 2004 when the 802.11i standard becomes final, Pescatore said.
Current hardware would not be able to run the AES algorithm, he said.