Wireless
Securing Wireless LANs
Markku T. Niem
Interest in Wireless Local Area Network (WLAN) technology
has been rising steadily over the last few years, initially
for deployment in the corporate sector and more recently
for public access. However, the market for WLANs has
been inhibited by concerns over the security of the
air interface, an issue that the industry is now addressing.
The WLAN standard was originally created in the early
1990s and the security system that was defined reflected
the technology of the time. WLAN security is based on the WEP
(Wired Equivalent Privacy) algorithm, which was intended
to provide a level of security equal to that of wired Ethernet
networks. There are a number of serious problems with
WEP, in particular its use of the RC4 algorithm and the
key length, which is only 40 bits. The reason for choosing
such a short key was that at the time there were restrictions
in the USA on the export of advanced encryption technology.
However, this shortness means the key is vulnerable
to attack and there are already programs available on
the internet which can be used to break the algorithm.
A number of WLAN vendors, including Nokia, have extended
WEP to a key length of 128 bits, although this is
not significantly stronger than 40-bit WEP. In addition,
as WEP security is based on shared secret keys, there
are major problems with key distribution, particularly
for large corporates with hundreds of users. This means
that WEP cannot be used by large companies or for public
access applications. In order to use their WLAN systems,
large companies are obliged to implement additional
layers of security above WEP at the IP level, such as
Virtual Private Networks (VPNs).
Addressing security
A whole new security framework for WLANs needs to be
created, and WLAN vendors have taken the initial steps
towards this goal with the development of TKIP (Temporal
Key Integrity Protocol). TKIP is essentially an enhancement
of WEP that can be rapidly brought to the market to
address the concerns over security that are inhibiting
WLAN sales. A software upgrade that can be implemented
in current WLAN products, TKIP offers a number of improvements
to the WEP algorithm. These include lengthening the
key, redefining the algorithm so that the key
can be frequently changed (in WEP the key is always
the same) and providing additional security at the packet
level. The industry is fast-tracking TKIP and the specification
was completed by the end of January 2002. WECA, which
is responsible for testing the interoperability of WLAN
products, expects to complete its tests by the second
half of 2002, after which a number of vendors, including
Nokia, plan to launch commercial products.
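
An added example, not part of the original article: it contrasts an RC4 key that is the same for every frame with a key that changes per frame, the improvement the paragraph above attributes to TKIP. The key and frames are constructed, and the SHA-256 derivation is an assumed stand-in, not TKIP's actual key-mixing function.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then XOR the data with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def static_key_encrypt(shared_key: bytes, frame: bytes, seq: int) -> bytes:
    """Assumed model of the static case: every frame uses the same RC4 key."""
    return rc4(shared_key, frame)

def per_frame_key_encrypt(base_key: bytes, frame: bytes, seq: int) -> bytes:
    """Stand-in for per-packet keying: a fresh RC4 key per frame counter.
    SHA-256 is used for illustration only; it is not TKIP's mixing function."""
    frame_key = hashlib.sha256(base_key + seq.to_bytes(6, "big")).digest()[:16]
    return rc4(frame_key, frame)

def leaks_plaintext_xor(encrypt, key: bytes, frame_a: bytes, frame_b: bytes) -> bool:
    """True if XOR of the two ciphertexts equals XOR of the two plaintexts,
    which happens exactly when both frames shared one keystream."""
    c_a = encrypt(key, frame_a, 0)
    c_b = encrypt(key, frame_b, 1)
    return xor(c_a, c_b) == xor(frame_a, frame_b)

# Constructed sample data: a 40-bit (5-byte) key and two equal-length frames.
KEY_40_BIT = bytes.fromhex("0102030405")
FRAME_A = b"GET /payroll HTTP/1.0"
FRAME_B = b"GET /index.h HTTP/1.0"

if __name__ == "__main__":
    for name, fn in (("static key", static_key_encrypt),
                     ("per-frame key", per_frame_key_encrypt)):
        print(name, "leaks plaintext XOR:",
              leaks_plaintext_xor(fn, KEY_40_BIT, FRAME_A, FRAME_B))
```

With a static key the keystream cancels out of the two ciphertexts, so traffic structure is exposed without the key ever being recovered; changing the key per frame removes that relationship.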
A new standard
The next step in addressing the issue of WLAN security
is the creation of a new standard and this work is being
undertaken by the IEEE 802.11 Task Group I. As their
starting point in this work, the committee selected
802.1x, a security system originally defined for use
in wired Ethernet networks. Widely used throughout the
IT industry, 802.1x is implemented in Microsoft's
latest operating system, Windows XP.
Using 802.1x as the basis, the Task Group has defined
a completely new security framework, IEEE 802.11i, that
specifies enhanced security features for WLAN networks.
These features include a new upper layer authentication
framework based on 802.1x, a key distribution system,
enhanced packet security and a new encryption algorithm
known as AES (Advanced Encryption Standard). TKIP is
part of IEEE 802.11i and can be used with the new authentication
architecture, 802.1x.
A major advance within 802.11i over the previous system
is that it offers a variety of different authentication
mechanisms. Users can negotiate with the network as
to which mechanism they wish to use, and it can all
be done from one PC; no additional hardware or software
is needed for the different mechanisms.
Authentication can be through certificates, through
user name and password or by SIM card.
The SIM approach
The SIM authentication approach is of particular interest
to mobile operators and is being strongly supported
by Nokia. Using the SIM mechanism, mobile operators
can extend their offer into the WLAN arena and can give
their subscribers the option of using the same SIM card
for both GSM and WLAN access. This will enable operators
to utilise their existing billing and customer management
systems to support these new WLAN users. As no new investment
is required, offering WLAN services will provide a completely
new, and virtually free, revenue stream. Nokia and Ericsson
have co-authored an IETF contribution on the SIM authentication.
Interestingly, 3GPP, which has the responsibility for
developing the 3G standard, is carrying out system requirement
work. It is likely in the future that it will be possible
to use the 3G SIM as an authentication device in WLAN
networks.
In summary, the 802.11i standard defines a new security
architecture for WLANs which addresses all the concerns
which have been expressed by the user community. It
offers a very high level of security, an enhanced key
management process and is usable in both corporate and
public access applications. The specification of 802.11i
will be complete by the end of 2002 and products will
be available in 2003. 802.11i products will be available
from Nokia in 2002.
(The author is Technology Manager Standards, Nokia)

The Nokia D211 is a multimode radio card
for your compatible portable computer that enables network
access through GPRS, HSCSD, or wireless LAN networks.
Simply choose the network type that gives you the fastest
available connection - and you're on! Browse the
web and send & receive e-mails while on the move.
You can even send text messages and faxes. And the leading-edge
technologies of the Nokia D211 are hidden behind an
easy-to-use graphical user interface.
STAY ALWAYS-ON
While you're outside the office, GPRS connection
enables instant access from your compatible laptop.
You can send and receive e-mails, browse the Internet
and access those services that you use back at your
office. You don't need to wait until you get back
to get things done. You can do them right away. Quickly,
easily and conveniently, with an always-on
connection.
DO IT EVEN FASTER
In a wireless LAN network you can get up to 11 Mbit/s
speed, which is suitable for large file downloads, reading
e-mails with attachments, viewing video from an Internet
page, or for mobile video conferencing. Within wireless
LAN coverage you can do the same things as with fixed
LAN in your office or home ADSL. Wireless LAN networks
are currently available in selected airports, Internet
cafés, hotels, ski resorts, and company offices.
SMS AND FAX WITH YOUR LAPTOP
The Nokia D211 has a text messaging application, which
allows you to send text messages with your laptop. You
can also SMS chat with your colleagues and friends.
And now you don't need to go to your office to
send faxes. You can send and receive them on your laptop
while travelling.