New encryption technology closes WLAN security loopholes

Arnold G. Reinhold reinhold at world.std.com
Fri Sep 21 18:22:17 EDT 2001 

At 10:34 AM -0400 9/20/2001, Perry E. Metzger wrote:
>"R. A. Hettinga" <rah at shipwright.com> writes:
>> [1] "New encryption technology closes WLAN security loopholes"
>> Next Comm has launched new wireless LAN security technology called
>> Key Hopping. The technology aims to close security gaps in Wired
>> Equivalent Privacy (WEP). It uses the MD5 (message digest, version 5)
>> algorithm that allows for rapid changes in encryption keys used, some
>> as often as every three seconds, denying hackers the time they need
>> to piece together an encryption pattern.
>
>We don't need a new proprietary technology. IPSec tunnels from the
>wireless node to the base station work just fine, and are actually
>secure on top of it!
>

This sounds a lot like a proposal I made to improve 802.11 WEP 
security after the first round of attacks in February. 
http://world.std.com/~reinhold/airport.html#wf1  I've been working on 
updating the proposal in light of the Shamir, et al, paper. One 
difficulty is getting a good upper bound on the number of packets 
transmitted per second. None the less, it's clear that at least with 
the 128-bit versions of 802.11b, you can get reasonable security by 
frequent key changes. With 40-bit it's hard to avoid at least one 
byte being compromised, which would reduce the problem to attacking a 
32-bit encryption every few seconds.  On the other hand, the original 
40-bit WEP encryption could be brute forced with an office full of 
desktop PCs.

As I understand things, and please correct me if I am misinformed, 
IPSec is still quite complex to install and setup. Many 802.11b users 
are individuals or small offices. Until IPSec is user friendly enough 
for them, a solution that restores WEP to a reasonable level of 
privacy is worthwhile.

While we are on the topic, it seems to me that the other implication 
of 802.11 is that the Ethernet backbone in most offices can no longer 
be considered secure. It is too easy for someone to install a 802.11 
base station without permission inside the corporate firewall. It may 
be that the only way to maintain corporate security is for every 
computer in an organization to use IPSec, with keys authorizing 
connection to the network transmitted out-of-band, (e.g. by hand).

Arnold Reinhold



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list