New encryption technology closes WLAN security loopholes
Arnold G. Reinhold
reinhold at world.std.com
Fri Sep 21 18:22:17 EDT 2001
At 10:34 AM -0400 9/20/2001, Perry E. Metzger wrote:
>"R. A. Hettinga" <rah at shipwright.com> writes:
>> [1] "New encryption technology closes WLAN security loopholes"
>> Next Comm has launched new wireless LAN security technology called
>> Key Hopping. The technology aims to close security gaps in Wired
>> Equivalent Privacy (WEP). It uses the MD5 (message digest, version 5)
>> algorithm that allows for rapid changes in encryption keys used, some
>> as often as every three seconds, denying hackers the time they need
>> to piece together an encryption pattern.
>
>We don't need a new proprietary technology. IPSec tunnels from the
>wireless node to the base station work just fine, and are actually
>secure on top of it!
>
This sounds a lot like a proposal I made to improve 802.11 WEP
security after the first round of attacks in February
(http://world.std.com/~reinhold/airport.html#wf1). I've been working on
updating the proposal in light of the Shamir et al. paper. One
difficulty is getting a good upper bound on the number of packets
transmitted per second. Nonetheless, it's clear that at least with
the 128-bit versions of 802.11b, you can get reasonable security by
frequent key changes. With 40-bit it's hard to avoid at least one
byte being compromised, which would reduce the problem to attacking a
32-bit encryption every few seconds. On the other hand, the original
40-bit WEP encryption could be brute forced with an office full of
desktop PCs.

As I understand things, and please correct me if I am misinformed,
IPSec is still quite complex to install and set up. Many 802.11b users
are individuals or small offices. Until IPSec is user-friendly enough
for them, a solution that restores WEP to a reasonable level of
privacy is worthwhile.

While we are on the topic, it seems to me that the other implication
of 802.11 is that the Ethernet backbone in most offices can no longer
be considered secure. It is too easy for someone to install an 802.11
base station without permission inside the corporate firewall. It may
be that the only way to maintain corporate security is for every
computer in an organization to use IPSec, with keys authorizing
connection to the network transmitted out-of-band (e.g. by hand).

Arnold Reinhold
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com