Access Denied: Understanding Wireless-Security Protocols

What's the relationship between 802.11, Wired Equivalent Privacy (WEP), 802.1x, Wi-Fi Protected Access (WPA), and 802.11i?

WEP is the optional encryption feature for the 802.11 family of wireless standards. WEP originally depended on a static shared secret that you had to configure on each Access Point (AP) and wireless client on your network. That design immediately made wireless traffic subject to all the key-distribution and -management risks associated with manually configured shared secrets. For example, WEP doesn't require that keys be changed, and all wireless devices and APs typically share the same key. Moreover, in contrast to better protocols that rekey packets after a certain number of bytes or a specified period of time, WEP has serious key-management problems that let attackers who capture and analyze wireless packets over a relatively short period of time figure out the encryption key used, then decrypt all traffic on the wireless network. Consequently, the Wi-Fi (802.11b wireless standard) industry decided to integrate support for an existing standard, 802.1x, into 802.11.

802.1x (Port Based Network Access Control) provides a secure way to control access to a wired or wireless network. 802.1x uses Extensible Authentication Protocol (EAP) to authenticate the network client, then provides dynamic encryption-key management. With WANs that use 802.1x, the wireless client (called the supplicant in 802.1x terminology) authenticates through the AP (called the authenticator) to a Remote Authentication Dial-In User Service (RADIUS) server (called the authentication server). Because EAP supports any kind of authentication method and the AP is just a middleman, you can use any kind of authentication with 802.1x that your combination of wireless clients and authentication server supports. If you have Windows clients and use Windows Server 2003's Internet Authentication Service (IAS) to implement your RADIUS server, you can integrate your WAN with your Active Directory (AD) forest and control WAN access based on member computer or user credentials—you don't need extra credentials or shared-secret management. For information about configuring such an environment, see the Windows & .NET Magazine article "A Secure Wireless Network Is Possible," May 2004, InstantDoc ID 42273.

Although support for 802.1x mitigates the worst of 802.11's vulnerabilities, some weaknesses remain, including the fact that broadcast and multicast traffic encryption keys aren't changed regularly as well as a vulnerability in how 802.11 handles integrity checking for unicast traffic. To address these problems, the IEEE is working on 802.11i, which should be ratified this year. Until then, the Wi-Fi industry has implemented wide support for an interim solution called WPA. WPA continues to use 802.1x and addresses 802.11's remaining problems. For small networks that don't have a RADIUS server, WPA supports passphrase authentication, which is basically a shared secret. As you'd expect, using WPA with passphrase authentication introduces other vulnerabilities, such as users choosing short, simple passphrases that attackers can guess or crack. If you opt for WPA shared- secret authentication, make sure you use a random passphrase of at least 20 characters and limit knowledge of the passphrase.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.