Better Than WEP
Will concern over the inherent vulnerability of wireless
and inadequate security measures erode consumer confidence in wireless
LANs? Not if the WECA and the IEEE can stop it.
The IEEE 802.11 Task Group is making rapid progress on a trio of security
improvements
for "legacy equipment". Known collectively as the Temporal Key Integrity
Protocol (TKIP), these measures are intended to quickly fill the gaping
hole left by Wired Equivalent Privacy (WEP).
According to a recent Information Security magazine survey,
74 percent of the information technology (IT), networking, and information
security practitioners polled are "very concerned" about the security
of corporate wireless networks. Vendors are hoping that TKIP will keep
the 802.11b market going strong until heavy-duty security becomes available
late next year on next-generation 802.11g platforms.
"The advantage is that [TKIP] can be deployed quickly," said Kim Getgen,
RSA BSAFE product marketing manager. "Vendors can patch their existing
implementations. The IEEE will adopt other algorithms in the future, but
this solves the immediate business problem of being able to distribute
a privacy solution."
"We see TKIP as critical for consumers," said Dennis Eaton, Chairman
of the Wireless Ethernet Compatibility Alliance (WECA). "WECA is very much in favor
of TKIP and we plan to include it in our interoperability test program
as soon as possible." WECA hopes to begin verifying product compatibility
in 3Q02.
A three-part fix
December press releases drew public attention to "fast-packet keying",
a key-hashing function proposed to the IEEE by Russ Housley from RSA and
Doug Whiting of HiFn.
But key-hashing solves only part of the problem. To overcome pitfalls
that crippled WEP, key-hashing must be combined with a real message integrity
check to prevent forgery and replay, and dynamic key management (rekeying)
to keep the ball rolling.
In the current proposal, wireless endpoints begin with a 128-bit shared
secret, referred to as a temporal key (TK). The transmitter's MAC address
is mixed with TK to produce a Phase 1 key. The Phase 1 key is then mixed
with an initialization vector (IV) to derive per-packet keys. Each key
is used with RC4 to encrypt one and only one data packet. "This defeats
the attacks based on the weaknesses in the key scheduling algorithm of
RC4 identified by Fluhrer, Mantin and Shamir," said Dorothy Stanley, Agere
Systems.
Why stick with RC4? RC4 is a stream cipher commonly used by SSL, where
TCP connections prevent packet loss. However, WEP operates at the link
level in networks where loss is common. Ultimately, the IEEE is expected
to use the Advanced Encryption Standard (AES), a more appropriate cipher
for wireless. Unfortunately, AES requires considerably more horsepower
than most existing 802.11b cards provide. Keeping RC4 for now means that
TKIP can be deployed in firmware updates instead of new chipsets, protecting
consumer investment in 802.11b gear.
RSA has already implemented fast-packet keying, said Getgen. "It is available
now in professional services, and will be available soon in BSAFE [an
RSA SDK]." Given their proactive involvement in TKIP standards, Agere
and Cisco may be among the first 802.11b vendors to make TKIP upgrades
available to consumers.
Freshness counts
According to Jerry Wang, NextComm chief executive officer, today's WEP keys
can be reversed in as little
as 15 minutes. "To solve this, you need to do two things. You need to
build [encryption] code that is as tight as possible. And you need to
change keys frequently enough to defeat key reversal," said Wang.
Lack of key management is why most 802.11b products now rely on manually
configured keys. Several vendors ship proprietary solutions for dynamic
key management. NextComm's approach is "key hopping": short-lived keys
derived by hashing a shared value with session seeds. "By the time we
were finished developing our chipset, others in the industry agreed that
WEP keys were a problem that needed fixing," said Wang. "Our strategy
is to comply with standards, including 802.11i. But key hopping is available
today for those people who want to use it now."
In fact, the IEEE has long been laboring to find a robust, secure key
management solution for wireless LANs. Keys, sequence spaces, and replay
windows must all be resynchronized frequently without degrading performance
or preventing roaming between access points. As it turns out, this challenge
must be answered not only in long-term 802.11i standards, but also in
the near-term fix for legacy systems.
To avoid key reuse, temporal keys must be changed frequently. How frequently
depends upon the packet rate. For example, an access point handling 1900
packets per second would need to be rekeyed every 34 seconds. Clearly,
this requires a highly efficient rekey exchange. According to Housley,
IEEE 802.1x (a framework for authenticated MAC-level access control) will
be used to manage temporal keys. "The details associated with key management
are still being worked out," said Housley.
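Added example (not from the original article, RSA, or the IEEE proposal): a Python sketch of the two-phase per-packet key derivation described under "A three-part fix" and of the rekey requirement in the paragraph above. SHA-256 stands in for the proposal's actual mixing function, the 16-bit IV width is an assumption chosen because it matches the 1900 packets per second and 34 second figures, and the names `phase1`, `per_packet_key`, `Sender` and `seconds_until_rekey` are illustrative.

```python
import hashlib

IV_BITS = 16  # assumed IV width; 2**16 / 1900 pkt/s is about 34 s, the article's figure

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def phase1(tk: bytes, transmitter_mac: bytes) -> bytes:
    """Mix the temporal key with the transmitter MAC (SHA-256 stand-in, not TKIP's mixer)."""
    return hashlib.sha256(b"phase1" + tk + transmitter_mac).digest()[:16]

def per_packet_key(p1k: bytes, iv: int) -> bytes:
    """Mix the Phase 1 key with the IV to get the RC4 key for exactly one packet."""
    return hashlib.sha256(b"phase2" + p1k + iv.to_bytes(IV_BITS // 8, "big")).digest()[:16]

class Sender:
    """Hands out each IV once and refuses to wrap; the caller must rekey instead."""
    def __init__(self, tk: bytes, transmitter_mac: bytes):
        if len(tk) != 16 or len(transmitter_mac) != 6:
            raise ValueError("expected 128-bit temporal key and 48-bit MAC")
        self.p1k = phase1(tk, transmitter_mac)  # computed once per temporal key
        self.next_iv = 0

    def encrypt(self, payload: bytes):
        if self.next_iv >= 1 << IV_BITS:
            raise RuntimeError("IV space exhausted: new temporal key required")
        iv, self.next_iv = self.next_iv, self.next_iv + 1
        return iv, rc4(per_packet_key(self.p1k, iv), payload)

def seconds_until_rekey(packets_per_second: float) -> float:
    """Time to consume every IV under one temporal key at a given packet rate."""
    return (1 << IV_BITS) / packets_per_second

if __name__ == "__main__":
    tx = Sender(bytes(range(16)), bytes.fromhex("020000000001"))  # constructed key and MAC
    print(tx.encrypt(b"hello"), tx.encrypt(b"hello"), round(seconds_until_rekey(1900), 1))
```

Because RC4 is symmetric, a receiver recovers the payload by running `rc4` again with the per-packet key derived from the same temporal key, transmitter MAC and received IV.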
Security is still job one
Despite pressure to quickly deliver, the IEEE must also make sure that
the legacy fix is secure. Failure to do so could further erode consumer
confidence. To that end, "the cryptographers that broke WEP have participated
in developing TKIP and are torture-testing it now," said WECA's Eaton.
Reviewers of the RSA/HiFn proposal include Ron Rivest, author of RC4,
and Scott Fluhrer, a member of the team that cracked the original WEP
key scheduling algorithm. "While it needs more cryptanalysis in the future
(very few things get enough cryptanalytic review), it should be good
for now," said Fluhrer.
Eaton is confident in TKIP because cryptographers' standards for robustness
are high. "For one thing, it was the cryptographers who pointed out that
a solution requires more than rekeying, which is why TKIP is now composed
of three elements and doesn't address just one part of the problem," said
Eaton. But Eaton also admitted "the traditional approach taken by cryptographers
is to propose a solution, let it bake for a while, and really kick the
tires. TKIP will not be time-tested in this manner."
Get ready to roll
Mix-and-match interoperability in the 802.11b market is due in part to
WECA's highly successful Wi-Fi branding program. Any protocol change has
potential to create interoperability ripples. To prevent that, WECA will
verify compatibility between TKIP implementations and backwards compatibility
with older WEP products.
"We have tentative plans to include [TKIP in our Wi-Fi branding program]
sometime in the third quarter," said Eaton. "This assumes the IEEE will
produce a stable draft in the first quarter. There is some possibility
that WECA may take the IEEE standard in draft form and do something with
that if our membership feels it is stable enough."
Backwards compatibility is essential to keep today's Wi-Fi market from
fragmenting. "TKIP should be backwards compatible - this is one of the
things that has caused the standard to take a little longer," said Eaton.
"For equipment that cannot be upgraded or that consumers for whatever
reason choose not to upgrade, TKIP should be implemented so that you can
always fall back to WEP." WECA plans to certify interoperability in both
modes.
Will it fly?
Naysayers argue that TKIP is too little, too late. Just throw away WEP
and start over with a new AES-encrypted encapsulation, some say. While
this argument has technical merit, it ignores the immediate business problem.
The industry needs time to find, agree upon, and validate robust security
protocols for wireless LANs. Ideally, this long-term, backward compatible
solution will coincide with equipment upgrades for 802.11g.
To buy time while keeping today's market strong, vendors must deliver
a fix that addresses consumer concern without adversely impacting performance,
interoperability, or investment in 802.11b gear. While it is a bit premature
to wave the finish flag, recent progress is promising. IEEE 802.11 TGi,
WECA, and the entire 802.11 vendor community are highly motivated to make
the WEP problem go away as quickly and painlessly as possible. With so
many players working together, TKIP has a pretty good shot at achieving
this goal.