The Secure Wireless Technology

by nanggroe on August 29, 2011

Many people are working to improve the security of the WLAN. The main goal is to upgrade security functionality. Equally important, these efforts give the users and managers of wireless devices greater assurance. Here are three approaches that show promise for the future of the 802.11 WLAN.

nDosa

The future of secure WLAN may rest with products like the nDosa Access Point. nDosa Technologies introduced a secure wireless LAN technology based on its nESA (nDosa Enhanced Security Algorithm) that renders its signal invisible to would-be hackers and unauthorized observers and hence greatly reduces its vulnerability to hacking and intrusion. It should be noted, however, that although some determined hackers may still be able to observe the RF signal and monitor LAN activity over the air, it would be extremely difficult for them to break into the system (Kim & Shin, 2003). Like other WLAN solutions, it is scalable, upgradeable, flexible and customizable. nDosa secure WLAN users can access not only nDosa secure WLANs but also the standard WLANs deployed widely in public places or in highly secure areas. When the need arises to enhance the authentication or key management procedure, nDosa secure WLAN technology can be applied without alteration. Encryption algorithms and security solutions, in general, need to be upgraded continually because they are in a constant war against hackers. According to the literature, nESA is designed to make upgrades simple and easy.

Combining the proposed wireless LAN scheme with nDosa’s existing secure wireless LAN technology would not only render the system invisible even in the RF band, but also ensure that the system remains relatively impervious to break-ins even if the signal is detected. Implementing both security measures would provide the wireless LAN with the ironclad security that is necessary and appropriate for the defense of government applications and data.

WPA

Wi-Fi Protected Access is a specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems. Designed to run on existing hardware as a software upgrade, Wi-Fi Protected Access is derived from and will be forward compatible with the upcoming IEEE 802.11i standard (http://www.wi-fi.org/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf). WPA is a proactive response by the industry to offer an immediate and strong security solution. An inexpensive software upgrade is now available for installation on enterprise or SOHO WLANs. This solution is compatible across multiple vendors and can be configured with authentication servers or as a stand-alone. WPA is a subset of the 802.11i draft standard and will maintain forward compatibility.

Wi-Fi Protected Access was constructed to provide improved data encryption, which was weak in WEP, and to provide user authentication, which was largely missing in WEP. The improvements center on enhanced data encryption through the Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements including a per-packet key mixing function, a message integrity check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. Through these enhancements, TKIP addresses all of WEP’s known vulnerabilities.
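The Michael message integrity check named above, as an added example (not code from the original post or from any vendor): a Python implementation of the algorithm as specified in IEEE 802.11i, showing that the MIC depends on a secret 64-bit key, unlike WEP's unkeyed CRC-32. The function names, sample key and sample payload are constructed for illustration, and the input is a bare byte string, whereas TKIP also feeds the frame's destination and source addresses into the MIC.

```python
import hmac
import struct

MASK = 0xFFFFFFFF

def _rol(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK

def _xswap(x):
    """Swap the two bytes inside each 16-bit half of the word."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)

def _block(l, r):
    """Michael's mixing round: four rotate/swap, XOR and add steps."""
    for mix in (lambda v: _rol(v, 17), _xswap,
                lambda v: _rol(v, 3), lambda v: _rol(v, 30)):  # rol 30 == ror 2
        r ^= mix(l)
        l = (l + r) & MASK
    return l, r

def michael(key: bytes, data: bytes) -> bytes:
    """Return the 8-byte Michael MIC of data under a 64-bit key."""
    if len(key) != 8:
        raise ValueError("Michael key must be 64 bits")
    l, r = struct.unpack("<II", key)
    # Padding: one 0x5a byte, then 4 to 7 zero bytes up to a multiple of 4.
    padded = data + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _block(l, r)
    return struct.pack("<II", l, r)

def verify(key: bytes, data: bytes, mic: bytes) -> bool:
    """Receiver-side check, using a constant-time comparison."""
    return hmac.compare_digest(michael(key, data), mic)

# Constructed sample values (not real traffic or a real key).
SAMPLE_KEY = bytes.fromhex("0011223344556677")
SAMPLE_PAYLOAD = b"transfer 100 to account 42"

def tamper_detected(key=SAMPLE_KEY, payload=SAMPLE_PAYLOAD) -> bool:
    """True if the original verifies and a one-byte change is rejected."""
    mic = michael(key, payload)
    altered = payload.replace(b"100", b"900")
    return verify(key, payload, mic) and not verify(key, altered, mic)
```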

Table: Comparison Chart

| Feature | WEP | WPA | 802.11i | nDosa |
|---|---|---|---|---|
| Cipher | RC4 | RC4 | CTR-CCMP | nESA |
| Key Size | 40 bits | 128 bits encryption, 64 bits authentication | 128 bits | 128 ~ 256 bits |
| Key Life | 24-bit IV | 48-bit IV | 48-bit IV | 48-bit IV |
| Packet Key | Concatenated | Mixing Function | Not Needed | Mixing Function |
| Data Integrity | CRC-32 | Michael | CCM | CRC-32 |
| Header Integrity | None | Michael | CCM | nESA |
| Replay Attack | None | IV Sequence | IV Sequence | Encrypted IV |
| Key Management | None | EAP | EAP | EAP & any other methods |
| Header Encryption | None | None | None | nESA |
| Hidden Mode | None | None | None | Yes |

Enterprise-level user authentication via 802.1x and the Extensible Authentication Protocol (EAP): WEP has almost no user authentication mechanism. To strengthen user authentication, Wi-Fi Protected Access implements 802.1x and EAP. Together, these implementations provide a framework for strong user authentication. This framework uses a central authentication server, such as RADIUS, to authenticate each user before they join the network, and also employs “mutual authentication” so that the wireless user does not accidentally join a rogue network that might steal their network credentials.
