On the way: 802.11i and WPA2

Communications News, June, 2004 by Jim Burns

802.11i is the latest standard for 802.11-based wireless LAN security. WPA2 is the Wi-Fi Alliance certification program, based on equipment and software support for what the Alliance considers to be the mandatory features of 802.11i.

The features in IEEE 802.11i and WPA2 are virtually identical. The two most important features beyond WPA to become standardized through 802.11i/WPA2 are: pre-authentication, which enables secure fast roaming without noticeable signal latency; and the use of the CCMP cipher suite in place of TKIP. CCMP is based on the AES cipher. AES yields the high level of data privacy required by some enterprises, government agencies and other organizations. CCMP support is mandatory in both the 802.11i specification and WPA2. Pre-authentication will be optional for both 802.11i and WPA2.

WPA2 certification comes in two flavors: WPA2-enterprise and WPA2-personal. The former includes the full set of WPA2 requirements, with support for RADIUS/802.1X-based authentication and preshared key (PSK). The latter is for small business and home environments and includes just the use of a PSK.

The Wi-Fi Alliance recognizes that some users will implement WPA2 in a "WPA2-only" mode and that some organizations will implement using mixed mode (WPA2 and WPA) access points. This means that equipment supporting WPA2 must be backward compatible with WPA. WPA2/WEP mixed modes are not allowed by WPA2, however, due to security concerns with WEP.

Although 802.11i and WPA2 are basically the same, they provide for some differences due to their respective roles in the industry. This means there are minor differences in the total set of mandatory features. "The key difference between WPA and 802.11i is the support that the latter will give for fast roaming," says Robert Moskowitz, senior technical director, ICSA Labs and a voting member of the 802.11i task group. "When enterprises begin to look at wireless voice, they are going to need that functionality to prevent signal latency and the dropping of the voice content when roaming. WPA is ready for enterprise use, but lacks certain finishing items, which are in 802.11i. So, 11i provides a more current code set and the ability to do wireless voice."

The major industry groups involved in WLAN security are the IEEE, IETF (Internet Engineering Task Force) and the Wi-Fi Alliance. IEEE and IETF are true standards bodies, whereas the Wi-Fi Alliance is an advocacy group that advances the use of wireless LANs through interoperability certification programs. This means that the Wi-Fi Alliance mandates the interoperability between products in order to qualify for WPA2 branding.

Until early April 2004, pre-authentication was set to be mandatory for WPA2 certification by the Wi-Fi Alliance. Many of the hardware manufacturers, however, felt that it was still premature to make this support mandatory.

Ratification of 802.11i is expected to occur this year. WPA2 will go public shortly thereafter. Certification testing will begin soon after the 802.11i standard is ratified by IEEE. This will be an initial, non-mandatory testing period, to be followed in 18 months by the mandatory testing program.

In the short term, WPA, which requires only software upgrades from 802.1X to provide a reasonable level of security for WLANs, is likely to be sufficient to meet the security needs for most enterprises. Many organizations, however, feel the need for standards-based solutions. This includes those groups that have been waiting for 802.11i and its support for CCMP-AES in order to attain a high level of data privacy. In addition, as VoIP/WLANs become more economically attractive and hardware vendors begin supporting the pre-authentication feature of 802.11i, the standard will see additional pull-through for its adoption.

For more information from Meetinghouse: www.rsleads.com/406cn-256

This article was provided by Jim Burns, senior software developer for Meetinghouse, Portsmouth, N.H.

COPYRIGHT 2004 Nelson Publishing
COPYRIGHT 2008 Gale, Cengage Learning
 

Content provided in partnership with Thompson Gale