Of Supplicants and Keys: The Lowdown on Wi-Fi Security
Wireless security protocols have improved considerably, despite the lackadaisical attitude of most users towards their computer security. This is shocking I know, but remember these are the same people who never lock their doors, leave their keys in the car, and dump their kids on random strangers to babysit. But for those of us who care about security, the wireless world finally has some meaningful tools.
Road warriors must be especially careful. Public hotspots typically don't bother with WPA, or WEP, or anything security-related at all. It is is trivial to sniff an open wireless connection and perpetrate evil deeds like re-directing you to a fake WLAN login page, and then capture all of your secret stuff with ease.
I won't bore you with repeating why the obsolete WEP (define) is as secure as your average sodden paper sack. Let's leap right into the two important wireless security protocols, 802.1x and 802.11i. No wait, that will be our second leap. The first is a definition of the different relevant standards:
802.1x-2004 Port Access Control for all LANs
802.11i-2004 Security enhancements for all wireless LANs
802.11a-1999 High-speed wireless 5 GHz
802.11g-2003 High-speed wireless 2.4 GHz
802.11b-1999 Wireless 2.4 GHz
802.11i is also known as WPA2 (define), or Wi-Fi Protected Access, just to keep it interesting. WPA2 is easier to say, so let's stick with that.
There are two flavors of WPA: WPA and WPA2. WPA2 is the newest standard. Each one uses 128-bit encryption algorithms, and algorithm geeks engage in endless ferocious debates over their respective merits. WPA uses TKIP (Temporal Key Integrity Protocol), and WPA2 uses AES (Advanced Encryption Standard). WPA2 is a complete implementation of the IEEE's 802.1x standard for WLANs. (By now you're probably banging your head and going "aieeee" over all this acronym overload.) WPA2 devices also support WPA, so if you're buying new gear get WPA2. I wouldn't worry about replacing WPA devices, with one exception that you can read about under "WPA Gotchas."
Wireless Device Support
Wireless access points and network interface cards must support WPA/WPA2. Many WEP devices can be upgraded with new firmware or drivers, and WPA devices should be upgradeable to WPA2. Some can't. You're limited by the feeblest member of your WLAN, so if you have any old non-WPA/WPA2 compliant devices still floating around, they need to be upgraded or jettisoned. Most 802.11g devices should be fine, it's the a and b devices that are the likeliest to need upgrading or replacing.
New wireless-G interfaces are inexpensive, but even so don't be in a hurry to chuck those old 802.11a/b NICs, because many of them are upgradeable if you are canny and can find the firmware and drivers. If your vendor does not provide upgrades, try the radio chip manufacturer, like Hermes, Proxim, and Agere. Just run lspci to get this information, and remember you can query Windows PCs the same way with a Knoppix CD.
On March 16, 2006, the Wifi Alliance announced that all devices that want to carry the "Wi-Fi CERTIFIED" mark must support WPA2, so they will be easy to find. They also have an online database of supported products (see Resources, below).
Operating System Support
Linux support comes via device drivers and user-space applications like wpa-supplicant. Mac OS X users merely need to have the latest AirPort or AirPort Extreme software. Windows users, as usual, have a more interesting time of it.
Windows XP users need Service Pack 2 and the "Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) Update" (see Resources.) Users of other Windows versions are on their own. There are third-party supplicants available, for a fee naturally. Meetinghouse Data Communications' Aegis Client, and Funk Software's Odyssey Client are the two that get a lot of mentions, and will cost $40-$50 per user. Or, you may get lucky and your hardware vendor will include one with your wireless widgets.
What is this "supplicant" stuff? "Supplicant" is the official word in the standard, and all it means is WPA client software. It runs in the background and controls your wireless connections. Supplicant is an interesting word choice, with all of its overtones of humility and abasement. I'd rather have my computers humbly abase themselves, instead of me having to suckup to log into my own WLAN.
Personal or Enterprise WPA
A nice feature of WPA is you can choose from two levels of security, Personal and Enterprise. Personal is simple to implement, but it requires that all users be trustworthy. Everyone on the WLAN uses a shared key, which is the password, so they all share the same password. The key is entered into the router and all clients, and that's all it takes to set it up.
Enterprise mode requires a separate authentication server, like a RADIUS server. Enterprise mode is very flexible and should adapt to just about any existing authentication scheme.
The WPA2 standard is a good thing, as it provides strong encrypted authentication, access controls, and encrypted data traffic. But it does not provide end-to-end encryption, it only encrypts the traffic between your wireless NIC and whatever wireless access point you are connecting to. Anything upstream of that is not affected by WPA. So once you log into your LAN, traffic is sent in the clear. When you leap from there out to the Internet, don't feel all comfy and secure, because that is sent in the clear as well. Except, of course, for the usual application-specific encryption, such as HTTPS, SSH, and TLS-SSL.
For ordinary Web-surfing and email, this is probably not a big deal. But if you make a WAN connection to your remote company network, it likely is a big deal. So you'll still need VPN tunnels or some sort of separate security for those situations.
Some devices that support both WPA and WPA2 do so only in Personal mode.
Next week we'll look at how to configure both Personal and Enterprise WLANs using WPA2, and puncture some of the goofier wireless security myths.