With wireless access points proliferating into hotels, airports and convention centers, there is a real need for security enhancements that will make the corporate world more confident in Wi-Fi technology, says Yankee Group wireless/mobile services director Roberta Wiggins. "Enterprises are currently hesitant on extending employee access into the public Wi-Fi arena," she told NewsFactor.

At least part of that hesitancy is due to the low expectations engendered by the notoriously flawed WEP (wired equivalent privacy) security standard. Reacting to a barrage of criticism, the Wi-Fi Alliance now is promoting the use of a new technology called "WPA," or Wi-Fi protected access. But does this new security measure have what it takes to foil the network-busting activities of hackers? Some wireless-security experts are suggesting -- albeit, cautiously -- that it might.

"One of the fundamental problems with WEP is that it used static keys that could be identified and compromised by a hacker," Wi-Fi Alliance managing director Frank D. Hanzlik told NewsFactor. However, WPA "uses a dynamic key structure under which the key is always changing. This makes it very, very difficult to compromise. That was the fundamental problem, and that's what WPA addresses," he said.

Locking Up Network Security

Initially shared among communicating terminals, the electronic security key is based on a special set of mathematical algorithms that must reside within the decoder's circuitry before any encrypted data can be recovered. Hackers can figure out WEP security keys by intercepting and analyzing large amounts of data -- but that takes time. WPA replaces WEP's static security key with a secret temporal key (TK) that dynamically changes after just 10,000 packets are transmitted. By altering the encryption keys every five minutes or so, the WPA-enabled Wi-Fi network already has a new code by the time any hacker manages to crack the old one.
The new Wi-Fi security technology also advances beyond WEP by offering different systems for handling LAN access control. In addition, WPA includes a special pre-shared key mode that addresses the security requirements of Wi-Fi systems for home and small-business applications.

Transition to 802.11i

WPA makes use of a new electronic key-management construct, the temporal key integrity protocol (TKIP), which initially was developed for deployment in a new IEEE wireless security standard called "802.11i," which is expected to reach its final form later this year. But, with software for hacking the old WEP security system circulating around the Internet, the Wi-Fi Alliance could not afford to wait.

Though considered a short-term solution, WPA is aligned with the longer-term direction of the forthcoming IEEE 802.11i standard, said Hanzlik -- including TKIP for encryption -- as well as with the IEEE 802.1x protocol for controlling entry to both wired and wireless LANs.

"We looked to 802.11i and found many elements that were good and wrapped our own WPA around those," said Hanzlik, "and [we] will follow up next year with a follow-on solution called 'WPA 2.0' that will provide full coverage of the 802.11i standard."

The Wi-Fi Alliance managing director also pointed out that WPA is entirely software-based, which means that the technology can be quickly and economically added to any access point or client device without requiring any hardware changes.

Weighing Network Options

For many IT managers, the question is not whether WPA is better than WEP -- that almost goes without saying -- but whether it is a sufficient improvement to justify taking a corporate network wireless sooner, rather than later. Would it make more sense to wait for the new 802.11i standard, which calls for the adoption of the AES (advanced encryption standard) encryption and authentication mechanism? Not necessarily.
"TKIP should provide a robust encryption framework for the next few years," said Gartner vice president of mobile computing Ken Dulaney. Nevertheless, he acknowledged that every security system should be regarded as potentially hackable. "Eventually, the hackers will have enough horsepower to break in, and then we'll really need AES," he said. But that concern should not deter companies from making use of WPA in the interim, advises Dulaney. "Companies such as Intel (Nasdaq: INTC - news) and Microsoft (Nasdaq: MSFT - news), who are very concerned about security, now have their own Wi-Fi networks," he notes. "Every company has to assess the magnitude of the threat against the cost of the response. I believe, today, that no one should have an excuse for not using wireless LAN -- because it can now be made secure." Now and Later The move to AES will require changes on both the hardware and software sides, says Hanzlik. The Wi-Fi Alliance will be introducing follow-on WPA 2.0 technology next year that will support both WPA 1.0 and the AES. "AES is recently developed and very, very robust," Hanzlik says. "It should ensure that nets that employ it will have a very strong degree of security." More than twenty new WPA-certified products for plugging previously exploited security holes currently are available from such companies as Broadcom (Nasdaq: BRCM - news), Cisco Systems (Nasdaq: CSCO - news), Dell (Nasdaq: DELL - news), Hewlett-Packard and Intel. Products include access points as well as external and internal Wi-Fi cards. For networks that require the highest possible level of security, a variety of proprietary third-party systems are designed to "ride on top" of a standard Wi-Fi transmission. In addition, several Wi-Fi manufacturers have developed proprietary encryption technologies for their products that can further enhance network security. |