A Technical Comparison of TTLS and PEAP
Subject:   Weak Defense...But Getting Better
Date:   2003-12-18 11:50:10
From:   Trackback from anonymous2
Worried about your wireless network's default security? You should be. Wireless networks send their data in the clear through walls and ceilings, and can be picked up with sensitive antennas -- much more sensitive than the ones your equipment uses -- miles away. With this kind of transparency, you need to protect the data on your network, even if you're a casual home user. The only tool for consumers and small businesses until mid-2003 was the built-in WEP (Wired Equivalent Privacy) encryption that's required as part of the Wi-Fi certification program. But security experts have shown numerous flaws in WEP that prevent it from providing even a minimal reliable level of security for serious applications. Businesses had a strapped-together system they could use called 802.1X/EAP, but standardization for securing it (a separate problem), missing clients in older machines, back-end server requirements, and its reliance on WEP all prevented widespread adoption. Fortunately, in November 2002, the Wi-Fi Alliance, a group trade that certifies 802.11a, b, and g devices as interoperable, released an interim replacement for WEP and other aspects of Wi-Fi security that will change the landscape. This new standard is called WPA (Wi-Fi Protected Access). WEP's Weakness WEP's initial goal was to provide a level of security that conformed to the difficulty of tapping Ethernet network traffic. In the case of wired Ethernet, you would need physical access to a network to sniff packets and intercept data. WEP's minimal security should have met at least that level of protection. Unfortunately, WEP failed because of flaws in the conception and implementation of the protocol. Some of these flaws were a result of computational limits when the specification was being developed: the number crunching expected to be available on the Wi-Fi cards was orders of magnitudes lower than that available even in 1999. Other flaws had to do with then-current export restrictions on strong encryption, which limited one flavor of WEP to just 40 bits. Several articles appeared on Aug. 4, 2001, about an academic paper authored by notable encryption and security experts which that explained how insufficient randomness and insufficient key space meant that a cracker could sniff relatively few packets to crack a WEP key -- just a few million packets of data at most (or a few tens of thousands at least) using software that showed up a few days after the paper was released. The paper and subsequent...