How can companies ensure their customers’ privacy, and how can
corporations justify adding wireless networks, when the key component of
m-commerce security resembles a rowboat with a fast leak? Maybe
that’s why some people are calling RSA’s patch of Wired
Equivalent Privacy (WEP) too little, too late.
On Jan. 7, the IEEE committee overseeing WEP and 802.11 approved the
“fast-packet” keying fix RSA and Hifn proposed in December. Wireless
security took a major hit during 2001 when researchers revealed
signals protected by WEP could be easily intercepted and read,
putting in jeopardy the high-flying estimates for mobile commerce.
Rather than encrypting the whole stream under one key, RSA and Hifn
proposed encoding each packet with its own individual key, making it
more difficult for malicious hackers to use one packet to read the
entire stream of wireless data. But is fixing WEP enough for
consumers to feel safe?
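To illustrate why per-packet keys matter, the following added example (not code from the article or from RSA/Hifn) encrypts two constructed packets with plain RC4, first under one shared key and then under a hypothetical per-packet key derived by hashing the base key with the packet number; that derivation is a stand-in for illustration, not the actual fast-packet keying mix. The check shows that a shared keystream lets the XOR of two ciphertexts equal the XOR of their plaintexts, a relation the per-packet scheme removes.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (the stream cipher inside WEP): key schedule, then XOR keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Constructed sample values; not a real network key or real traffic.
BASE_KEY = b"constructed-wlan-key"
PACKETS = [b"GET /account HTTP/1.0", b"POST /login HTTP/1.0"]

def encrypt_shared_key(packets):
    """Every packet under the same key: the RC4 keystream repeats."""
    return [rc4(BASE_KEY, p) for p in packets]

def per_packet_key(base_key: bytes, seq: int) -> bytes:
    """Hypothetical per-packet derivation (assumption, not RSA/Hifn's mix):
    hash the base key together with the packet sequence number."""
    return hashlib.sha256(base_key + seq.to_bytes(4, "big")).digest()[:16]

def encrypt_per_packet(packets):
    """Each packet under its own derived key: keystreams no longer repeat."""
    return [rc4(per_packet_key(BASE_KEY, n), p) for n, p in enumerate(packets)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_reused(ciphertexts, plaintexts) -> bool:
    """Reviewer's check: if both packets used one keystream k, then
    c1 ^ c2 == (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2 over the common prefix."""
    c1, c2 = ciphertexts[:2]
    p1, p2 = plaintexts[:2]
    return xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    print("shared key leaks p1^p2:", keystream_reused(encrypt_shared_key(PACKETS), PACKETS))
    print("per-packet key leaks p1^p2:", keystream_reused(encrypt_per_packet(PACKETS), PACKETS))
```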
Bob Brace, a Nokia security expert, said users already see WEP “as a
weak security system” and compared patching WEP to closing the barn
doors after the horses have already left.
Frank Prince, senior wireless analyst at Forrester Research,
believes that although the fix to RSA’s RC4 algorithm addresses one known
problem with WEP security, the patch doesn’t solve future troubles.
Frost & Sullivan researcher Jose Lopez said any security solution
“should be interoperable and scalable as vulnerable points are likely
to multiply.”
Wireless LAN developer cyberPIXIE decided in December to include
the new government-approved Advanced Encryption Standard (AES) in its
suite of WLAN products.
The U.S. Commerce Department’s National Institute of Standards
and Technology (NIST) chose AES to replace the aging Data Encryption
Standard (DES) to protect unclassified personal and financial data.
How secure is AES? NIST says that a machine decoding one DES key per
second would take 149 trillion years to crack a 128-bit AES key. The
universe is estimated to be less than 20 billion years old.
Kimberly Getgen, Marketing Manager at RSA Security, said there is
some discussion that AES could be included in future 802.11
standards for wireless LANs.
“The critics are upset that RC4 was selected rather than AES,”
says Getgen. Noting AES was not available when 802.11 added WEP,
Getgen said “So when the committee recently looked to revise the
security in WEP they were looking for a solution which could be
implemented quickly and easily, allowing WLAN vendors to deliver a
patch for vulnerabilities.”
Prince said he saw no reason why AES could not be used in wireless
devices. He views the early call for AES to be included in
m-commerce security as a move which vendors hope will spur further
adoption. Already wireless security company Certicom said it will
incorporate AES into its proprietary WTLS+ protocols for wireless
phones.
AT&T security researcher Avi Rubin thinks the wireless industry
should adopt AES. “They should throw everything away” and use AES in
next-generation wireless networks, said Rubin.
Whatever algorithm is chosen in the next round to bolster WEP’s
security — RSA’s RC4 or AES — observers say its implementation will
be key. RSA’s Getgen says security experts should be involved from
the start, something they learned from WEP. Forrester Research’s
Prince said any fix should be sold as part of an 802.11 system and
questions whether IT managers will install a manual fix.
While the initial scare of ‘war-driving’ hackers and AirSnort WLAN
sniffers has subsided, wireless security will remain an issue in
2002. A survey by Information Security Magazine found 75% of network
security people “very concerned” about wireless security. Although
the Wireless Ethernet Compatibility Alliance reported that 73% of North
American corporations either already had WLANs or planned to deploy
them in the next 18 months, security remains the top factor causing
some firms to hesitate before embracing m-commerce.
Lopez and others believe that as wireless devices mature, so will the
level of security. Along with an enhanced WEP, analysts predict more
options will become available for protecting the future of mobile
commerce.