Understanding Public Key Cryptography

802.11’s Wired Equivalent
Privacy
(WEP) encryption uses symmetric, private keys,
which means both the end user’s radio-based network interface card (NIC) and
access point must have the same key. This leads directly to significant difficulties
involved with distributing new keys to each NIC periodically. As a result, keys
remain unchanged on networks for months. With stagnate keys, tools such as Airsnort
and WEPCrack can break through
the relatively weak WEP encryption mechanisms in no time at all.

Because of the key reuse problem and other flaws,
the current standardized version of WEP does not offer strong enough security
for most corporate applications. Newer security protocols, such as 802.11i and
Wi-Fi Protected
Access
(WPA), however, utilize public key cryptography techniques in order to provide effective authentication and encryption between users and
access points.

The Basics

Public key cryptography uses asymmetric keys, with
one that is private and another one that is public. The private key is (as the
name implies) kept secret; the pubic key can be known by anyone. This enables
more effective encryption and authentication mechanisms.

A set of public and private keys match from a cryptographic
standpoint. For example, the sending station (e.g., NIC or access point) can
encrypt data using the public key, and the receiver uses the private key for
decryption. The opposite is also true. The sending station can encrypt data
using the private key, and the receiving station decrypts the data using the
public key. Let’s take a closer look at each of these modes.

Securing Data

If the goal is to encrypt data, the sending station
will use a public key to encrypt the data before transmission. The receiving
station uses the matching private key to decrypt the data upon reception. Each
station keeps their private key hidden in order to avoid compromising encrypted
information.

Public key cryptography works effectively for encrypting
data because the public key can be made freely available to anyone wanting to
send encrypted data to a particular station. A station that generates a new
private key can distribute the corresponding public key over the network to
everyone without worry of compromise. Thus, the public can be posted on a Web
server, sent unencrypted across the network, etc.

Some security protocols distribute a new WEP key
periodically to a station by encrypting it first with the receiving station’s
public key. The receiving station uses its secret private key to decrypt the
encrypted WEP key and then begin using the new WEP key for encrypting data frames.

Mutual Authentication

In addition to protecting information from hackers, stations can use public
key cryptography to authenticate themselves to other stations or access points.
This may be necessary before an access point or controller allows a particular
station to interface with a protected side of the network. Likewise, the client
can authenticate the access point in a similar manner.

A station authenticates itself by encrypting a string of text within a packet
using its private key. The receiving station decrypts the text with the sending
station’s public key. If the decrypted text matches some predetermined text
(e.g., the station’s name), then the receiving station knows that the sending
station is valid. The encryption of a particular string of text acts as a digital
signature.

Stay tuned: In future tutorials, I’ll discuss how various security protocols
implement public key cryptography.

Jim Geier provides independent consulting services to companies developing
and deploying wireless network solutions. He is the author of the book,
Wireless
LANs
and offers computer-based
training (CBT) courses
on wireless LANs.

Join Jim for discussions as he answers questions in the 802.11 Planet Forums.

News Around the Web