Wireless LAN – WLAN
BAT54-Rail/F.. Release 7.54 06/08
3.2 Development of WLAN security
3.2.3 WEPplus
As explained in the previous section, the use of 'weak' IV values was the
problem which weakened the WEP process most. A first 'quick shot' to secure
WLANs against this kind of program was the simple notion that the weak IV
values are known, and that they could simply be skipped during encryption.
Since the IV used is after all transmitted in the packet, this procedure
would be completely compatible with WLAN cards which didn't understand
this extension, dubbed WEPplus. A true improvement in security would
naturally only result once all partners in the WLAN were using this method.
In a network equipped with WEPplus, a potential attacker again has the
chore of listening to the entire data traffic and waiting for IV
repetitions; simply waiting for the few packets with weak IVs is no longer
an option. This raises the bar for an attacker once again. Objectively
speaking, WEPplus is a slight improvement: it is suitable for home use,
provided that the key is reconfigured often enough. For use in a
professional environment, however, this is not sufficient.
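The IV-skipping idea of this section as an added example; it is not code from this manual or from any vendor's WEPplus firmware. It assumes the weak class is the published form (B+3, 0xFF, X) for secret-key byte index B, and the names is_weak_iv, WepPlusIvCounter and usable_iv_count are hypothetical.

```python
# Added example: WEPplus-style IV selection (illustrative, not vendor code).
IV_SPACE = 1 << 24  # WEP IVs are 24 bits wide


def is_weak_iv(iv: bytes, key_len: int) -> bool:
    """Assumption: weak IVs have the published form (B+3, 0xFF, X), where
    B is the index of a secret-key byte (0 <= B < key_len)."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len


class WepPlusIvCounter:
    """Sequential IV source for the sender that skips weak values."""

    def __init__(self, key_len: int, start: int = 0):
        self.key_len = key_len          # 5 for WEP-40, 13 for WEP-104
        self.value = start % IV_SPACE

    def next_iv(self) -> bytes:
        while True:
            iv = self.value.to_bytes(3, "big")
            self.value = (self.value + 1) % IV_SPACE   # counter still wraps
            if not is_weak_iv(iv, self.key_len):
                return iv


def usable_iv_count(key_len: int) -> int:
    """IVs left after filtering: one block of 256 removed per key byte."""
    return IV_SPACE - 256 * key_len


if __name__ == "__main__":
    # Constructed start value just below the first weak block for WEP-104.
    ctr = WepPlusIvCounter(key_len=13, start=0x03FEFF)
    print(ctr.next_iv().hex(), "->", ctr.next_iv().hex())
    print(usable_iv_count(13), "distinct IVs remain; reuse is unavoidable")
```

Only the sender's choice of IV changes; a receiver reads the IV from the packet as before, which is why unmodified cards stay compatible. The remaining IV space is still finite, so IV repetition under a fixed key is not removed.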
3.2.4 EAP and 802.1x
Obviously, an 'add-on' like WEPplus can't eliminate the basic problem of
too-short IVs without changing the format of packets on the WLAN, thus
rendering all existing WLAN cards incompatible. There is, however, a
possibility of solving several of our problems with one central change: no
longer using the formerly fixed WEP keys, but negotiating them dynamically
instead. The Extensible Authentication Protocol (EAP) has emerged as the
process to be used for this purpose. As the name suggests, the original
purpose of EAP is authentication, that is, the regulated access to a WLAN;
the possibility of installing a valid WEP key for the next session is more
or less a byproduct. Figure 2 shows the basic process of a session secured
by EAP.