Here's some good news - the Wi-Fi Protected Access 2 (WPA2) spec is finally with us, and the Wi-Fi Alliance has begun certifying compliant products. "Hurrah," I hear you shout, "finally we can have secure wireless networks."
Now the bad news, starting with the fact that WPA2 is not so much a standard as an interoperability stamp for wireless encryption and authentication technologies conforming to the IEEE's 802.11i spec.
This means we have one set of technologies with two names from two bodies. Moreover, WPA2 joins a confusing and growing list of similar measures, including the original WPA, with which WPA2 is supposed to be backwards compatible, and Wired Equivalent Privacy (WEP), with which it isn't.
Add to all that the fact that a lot of existing hardware won't support WPA2, and celebrations start to seem premature. Plus it's important to note that the technologies involved only address a subset of most people's wireless security worries.
Delve into recent history and the rationale becomes clearer, since the first stab at WPA was never meant to be a long-term solution. Rather it was introduced by the Wi-Fi Alliance to address perceived shortcomings of WEP, until 802.11i could be finalised. This would have been fine if it all hadn't taken so long, and if everyone had added WPA to their products. Unfortunately some vendors didn't bother, especially for older devices. On the plus side, where WPA support has been added, it's been relatively easy to install. In most cases a software download has been the only change required.
WPA2 isn't so straightforward, primarily because it tightens up security by using the Advanced Encryption Standard (AES), and this algorithm needs to be implemented in hardware if performance is not to suffer. Some wireless chipsets have this capability built in, but many don't.
Finding out whether your hardware supports WPA2 may be hard. Of course you could always ask the vendor, and certified products will be listed on the Wi-Fi Alliance web site. However, that list will take time to grow, since some vendors won't bother to get everything tested. To muddy the waters further, there are two implementations of WPA2.
WPA2-Personal uses simple pre-shared keys to encrypt data and does not require users to be separately authenticated. WPA2-Enterprise is for larger firms and uses an 802.1X framework and Extensible Authentication Protocol (EAP) to identify users, typically via a RADIUS server.
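As an added example (not part of the original article), this Python sketch shows how an auditor can tell the two flavours apart from the RSN information element an 802.11i access point puts in its beacons: the key-management suite says pre-shared key or 802.1X, and the cipher suites say whether only AES (CCMP) is accepted. The function names and the two sample elements are constructed for illustration.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")          # suite selectors defined by IEEE 802.11
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}   # CCMP is the AES mode
AKMS = {1: "802.1X", 2: "PSK"}

def _suite(raw, table):
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if raw[:3] != RSN_OUI:
        return "vendor-specific"
    return table.get(raw[3], f"unknown({raw[3]})")

def _suite_list(body, off, table):
    """Decode a 2-byte little-endian count followed by that many selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    return [_suite(body[i:i + 4], table) for i in range(off + 2, end, 4)], end

def parse_rsn(ie):
    """Parse an RSN element (ID 48); assumes group, pairwise and AKM fields are present."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 6:
        raise ValueError("truncated RSN element")
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akms, _ = _suite_list(body, off, AKMS)
    return {"group": _suite(body[2:6], CIPHERS), "pairwise": pairwise, "akm": akms}

def classify(ie):
    """Return (mode, aes_only): which WPA2 flavour is advertised and whether only AES is accepted."""
    info = parse_rsn(ie)
    mode = ("WPA2-Enterprise" if "802.1X" in info["akm"]
            else "WPA2-Personal" if "PSK" in info["akm"] else "other")
    return mode, info["pairwise"] == ["CCMP"] and info["group"] == "CCMP"

# Constructed sample elements (not captured from any real network).
PERSONAL_AES = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
ENTERPRISE_MIXED = bytes.fromhex("30180100000fac020200000fac04000fac020100000fac010000")

if __name__ == "__main__":
    for name, ie in (("personal", PERSONAL_AES), ("enterprise", ENTERPRISE_MIXED)):
        print(name, classify(ie))
```

An access point that still lists TKIP next to CCMP, as the second sample does, is accepting the older cipher as well as AES.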
Finally, don't assume that by implementing WPA2 you will have a wireless network as secure as your wired LAN. There are still plenty of other vulnerabilities to worry about, such as the possibility of "rogue" access points.