RSA announces fix for wireless network security hole

[InfoSec News <isn () c4i org>]

http://www.siliconvalley.com/docs/news/svfront/049744.htm

Monday, Dec. 17, 2001 

SAN FRANCISCO (Reuters) - RSA Security Inc. Monday will announce new
technology designed to improve the security of wireless networks used
within buildings and protect them from so-called ``drive-by hacks.''

Bedford, Massachusetts-based RSA and Hifn of Los Gatos, California,
have developed a technology patch for the Wireless Equivalent Privacy
(WEP) protocol designed to encrypt communications transferred over
standard 802.11 wireless networks.

Such networks are growing increasingly common within corporations,
warehouses and government offices for laptops and handheld devices
where users need mobility.

``If you are running a wireless LAN (local area network), if someone
was sitting in the parking lot with the correct software and a
(wireless network) scanner they could pick up information flowing over
the network,'' said Mike Vergara, director of product marketing at
RSA. ``They could read all the traffic.''

The current WEP implementation is flawed in that it uses encryption
``keys'' or codes for hiding data that are too similar to each other,
making it relatively easy for someone to figure out the keys, Vergara
said.

There are tools, such as AirSnort, which surreptitiously grab data
moving across wireless networks and analyze it to decode the
encryption, he said.

FAST PACKET KEYING

The new technology, called Fast Packet Keying, ``enables you to
encrypt each packet of data with a different key,'' Vergara said.

The technology has been approved by the Institute of Electrical and
Electronics Engineers (IEEE) standards body as an addendum, or patch,
to the 802.11 standard, he said.

Device makers are upgrading their software, according to Vergara, but
he didn't know when the patches would make it into devices out in the
market.

The patch only addresses the known security vulnerability and does not
address any new holes that might crop up, Vergara conceded.

For that reason, Avi Rubin, a computer security researcher at AT&T
Labs, suggested researchers develop wireless technology using the new
Advanced Encryption Standard (AES), approved by the U.S. government.

AES, which is exponentially more difficult to crack than its
predecessor, is expected to become the standard for securing Internet
communications over the coming years.

Using AES would require new wireless network cards, said Rubin, who
was among the first to discover a way to crack the WEP protocol.

``Band aid approaches may be necessary for the short term,'' he said.  
But ``for the next generation of (wireless network) cards they should
throw everything away and design something with AES.''



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.