Research has indicated that the perceived insecurity of wireless networks is a major inhibitor to further market growth. How the security problems affect the user depends on the user's goals and the type of network that the user is using or building. For example, community networks may be deployed to give away Internet access to the masses, and securing the network from end-user access is not a goal. However, from the opposite perspective, a wireless extension of an internal network at a bank or other financial institution will undoubtedly require strong user authentication to prevent unauthorized users, as well as strong privacy protection to keep information confidential. In the middle are commercial “hot-spot” networks which do not need to provide privacy protection, but do need to restrict use of the network to paying customers.
These examples make light of three of the most significant security concerns that plague wireless networks and, specifically Wireless Local Area Networks (WLANs). First, authenticity of users, i.e., making certain that only those users authorized to use the wireless network are allowed to use the network. Second, the privacy of the signal transmitted through the wireless link, i.e., making certain that the communications that are being wirelessly transmitted are not being intercepted, either intentional or unintentionally, by third parties. And third, the invisibility of the Access Points (APs) to unauthorized adapters.
Up until recently restriction of access to a wireless network in the IEEE (Institute of Electrical and Electronics Engineers) 802.11 standard WLAN communication was limited to one standardized provision that required implementing the Wired Equivalent Privacy (WEP) specification. Although WEP was the first serious attempt to fix the insecurity of wireless LANs, it was hampered from the beginning because it was designed during the era when the U.S. government prevented the export of cryptographic products with long key lengths. As such, WEP secret keys were initially limited to 40 bits, the longest, exportable key length allowed at the time. WEP was also limited by the complexity of 802.11 itself. The 802.11 MAC is quite complex and takes a great deal of processing power to run. The additional burden imposed by cryptography was too much for a number of early products, which simply chose not to implement WEP. In addition to limitations on the strength of the cryptography that could be used, WEP has always been an option feature of the standard. 802.11-compliant products are not required to implement WEP. Increasingly WEP gained acceptance as users became aware of the vulnerability of wireless networks and WEP provided the only viable option.
However, WEP does not provide for foolproof security protection of wireless networks. Detractors have argued that key reuse and weak message authentication plague WEP. In addition, WEP provides weaknesses of 802.11 access control mechanisms, even those based on WEP's cryptographic authentication. The weak message authentication aspect of WEP may make it possible to inject traffic into the wireless network. Subsequent long-key length versions of WEP were released, however, the inherent flaws in WEP were not due to short-key.
A flaw was discovered in the WEP “key scheduling algorithm” of the underlying cryptography, RSA's RC4 algorithm. The flaw determined that a number of RC4 keys were fundamentally weak, and would allow a passive listener to recover the secret WEP key simply by collecting a sufficient number of frames encrypted with weak keys.
While WEP was designed to provide both authentication of users and privacy of the signal transmitted, in actuality it provided limited security in both areas. To address the authentication problem, the 802.11 working group adopted the 802.1x standard, which provided “per-port user authentication”. It was designed to require user authentication before gaining network access. However, because it was designed for a wired network with fixed physical topology and the wireless network has a very different physical topology, it is much easier to inject messages into an authentication sequence or hijack authorized sessions in the absence of strong mutual authentication and integrity checks. Even with these flaws, 802.1x appeared to be a far better user-authentication solution than WEP.
IEEE 802.11i is yet another form of wireless security standardization. It takes 802.1x as its base and adds several features for wireless networks. The most notable addition is that 802.11i includes a key distribution framework, which should replace the static, manually-configured WEP key. 802.11i also allows the use of the AES encryption algorithm.
In addition to WEP, and 802.11i other recent innovations in wireless network security such as Dynamic WEP, Wi-Fi Protected Access (WPA) and the like have also been implemented. WPA provides improved encryption and simple, but robust, user authentication that even home wireless networkers are able to use. However all of the current security solutions currently available only address the first two issues mentioned above; (1) authentication of users and (2) privacy of the signal transmitted through the wireless link. In order to make WLANs as secure as their wired LAN counterparts, the third issue must be properly addressed, namely (3) invisibility of the Access Points (APs) to authorized adapters. With such invisibility of the APs, described herein by the term “hidden mode”, the WLAN becomes identical to a wired LAN.
Additionally, as described above WLAN security is a work in progress and security measures appear to be evolving as need dictates. Today's WLANs, for example need to be able to support multiple security protocols, such as WEP, the Temporal Key Integrity Protocol (TKIP) of WPA and the like. As such, system developers will have no choice but to implement multiple cryptosystems in future WLAN components.
Therefore a need exists to develop a security measure for WLAN implementation that provides for the invisibility of the Access Points to unauthorized adapters and for the protection of information transmitted through radio-links of WLANs. In addition, a need exists to develop a methodology for handling multiple cryptosystems, as well as, a single cryptosystem, to achieve varying degrees of WLAN security. In addition, a need exists to develop security measures that are compatible with current and future standards, such as 802.11, 802.16 and the like. Additionally, the desired security measures must be implemented without negatively affecting the overall performance of the wireless communication, in terms of data rate and range of communication.