
AES

Advanced Encryption Standard (AES) is a newer encryption method that was selected by the U.S. government to replace DES as their standard. It is quite strong, and is actually under review for the next version of the wireless 802.11 standard (802.11i). In fact, although it is not yet officially supported in all WLAN hardware, certain vendors have already started implementing it.

AES uses an algorithm known as Rijndael. The algorithm was devised by Joan Daemen and Vincent Rijmen, and it became part of AES by a contest-like selection process that picked the best algorithm from proposed schemes created by the public sector. Other competitors were RSA (maker of RC4), IBM, and various international groups. The contest was hosted by the National Institute of Standards and Technology, which was working for the National Security Agency. The contest was devised as a result of the cracking of the previous standard encryption method (DES), which was broken in 1990. Because of this, an immediate replacement for the encryption method was a necessity. However, "immediate" in terms of a bureaucracy means that it took seven years to start the contest, and a few more years to actually select a winner. Thus, AES was born.

The strength of AES has yet to be truly tested. Barring advances in quantum computing, it is expected that AES will remain the standard form of encryption for many years. The following is a list of the number of guesses it would take to crack AES-protected data. There are three options, because AES allows different sizes of keys, depending on need. The key size directly reflects the strength of the encryption, as well as the amount of processing required to encrypt and decipher the text.

  • 3.4 x 10^38 possible 128-bit keys
  • 6.2 x 10^57 possible 192-bit keys
  • 1.1 x 10^77 possible 256-bit keys

In other words, using the same technology used to crack DES, it would take 149 trillion years to crack AES. Now, this was over a decade ago, but the fact remains that AES is a very good algorithm, and is expected to remain the standard for many decades to come. However, like all encryption, AES will be cracked eventually.

One downside to AES is that it has a larger overhead than RC4. This is because of the extra processing required during the encryption/decryption process, which is more complex than the relatively simple RC4. To illustrate, the entire RC4 algorithm is often coded in about 50 lines of code, whereas AES takes about 350 lines. Although this does make AES more of a resource hog, hardware accelerators and other software tricks can compensate for this.
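As an added example, not code from the original text or from any vendor, here is a compact pure-Python AES block encryption following FIPS-197. It encrypts one 16-byte block with a 16-, 24- or 32-byte key and illustrates both points above: the key size sets the number of rounds (10, 12 or 14) and therefore the processing cost, and even this minimal version is clearly more work than a stream cipher such as RC4. It handles a single block only, with no mode of operation, padding or authentication.

```python
def _xtime(a):  # multiply by x in GF(2^8), reducing by the AES polynomial 0x11b
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _build_sbox():  # inverse via log/antilog tables (generator 3), then affine map
    exp, log, a = [0] * 256, [0] * 256, 1
    for i in range(255):
        exp[i], log[a] = a, i
        a ^= _xtime(a)  # a *= 3
    sbox = [0x63]  # 0 has no inverse; the affine map alone yields 0x63
    for x in range(1, 256):
        inv = s = exp[(255 - log[x]) % 255]
        for _ in range(4):  # s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def _expand_key(key):  # Nr + 1 round keys of 16 bytes, where Nr = Nk + 6
    nk, rcon = len(key) // 4, 1
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):
        t = list(w[i - 1])
        if i % nk == 0:  # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:  # extra SubWord step only for AES-256
            t = [SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nk + 7)]

def _mix_column(a):  # multiply one column by the {2,3,1,1} circulant matrix
    return [_xtime(a[r]) ^ _xtime(a[r - 3]) ^ a[r - 3] ^ a[r - 2] ^ a[r - 1]
            for r in range(4)]

def aes_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block; key is 16, 24 or 32 bytes (10/12/14 rounds)."""
    rks = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rks[0])]  # initial AddRoundKey
    for rnd in range(1, len(rks)):
        # ShiftRows then SubBytes (they commute); state is column-major s[row+4*col]
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]
        if rnd != len(rks) - 1:  # MixColumns is skipped in the final round
            s = sum((_mix_column(s[4 * c:4 * c + 4]) for c in range(4)), [])
        s = [b ^ k for b, k in zip(s, rks[rnd])]  # AddRoundKey
    return bytes(s)
```

The FIPS-197 Appendix C vectors (key bytes 00, 01, 02, ... and plaintext 00112233445566778899aabbccddeeff) can be used to check the three key sizes.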

Nevertheless, AES is destined to be the encryption method of all wireless traffic. Vendors are using AES already in their own proprietary WLANs, and this trend will act as a catalyst to make AES the official standard. However, you will not be able to use AES-ready hardware using the current standard of WEP. They are two entirely different encryption methods, and they will not work together.

SSL

Secure Sockets Layer is a protocol that has been in use for years online. The most popular form uses RC4 to encrypt data before it is sent over the Internet. This provides a layer of security to any sensitive data and has been incorporated into almost all facets of online communication. Everything from Web stores, online banking, Web-based email sites, and more use SSL to keep data secure. The reason why SSL is so important is because without encryption, anyone with access to the data pipeline can sniff and read the information as plaintext.

When building a secure WLAN, one of the important and necessary parts is authentication. Although there is some protection in the preshared password that is used to set up WEP, this will only encrypt the data. The flaw in this is that the system assumes the user is allowed to send data if the correct preshared password is used. In addition, by only using WEP (in conjunction with a DHCP WLAN), there is no way to track and monitor wireless users for security reasons. Thus, authentication of some sort is required.

Although authentication is important and necessary, it is also potentially vulnerable to several different types of attacks. For example, user authentication assumes that the person sending the password is indeed the owner of the account, which might not be true. Another weakness of an online authentication system is that the user information must be sent from the client to the host system. Therefore, the authentication information can be sniffed, which is why SSL is important to the authentication of users.

Because WLANs operate in a world that is meant to be very user-friendly and cross-platform, using proprietary software to encrypt and authenticate users would be tedious, and would be simply another obstacle for a user. Instead of designing an authentication system this way, many vendors are using a system that has been tried and tested for years. By using a Web browser with SSL enabled, an end user can make a secure and encrypted connection to a WLAN authentication server without having to deal with cumbersome software. As most wireless users will be familiar with using secure Web sites, the integration of SSL will go unnoticed. Once the connection is made, the user account information can be passed securely and safely.

IDSs

Intrusion detection systems (IDSs) are to computer networks what burglar alarms are to homes. The simple truth remains that all networks can be hacked. Because of this, we recommend that every network contain at least one form of IDS.

When dealing with wireless networks, using an IDS can be a bit tricky. Because of the nature of WLANs, guests might be connecting all the time and using the Internet or other network resources. Thus, an IDS watching that traffic would quickly be overloaded and eventually ignored because of the number of false positives.

It is best to place the IDS on a system behind the firewall. This way, the amount of traffic it has to deal with is lessened, and it can become a reliable part of the security system. This is like trying to use a car alarm on a car that is parked next to the highway: the alarm would have a difficult time trying to distinguish a truck's rumbling from a thief's ministrations. Instead, you would want to park the car on the other side of the building or house to keep it from repeatedly having false alarms.

Thus, install an IDS and let it maintain a watchful eye over your network, even though this part of your security will not provide any direct protection.
