Approval Of Landmark IEEE Security Standard Enables Wireless LAN Vendors To Add Stronger Encryption To Product Portfolios
PLEASANTON, Calif. – June 30, 2004 – Trapeze Networks™, the award-winning provider of the wireless LAN (WLAN) Mobility System™, today announced that the proposed IEEE 802.11i specification was approved as an amendment to the 802.11 standard on June 24, 2004 during an IEEE-SA standards board meeting.
“The ratification of 802.11i is a big step forward in enabling standards-based multivendor security in wireless LANs,” said Dan Harkins, chief security architect at Trapeze and contributor to the 802.11i specification. “Stronger encryption and authentication can now be deployed in wireless LANs that enable fast roaming between access points.”
802.11i offers a vast improvement over the 802.11-1999 standard that defines Wired Equivalent Privacy (WEP) encryption. After WEP’s vulnerabilities became known shortly after its adoption a few years ago, the Temporal Key Integrity Protocol (TKIP) was introduced as an intermediate fix and codified by the Wi-Fi Alliance as Wi-Fi Protected Access (WPA) 1.0.
“802.11i defines a mode of the Advanced Encryption Standard (AES) cipher, which has received extensive analysis by cryptographers around the world and has not been susceptible to any known attacks,” said Harkins, who was an advisor to the U.S. government in establishing key management specifications for the Federal Information Processing Standard (FIPS) and authored the Internet Key Exchange (IKE) standard for IPsec.
“We’re happy that the fast roaming techniques proposed by Trapeze are part of the ratified 802.11i standard,” said Dan Simone, vice president of product management and co-founder of Trapeze. “We already support much of 802.11i in products we currently ship, so customers can be sure that Trapeze will be compatible with the new standard.”
Technical Background
The 802.11i specification defines a key management and authentication protocol that ensures only trusted users get wireless access to local area network (LAN) resources and establishes an authenticated shared key between a mobile user’s client device, such as a laptop, and an authenticator, like the Trapeze Networks Mobility Exchange™ switch.
An authenticated shared-key, known as a pairwise master key (PMK), is used with a protocol called “the four-way handshake” to establish per-user session keys that protect a mobile user’s bulk data.
A hand-off occurs when a user roams from one access point (AP) to another. This starts a “discovery phase” and the user’s client begins to scan different channels for an AP with which to associate. When an AP is detected that has the right level of services – such as encryption and quality of service (QoS) – the client performs 802.11 open authentication and association.
The re-authentication process occurs next. Today, full 802.1X/EAP authentication is performed between a mobile user’s client and a back-end network server that provides authentication, authorization and accounting (AAA) services.
With 802.11i, re-authentication can be skipped altogether because the client has already been authenticated. The client and Mobility Exchange switch skip the key management and authentication protocol, reuse the PMK retained in cache, and go straight to the four-way handshake to establish a new set of session keys on the new AP. Once the session keys are established, the client finishes the hand-off process.
“It can take upwards of 800 milliseconds to complete a full re-authentication step,” notes Harkins. “Independent analysis has shown that the four-way handshake can be done in 25 milliseconds. PMK caching, combined with the 802.11k task group’s efforts to develop ways to enable clients to decide where to go and when, make fast roaming possible.”
Eliminating the re-authentication step and trimming up to 800 milliseconds off the hand-off time when mobile users roam from AP to AP makes the deployment of delay-sensitive applications like voice over wireless much more practical and reliable.
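The PMK-caching hand-off described above, modelled as an added example (not Trapeze code): the PRF, pairwise key expansion and PMKID construction follow 802.11i-2004; the `MobilitySwitch` class, its `eap` callback standing in for the 802.1X/EAP exchange, and the MAC addresses and nonces are constructed for illustration. It goes slightly beyond the text by showing the PMKID the client offers so the authenticator can recognise the cached PMK.

```python
import hmac
import hashlib
import os

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise key expansion of the four-way handshake: 48-byte PTK (KCK|KEK|TK for CCMP).
    AA = authenticator MAC, SPA = supplicant MAC; min/max ordering makes both sides agree."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)

def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID names a cached PMK for one (AP, client) pair: first 128 bits of HMAC-SHA1."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

class MobilitySwitch:
    """Hypothetical authenticator that retains each client's PMK and serves several APs.
    `eap` stands in for the full 802.1X/EAP exchange with the AAA server."""
    def __init__(self, eap):
        self.eap = eap
        self.pmk_cache = {}   # client MAC -> PMK retained after a full authentication

    def associate(self, bssid: bytes, spa: bytes, snonce: bytes, offered_pmkid=None):
        pmk = self.pmk_cache.get(spa)
        cache_hit = (pmk is not None and offered_pmkid is not None
                     and hmac.compare_digest(offered_pmkid, pmkid(pmk, bssid, spa)))
        if not cache_hit:
            pmk = self.eap(spa)            # full re-authentication (the slow step)
            self.pmk_cache[spa] = pmk
        anonce = os.urandom(32)
        # Four-way handshake: fresh nonces yield fresh session keys under the same PMK
        ptk = derive_ptk(pmk, bssid, spa, anonce, snonce)
        return ptk, cache_hit, anonce
```

A cache miss (no PMKID, or a PMKID that does not match the retained PMK) falls back to the full authentication, so a forged PMKID gains nothing.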
About Trapeze Networks
Trapeze Networks delivers the power of business applications and services to the mobile enterprise workforce. The company’s wireless LAN Mobility System enhances productivity, introduces new efficiencies and accelerates business response time by delivering secure mobility for roaming users, sophisticated services for both users and IT, all while offering the lowest total cost of ownership of any WLAN infrastructure provider. Trapeze has been the recipient of seven industry awards in recognition of its product and technology strength. Founded in March 2002, Trapeze raised $50 million in venture funding to date and is headquartered in Pleasanton, Calif., U.S.A. For more information, please visit www.trapezenetworks.com.