A bit slow...but catching on?
1. AES is likely to defeat TKIP as US government's WLAN security protocol
The National Institute of Standards and Technology (NIST) is about to issue new government-wide WLAN security guidelines, which will be mandatory for federal agency purchases of WLAN equipment. Sources within NIST's security technology group say that the agency is debating whether to accept 802.11i -- approved by the IEEE last July -- as the government's own security standard for encryption and authentication. The technology people at NIST are not sure. They are especially concerned about the Temporal Key Integrity Protocol (TKIP): TKIP is the key management protocol in 802.11i, and it uses the same encryption engine and RC4 algorithm that were defined for the troubled, and exceedingly weak, Wired Equivalent Privacy (WEP) protocol. The 40-bit WEP's weakness stemmed from its too-short key length and a poor key management scheme for encryption. The 128-bit TKIP offers a "wrapper" around WEP encryption. The problem is that TKIP is backward compatible with WLAN hardware that used WEP.
NIST has already approved an alternative -- the 128-bit Advanced Encryption Standard (AES) -- which requires a hardware change for most older WLAN equipment and thus is deemed much more secure than TKIP. What is more, the RC4 encryption algorithm is not a Federal Information Processing Standard (FIPS), and likely never will be, because RC4 is regarded as weak when it comes to message authentication and integrity.
NIST is thus leaning toward approving AES for WLAN security (last summer NIST published document 800-38C for encryption, which includes the AES algorithm). NIST may well also introduce a new key management technology it has developed jointly with the National Security Agency (NSA). There is growing pressure within the government to purchase WLAN equipment, but many departments and agencies are holding back until NIST makes its decision.