NIST mulls new WLAN security guidelines By Ellen Messmer The National Institute of Standards and Technology, the federal agency responsible for defining security standards and practices for the government, plans to issue new guidelines pertaining to wireless LANs in the near future.
The decisions NIST reaches, possibly as early as this month, will broadly affect federal agency purchases of WLAN equipment, because federal agencies are required to follow NIST recommendations. According to William Burr, manager of NIST's security technology group, the agency is focusing on whether to approve the IEEE's 802.11i WLAN security standard for encryption and authentication as a government standard. The IEEE approved 802.11i last July, but Burr says NIST is not keen on some aspects of it. Specifically, NIST has reservations about the so-called Temporal Key Integrity Protocol (TKIP), which is the key management protocol in 802.11i that uses the same encryption engine and RC4 algorithm that was defined for the Wired Equivalent Privacy protocol (WEP). The 40-bit WEP, used in many early WLAN products, was criticized widely in the past two years as having too short a key length and a poor key management scheme for encryption. TKIP is a "wrapper" that goes around WEP encryption and ensures that TKIP encryption is 128 bits long. TKIP was designed to ensure it could operate on WLAN hardware that used WEP. In contrast, the 128-bit Advanced Encryption Standard (AES), which NIST already has approved, requires a hardware change for most older WLAN equipment. "We just don't feel that the TKIP protocol cuts the grade for government encryption," Burr says. He adds that the RC4 encryption algorithm is not a Federal Information Processing (FIPS) standard and probably won't ever be because network professionals see RC4 as rather weak in terms of message authentication and integrity. NIST is more inclined to approve AES for WLAN security, and in fact Burr pointed to the NIST document 800-38C, published last summer, for encryption that includes the AES algorithm. As far as the key management scheme for key exchange and setup is concerned, NIST might introduce a new key-management technology that's been jointly developed with the National Security Agency. _______________________________________________________________ Senior Editor Ellen Messmer covers security for Network World. Contact her at <mailto:[EMAIL PROTECTED]>. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]