hi - replying to myself...
i mentioned the whitepaper before but didn't say where it can be found. shame on me! so, update here.

and another thing to think about: WPA defines a new "mixed mode", meaning that WEP and WPA can be used at the same AP simultaneously. please be conscious that in such a case ALL hardware will run in the less secure classic WEP mode if only ONE device demands WEP. so, you have to upgrade EVERYTHING if you want to use WPA reasonably.

so, here is the "whitepaper":

http://www.wifialliance.com/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf

it's a little bit commercial and sometimes even wrong but it's official :-)

wrong is for example that:

<citation>
Enterprise-level User Authentication via 802.1x and EAP

WEP has almost no user authentication mechanism. To strengthen user authentication, Wi-Fi Protected Access implements 802.1x and the Extensible Authentication Protocol (EAP). Together, these implementations provide a framework for strong user authentication. This framework utilizes a central authentication server, such as RADIUS, to authenticate each user on the network before they join it, and also employs "mutual authentication" so that the wireless user doesn't accidentally join a rogue network that might steal its network credentials.
</citation>

the 802.1X framework DOES NOT employ mutual authentication. on the contrary, EAP methods *can* provide mutual authentication (like EAP/TLS does), but 802.1X itself is one-sided (client is authenticated) and has been much criticized for it (client never sends Requests, only Responses). but well, be it...

anyway, most important citation:

<citation>
Wi-Fi Protected Access and IEEE 802.11i Comparison

Wi-Fi Protected Access will be forward-compatible with the IEEE 802.11i security specification currently under development by the IEEE. Wi-Fi Protected Access is a subset of the current 802.11i draft, taking certain pieces of the 802.11i draft that are ready to bring to market today, such as its implementation of 802.1x and TKIP. These features can also be enabled on most existing Wi-Fi CERTIFIED products as a software upgrade. The main pieces of the 802.11i draft that are not included in Wi-Fi Protected Access are secure IBSS, secure fast handoff, secure de-authentication and disassociation, as well as enhanced encryption protocols such as AES-CCMP. These features are either not yet ready for market or will require hardware upgrades to implement. The IEEE 802.11i specification is expected to be published at the end of 2003.
</citation>

so, as I said: no AES (despite what has been said on the list).

more information can be found at http://www.wifialliance.com/OpenSection/secure.asp#resources

ciao
artur

--
Artur Hecker
artur[at]hecker.info

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
