
Entire site and all contents except otherwise noted © Copyright 2001-2010 by Glenn Fleishman. Some images ©2006 Jupiterimages Corporation. All rights reserved. Please contact us for reprint rights. Linking is, of course, free and encouraged.


January 6, 2005

Another Take on Simple Security

Broadcom and Atheros's new easy-to-use Wi-Fi security enablers aren't as far apart as I thought: I was looking through the details this morning for SecureEasySetup and JumpStart for Wireless systems, respectively by Broadcom and Atheros, and found that while they work somewhat differently, they're closer than I thought in nature and intent.

Both systems try to remove the complexity from turning on encryption on networks. Broadcom's is more generally aimed at consumer electronics and devices with no real interface; Atheros's feels more computer- and adapter-oriented, but they make a good case about how it could be integrated into CE, as well. I spoke to Broadcom on Tuesday; Atheros this morning. Let's compare and contrast.

Initial setup. Broadcom has you push a button on the access point which causes it to create a key and store it internally, ready for the first client connection. This can be a hardware button on the device itself, or it can be a software button in a Web or client interface. Atheros has you connect to the access point via Ethernet to click a button, and create a password that's used to sign a key exchange that happens later. JumpStart also stores a WPA key.
Comparison: Neither version requires configuration of security options or key creation. Broadcom can push their button advantage, but consumers do need to run a wizard or other configuration software in any case to set up their DSL, cable modem, or LAN settings. By adding a step, Atheros increases security in the next step, but requires typing or key entry. Atheros also requires an Ethernet configuration (only for this stage) but derives additional security from this requirement. Broadcom can optionally run SES over Ethernet, but each device would have to connect via Ethernet. Both change the SSID and create a sufficiently long WPA key. Atheros's version can create a WPA2 (AES) key if that's available.
Conclusion: No advantage to either party at this stage in the process, although Atheros users might run into a problem if and only if they didn't have an Ethernet-equipped computer to handle the first step.
Note: It's clear that if ISPs worked with manufacturers, they could create a stub boot mode on gateways that would install the configuration for that client and enable the Wi-Fi security, removing all LAN/WAN and security setup. This is the idea behind Microsoft's Wireless Provisioning System for hotspots.

Add a client computer. Broadcom has you push a button on the access point to put it into the right mode to communicate with a client PC Card. You can also use software on the access point to initiate this mode. On the client, users either push a button or use a client manager or menu to initiate communication. The AP and the client talk, the AP passes a key over a tunnel, and the client is ready to go. Atheros requires that you connect to the AP and have it start its communication mode. If the AP detects another JumpStart session, it backs off. Visual confirmation of the mode comes through flashing LEDs on the AP. On the client machine, you enter the same password used on the AP. This password is used to sign a Diffie-Hellman key that's used to establish a secure session over which the WPA key is sent.
Comparison: Broadcom leaves a window open here for an insertion in which a waiting client could grab a key from an AP before the intended client gets the key. There's no out-of-band confirmation that allows a rogue client to be rejected. Atheros, by using a password, increases complexity, but provides a way of securing the initiation of the SSL tunnel that's used to provide the key.
Conclusion: Broadcom lacks a Wi-Fi-based out-of-band confirmation option that would prevent malicious attacks from automated software that would attempt a denial of service on a user's network. Such software could be written because Broadcom and Atheros plan open standards. Broadcom does allow Ethernet to be used as a physically isolated and secure method of running SES, and it does notify users if a rogue client slipped in before the desired client connected. But there's no solution for a malicious DoS coupled with no Ethernet or no ease of using Ethernet. Atheros scores in edge cases with malicious DoS attacks.

Add a consumer electronic device, like a Wi-Fi DVD player: In Broadcom's case, push a button on the AP and push a button or trigger a menu on the DVD player. Atheros would require some kind of menu that would allow the entry of a key.
Comparison: Atheros seems to be at a disadvantage for entering alphanumerics on home entertainment devices without keyboards.
Conclusion: Broadcom may have a less secure method, but it does have a simpler process that will make CE adoption much smoother. On the other hand, CE devices may only have Wi-Fi and no Ethernet, which could make them more susceptible to being unable to join a network experiencing automated DoS.

In talking with Atheros this morning, they didn't convince me that JumpStart had a more secure end-to-end process. I'd already realized this and have a query out to Broadcom about the details. In home networks, it may be less critical that someone is ready to jump on, but an automated malicious attack is a real possibility for an open standard.


The reason to have out-of-band elements in a secure system is to provide verification that is outside of the medium that you admit is untrusted. If you don't pre-install public-key certificates in every device that provides that out-of-band security--such as in EAP-TLS, the first version of EAP used with 802.1X--then you have to figure out some other method. With PGP or GPG, one method is to send someone your public key via email and then call or fax them with the fingerprint that allows them to confirm that it's correct. Otherwise, someone could be a man in the middle who provides their own public keys in each direction to the two parties trying to establish a secure interchange. This is another reason for public key directories, which are assumed to have a certain level of trust without total verification of identity.

Public-key cryptography plus out-of-band confirmation is considered reliable, and is the basis of SSL and TLS that use certificate-authority-signed documents, whether the authority is Thawte or a company's own authority certificate. It's also part of the process by which Atheros secures its connection. Atheros uses a TLS-style transaction in which the initial key is signed by the password that a user has entered in the access point out of band.
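To make the difference between the two approaches above concrete (the "add a client computer" step and the out-of-band discussion), here is a small Python model. It is an added example, not code from the original post and not Atheros's or Broadcom's actual protocol or message format. It assumes a plain Diffie-Hellman exchange over the radio as the stand-in for a button-only setup, an HMAC over both Diffie-Hellman values keyed by a PBKDF2-derived password key as the stand-in for "signing the key with the password," a SHA-256 fingerprint as the PGP-style out-of-band check, and the RFC 2409 Group 2 modulus so that the whole thing runs offline with the standard library. The `provision()` function, the salt constant and the "interposer" (a third radio that substitutes its own value in both directions) are all constructed for the illustration.

```python
"""Added example: why an out-of-band secret or fingerprint check matters
when a WPA key is delivered over an untrusted radio link.

This is a model, not either vendor's protocol:
  - plain mode: Diffie-Hellman with no out-of-band element;
  - authenticated mode: the same exchange, but the AP proves knowledge of
    the password entered out of band by MACing BOTH public values with a
    PBKDF2-derived key (a stand-in for "signing the key with the password");
  - fingerprint: compare a hash of the received public value with one
    obtained out of band (PGP-style: a label, display or phone call).
Standard library only.
"""
import hashlib
import hmac
import secrets

# RFC 2409 Group 2 (1024-bit MODP), kept small so the demo runs quickly.
# A real deployment would use a 2048-bit+ group (RFC 3526) or ECDH.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
SALT = b"jumpstart-demo-salt"  # constructed constant; a real protocol uses a fresh nonce
PBKDF2_ROUNDS = 50_000         # demo value; tune upward in production


def _i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def dh_keypair() -> tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv: int, peer_pub: int) -> bytes:
    """Hash the DH shared secret into the key that would wrap the WPA PSK."""
    return hashlib.sha256(_i2b(pow(peer_pub, priv, P))).digest()


def password_tag(password: str, ap_pub: int, client_pub: int) -> bytes:
    """Prove knowledge of the out-of-band password over BOTH public values,
    so a value substituted on either side invalidates the tag."""
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ROUNDS)
    return hmac.new(k, _i2b(ap_pub) + _i2b(client_pub), "sha256").digest()


def fingerprint(pub: int) -> str:
    """Short hash a user could read off the AP's label and compare by eye."""
    return hashlib.sha256(_i2b(pub)).hexdigest()[:16]


def provision(ap_password: str, client_password: str,
              authenticated: bool, interposer: bool) -> dict:
    """Run one key-delivery attempt and report what each side concluded.

    interposer=True models an unwanted third radio that answers inside the
    setup window and substitutes its own DH value in both directions.
    """
    ap_priv, ap_pub = dh_keypair()
    cl_priv, cl_pub = dh_keypair()
    ap_pub_rx = ap_pub   # what the client actually receives over the air
    cl_pub_rx = cl_pub   # what the AP actually receives over the air
    if interposer:
        _, rogue_pub = dh_keypair()
        ap_pub_rx = cl_pub_rx = rogue_pub
    ap_key = session_key(ap_priv, cl_pub_rx)
    cl_key = session_key(cl_priv, ap_pub_rx)

    accepted = True  # plain mode has nothing to check: timing is the only defence
    if authenticated:
        # The AP tags the values it saw; the client verifies against the values it saw.
        tag = password_tag(ap_password, ap_pub, cl_pub_rx)
        expected = password_tag(client_password, ap_pub_rx, cl_pub)
        accepted = hmac.compare_digest(tag, expected)
    return {
        "accepted": accepted,                     # did the client proceed?
        "keys_match": ap_key == cl_key,           # would the PSK reach only the right client?
        "fingerprint_ok": fingerprint(ap_pub_rx) == fingerprint(ap_pub),
    }


if __name__ == "__main__":
    for label, auth, mitm in [("plain DH, clean channel", False, False),
                              ("plain DH, interposer", False, True),
                              ("password-authenticated, interposer", True, True)]:
        print(f"{label:38s} {provision('s3tup-pw', 's3tup-pw', auth, mitm)}")
```

Read the results as the post frames them: in plain mode the client "accepts" in every case, and only the out-of-band fingerprint (or, as Broadcom does, a notification after the fact) reveals that the key went to the wrong radio; in authenticated mode the interposer is rejected before any key is sent, which is exactly the work the password does, and also why a wrong password on the client fails even on a clean channel.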

Atheros was pretty rambunctious about discussing Broadcom's SecureEasySetup in contrast with their own JumpStart. I spoke with Colin Macnab, Atheros's vice president of marketing and business development, and Kevin Hayes, one of the developers of this standard for Atheros who is actively involved in security at the Wi-Fi Alliance and the 802.11i Task Group at the IEEE.

For starters, Macnab thought that adding a button to an AP is more of a stumbling block than Broadcom wants to maintain. He notes that getting the entire AP's cost of goods below $20 is the goal now, and that adding wire and a button could actually be a significant issue for commodity equipment. He also noted that the lack of an out-of-band element means that Broadcom is relying entirely on timing for security. Hayes said, "What I see in Broadcom is clearly some marketing-driven solution."

But they both turned conciliatory: they like some aspects of SecureEasySetup, and Hayes said, "If we blend these technologies, then the industry would take that." Macnab agreed, noting, "That's probably the correct answer. There may be some places in which people might want to do buttons." But Macnab suggested setting up a hacking contest in a real-world scenario, like an apartment building, and seeing which easy setup method "survives." Atheros intends that JumpStart be available for general industry use.

Hayes and Macnab both agreed that competition in the industry was going to help the consumer by pushing easier and easier methods out on the application level instead of deeper in the box. Hayes said, "We look at the ease of use part as a transport for security. This security is completely under the covers."

Ultimately, some combination of Atheros and Broadcom's technology through the Wi-Fi Alliance should result in a completely secure method that also has multiple ways to let consumers have security without frustration. Atheros could use Broadcom's simplicity as a first step; Broadcom could use Atheros's password as a fallback.

1 TrackBack

Another Take on Simple Security from Lockergnome's Hardware Help on January 6, 2005 10:24 PM

While many of us might think that most Wi-Fi enablers are pretty much the same for the most part, I think this article from Wi-Fi Networking News pretty much says it all. Read for yourself.... Read More