Wi-FiGurus

The community of Wi-Fi Professionals

Understanding Public Key Cryptography
Written by Jim Geier   
Wednesday, 21 March 2007

802.11's Wired Equivalent Privacy (WEP) encryption uses symmetric, private keys, which means both the end user's radio-based network interface card (NIC) and the access point must have the same key. This makes it difficult to distribute new keys to each NIC periodically. As a result, keys remain unchanged on networks for months. With stagnant keys, tools such as Airsnort and WEPCrack can break through the relatively weak WEP encryption mechanisms in no time at all.

 

Because of the key reuse problem and other flaws, the current standardized version of WEP does not offer strong enough security for most corporate applications. Newer security protocols, such as 802.11i and Wi-Fi Protected Access (WPA), however, utilize public key cryptography techniques in order to provide effective authentication and encryption between users and access points.


The Basics


Public key cryptography uses asymmetric keys, with one that is private and another one that is public. The private key is (as the name implies) kept secret; the public key can be known by anyone. This enables more effective encryption and authentication mechanisms.

A set of public and private keys match from a cryptographic standpoint. For example, the sending station (e.g., NIC or access point) can encrypt data using the public key, and the receiver uses the private key for decryption. The opposite is also true. The sending station can encrypt data using the private key, and the receiving station decrypts the data using the public key. Let's take a closer look at each of these modes.


Securing Data


If the goal is to encrypt data, the sending station will use a public key to encrypt the data before transmission. The receiving station uses the matching private key to decrypt the data upon reception. Each station keeps its private key hidden in order to avoid compromising encrypted information.

Public key cryptography works effectively for encrypting data because the public key can be made freely available to anyone wanting to send encrypted data to a particular station. A station that generates a new private key can distribute the corresponding public key over the network to everyone without worry of compromise. Thus, the public key can be posted on a Web server, sent unencrypted across the network, etc.

Some security protocols distribute a new WEP key periodically to a station by encrypting it first with the receiving station's public key. The receiving station uses its secret private key to decrypt the encrypted WEP key and then begins using the new WEP key for encrypting data frames.


Mutual Authentication


In addition to protecting information from hackers, stations can use public key cryptography to authenticate themselves to other stations or access points. This may be necessary before an access point or controller allows a particular station to interface with a protected side of the network. Likewise, the client can authenticate the access point in a similar manner.

A station authenticates itself by encrypting a string of text within a packet using its private key. The receiving station decrypts the text with the sending station's public key. If the decrypted text matches some predetermined text (e.g., the station's name), then the receiving station knows that the sending station is valid. The encryption of a particular string of text acts as a digital signature.
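The two modes described above (wrapping a new WEP key with the receiver's public key, and signing a string of text with the sender's private key), as an added example that is not part of the original article. It assumes textbook RSA over two small constructed primes with no padding, so it shows only the key relationship and is not a secure implementation; all function names are illustrative.

```python
import hashlib

# Toy parameters (constructed for illustration): two Mersenne primes give a
# ~150-bit modulus. Real systems use 2048-bit or larger keys with padding.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537

def generate_keypair():
    """Return (public, private), each as an (exponent, modulus) pair."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: inverse of E mod phi(n)
    return (E, n), (d, n)

def wrap_key(wep_key: bytes, public) -> int:
    """Sender side: encrypt a WEP key with the receiver's public key."""
    e, n = public
    m = int.from_bytes(wep_key, "big")
    if m >= n:
        raise ValueError("key does not fit under this modulus")
    return pow(m, e, n)

def unwrap_key(wrapped: int, private, length: int) -> bytes:
    """Receiver side: recover the WEP key with the matching private key."""
    d, n = private
    return pow(wrapped, d, n).to_bytes(length, "big")

def _digest(text: bytes, n: int) -> int:
    """Hash the text and reduce it so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(text).digest(), "big") % n

def sign(text: bytes, private) -> int:
    """Station side: apply the private key to a digest of the text."""
    d, n = private
    return pow(_digest(text, n), d, n)

def verify(text: bytes, signature: int, public) -> bool:
    """Verifier side: undo the signature with the public key and compare."""
    e, n = public
    return pow(signature, e, n) == _digest(text, n)

if __name__ == "__main__":
    pub, priv = generate_keypair()
    new_key = bytes.fromhex("00112233445566778899aabbcc")  # constructed 104-bit WEP key
    wrapped = wrap_key(new_key, pub)
    print("unwrapped matches:", unwrap_key(wrapped, priv, len(new_key)) == new_key)
    sig = sign(b"station-01", priv)  # constructed station name
    print("valid signature accepted:", verify(b"station-01", sig, pub))
    print("other text rejected:", not verify(b"station-02", sig, pub))
```

A signature over a fixed string can be captured and replayed, which is why deployed protocols have the station sign a fresh random challenge from the verifier rather than a predetermined text.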

 

 Jim Geier is an independent consultant and founder of Wireless-Nets, Ltd (www.wireless-nets.com), a consulting firm assisting municipalities, enterprises, hospitals, airports, and equipment providers with the development and deployment of wireless networks.
