Contact:http://www.packetnexus.com
Subject: WLAN/ Response of WEP Security
Importance: High

Response from the IEEE 802.11 Chair on WEP Security

Recent reports in the press have described the results of certain research efforts directed towards determining the level of security achievable with the Wired Equivalent Privacy algorithm in the IEEE 802.11 Wireless LAN standard. While much of the reporting has been accurate, there have been some misconceptions on this topic that are now spreading through the media. Befitting the importance of the issue, I am inclined to make a response from the Chair to clarify these issues with the following points:

1. Contrary to certain reports in the press, the development of WEP as an integral part of the IEEE 802.11 standard was accomplished through a completely open process. Like all IEEE 802 standards activities, participation is open to all interested parties, and indeed the IEEE 802.11 committee has had a large and active membership.

2. The acronym WEP stands for Wired Equivalent Privacy, and from the outset the goals for WEP have been clear, namely to provide an equivalent level of privacy as is ordinarily present with a wired LAN. Wired LANs such as IEEE 802.3 (Ethernet) are ordinarily protected by the physical security mechanisms within a facility (such as controlled entrances to a building), and the IEEE wired LAN standards do not incorporate encryption. Wireless LANs are not necessarily protected by physical security, and consequently to provide an equivalent level of privacy it was decided to incorporate WEP encryption into the IEEE 802.11 standard. However, recognizing that the level of privacy afforded by physical security in the wired LAN case is limited, the goals of WEP are similarly limited. WEP is not intended to be a complete security solution, but, just as with physical security in the wired LAN case, should be supplemented with additional security mechanisms such as access control, end-to-end encryption, password protections, authentication, virtual private networks, and firewalls, whenever the value of the data being protected justifies such concern.

3. Given the goals for Wired Equivalent Privacy, WEP has been, and continues to be, a very effective deterrent against the vast majority of attackers that might attempt to compromise the privacy of a wireless LAN, ranging from casual snoopers to sophisticated hackers armed with substantial money and resources.

4. The active attacks on WEP reported recently in the press are not simple to mount. They are attacks, which could conceivably be mounted given enough time and money. The attacks in fact appear to require considerable development resources and computer power. It is not clear at all whether the payoff to the attacker after marshalling the resources to mount such an attack would necessarily justify the expense of the attack, particularly given the presence of cheaper and simpler alternative attacks on the physical security of a facility. Key management systems also reduce the window of these attacks succeeding.

5. In an enterprise or other large installation, the complete set of security mechanisms typically employed in addition to WEP would make even a successful attack on WEP of marginal value to the attacker.

6. In a home environment, the likelihood of such an attack being mounted is probably negligible, given the cost of the attack versus the typical value of the stolen data.

7. IEEE 802.11 is currently working on extensions to WEP for incorporation within a future version of the standard. This work was initiated in July 1999 as Task Group E, with the specific