In last month's newsletter, we covered WEP, 802.11's original security and authentication method. WEP may be fine for SOHO and home use, but it is inadequate for enterprise use for two reasons: its encryption is too easily broken and it is too difficult to administer when the number of wireless stations is large. The 802.11 committee moved to address these issues in 802.11i, but customers needed stronger security while 802.11i was still being developed. Cisco moved to address this need with Lightweight Extensible Authentication Protocol, or LEAP.
LEAP's first improvement over WEP was to authenticate users to a central server, instead of using WEP keys manually configured on each client. This simplified administration and improved security, since a user's password could be changed or a user could be added or removed from the system in a central location, rather than having to reconfigure the user's laptop. In addition, LEAP uses a protocol called RADIUS to interact with the central authentication server. Many enterprises already use a RADIUS server for other types of authentication, such as logging in to a machine or logging into a VPN, so LEAP allowed them to integrate their wireless authentication into their pre-existing authentication methods.
Another improvement that LEAP made was to use a username and password as the primary authentication method instead of the WEP key. This meant that users didn't have to worry about long, 40-bit or 128-bit numbers; they could simply log in to the wireless network using the same username and password that they used to log in everywhere else. This, in and of itself, might not have improved security, but the designers of LEAP also chose to assign WEP keys dynamically, on a per-user, per-session basis. That means that, instead of assigning a single WEP key to all stations, the RADIUS server would assign a unique WEP key to each user, each time the user logged in. This increased security, since, even if an attacker managed to crack a WEP key, the attacker would only be able to decrypt one station's traffic.
Of course, assigning a unique WEP key to each station (and other LEAP-specific functionality) requires that the client, AP, and RADIUS server all support LEAP. This was one of the early hurdles to adopting LEAP, since in the beginning, only Cisco APs supported LEAP.
One of the challenges with enhancing 802.11 security was that the hardware on the cards had only been designed to perform the very-fast and very-simple RC4 encryption. Moving to more secure forms of encryption was not an option, since the cards simply wouldn't have had the processor power to handle it. Therefore, although LEAP improved on WEP encryption in some ways (for example, by causing stations to automatically change their WEP key periodically), it continued to use the relatively weak RC4 encryption method.
Although LEAP offered many improvements over standard WEP, it, like WEP, is now considered too weak for enterprise use. LEAP used a form of authentication called MS-CHAP, which had the known weakness of not encrypting the authentication process. Therefore, it is possible for an attacker to spy on the initial authentication and use that information to attempt to access the network. Exploits have been released to demonstrate this attack. LEAP has been further superseded by the release of more secure authentication and encryption standards such as 802.1x, WPA, and 802.11i.
A fundamental specification of an 802.11 card is its receive sensitivity. The receive sensitivity is the minimum power level at which a signal can be reliably received. For example, a NIC manufacturer may indicate that their particular card has a receive sensitivity of –96 dBm at 1Mb/sec. If the actual RF energy present at that card were less than –96 dBm, then the card would no longer be able to differentiate between signal and noise. The NIC would not detect the incoming packet at all, and the packet would be lost. But how do vendors measure receive sensitivity and what are the implications of their methods for assessing an 802.11 card's performance?
We asked a major vendor of 802.11 hardware how they measured receive sensitivity in their cards. They told us that to measure receive sensitivity, the WLAN card is placed into an RF-shielded room. This guarantees that the test signal will be the only RF transmission in the room, and no background noise in the environment will interfere with the test. The test receiver is placed on a rotating turntable so that measurements can be taken (and then averaged) for all possible horizontal orientations of the receiving antenna. The vendor then transmits packets at weaker and weaker power levels. As the power level decreases, the bit error rate as measured by the card increases. The receive sensitivity of the card is the minimum power level at which the bit error rate remains below a certain threshold. Therefore, a lower receive sensitivity value (-93 dBm) is better than a higher one (-85 dBm), since it means that the card was able to "reliably receive" data at lower power levels.
Of course, different data rates use encoding and modulation methods of differing complexity, and are correspondingly more or less resistant to corruption, so each data rate has its own receive sensitivity. As the data rate increases, the receive sensitivity figure rises (the card becomes less sensitive). To put it another way, the higher the data rate, the stronger the signal must be for the packet to be reliably received. This is why 802.11 cards drop to lower data rates when interference is present or when they are at the edges of their coverage range. For example, an 802.11b card might have specifications like this:
Receive sensitivity -95 dBm at 1 Mbps
Receive sensitivity -91 dBm at 2 Mbps
Receive sensitivity -89 dBm at 5.5 Mbps
Receive sensitivity -85 dBm at 11 Mbps
While receive sensitivity might seem like a reliable way of comparing two vendors' cards, we know of no organization that certifies the veracity of the vendor's results. Therefore, there is the potential for vendors to manipulate the thresholds of their tests to influence their chipset's receive sensitivity numbers. For example, a vendor that uses a BER threshold of one error in every 1,000,000,000 bits will end up with lower receive sensitivities than a vendor that uses a BER threshold of one error in every 100,000,000 bits, even though the second vendor's card may actually be better at receiving bits. Fortunately, some vendors make their BER threshold available in their card's documentation.
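The following Python is an added example, not code from the newsletter or from any card vendor. It uses the 802.11b sensitivity table printed above to pick the highest data rate a card can sustain at a given received power (returning nothing when the signal is below even the 1 Mbps floor, the "packet is lost" case), and then emulates the vendor's shielded-room test on a single modelled card to show that the BER threshold alone moves the datasheet figure. The noise floor (-101 dBm), the test power range, and the coherent-BPSK error curve are constructed assumptions; a real card's curve is steeper and depends on its coding, but the direction of the effect does not change: the stricter 1e-9 threshold needs more signal before the card "passes", so the same hardware reports a higher (less negative) sensitivity than it does under a 1e-8 threshold.

```python
import math

# Receive sensitivity table from the newsletter's 802.11b example:
# data rate in Mbps -> minimum reliably received power in dBm.
SENSITIVITY_DBM = {1.0: -95, 2.0: -91, 5.5: -89, 11.0: -85}


def highest_usable_rate(rssi_dbm, table=SENSITIVITY_DBM):
    """Return the fastest data rate whose sensitivity the received power still
    meets, or None when the signal is below the weakest-rate floor (packet lost).
    This is the rate fallback behaviour described in the section above."""
    usable = [rate for rate, floor in table.items() if rssi_dbm >= floor]
    return max(usable) if usable else None


# --- Emulating the vendor's shielded-room test with a constructed BER model ---

NOISE_FLOOR_DBM = -101.0  # constructed thermal-noise level for the modelled card


def ber_at_power(power_dbm, noise_floor_dbm=NOISE_FLOOR_DBM):
    """Bit error rate of an idealised coherent BPSK receiver in white noise,
    BER = 0.5 * erfc(sqrt(SNR)). A stand-in for the real card's error curve."""
    snr_linear = 10 ** ((power_dbm - noise_floor_dbm) / 10)
    return 0.5 * math.erfc(math.sqrt(snr_linear))


def measured_sensitivity(ber_threshold, start_dbm=-70.0, floor_dbm=-110.0, step_db=0.1):
    """Lower the test power in 0.1 dB steps until the BER exceeds the vendor's
    threshold; the last level that still passed is the figure on the datasheet."""
    power = start_dbm
    last_pass = None
    while power >= floor_dbm and ber_at_power(power) <= ber_threshold:
        last_pass = power
        power = round(power - step_db, 1)
    return last_pass


if __name__ == "__main__":
    for rssi in (-80, -87, -90, -93, -97):
        print(f"RSSI {rssi} dBm -> highest usable rate: {highest_usable_rate(rssi)} Mbps")
    strict = measured_sensitivity(1e-9)
    loose = measured_sensitivity(1e-8)
    print(f"same card, BER threshold 1e-9: {strict} dBm; threshold 1e-8: {loose} dBm")
```

When comparing two datasheets, run the second half with each vendor's published threshold: if the gap between the two figures is no larger than the gap the threshold change alone produces on one card, the numbers do not tell you which card is better.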
Siemens, the German electronics manufacturer, has done research at its labs in Munich and achieved a wireless data transmission speed of 1 Gigabit / second. This is the fastest wireless data rate that anyone has been able to reach thus far in the evolving landscape of wireless Ethernet. The speed was achieved by combining clever OFDM technology with an intelligent antenna system. The engineering of the system takes advantage of OFDM's spread spectrum bit encoding but builds on basic OFDM technology by transmitting multiple signals simultaneously over the single wireless transmission path. OFDM as implemented in current 802.11g and 802.11a Wi-Fi sends a single bit stream over the entire OFDM transmission path in the 2.4 or 5.8 GHz band (respectively). The antenna system augmented the basic engineering of the radio system by using a MIMO antenna to mix multiple flows of data over the same radio channel.
Taking Gigabit Wi-Fi from the lab to the marketplace will be a matter of economics. The algorithms used in the design exceed the capabilities of the current generation of Wi-Fi chipsets and the MIMO antenna systems are more expensive than the simple dipole antennas so common on 802.11 access points today. The experimental Gigabit radios were tested in the 5 GHz band. Siemens has not suggested a date when the new technology will be available for use in the commercial market. Additional information is available from InfoWorld.
FCC Ruling Paves Way for Ground-to-Air Data Transmission
On December 15th, the FCC announced that it will auction licenses for 4 MHz of spectrum in the 800 MHz band that is currently used exclusively for Verizon's Airfone service. These licenses will cover "voice, data, broadband Internet, etc..."
Although the air-to-ground band has existed for years, Verizon was the only vendor to make use of it. Verizon's Airfone service is slow, limited almost exclusively to voice (although it is possible to dial up through it, the data rates are too low to be useful), and expensive. By comparison, a new system, designed for data from the ground up, could provide access at rates of approximately 100 Kbps to 400 Kbps. The FCC announced that Verizon would be granted a non-renewable five-year license to continue offering its Airfone service, but that it would be limited to 1 MHz of the 4 MHz band.
In-air data services currently exist, but must either piggyback on top of Verizon's system (as Tenzing does) or use expensive satellite uplinks (as Connexion does). A dedicated ground-to-air system would make higher data rates and cheaper access possible.
The FCC will auction the licenses for the 4 MHz spectrum in three possible allocations: a 1 MHz and a 3 MHz band, two overlapping 3 MHz bands (with a 2 MHz overlap in the middle of the band), or a 3 MHz and a 1 MHz band. Whichever configuration receives the highest combination of gross bids will win, and no one vendor is allowed to acquire both licenses. Some vendors have argued that a 1 MHz band is not competitive with a 3 MHz band, and so the 1/3 and 3/1 options in effect create a monopoly. They argue that the FCC should have offered only the 3/3 configuration.
In the same press release, the FCC announced that it was considering allowing passengers to use standard wireless handsets and other devices via a picocell in the plane. Currently, FCC regulations allow certain wireless transmitters (such as the 802.11 Access Points that have been installed in some commercial airplanes) but cell phones are explicitly prohibited.
At Connect802, we see this announcement as having great potential for convergence of wireless voice and data services. An 802.11 AP on the plane could provide access to an 800 MHz ground-to-air uplink. If VoIP-capable cell phones were ubiquitous, passengers could use the data connection to route their voice calls to the ground and a cellular picocell would not be necessary. It remains to be seen whether that will actually develop.
Michigan man convicted of "wardriving"
The Associated Press reports that three Michigan men who hacked the Lowe's hardware store's computer system by entering through a Wi-Fi link have been convicted. One of them received a 9-year federal prison sentence, the longest prison term ever handed down in a computer crime case in the United States. Another of the three men was convicted and is awaiting sentencing for "wardriving" in the case - the act of driving around with a Wi-Fi antenna looking for vulnerable wireless access points.
In an unrelated earlier case (October 2004), a Hollywood, California man pleaded guilty to "war-spamming": wardriving and then pushing spam to people through unprotected Wi-Fi networks. This was the first conviction under the CAN-SPAM Act of 2003.
Special Section: Connect802 provides network design for Benin, Africa!
Connect802 is engaged in a project to provide Wi-Fi coverage for an educational and medical compound in Benin, Africa. This project presents a number of interesting challenges with its combination of in-building (poured concrete walls) and inter-building, outdoor Wi-Fi connectivity.
The Republic of Benin, Africa became a French colony in 1872 and achieved independence in 1960. The country is slightly smaller than the State of Pennsylvania, USA (about 1/2 the size of the United Kingdom).
The telephone system in Benin depends heavily on microwave radio relay and cellular connections, with some fiber optic submarine cables and satellite connectivity. With roughly 66,000 wired telephone connections compared to over 236,000 cellular subscribers, the awareness of wireless communication is well established.
Connect802 Corporation was engaged to provide the in-building client Wi-Fi and inter-building outdoor wireless connectivity design for an educational and medical compound in Benin. Our design would become part of an overall project plan to establish a microwave link 18 kilometers to the telephone company office. {Note: The photographs are representative of the area but are not actually pictures of the installation location.}
We were initially surprised that the buildings were much smaller than buildings of corresponding use would be in the United States. Since all the architectural plans gave building dimensions in centimeters, our RF team was initially confused. We had expected the plans to be metric, but we assumed that they would simply be measured in meters, not centimeters. When we saw a building with the dimensions "4 175" by "2 590", we found it difficult to imagine what the figures could mean. This translates to 137 feet by 85 feet (4,175 cm x 2,590 cm). The confusion lay in the fact that we couldn't have imagined the buildings being so small relative to what might be expected in the United States. A "Cafeteria" building was only 137 by 85 feet, but it was.
The 3-story communications building housed a server farm and the cellular switch equipment. The design goal was to provide Wi-Fi coverage for data only in all buildings and on the grounds. Our engineering partners in Benin were erecting the tower to tie back to the main city, and they were providing the cellular connectivity.