November 2008
Working the Polls (5 November 2008)
Will Google Need a Bailout Some Day? (24 November 2008)
Making Security Incomprehensible (28 November 2008)

Making Security Incomprehensible

28 November 2008

For various reasons, the wireless portion of my home network has been using WEP (Wired Equivalent Privacy). While I’m certainly aware of the security issues, I’ve continued to use WEP because (a) some of my client machines didn’t properly support anything better; (b) I perceive a minimal threat model (I live on a very quiet suburban street); and (c) the computers in the house are hardened and encrypt just about everything anyway.

That said, I decided it was time to switch to WPA2 (WPA itself has its own security problems). Accordingly, I looked at various boxes around the house to see what the options looked like.

The first thing to check, of course, was the access points: a pair of Linksys WAP54Gs with v2.0 hardware and 2.07 firmware. They offered WEP, RADIUS, WPA-Preshared Key, and WPA Radius. Hmm — no WPA2. On to my iPhone (with 2.2 firmware): it offers WEP, WPA, WPA2, WPA Enterprise, and WPA2 Enterprise. So — is "WPA Radius" the same as "WPA Enterprise"? Is "WPA" the same as "WPA-Preshared Key"? For fun, I upgraded the access points to v3.04 firmware, even though the Linksys web site didn’t say anything about other security modes being added via that upgrade. It helped: I can now use WEP, WPA-Personal, WPA2-Personal, WPA2-Mixed, WPA-Enterprise, and RADIUS. Perhaps "Personal" is the same as "Preshared Key", though I generally avoid getting too personal with cryptographic devices. But "RADIUS" is now separate from "Enterprise", and I have yet to figure out what "Mixed" is. Of course, some of the options only permit hex keys (more secure, but impossible to type properly on, say, an iPhone), while some like ASCII. Also, there’s now a completely separate option for authentication; the choices for it are "Open System" and "Shared Key". This, of course, is under "Advanced Wireless Settings", rather than "Wireless Security".

I next looked at my NetBSD laptop. NetBSD (and many other Unix clones, including some Linux distributions), use wpa_supplicant for security. It offers WPA-PSK, WPA-EAP, IEEE8021X, plus "NONE" which for some reason covers WEP. But I also get to specify a choice of several different authentication algorithms: OPEN, SHARED, and LEAP. Furthermore, I can pick an encryption algorithm, such as AES or TKIP. There’s no sign of that on the other clients, though the access points will offer that as a choice (sometimes) if you ask on the right menu.

Windows is different still. XP lets me choose among WEP, WPA-PSK, 802.1x, or 802.1x EAP (Cisco LEAP). (This is on a Thinkpad, with an IBM add-on for managing connections.) A Dell laptop running Vista offered a choice of None (Open), Shared, WPA2 Personal, WPA Personal, WPA2 Enterprise, WPA Enterprise, and 802.1x. To make life interesting, however, those choices were under "Authentication", not "Security" or "Encryption".

And Ubuntu 8.10? It offers a choice of WEP 40/128-bit key, WEP 128-bit Passphrase, LEAP, Dynamic WEP (802.1x), WPA and WPA2 Personal, and WPA and WPA2 Enterprise. The interesting thing is that it combines the WPA and WPA2 options, implying that it can figure out the difference while no one else can.

Right….

It’s pretty clear that the choices are very confusing. There is no standard nomenclature, nor even standard categorization. There are unanswerable questions, such as why XP has a "Cisco" option, but the access points — remember that Linksys is a subsidary of Cisco — do not.

The more interesting question is what should be done. Some of the options reflect evolution over time (i.e., WEP vs. WPA vs. WPA2). Others reflect different environments: the Enterprise options require a login name and password, and often a certificate and associated private key. In other words, the differences are not just cosmetic; there are substantive distinctions, and there really are preferred choices for different environments. But how should this be presented to the user?

https://www.cs.columbia.edu/~smb/blog/2008-11/2008-11-28.html