AES encryption for 8846 PPC2003

A Afshin Mansoorieh 2 years 11 months ago

With the recent news of WPA being broken, we have a large customer using 8846s asking if there is any type of add-on or third party product that would provide AES encryption on the 8846. I have already explained to them that AES was never developed for 8846 since it is CPU intensive, in some ways key-guard is more secure than WPA, any encryption can be broken, there are no silver bullets, security is a layered approach with authentication, encryption, 24/7 monitoring, proactive intrusion protection, auditing and reporting. Just need to do due diligence and find if there is any possibility of AES support on the 8846 ppc2003.


4 Replies

M Marco DiBiagio

The attack has been formally published. But it is not clear to me if they are able to use this method in the wild? I assume they are working toward this. The exploit will only work on APs using QoS features. It doesn't appear that the key itself is attacked. They seem to deduce from a process of probability and elimination what an ARP packet's message will be. I assume the concept is that with enough ARP packets you eventually reverse engineer a temporal key? Wonder what effect Group Key rotation would have on this exploit? http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Fa... Agree that it's just a layer - authentication required. More reason for the smaller guys to buy our gear with inbuilt Radius!!!

A Allan Herrod

Afshin, it is not WPA that cannot be supported on the PPT8846, it's AES in particular, which is an encryption standard that is not practical to support on such a device without hardware support that is lacking in the radio on that device. You can implement other parts of WPA by using the Aegis client which is available to be added to the PPT8846, and is available for download from the following link: http://support.symbol.com/support/search.do?cmd=displayKC&docType=k… Using the Aegis client, they can do WPA PSK with TKIP, which is substantially better than WEP. They can also do WPA with various authentication modes where the TKIP key is established as part of authentication instead of being fixed and shared. One thing to be aware of, however, is that there is not and never will be support via MSP to configure the Aegis client, due to the unwillingness of the vendor of it to work with us on external configuration of their software.

D David Meyer

Just an addition from Allan's comments, for the PPT8846, if a customer is concerned about the recent break of WPA-PSK (using TKIP), they can add authentication. Although the details of this crack in WPA-PSK were not available last I looked, I believe it was only the PSK method, not a full authentication method. A good option would be to implement PEAP with TKIP using the AEGIS client on the PPT8846.

H Harold Reeves

One additional option would be the SSL Mobile VPN, formerly known as AirBEAM Safe. This could be positioned to ease end user re-authentication activities that might be required with WPA Enterprise authentication while also providing encryption at a customer-configured level, with or without certificates, 3DES-or-AES, etc. Depending on the customer's wireless client environment, this could be used to "standardize" security configuration activities for wireless and let us have at least a client license for laptops or other devices on the network. The last PMB I found on the product is here: http://www.eng.symbol.com/agile/images/002/250/924/agile225092444.pdf&n…; Our public facing page for this product, including spec sheet information can be found here: http://www.motorola.com/Business/US-EN/Business+Product+and+Services/So…;
