Wireless Popularity 2: Security Concerns, Continued - Integrated Application Protocol Encryption
(Page 3 of 4)
VPN solutions similar to the one I have described above do not solve the underlying cause of this problem. VPN works basically as a bandage, like WEP and WPA, encrypting all traffic as it goes in and out of the client. On top of this, it requires that all outbound and inbound traffic be sent through some third server, thus often adding a great number of extra hops to a packet’s travel. What is really necessary to solve this problem is a change in the way that our application level protocols handle data, that is, some sort of security integrated into these protocols themselves. Luckily, this service has recently been added to most of these major protocols mentioned above.
In the guise of SSL encryption on top of these protocols, FTP and IMAP have both implemented this solution. It works by using the SSL algorithm to encrypt data specifically as it is sent between a client and the destination server. This is the same process used to scramble e-commerce communications between a Web server and a client. A specific description of SSL itself is beyond the scope of this article; however, I will cover some of the highlights and how they relate specifically to the problem of wireless security.
SSL works by encrypting traffic bound from a client to a specific server, and from that server back to the client, in such a way that there is no need to pass encryption keys around beforehand in plaintext, while still preventing any malicious third party from reading the traffic, re-routing the traffic, or impersonating a trusted server. In terms of regular HTTP e-commerce, for which SSL was originally designed, the last two of these security requirements are often the most important; when thinking about wireless security, however, we are primarily concerned with the first.
Since wireless communications travel across the open radio waves, there is little we can do to prevent them from being intercepted by malicious parties. However, what we can do with SSL is make certain that if the traffic IS intercepted, it is absolutely worthless to the person who intercepted it.
The traffic encrypted by SSL is very difficult to break using commercial grade equipment in a time frame that would be useful to a hacker. In addition, the amount of traffic passed is usually small enough to prevent a hacker from getting a large enough baseline to get a handle on breaking the encryption anyway.
In terms of efficiency, SSL is a far better solution than VPN for several reasons. First, SSL does not require a third leg in the journey. There is no extra server required to decrypt and reroute traffic as there would be in a VPN setup. This means that all packets travel only exactly as far as is necessary to reach their destination. All encryption is performed by the client and server machines themselves, but only on the traffic required to be encrypted.
This particular aspect has added benefits. This solution does not encrypt unnecessary data. For instance, only the IMAP traffic between a client system and a certain server gets encrypted. Other traffic, like regular HTTP traffic, general control traffic, and so forth, that carries no sensitive data is not encrypted, allowing it to flow quickly and efficiently without waiting for the processing time needed to encrypt it. Among the solutions currently widely available, this sort is by far the most effective and efficient one.
However, there are some drawbacks to this particular approach. First of all, most email, FTP, IM, and various other servers do not have this particular feature enabled or set up. For SSL to work correctly for a public audience, a server must have an SSL certificate granted by a trusted certificate authority. This certificate must be generated and then submitted to a certificate authority to be digitally signed by them, which also incurs a nominal monetary cost for the person registering the certificate. While this cost in and of itself is not great, it does require time and effort to create the certificate, and then to configure, test, and certify that the server is working correctly with the certificate installed. As well, it requires all client software to have SSL built in and configured correctly, sometimes an issue for large populations of end users.
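The two drawbacks just described show up directly in what a wireless segment carries: a client still talking IMAP or FTP in plaintext either has not been configured for SSL, or is talking to a server that offers no SSL service at all. The following script is an added example, not code from the original article; it classifies constructed session records (client, server hostname, server port, all invented for this example) by the well-known plaintext and SSL-wrapped ports and reports, for each exposed session, which side the fix belongs on.

```python
import re
from collections import defaultdict

# Well-known ports: plaintext application protocol and its SSL-wrapped counterpart.
PLAINTEXT = {21: "FTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}
SSL_WRAPPED = {990: "FTPS", 443: "HTTPS", 995: "POP3S", 993: "IMAPS"}
# The SSL-wrapped port a server would offer in place of each plaintext service.
SSL_PORT_FOR = {"FTP": 990, "HTTP": 443, "POP3": 995, "IMAP": 993}

# Constructed sample of session records seen on a wireless segment: "client server port".
SAMPLE_SESSIONS = """\
10.0.0.5 mail.example.edu 143
10.0.0.7 mail.example.edu 993
10.0.0.5 ftp.example.edu 21
10.0.0.9 www.example.edu 80
10.0.0.9 shop.example.edu 443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)$")

def parse_sessions(text):
    """Return (client, server, port) tuples, skipping blank or malformed lines."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sessions.append((m.group(1), m.group(2), int(m.group(3))))
    return sessions

def exposure_report(sessions):
    """Flag plaintext application sessions and say where the fix belongs.

    A plaintext session to a server that some client reaches on the SSL port is a
    client configuration problem; one to a server never seen on the SSL port points
    at a server that has no SSL service set up yet.
    """
    ssl_servers = defaultdict(set)          # server -> SSL-wrapped ports observed
    for _, server, port in sessions:
        if port in SSL_WRAPPED:
            ssl_servers[server].add(port)
    findings = []
    for client, server, port in sessions:
        if port not in PLAINTEXT:
            continue                        # SSL-wrapped or unrelated traffic
        service = PLAINTEXT[port]
        if SSL_PORT_FOR[service] in ssl_servers[server]:
            cause = "client not configured for SSL"
        else:
            cause = "server offers no SSL service"
        findings.append({"client": client, "server": server,
                         "service": service, "cause": cause})
    return findings

if __name__ == "__main__":
    for f in exposure_report(parse_sessions(SAMPLE_SESSIONS)):
        print(f"{f['client']} -> {f['server']} {f['service']} in plaintext: {f['cause']}")
```

Port-based classification is only a heuristic: a session that negotiates encryption inside the plaintext port would still be flagged here, so confirm a finding against a capture before chasing the client or server owner.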
By Michael Swanson