Following on the heels of the release of Mac OS X 10.3 Panther, Apple last week pushed out the AirPort 3.2 Update, which features the expected addition of Wi-Fi Protected Access (WPA) encryption, a new security method for providing robust encryption over wireless connections between an AirPort Extreme Card and an AirPort Extreme Base Station. The AirPort 3.2 software includes the AirPort Extreme Firmware 5.2 update for the AirPort Extreme Base Station; a separate installer for the firmware update is also available as a 1.1 MB download from Apple’s Web site.
The addition of WPA encryption support is big news for users and administrators of wireless networks. WPA is the fixed version of the original Wired Equivalent Privacy (WEP) encryption found in 802.11 wireless standards. WEP was proven to have so many flaws and weaknesses that a cracker using freely available software could easily obtain a WEP key by passively sniffing wireless traffic for a period of time ranging from 15 minutes to several days, depending on the volume of traffic over the base station (see "Wireless Fishbowls" in TidBITS-592).
WPA uses a simple passphrase – a set of letters, numbers, and punctuation – to derive an encryption key, which is exactly how Apple has always hidden the complexity of WEP’s approach. Behind the scenes, however, WPA fixes the several ways in which WEP failed, making it a reliable way to protect wireless traffic. (To protect a network comprised of both wired and wireless traffic, you might need a virtual private network connection; Apple offers two kinds of VPN clients and servers in Panther and Panther Server.) With WPA installed, the only way to break into a wireless network is through social engineering: convincing someone to give you the password.
Early WPA Hurdles — Unfortunately, this first implementation of WPA is disappointing for three reasons. The interface for entering a "WPA Personal" key (Apple’s term for what is more commonly known as a "pre-shared key") doesn’t resemble the interfaces for Linksys and Buffalo wireless devices we’ve seen. You can choose to enter a password of 8 to 63 text characters or a Pre-Shared Key, which is 64 hexadecimal characters. Good gravy, that’s a lot of characters to enter, and it’s unclear if the hex version can be used on other devices; I recommend you stick with a text-based passphrase. (Apple also supports what they call WPA Enterprise, which lets an AirPort Extreme card user have their user name and password confirmed by a RADIUS server, which also provides a unique encryption key to that user.) In the interfaces for Buffalo and Linksys gear, you enter a passphrase that can be 8 to 32 text characters. Neither seems to offer the hexadecimal version of the pre-shared key.
The second disappointment is that even though WPA allows for older machines that understand only WEP to join networks running WPA (by allowing WEP and WPA keys to both work, even though that reduces security), Apple currently allows only all-WEP or all-WPA networks.
The final crushing bit is that, at least for now, users of 802.11b AirPort cards and AirPort Base Stations, along with Mac OS 8.6/9.x users, do not have access to this advanced and secure method of protection – in short, everyone using older hardware is currently out of luck with regard to WPA. It doesn’t have to be that way: WPA was specifically designed to be a firmware upgrade option for all existing 802.11b devices. For all we know, Apple and Agere – the makers of Apple’s 802.11b equipment – may be furiously working on this problem, and Proxim, the current owner of the consumer-level hardware that’s equivalent to the AirPort cards has posted a white paper that claims WPA support fairly soon. However, that doesn’t mean that all existing 802.11b devices were built with such upgrades in mind: our current impression is that Apple’s AirPort Base Station will not be upgradable to WPA. Since there’s no revenue involved, it’s hard to know what Apple’s priority might be, except to avoid millions of irritated customers.
These disappointments aside, if you’re on an all-AirPort Extreme network, we recommend installing and using this update immediately, since it provides fundamentally good security for any installation, no matter how small or large.
The AirPort 3.2 upgrade, a 7 MB download, works only with Mac OS X 10.3 or later, and Apple recommends it for both AirPort and AirPort Extreme cards and base stations. However, it appears that the update for the non-Extreme AirPort devices seems entirely oriented for providing error messages about WPA being unavailable.
Adam Engst and I have just finished a massive revision to our book, The Wireless Networking Starter Kit, which has an extensive explanation of how to use WPA and the security underpinnings of it, among dozens of new topics. The second edition will be available later this month.
PayBITS: Did Glenn’s explanation clarify the boundaries of
the AirPort update? Consider sending him a few bucks via PayBITS!
Read more about PayBITS: <http://www.tidbits.com/paybits/>