In 1996, Edney co-founded InTalk, Inc., the first IEEE 802.11 company to develop WLAN access points. After InTalk was acquired by Nokia Corporation, he focused on the application of Wi-Fi to public access networks. He is an active member of the IEEE 802.11 TGi security group.
How did you get interested in wireless security?
I've been involved in IEEE 802.11 since the early days. In the early 1990s there was hardly more than a roomful of people involved in the standards work - now there are more than 500 people at every meeting. In those days the applications were specialized and small scale but some of us could see the potential for the technology to challenge Ethernet. The first requirement was to get to 10 Mbps (the original standard was only 1-2 Mbps). The second issue was security. Every customer was concerned about security and, quite frankly, a lot of bunk was talked on the issue. There was no real security in the original standard. Everybody knew that WEP was only a lightweight privacy protocol because with the short key (40 bits) it was open to brute force attack. The intent, even at that time, was that if you needed "military grade" security you had to add this on top. The problem really set in when vendors started marketing "128 bit" security. They lengthened the key but did not look at the protocol to see where the other weaknesses were. It raised expectations among customers that could not be achieved in practice. In my opinion it was the introduction of "128 bit" WEP keys that created a problem - something that was never adopted by the official IEEE 802.11 standard.
When the weaknesses of WEP became public and the IEEE 802.11 standards group opened up a task group on security I welcomed the opportunity to sign up. There were only about 10 people in the early meetings but this grew to 70 or 80 people at the peak. Security is a fascinating subject embracing advanced mathematics, systems analysis, lateral thinking and plain cunning.
How long did it take you to write "Real 802.11 Security: Wi-Fi Protected Access and 802.11i" and what was it like? Any major difficulties?
It took about one year to write the book and another six months to get it polished and into production. Different writers have different styles. My approach is to set a word goal to be accomplished every day - mine was 1000 words a day, seven days a week. I didn't make it - I averaged about 700! As you might expect the main problem was describing a moving target. In order to be as up to date as possible I had to write the book while the standard was progressing. Sometimes things would change direction. I had to throw away half a chapter when AES/OCB mode was dropped as the mandatory cipher for RSN! In the end the book as published is pretty close to the final draft of the standard. There have been a few tweaks since publication but nothing that really changes the picture.
What are your favorite tools for dealing with security when it comes to wireless networks and why?
Well, up to now there have not been too many options. At home I turn everything on that I have. I run WEP and I also use MAC address filtering. It wouldn't keep out a determined attacker but I think it keeps out the neighbors. At some point I'll upgrade my home stuff to IEEE 802.11g and finding cards with WPA will be a priority.