The Register: MS to use PEAP in new wireless products

The Register reports that Microsoft may ship its newly announced home and office 802.11 gear with Protected Extensible Authentication Protocol (PEAP) support in order to provide secure authenticated access over the wireless connection. PEAP is a form of EAP negotiation that essentially wraps TLS (aka SSL) around an otherwise unencrypted EAP session. Microsoft has also posted its July "Cable Guy" article, entitled "PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access", which goes into more depth on how PEAP works and how to integrate it into a current Windows crypto infrastructure.

So, a few comments: First of all, this does solve a significant problem present today with 802.11 wireless communication, that of performing authentication in a secured fashion, even over an insecure channel. There are a few problems, though. First, each access point must now have a TLS certificate, which is fine if you're VeriSign or if you're shelling out the dough for Microsoft's CA implementation across your organization. Second, it means that the APs need to have the ability to handle multiple TLS sessions at one time, which means significantly more CPU horsepower than is currently associated (sorry, bad pun) with the APs out there. Lastly, it implies that you have PEAP support on the client, which is fine if you're running Windows XP SP1 (rumored to have a PEAP client included in its upcoming release) but is not so good if you're using a more commodity device.

Let's call this a step in the right direction, but still way too complicated for any but the most technically astute geeks.