Update on PEAP and musings on Microsoft's 802.11 strategy

John Lettice over at The Register has written a follow-up article confirming Microsoft's security enhancements to its 802.11 offerings. Funny, I must have been out of coffee last night when I wrote my original post on the subject, but after looking over Microsoft's Cable Guy column again this morning, I saw 2 important points that I had missed.

First off, Microsoft confirmed in the article that the PEAP extension is in Windows XP Service Pack 1. So that moves the discussion out of the rumor category. Second, the folks at Microsoft explained how to set up PEAP and MS-CHAP V2 with an authentication server, simply using the AP as a pass through device.

That eliminates the need for a beefier AP, since the TLS sessions will get set up between the authentication server and the client. It also plays well into Microsoft's best interests, including its "digital hub" strategy, and its recent announcements about "Soft WiFi" where AP functionality will be built into a beefier computer that has an 802.11 radio installed. These strategies hinge on the house having at least one PC sitting on the wired net next to the cable modem/DSL box, and that PC acts as the "digital hub" of the house. Now that box can function as the RADIUS and MS-CHAP-V2 server for secured 802.1x authentication as well. This only fails to work if you've got one computer and a wireless combo box with no home PC in the equation. Hmmm, potential trouble for the combo box manufacturers.

There are a number of issues surrounding the use of a PEAP scheme to protect a home wireless network. First off is the issue of a valid TLS (aka SSL) certificate on the AP; most home networks don't have an internal Certification Authority, which menas that MS would have to preinstall a certificate on each box they build, or offer a deal through one of the known public CAs, like Verisign or Baltimore, etc. That costs the end user $$$. Second is the issue of complexity - one of the biggest problems we had even before we found out that WEP was broken was that about 80% of people weren't even using WEP - they just plugged in the AP and didn't change a single out-of-the-box setting. Of course, you can blame the user in that instance, but I think tha opening up a new significant vulnerability in a network is something that the vendor should not do, even in the name of simplicity and user friendliness. You gotta work harder than that to make a really compelling product - it should be simple, user friendly, AND secure out-of-the-box.

Next comes the issue of legacy device interoperability. You know, legacy devices like your new Mac TiBook, your Linux box, or that handspring Treo. The problems with implementing a new handshake protocol into the network connection phase is that all of the devices that haven't been built with that capability obviously can't get on to the network. I'm sure that if MS stays true to form, they'll put out a release of the Pocket PC OS that will have PEAP capabilities.

Of course, you've still got the whole trusted certificate issue to deal with, so if I was Microsoft, I'd start selling inexpensive renewable certificates for these mini-IAS servers. The other option for a home user is to self-sign their certificate, and then go through a manual process of accepting the certificate on each client that will be part of the network. This opens you up to some man-in-the-middle attacks, especially for people who are connecting for the first time, but it is certainly a level of protection higher than what is out there today. The big problem remains is the geekiness factor - you have to be a geek to use this stuff, sign your own certificates, walk new users through accepting the certificates, and so on, which menas that for most home users, this will remain a feature that they leave turned off, fitting squarely into the "silly bunch of checkboxes on that security tab that I just leave unchecked".

Of course, that fits nicely into MS' strategy as well - in order to really secure your home network, you need to have a desktop PC plugged into the wall - after all, it is holding all of the music and movies you downloaded off of that cable modem, right? :-)

And your Mac or Linux box won't work, at least not until they have PEAP clients that authenticate against MS-CHAP-V2, and do they have patents on that protocol? Gotta go ask someone on the Samba team...

Sorry, I really have to watch my evil empire bashing. :-)

All in all, considering the market power that Microsoft wields, this is pretty good news - PEAP is an IETF draft standard, and the world does need big players to help push standard strong authentication and security over wireless networks. And of course, that means more people will need good tools to manage those networks.