PARC wants to make networks smarter, easier
New device lets users quickly and securely sign on to a wireless LAN
Palo Alto Research Center (PARC), the storied institution backed by Xerox Corp. that has spawned easy-to-use technologies including Ethernet and the computer mouse, still remembers how to invent things that busy users can just plug in and forget about.
PARC researchers announced Tuesday they have come up with a device that lets new users securely sign on to a wireless LAN in less than five minutes, as well as a way for otherwise incompatible digital consumer devices to exchange data.
The wireless LAN "enrollment station," which has been under development for about a year and is already in use at the Palo Alto, California, facility, uses a PKI (Public Key Infrastructure) to automatically authenticate a client device to a wireless LAN. As it is implemented at PARC now, users essentially walk up to the station with a notebook computer or other device, line up its infrared port with that of the station and wait for the device to be signed on to the network. It cuts the process down from several steps and more than an hour to two steps and about two minutes, with no choices for the end user to make during the process, said Dirk Balfanz, a researcher in PARC's security group. The process would only have to happen once for every user on that LAN.
At the heart of the system is the IEEE 802.1X standard, a specification for authenticating clients on LANs. The enrollment station uses EAP-TLS (Extensible Authentication Protocol-Transport Layer Security), one of the EAP authentication methods that can be carried under 802.1X; 802.1X itself does not mandate any particular method. It is compatible with the WPA (Wi-Fi Protected Access) mechanism introduced last year, Balfanz said. In an enterprise that already has a PKI for its wireless LAN, the station can be integrated into the existing system because EAP-TLS authenticates with standard X.509 certificates, which current PKI products can issue and validate.
When the user brings a client system up to the enrollment station, the client first generates its own key pair and the two devices exchange public keys over the infrared link; the private half of each pair never leaves the device that created it. Then the client requests a digital certificate for that public key, which can be approved or rejected automatically based on preset policies or by a network administrator via e-mail. When the client is approved, it receives a certificate and is automatically configured to use the wireless LAN, according to PARC.
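The exchange described above, as an added example in Go that is not PARC's code and is not taken from the article: a toy enrollment station that acts as a small certificate authority, a client that generates its own key pair, and the two-channel flow in which SHA-256 fingerprints of the public keys cross the infrared link while the certificate request and the issued certificate cross the wireless link. The station signs a request only if the requesting key was first seen over infrared and a policy callback approves the name; the client, in turn, accepts the CA only if its fingerprint matches what it received over infrared. The type and function names, the choice of ECDSA P-256 and X.509 via Go's standard library, the `cn != "guest"` policy and the device names are assumptions for illustration; the article does not describe PARC's message formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on infrastructure errors (key generation, DER encoding); protocol rejections return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// fingerprint is SHA-256 over a DER SubjectPublicKeyInfo: the short value the infrared channel carries.
func fingerprint(pub any) string {
	return fmt.Sprintf("%x", sha256.Sum256(must(x509.MarshalPKIXPublicKey(pub))))
}

// Station is a toy enrollment station: a small CA that certifies only keys it has seen over infrared.
type Station struct {
	caKey   *ecdsa.PrivateKey
	caCert  *x509.Certificate
	pending map[string]bool      // client key fingerprints received over the infrared channel
	policy  func(cn string) bool // stands in for the article's "preset policies" (assumed shape)
}

func NewStation(policy func(cn string) bool) *Station {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Enrollment Station CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)) // self-signed root
	return &Station{caKey: key, caCert: must(x509.ParseCertificate(der)), pending: map[string]bool{}, policy: policy}
}

// IRExchange is the infrared step: record the client's key fingerprint, hand back the CA key fingerprint.
func (s *Station) IRExchange(clientFP string) (caFP string) {
	s.pending[clientFP] = true
	return fingerprint(&s.caKey.PublicKey)
}

// Enroll is the wireless step: honour a CSR only if its key was shown over infrared and policy approves the name.
func (s *Station) Enroll(csrDER []byte) (certDER, caDER []byte, err error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, nil, err
	}
	fp := fingerprint(csr.PublicKey)
	if !s.pending[fp] {
		return nil, nil, fmt.Errorf("key %s... was never presented over the infrared channel", fp[:12])
	}
	if !s.policy(csr.Subject.CommonName) {
		return nil, nil, fmt.Errorf("policy rejected %q", csr.Subject.CommonName)
	}
	delete(s.pending, fp) // one certificate per infrared exchange, so a captured CSR cannot be replayed
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return must(x509.CreateCertificate(rand.Reader, tmpl, s.caCert, csr.PublicKey, s.caKey)), s.caCert.Raw, nil
}

// MakeCSR generates a client key pair and a CSR for cn; the private key never leaves the client.
func MakeCSR(cn string) ([]byte, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)), key
}

// EnrollClient runs the client side end to end and returns the issued certificate once it checks out.
func EnrollClient(s *Station, cn string) (*x509.Certificate, error) {
	csrDER, key := MakeCSR(cn)
	caFP := s.IRExchange(fingerprint(&key.PublicKey)) // over infrared
	certDER, caDER, err := s.Enroll(csrDER)           // over wireless
	if err != nil {
		return nil, err
	}
	caCert := must(x509.ParseCertificate(caDER))
	if fingerprint(caCert.PublicKey) != caFP { // mutual: the client also checks the station it talked to
		return nil, fmt.Errorf("CA certificate does not match the fingerprint received over infrared")
	}
	cert := must(x509.ParseCertificate(certDER))
	return cert, cert.CheckSignatureFrom(caCert) // issued by the pre-authenticated CA
}

func main() {
	cert := must(EnrollClient(NewStation(func(cn string) bool { return cn != "guest" }), "alice-laptop"))
	fmt.Println("enrolled", cert.Subject.CommonName, "issued by", cert.Issuer.CommonName)
}
```

The rejection paths are what distinguish this from an ordinary CA: a request whose key never appeared on the infrared link is refused even if it names an approved device, a replayed request is refused because each infrared exchange buys exactly one certificate, and the client refuses a CA whose fingerprint differs from the one it saw over infrared. What remains is the caveat the article itself raises: anyone able to line up an infrared port with the station can complete the first step.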
Though useful in enterprises, the technology might have more potential for home networks, Balfanz said. The enrollment station, consisting mostly of software, could be integrated with a combination access point and router, making it easier and safer for end users to sign on to a home LAN. Getting the LAN going would be as easy as plugging in the combination device and setting it up with a broadband Internet service, then putting portable devices in front of the enrollment station, Balfanz said. Digital certificates could be approved without the need for a network administrator. As an alternative to infrared, such a device could use a USB dongle: The dongle would first be plugged into a USB port on the station and then into the client's USB port.
The system's security rests on physical proximity: an interloper who got close enough to the enrollment station to line up an infrared port could enroll a device of his own, Balfanz acknowledged.
"You never get a hundred percent secure solution anyway. The key is to understand the risks and understand how you're exposed," he said. For the average user, the risks with this device would be easier to understand than those with existing authentication systems, Balfanz argued. Current PKIs tend to involve keys and other elements on the client system that the user may not know how to handle safely, he said.