Overview

High-profile security vulnerabilities in the first generation of IEEE 802.11-based wireless networks kept many corporations from deploying them. Today's best available standards for securing wireless networks, IEEE 802.1x (and the follow-on standards WPA and 802.11i), can be very difficult to configure and deploy. In their most secure configuration, they require every network client to obtain and install a digital certificate and participate in a Public Key Infrastructure (PKI). Even large corporations can find this too difficult to deploy in practice, and it is well out of the reach of small office or home users. PARC's approach takes this industrial-grade security technology and makes it simple to configure and use -- bringing it within reach of even home users and small businesses. PARC's approach reduces wireless network security to physical security -- a simple, intuitive model that all users understand. PARC's "Network-in-a-Box" technology allows an average user to add a computer to an 802.1x-secured wireless network in less than 60 seconds by following two simple steps.
Imagine a user wanting to set up a small network. The first time they plug in their new access point enabled with PARC's technology, it autoconfigures itself to form a secure network. The first time a user wants to access that secure wireless network with a new device, she simply takes that device and "points out" the PARC-enabled access point serving that network, using any of a number of location-limited channels. In the figure, a user is shown using infrared to "point out" the small, white Network-in-a-Box access point. After exchanging a small amount of cryptographic information to establish trust over the infrared link, the laptop is able to make a secure wireless connection to the access point. Over this secure, authenticated connection, the access point issues a digital certificate to the new device, which automatically installs it and configures itself to use the new network securely.

Securing Enterprise Wireless Networks

In an enterprise setting, PARC's technology makes it easy for systems administrators to enable users to configure their own wireless devices according to the organization's security policy. A user would take her new laptop to an "enrollment station" and use a location-limited channel to point to it, indicating her desire to enroll the laptop in the corporate wireless network. Such an enrollment station could optionally allow a human operator to intercede in each request, verifying employee identity or adding configuration information particular to this machine. After this initial exchange of trust information, the user can return to her routine. At a later point, potentially after additional offline operator review, the user is informed by email that her digital certificate is ready.
Using PARC's enrollment software, her laptop retrieves and installs her digital certificate and configures itself according to any policy settings provided by the enterprise's IT staff. This entire enrollment process can be performed securely over the corporate WLAN without requiring the user's laptop to have any alternative source of network access, wireless or wired. The entire enrollment process requires less than 2 minutes of the user's time, while traditional approaches to certificate enrollment and network configuration can take on the order of 2 hours. PARC's technology can be applied to consumer use, small office/home office settings, and ad-hoc networks, and can be scaled to manage enterprise-class wireless networks. Because PARC's approach takes existing standards and makes them easy to use, it is interoperable with a wide variety of commercial devices and technology. In particular, PARC's approach to simplifying PKIs and network configuration has been used to manage the configuration of Virtual Private Network client software, and could easily be extended to simplify almost any PKI-enabled application. Further technical details can be found in our paper.
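The two steps described above (pointing a device at the access point over a location-limited channel, then completing enrollment over the wireless link) can be modelled as a small simulation. The following is an added example written for this page, not PARC's own code or the protocol from their paper. It assumes that the "small amount of cryptographic information" exchanged over the infrared link is a commitment (here, a SHA-256 digest) to each side's public key, that public keys can be stood in for by random byte strings, and that the certificate the access point issues can be stood in for by an HMAC tag under an assumed CA secret. The point it demonstrates is the security property the page relies on: a device that was physically pointed at the genuine access point will reject any other party that answers on the open wireless channel, because that party cannot produce a key matching the commitment received over the location-limited channel.

```python
"""Simulated location-limited-channel pre-authentication followed by certificate
enrollment. Added example; the commitment construction, the random stand-in
public keys and the HMAC stand-in for a CA signature are all assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Party:
    """A device or an access point. The public key is a random stand-in for a
    real key pair (assumption: the real system would use actual public keys)."""
    name: str
    public_key: bytes = field(default_factory=lambda: os.urandom(32))
    # Commitments received over the location-limited channel, keyed by peer name.
    expected: Dict[str, bytes] = field(default_factory=dict)


def commitment(public_key: bytes) -> bytes:
    """Short value sent over the location-limited channel: a digest of the key."""
    return hashlib.sha256(public_key).digest()


def pre_authenticate(a: Party, b: Party) -> None:
    """Step 1: exchange commitments over the location-limited (e.g. infrared)
    channel. Its authenticity comes from physical proximity: the commitment
    a party stores belongs to whatever device it was pointed at."""
    a.expected[b.name] = commitment(b.public_key)
    b.expected[a.name] = commitment(a.public_key)


def verify_over_wireless(receiver: Party, sender_name: str, claimed_key: bytes) -> bool:
    """Step 2 (one direction): over the open wireless link a peer presents its
    full public key; accept it only if it matches the stored commitment."""
    expected = receiver.expected.get(sender_name)
    if expected is None:
        return False  # never pointed at this peer: nothing to trust
    return hmac.compare_digest(commitment(claimed_key), expected)


def issue_certificate(ca_secret: bytes, device_name: str, device_key: bytes) -> dict:
    """Stand-in for the access point issuing a certificate. A real deployment
    would produce a CA-signed X.509 certificate; an HMAC tag is used here only
    so the flow is self-contained."""
    body = device_name.encode() + b"|" + device_key
    return {
        "subject": device_name,
        "public_key": device_key,
        "tag": hmac.new(ca_secret, body, "sha256").digest(),
    }


def enroll(device: Party, ap: Party, ca_secret: bytes,
           key_seen_by_device: Optional[bytes] = None) -> Optional[dict]:
    """Run both steps and return the certificate, or None if either side
    rejects the other. `key_seen_by_device` models a rogue party answering on
    the wireless channel with its own key instead of the genuine AP's."""
    pre_authenticate(device, ap)
    ap_key = ap.public_key if key_seen_by_device is None else key_seen_by_device
    if not verify_over_wireless(device, ap.name, ap_key):
        return None  # device refuses: wireless peer is not the AP it pointed at
    if not verify_over_wireless(ap, device.name, device.public_key):
        return None  # AP refuses: device was never presented over the LLC
    # Only now, over a mutually authenticated link, is the certificate issued.
    return issue_certificate(ca_secret, device.name, device.public_key)


if __name__ == "__main__":
    laptop, access_point = Party("laptop"), Party("nib-ap")
    print("genuine AP:", enroll(laptop, access_point, b"ca-secret") is not None)
    rogue = Party("rogue")
    print("rogue on wireless:",
          enroll(Party("laptop-2"), Party("nib-ap"), b"ca-secret",
                 key_seen_by_device=rogue.public_key) is not None)
```

In the simulation the wireless channel is assumed to be fully attacker-controlled; the only thing that distinguishes the genuine access point is possession of the private key behind the commitment delivered by pointing. That is what lets the page collapse wireless security into physical security: whoever the user pointed at is who the device will talk to, and nobody else.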