OIT moves to WPA for wireless security

Over 15,000 people on Tech’s campus use the Local Area Walkup and Wireless Network (LAWN) to access the Internet every day. Now, the Office of Information Technology (OIT) is planning to transfer this wireless network from the Wired Equivalent Privacy (WEP) system to the Wi-Fi Protected Access (WPA) system.

Wired Equivalent Privacy (WEP) is an algorithm designed in 1997 to provide the confidentiality and privacy of a traditional wired network. However, cryptologists quickly found numerous weaknesses in the system that could easily lead to security breaches.

In 2003, WPA officially superseded WEP as the wireless security protocol standard. Despite this action, many systems still utilize the WEP protocol for wireless communication.

Currently, in order to use the wireless network at Tech, a person first has to connect their laptop, PDA or phone to GTWireless with a web key. The person is then redirected to a captive portal for LAWN, where they have to log in to the network with their GT account username and password.

The main issue with this system is the inconvenience experienced by the user. For security reasons, the user is logged out of LAWN every time the device is shut off. This means that during the course of a normal day, a typical student or faculty member will have to log into the network several times.

“There were many complaints about this aspect of the network. [That is] why the GTLogin application for iPhone was created,” said Ron Hutchins, associate vice provost for Research and Technology and chief technology officer at OIT. “The problem with this application and [others like it] is that it necessarily makes your private information less secure.”

According to Hutchins, another purpose of the LAWN captive portal is to ensure that the state of Georgia’s resources for the wireless network are not being used by persons not affiliated with Tech.

Since its introduction in 1999, LAWN has been constantly updated and improved. Even though it has worked so far and continues to work for the campus community, OIT is planning to switch to the WPA system because it is both more convenient and more secure.

In the new WPA system, the username and password of the student or faculty member are stored in the device itself, and each time he or she accesses the wireless network, the WPA-enabled device will send a “signature” to an access point. The access point checks the “signature” and confirms the identity against the Georgia Tech Active Directory.

This system is more secure because, unlike WEP, the username and password of the person do not leave the device and thus cannot be intercepted by someone watching the communication between wireless devices.

It also means that the device itself will automatically connect to the wireless network whenever the user accesses the Internet, so entering usernames and passwords is no longer necessary.

“It has been very successful so far in a controlled environment,” Hutchins said. “We’re working hard to be able to roll out the system as soon as we can, but of course we can’t expect it to be perfect on day one.”

WPA at Tech is still in the testing stage and is available only in certain spots on campus. There is also the issue of some devices not yet supporting the WPA security protocol.

A group of “friendly users” is providing feedback to OIT, which is in the process of maturing the product for future mass implementation. These “friendly users” are working with WPA to ensure that all safety measures are being handled in the correct fashion.

“Oftentimes, when a new system with tangible benefits comes out, everyone immediately wants to use it and becomes angry when they run into problems. What we’re going to ask from students with WPA is that they be patient and allow us time to improve the system for them first,” Hutchins said.