Wireless local area networks CHAPTER 5.1 Finally, we should note that there is no provision whatsoever in the standard to allow a client to authen- ticate the access point to which it is associating, so that an attacker with a shared key can set up a spoof access point and intercept traffic intended for a legitimate network. All the above attacks depend on another weakness in the standard: no provision was made for how the shared secret keys ought to be exchanged. In practice, this meant that in most systems the secret keys are manually entered by the user. Needless to say, users are not eager to change their keys every week, to say nothing of every day, and manual reentry of shared keys more than once an hour is impractical. Further, manual key exchange over a large community of users is an administrative nightmare. As a consequence, it is all too likely that WEP shared secret keys will remain fixed for weeks or months at a time, making the aforesaid attacks relatively easy to carry out. Some of the problems noted above can be solved completely within the existing standards. Weak IVs can be avoided proactively, and some vendors have already implemented filters that ensure that weak IVs are never used by their stations. If all stations on a network avoid weak IVs, the FMS attack cannot be carried out. Weak hashing algorithms for short keys can be avoided by en- data rates, so there are no repeated cipher streams to intercept. A sophisticated integrity checking mechanism is also included to guard against an attacker injecting slight variations of valid transmitted packets. WPA addresses all the currently known attacks on WEP, though total security also depends on proper se- lection and implementation of algorithms within the 802.1x authentication process. It is certainly secure enough for home networks and for most enterprise/in- dustrial implementations. At the time of this writing (mid-2004), the 802. 11i task group has approved an enhanced standard based on the Advanced Encryption Standard rather than the WEP RC4 algorithm, which will provide an adequate level of security for most uses. Enterprises that have serious concerns about sensitive data can also implement end to end security through the use of VPNs and SSL web security. The advantage of this security approach is that protection against eavesdrop- ping at any stage of the communications process, not just the wireless link, is obtained. However, VPNs are com- plex to set up and maintain and may not support roaming of the wireless device from one access point to another, particularly if the IP address of the mobile device un- dergoes a change due to the roaming process.