Anyone who assumes 802.11 wireless local area networking (WLAN) systems are inherently secure will get a wake-up call next week with the release of a report that claims there are significant weakness in the RC4 encryption algorithm used to secure such systems.

In their report Weaknesses In The Key Scheduling Algorithm For RC4, slated for release at next week's Selected Areas In Cryptography conference in Toronto, cryptographers Adi Shamir and Itsik Mantin of the Computer Science Department of the Weizmann Institute in Rehovot, Israel, and Scott Fluhrer of Cisco Systems intend to show how the key scheduling algorithm of RC4 can be retrieved, giving access to encrypted data. RC4 is a standard encryption algorithm from RSA Security Inc. and is used in a number of applications, but most specifically in the Wired Equivalent Privacy encryption scheme used with 802.11 WLAN systems. WEP uses a 40-bit key, which experts believe is too short for full security. The report says other weaknesses in RC4 add to security concerns.

While it's impossible to make any network completely secure, analysts say administrators often make the mistake of accepting default security or simply assuming a system is secure. "Whatever you do with your wireless LAN, turn security on anyway," says Craig Mathias, principal with Farpoint Group. "You're not going to make it impossible to break in, but at least make it difficult. We always recommend the use of the proprietary encryption techniques or a virtual private network technology."

The IEEE-802.11i Task Group is developing a WEP2 standard, which uses a 128-bit security key for 802.11 WLAN systems.