PARC wants to make networks smarter, easier

Palo Alto Research Center (PARC), the storied institution backed by Xerox that has spawned easy-to-use technologies including Ethernet and the computer mouse, still remembers how to invent things that busy users can just plug in and forget about.

PARC researchers announced Tuesday they have come up with a device that lets new users securely sign on to a wireless LAN in less than five minutes, as well as a way for otherwise incompatible digital consumer devices to exchange data.

The wireless LAN "enrollment station," which has been under development for about a year and is already in use at the Palo Alto, California, facility, uses a PKI (Public Key Infrastructure) to automatically authenticate a client device to a wireless LAN. As it is implemented at PARC now, users essentially walk up to the station with a notebook computer or other device, line up its infrared port with that of the station and wait for the device to be signed on to the network. It cuts the process down from several steps and more than an hour to two steps and about two minutes, with no choices for the end user to make during the process, said Dirk Balfanz, a researcher in PARC's security group. The process would only have to happen once for every user on that LAN.

At the heart of the system is the IEEE 802.1x standard, a specification for authenticating clients on LANs. The enrollment station uses EAP-TLS (Extensible Authentication Protocol-Transport Level Security), one of the authentication protocols that is optional under 802.1x. It is compatible with the WPA (Wi-Fi Protected Access) mechanism introduced last year, Balfanz said. In an enterprise that already has a PKI for its wireless LAN, the station can be integrated into the existing system through the standard, which can support a wide range of current PKI technologies.

When the user brings a client system up to the enrollment station, at first the devices exchange a cryptographic key pair. Then the client requests a digital certificate, which can be approved or rejected automatically based on preset policies or by a network administrator via e-mail. When the client gets approved, it receives a certificate and is automatically configured to use the wireless LAN, according to PARC.

Though useful in enterprises, the technology might have more potential for home networks, Balfanz said. The enrollment station, consisting mostly of software, could be integrated with a combination access point and router, making it easier and safer for end users to sign on to a home LAN. Getting the LAN going would be as easy as plugging in the combination device and setting it up with a broadband Internet service, then putting portable devices in front of the enrollment station, Balfanz said. Digital certificates could be approved without the need for a network administrator. As an alternative to infrared, such a device could use a USB dongle: The dongle would first be plugged into a USB port on the station and then into the client's USB port.

The system would be susceptible to break-ins if an interloper got close enough to the enrollment station to authenticate a portable device, Balfanz acknowledged.

"You never get a hundred percent secure solution anyway. The key is to understand the risks and understand how you're exposed," he said. For the average user, the risks with this device would be easier to understand than those with existing authentication systems, Balfanz argued. Current PKIs tend to involve keys and other elements on the client system that the user may not know how to handle safely, he said.

PARC is seeking licensing deals with companies that could include makers of access points and vendors of current wireless LAN security systems, he said. The researchers believe most of the technology is ready now.

"As far as we're concerned, we would like to have this thing on the shelves some time before the end of the year," Balfanz said. He did not estimate pricing.

Farther out is PARC's Obje interoperability platform. This system is designed to allow devices -- especially consumer electronics -- to share files even if they weren't built or programmed to work with each other. One device can teach another device how to get and use a file by sending Obje software across a network.

Even devices built for different kinds of connectivity -- Ethernet, Wi-Fi, Bluetooth and so on -- could share files, said Hermann Calabria, principal of business development for Obje. One device that can use multiple kinds of networks can act as a bridge between other devices that don't share a network technology. For example, a handheld computer with Bluetooth connectivity could send a document file to a printer that uses Wi-Fi if there were a PC in between that had both wireless technologies in it.

PARC's vision is that when consumers walk into a room, all the devices in that room will be able to find each other and the user will be able to access any data or service from any of the devices on any other device, Calabria said.

"Instead of people trying to figure out what works with what ... we would like the software to figure these things out. These things are difficult for people to do, but we don't think it's difficult for computers to do it," he said.

To do that, the devices have to be able to share both transport protocols and rendering protocols. For a WMA (Windows Media Audio) file located on a PC to be played on a digital music player, the music player would need software to support both the transport protocol the PC uses (one example is FTP, or file transfer protocol) and the rendering technology, in this case WMA. Obje is designed so the PC can send those bits of software to the music player to "teach" it to receive and play the file.

One device wouldn't even have to know about what the other could do with the data, he added. In the example of a handheld computer sending a file to a printer, there would not even have to be printing software on the handheld. It would simply recognize that the printer was there and send the file, and the job could be carried out at the printer.

Calabria likened Obje to HTTP (Hypertext Transfer Protocol) and HTML (Hypertext Markup Language), the lowest-common-denominator technologies that allow Web content to be viewed on many types of browsers and devices. The result may not be optimal, but it is widely available.

"What we've learned from the Web is that you can still get a pretty good user interface and a good user experience through the browser," he said.

The technology is working in prototype form at PARC, Calabria said. A critical issue still to be worked out is licensing requirements for the codecs (coding and decoding software) that vendors such as Microsoft provide for rendering documents or playing multimedia streams, he said. In many cases it may not be legal for those codecs to be freely shared among all the devices in a user's home.

PARC is already talking with consumer electronics makers about commercializing Obje. Representatives of existing industry protocol groups also have joined those discussions, Calabria said. An industry consortium might be the best way to implement and promote the technology, as there would also be considerable consumer education required, he said. However, because one device on a network can send the software out to other devices, not all vendors would have to get on board and build the software into their products. Calabria suggested it could be made available as a free software download.

Ultimately, Obje would ride two waves to success, Calabria said: the convergence of consumer electronics and computing, and the growing storage and processing capabilities of consumer hardware. Those two trends are likely to grow strongly over the next two years or so, he said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Consumer ElectronicsIEEEINSMicrosoftSecurity SystemsXerox

Show Comments