Securing Wireless LAN
Wired Equivalent Privacy (WEP): Difficult to change and manage encryption keys. Keys have to be changed at each access point (base station) and end user wireless card client. Long-lived keys on the other hand, can be guessed with tools such as AirSnort and WEPcrack. WEP does not include a mechanism for data integrity.
Wi-Fi Protected Access (WPA):
Use Temporary Key Integrity Protocol (TKIP) for short-lived keys. Backward compatible with WEP. Short-term solution to fix WEP weaknesses. WPA is basically TKIP and 802.1X.
WPA2:
Wi-Fi Alliance came up with it to certify vendor products. Uses AES as encryption algorithm. AES uses CCMP (CBC-MAC encryption protocol) for packet encapsulation. Backup compatible with WPA. WPA2 is a subset of 802.11i. AES is more CPU intensive than RC4 used in WEP and TKIP. AES provides both data confidentiality and integrity. Recommended for use by many security standards, including US FIPS 140-2. WPA2 enterprise uses 802.1X port access control to authenticate users by consulting with an authentication server. WPA2 personal provides a group-level authentication with a pre-shared secret key (PSK). WPA2 is not backward compatible with WEP as AES requires hardware support. Migration may involve co-existance. Many AP can be configured with multiple ESSIDs. Checkout WPA2 certified products from Wi-FI Alliance before implementation or migration. Microsoft WPA2 patch adds built-in OS support for AES-CCMP encryption, 802.1X authentication or PSK, pair-wise master key caching and pre-authentication. Radius server should speak chosen EAP type for WPA2 enterprise.
802.11i:
IEEE standard that is a upgrade of 802.11 and plugs its security holes. Foils replay attacks. Supports fast roaming. Wireless clients can transparently roam within the same extended service set (shared network of APs). However repeating the entire 802.1X with roaming introduces delay that can disrupt latency-sensitive applications like voice or streaming video. Fast roaming includes Key caching and Pre-authentication. Client can re-use keys, when roaming. A unique identifier is assigned to each station's pairwise master key (PMK) and supplied to the new AP. If AP finds the PMK in its cache, most of 802.1X is skipped and PMK is used to continue encrypting traffic. Cisco's Central Key Management (CCKM) implements sharing of PMKs between APs. Pre-authentication lets client authenticate simultaneously with multiple APs. Clients can use existing association to send 802.1X to another AP, assuming those APs can communicate over a back-end (wired) network. Back-end communication between AP for both of these fast-romaing options is beyond the scope of 802.11i. An upcoming standard, 802.11r will provide this piece.
802.1X:
Provides port-based network authentication. Supports dynamically varying encryption keys. Can be used with or without encryption methods. Uses a protocol, Extensible authentication protocol (EAP) for both wired and wireless LAN media to support multiple authentication methods such as token card, kerberos, one-time password, certificate and public key authentication. It is a transport protocol and an authentication mechanism optimized for authentication. Communication begins with an unauthenticated client attempting to connect to an authenticator (access point). Access points (APs) allows the passage of only EAP packets from client to an authentication server located on the wired side of AP. AP blocks all other traffic until it verifies client's identity from the authentication server (e.g RADIUS). Other traffic is only allowed after successful authentication. Sequence of activities are listed below:
1) Client sends an EAP-start message.
2) AP replies with EAP-request identity message.
3) Client sends an EAP-response packet.
4) Authentication server uses an authentication algorithm to verify client's identity.
5) Authentication server sends an accept or reject message to the AP.
6) AP sends an EAP-success packet to the client.
7) AP will transition client's port to authorized and forward additional traffic.
Dynamic keys can be sent by the authentication server along with the accept message to the AP. Those keys can be used to build, sign and encrypt an EAP key message sent to the client after the success packet. Client then uses the message to define applicable encryption keys.
802.1X requires choosing EAP type, such as EAP-TLS, EAP-TTLS, PEAP to define how the authentication takes place. Software supporting the specific EAP type resides on the authentication server and within OS or application on the client. AP only acts as pass-through, meaning any EAP type can be used without upgrading an 802.1X-compliant AP. 802.1X plays a major role in 802.11i standard.
Wi-Fi Protected Access (WPA):
Use Temporary Key Integrity Protocol (TKIP) for short-lived keys. Backward compatible with WEP. Short-term solution to fix WEP weaknesses. WPA is basically TKIP and 802.1X.
WPA2:
Wi-Fi Alliance came up with it to certify vendor products. Uses AES as encryption algorithm. AES uses CCMP (CBC-MAC encryption protocol) for packet encapsulation. Backup compatible with WPA. WPA2 is a subset of 802.11i. AES is more CPU intensive than RC4 used in WEP and TKIP. AES provides both data confidentiality and integrity. Recommended for use by many security standards, including US FIPS 140-2. WPA2 enterprise uses 802.1X port access control to authenticate users by consulting with an authentication server. WPA2 personal provides a group-level authentication with a pre-shared secret key (PSK). WPA2 is not backward compatible with WEP as AES requires hardware support. Migration may involve co-existance. Many AP can be configured with multiple ESSIDs. Checkout WPA2 certified products from Wi-FI Alliance before implementation or migration. Microsoft WPA2 patch adds built-in OS support for AES-CCMP encryption, 802.1X authentication or PSK, pair-wise master key caching and pre-authentication. Radius server should speak chosen EAP type for WPA2 enterprise.
802.11i:
IEEE standard that is a upgrade of 802.11 and plugs its security holes. Foils replay attacks. Supports fast roaming. Wireless clients can transparently roam within the same extended service set (shared network of APs). However repeating the entire 802.1X with roaming introduces delay that can disrupt latency-sensitive applications like voice or streaming video. Fast roaming includes Key caching and Pre-authentication. Client can re-use keys, when roaming. A unique identifier is assigned to each station's pairwise master key (PMK) and supplied to the new AP. If AP finds the PMK in its cache, most of 802.1X is skipped and PMK is used to continue encrypting traffic. Cisco's Central Key Management (CCKM) implements sharing of PMKs between APs. Pre-authentication lets client authenticate simultaneously with multiple APs. Clients can use existing association to send 802.1X to another AP, assuming those APs can communicate over a back-end (wired) network. Back-end communication between AP for both of these fast-romaing options is beyond the scope of 802.11i. An upcoming standard, 802.11r will provide this piece.
802.1X:
Provides port-based network authentication. Supports dynamically varying encryption keys. Can be used with or without encryption methods. Uses a protocol, Extensible authentication protocol (EAP) for both wired and wireless LAN media to support multiple authentication methods such as token card, kerberos, one-time password, certificate and public key authentication. It is a transport protocol and an authentication mechanism optimized for authentication. Communication begins with an unauthenticated client attempting to connect to an authenticator (access point). Access points (APs) allows the passage of only EAP packets from client to an authentication server located on the wired side of AP. AP blocks all other traffic until it verifies client's identity from the authentication server (e.g RADIUS). Other traffic is only allowed after successful authentication. Sequence of activities are listed below:
1) Client sends an EAP-start message.
2) AP replies with EAP-request identity message.
3) Client sends an EAP-response packet.
4) Authentication server uses an authentication algorithm to verify client's identity.
5) Authentication server sends an accept or reject message to the AP.
6) AP sends an EAP-success packet to the client.
7) AP will transition client's port to authorized and forward additional traffic.
Dynamic keys can be sent by the authentication server along with the accept message to the AP. Those keys can be used to build, sign and encrypt an EAP key message sent to the client after the success packet. Client then uses the message to define applicable encryption keys.
802.1X requires choosing EAP type, such as EAP-TLS, EAP-TTLS, PEAP to define how the authentication takes place. Software supporting the specific EAP type resides on the authentication server and within OS or application on the client. AP only acts as pass-through, meaning any EAP type can be used without upgrading an 802.1X-compliant AP. 802.1X plays a major role in 802.11i standard.
posted by Usman Wahid at
1:20 PM
|
0 comments
