6.3 Given a scenario, install and configure wireless security settings Flashcards
Cryptographic Protocols
A security protocol (cryptographic protocol or encryption protocol) is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives. A protocol describes how the algorithms should be used. A sufficiently detailed protocol includes details about data structures and representations, at which point it can be used to implement multiple, interoperable versions of a program.
Cryptographic protocols are widely used to secure application-level data transport. A cryptographic protocol usually incorporates at least some of these aspects:
+ Key agreement or establishment
+ Entity authentication
+ Symmetric encryption and message authentication material construction
+ Secured application-level data transport
+ Non-repudiation methods
+ Secret sharing methods
+ Secure multi-party computation
For example, Transport Layer Security (TLS) is a cryptographic protocol that is used to secure web (HTTPS) connections. It has an entity authentication mechanism, based on the X.509 system; a key setup phase, where a symmetric encryption key is formed by employing public-key cryptography; and an application-level data transport function. These three aspects have important interconnections. Standard TLS does not have non-repudiation support.
More on this:
https://en.wikipedia.org/wiki/Cryptographic_protocol
Cryptographic Protocols - WPA
The WPA protocol implements much of the IEEE 802.11i standard. Specifically, the Temporal Key Integrity Protocol (TKIP) was adopted for WPA. WEP used a 64-bit or 128-bit encryption key that must be manually entered on wireless access points and devices and does not change. TKIP employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of attacks that compromised WEP.
More info on this:
https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
Cryptographic Protocols - WPA2
- 802.11i supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was shown to have security vulnerabilities. Wi-Fi Protected Access (WPA) had previously been introduced by the Wi-Fi Alliance as an intermediate solution to WEP insecurities. WPA implemented a subset of a draft of 802.11i. The Wi-Fi Alliance refers to their approved, interoperable implementation of the full 802.11i as WPA2, also called RSN (Robust Security Network).
- 802.11i makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use the RC4 stream cipher.
More on this:
https://en.wikipedia.org/wiki/IEEE_802.11i-2004
Cryptographic Protocols - CCMP
Counter Mode Cipher Block Chaining Message Authentication Code Protocol (Counter Mode CBC-MAC Protocol) or CCM mode Protocol (CCMP) is an encryption protocol designed for Wireless LAN products that implements the standards of the IEEE 802.11i amendment to the original IEEE 802.11 standard. CCMP is an enhanced data cryptographic encapsulation mechanism designed for data confidentiality and based upon the Counter Mode with CBC-MAC (CCM mode) of the Advanced Encryption Standard (AES) standard. It was created to address the vulnerabilities presented by Wired Equivalent Privacy (WEP), a dated, insecure protocol.
More on this:
https://en.wikipedia.org/wiki/CCMP_(cryptography)
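The following is an added example, not code from the page or from any 802.11 implementation, showing the construction CCMP is built on: AES-CCM (AES-CTR for confidentiality plus CBC-MAC for integrity) with the MIC truncated to 8 bytes, a 13-byte nonce made of priority || transmitter address || 48-bit packet number, the MAC header authenticated as associated data but sent in the clear, and the receiver's replay check on the packet number. The temporal key, MAC addresses and payloads are constructed test data, and the header is used as-is as AAD (real CCMP masks a few frame-control and sequence bits first). It uses the third-party Python `cryptography` package.

```python
"""AES-CCM as CCMP uses it: CTR mode for confidentiality, CBC-MAC for integrity,
8-byte MIC, 13-byte nonce = priority || transmitter address (A2) || packet number.
Constructed example, not from the page: key, addresses and payloads are made up."""
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

MIC_LEN = 8   # CCMP-128 truncates the CBC-MAC tag to 64 bits
PN_LEN = 6    # 48-bit packet number, a fresh value for every frame under one key


def ccmp_nonce(priority, transmitter_addr, pn):
    """Nonce = Priority (1) || A2 (6) || PN (6, big-endian). A repeated nonce under the
    same key reuses CTR keystream and breaks the MIC, so PN must never wrap: rekey first."""
    if not 0 < pn < 1 << 48:
        raise ValueError("packet number exhausted: rekey before reusing a nonce")
    return bytes([priority & 0x0F]) + transmitter_addr + pn.to_bytes(PN_LEN, "big")


class CcmpSender:
    def __init__(self, tk, addr):
        self.aead, self.addr, self.pn = AESCCM(tk, tag_length=MIC_LEN), addr, 0

    def protect(self, header, payload, priority=0):
        """Return (pn, ciphertext || MIC). The header is authenticated (AAD) but not encrypted."""
        self.pn += 1
        return self.pn, self.aead.encrypt(ccmp_nonce(priority, self.addr, self.pn), payload, header)


class CcmpReceiver:
    def __init__(self, tk, addr):
        self.aead, self.addr, self.last_pn = AESCCM(tk, tag_length=MIC_LEN), addr, 0

    def unprotect(self, header, pn, body, priority=0):
        """Replay check first (PN must increase), then MIC check and decryption.
        Returns (plaintext or None, status)."""
        if pn <= self.last_pn:
            return None, "replay"
        try:
            plain = self.aead.decrypt(ccmp_nonce(priority, self.addr, pn), body, header)
        except InvalidTag:
            return None, "mic_failure"
        self.last_pn = pn   # advance the replay counter only after a good MIC
        return plain, "ok"


def demo():
    """One sender/receiver pair run through the cases a receiver must get right."""
    tk = bytes(range(16))                          # constructed 128-bit temporal key
    a2 = bytes.fromhex("001122334455")             # constructed transmitter address
    a1 = bytes.fromhex("66778899aabb")             # constructed receiver address
    header = bytes.fromhex("0841") + a1 + a2 + a1  # constructed frame control + addresses
    tx, rx = CcmpSender(tk, a2), CcmpReceiver(tk, a2)

    pn1, body1 = tx.protect(header, b"first data frame")
    pn2, body2 = tx.protect(header, b"second data frame")
    tampered = body2[:2] + bytes([body2[2] ^ 0x01]) + body2[3:]     # flip one ciphertext bit
    forged_hdr = header[:2] + bytes.fromhex("ffffffffffff") + header[8:]  # change A1 in the AAD
    return [
        rx.unprotect(header, pn1, body1)[1],       # genuine frame
        rx.unprotect(header, pn1, body1)[1],       # same frame again: replay
        rx.unprotect(header, pn2, tampered)[1],    # modified ciphertext: MIC fails
        rx.unprotect(forged_hdr, pn2, body2)[1],   # modified header: MIC fails
        rx.unprotect(header, pn2, body2)[1],       # the untouched frame is still accepted
    ]
```

The receiver checks the packet number before spending an AES-CCM operation on the frame, and only advances its counter after the MIC verifies, so a forged frame with a high PN cannot be used to make the station drop the legitimate frames that follow.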
Cryptographic Protocols - TKIP
Temporal Key Integrity Protocol (TKIP /tiːˈkɪp/) is a security protocol used in the IEEE 802.11 wireless networking standard. TKIP was designed by the IEEE 802.11i task group and the Wi-Fi Alliance as an interim solution to replace WEP without requiring the replacement of legacy hardware. This was necessary because the breaking of WEP had left Wi-Fi networks without viable link-layer security, and a solution was required for already deployed hardware. However, TKIP itself is no longer considered secure and was deprecated in the 2012 revision of the 802.11 standard.
More on this:
https://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol
Authentication Protocols
An authentication protocol is a type of computer communications protocol or cryptographic protocol specifically designed for the transfer of authentication data between two entities. It allows the receiving entity to authenticate the connecting entity (e.g. Client connecting to a Server) as well as to authenticate itself to the connecting entity (Server to a client) by declaring the type of information needed for authentication as well as syntax. It is the most important layer of protection needed for secure communication within computer networks.
More on this:
https://en.wikipedia.org/wiki/Authentication_protocol
Authentication Protocols - EAP
EAP was originally developed for PPP (Point-to-Point Protocol) but today is widely used on IEEE 802.3 (Ethernet), IEEE 802.11 (Wi-Fi) and IEEE 802.16 (WiMAX) links as part of the IEEE 802.1X authentication framework. EAP is defined in RFC 3748, updated by RFC 5247. The advantage of EAP is that it is only a general authentication framework for client-server authentication; the specific way of authenticating is defined in its many versions, called EAP methods. More than 40 EAP methods exist; the most common are:
+ EAP-MD5
+ EAP-TLS
+ EAP-TTLS
+ EAP-FAST
+ PEAP (EAP-PEAP)
Of these, EAP-MD5 authenticates only the client, does not authenticate the server and derives no keying material, so it cannot be used to key a wireless link; the other four are all built on TLS and do.
Authentication Protocols - PEAP
The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel.
The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided.
Authentication Protocols - EAP-FAST
Flexible Authentication via Secure Tunneling (EAP-FAST; RFC 4851) is a protocol proposal by Cisco Systems as a replacement for LEAP. The protocol was designed to address the weaknesses of LEAP while preserving the “lightweight” implementation. Use of server certificates is optional in EAP-FAST. EAP-FAST uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client credentials are verified.
More on this:
https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP_Flexible_Authentication_via_Secure_Tunneling_(EAP-FAST)
Authentication Protocols - EAP-TLS
EAP Transport Layer Security (EAP-TLS), defined in RFC 5216, is an IETF open standard that uses the Transport Layer Security (TLS) protocol and is well-supported among wireless vendors. EAP-TLS is the original, standard wireless LAN EAP authentication protocol.
EAP-TLS is still considered one of the most secure EAP standards available and is universally supported by all manufacturers of wireless LAN hardware and software, although TLS provides strong security only as long as the client validates the server's certificate: a user who clicks through a warning about an unexpected certificate defeats the protection.
…
Unlike most TLS implementations of HTTPS, such as on the World Wide Web, the majority of implementations of EAP-TLS require client-side X.509 certificates without giving the option to disable the requirement, even though the standard does not mandate their use.[6][7] Some have identified this as having the potential to dramatically reduce adoption of EAP-TLS and prevent “open” but encrypted access points.
More on this:
https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP_Transport_Layer_Security_(EAP-TLS)
Authentication Protocols - EAP-TTLS
EAP Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLS. It was co-developed by Funk Software and Certicom and is widely supported across platforms.
The client can, but does not have to, be authenticated to the server with a CA-signed PKI certificate. This greatly simplifies the setup procedure, since a certificate is not needed on every client.
After the server is securely authenticated to the client via its CA certificate, and optionally the client to the server, the server can then use the established secure connection ("tunnel") to authenticate the client. It can use an existing and widely deployed authentication protocol and infrastructure, incorporating legacy password mechanisms and authentication databases, while the secure tunnel provides protection from eavesdropping and man-in-the-middle attack. Note that the user's name is never transmitted in unencrypted clear text (the outer EAP identity can be an anonymous placeholder), improving privacy. That protection holds only if the client actually validates the server certificate against the expected CA and server name: a client configured to skip that check will build its tunnel to a rogue access point and hand the inner credentials to the attacker.
Authentication Protocols - IEEE 802.1X
IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols.
When looking to control which devices can be used to connect to a wireless network or wired LAN, you can use 802.1X with the Extensible Authentication Protocol over LAN (EAPOL).
802.1X Stages of Communication
When preparing for the Security+ certification exam, it is important to know the stages of 802.1X communication and the protocols used at each stage. The following are the stages of communication between the 802.1X components:
- EAPOL Start
Communication starts with the client machine, or supplicant, sending an EAPOL-Start message. This is a layer-2 frame requesting access through the switch port or wireless access point; until authentication succeeds the port passes only EAPOL traffic.
- EAPOL Identity Request
The switch or wireless access point, also known as the authenticator, sends an EAP-Request/Identity (carried in an EAPOL frame) back to the supplicant, asking it to identify itself.
- EAPOL Identity Response
The supplicant sends an EAP-Response/Identity carrying its identity, typically a user name. The proof of that identity (a password-based exchange or a certificate, depending on the EAP method in use) follows in further EAP messages.
- Credentials sent
The authenticator does not interpret the EAP messages; it encapsulates them in RADIUS Access-Request packets (EAP-Message attributes, normally over UDP) to the authentication server and relays the server's EAP-Requests back to the supplicant. A method that needs several rounds produces RADIUS Access-Challenge replies until it completes.
- RADIUS Access: Accept/Reject
The authentication server sends back a RADIUS Access message to the authenticator that includes either an accept or reject status. If the credentials were verified, it sends an Access-Accept message (for WPA Enterprise this also carries the keying material the access point needs); if they were not, it sends an Access-Reject message.
- EAPOL Success/Fail
Finally, the authenticator sends an EAP-Success or EAP-Failure frame to the supplicant. With a Success message, the port is opened and the client system is granted access to the network.
More on this:
https://en.wikipedia.org/wiki/IEEE_802.1X
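The exchange above, run end to end as an added example (not code from the page or from any product) in Python with byte-exact EAP (RFC 3748) and RADIUS (RFC 2865, RFC 3579) framing: the supplicant answers EAP, the authenticator relays EAP inside Access-Request packets that carry an HMAC-MD5 Message-Authenticator, and checks the Response Authenticator on every reply so that a forged Access-Accept from a third party is rejected; the server terminates EAP and never shows the credentials to the authenticator. EAP-MD5 is used as the method only because it fits in a few lines; it does not authenticate the server or derive keys, so wireless deployments use a TLS-based method instead, and a real method adds the Access-Challenge round shown here. The user name, password and RADIUS shared secret are constructed test data.

```python
"""802.1X end to end: EAP (RFC 3748) + RADIUS (RFC 2865/3579) framing, EAP-MD5 as the method.
Constructed example, not from the page: user, password and shared secret are made up."""
import hashlib
import hmac
import os
import struct

RADIUS_SECRET = b"constructed-radius-secret"   # shared by authenticator and server (assumed)
USER_DB = {b"alice": b"constructed-password"}  # the authentication server's store (assumed)
REQUEST, RESPONSE, SUCCESS, FAILURE, T_IDENTITY, T_MD5 = 1, 2, 3, 4, 1, 4      # EAP codes/types
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RADIUS codes
USER_NAME, EAP_MESSAGE, MSG_AUTH = 1, 79, 80                                  # RADIUS attributes

def eap(code, ident, etype=None, data=b""):   # Code(1) Identifier(1) Length(2) [Type(1) Type-Data]
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eap_parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:length]

def attrs(pairs):                              # RADIUS attribute: Type(1) Length(1, incl. T and L) Value
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in pairs)

def parse_attrs(pkt):                          # attributes follow the 20-byte RADIUS header
    out, i = [], 20
    while i < len(pkt):
        out.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return out

def eap_in(pkt):                               # one EAP packet may span several EAP-Message attributes
    return b"".join(v for t, v in parse_attrs(pkt) if t == EAP_MESSAGE)

def access_request(ident, user, eap_msg):
    """Random Request Authenticator; Message-Authenticator = HMAC-MD5 over the packet with its
    own value zeroed (mandatory when EAP-Message is present). It is the last attribute here."""
    a = attrs([(USER_NAME, user), (EAP_MESSAGE, eap_msg), (MSG_AUTH, bytes(16))])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(a)) + os.urandom(16) + a
    return pkt[:-16] + hmac.new(RADIUS_SECRET, pkt, hashlib.md5).digest()

def verify_access_request(pkt):
    want = hmac.new(RADIUS_SECRET, pkt[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(want, pkt[-16:])

def reply(code, request, a):   # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)
    head = struct.pack("!BBH", code, request[1], 20 + len(a))
    return head + hashlib.md5(head + request[4:20] + a + RADIUS_SECRET).digest() + a

def verify_reply(resp, request):
    want = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + RADIUS_SECRET).digest()
    return hmac.compare_digest(want, resp[4:20])

class AuthServer:                              # terminates EAP; the authenticator never sees secrets
    def __init__(self):
        self.pending = {}                      # user -> (expected EAP identifier, challenge)
    def handle(self, req):
        if not verify_access_request(req):     # wrong shared secret or tampered in transit
            return reply(ACCESS_REJECT, req, b"")
        user = dict(parse_attrs(req))[USER_NAME]
        _, ident, etype, data = eap_parse(eap_in(req))
        if etype == T_IDENTITY:                # identity received: start the method
            chal = os.urandom(16)
            self.pending[user] = (ident + 1, chal)
            challenge = eap(REQUEST, ident + 1, T_MD5, bytes([16]) + chal)
            return reply(ACCESS_CHALLENGE, req, attrs([(EAP_MESSAGE, challenge)]))
        exp_id, chal = self.pending.pop(user, (None, None))
        if etype == T_MD5 and user in USER_DB and ident == exp_id:
            want = hashlib.md5(bytes([ident]) + USER_DB[user] + chal).digest()
            if hmac.compare_digest(data[1:17], want):
                return reply(ACCESS_ACCEPT, req, attrs([(EAP_MESSAGE, eap(SUCCESS, ident))]))
        return reply(ACCESS_REJECT, req, attrs([(EAP_MESSAGE, eap(FAILURE, ident))]))

class Supplicant:
    def __init__(self, user, password):
        self.user, self.password = user, password
    def respond(self, eap_req):
        _, ident, etype, data = eap_parse(eap_req)
        if etype == T_IDENTITY:
            return eap(RESPONSE, ident, T_IDENTITY, self.user)
        if etype == T_MD5:                     # RFC 3748 5.4: MD5(Identifier || secret || challenge)
            digest = hashlib.md5(bytes([ident]) + self.password + data[1:1 + data[0]]).digest()
            return eap(RESPONSE, ident, T_MD5, bytes([16]) + digest + self.user)
        raise ValueError("unsupported EAP type")

def authenticate(supplicant, server):
    """Authenticator (switch/AP) side. Returns (granted, the stages as seen on the wire)."""
    trace = ["EAPOL-Start", "EAP-Request/Identity"]            # stages 1 and 2
    resp = supplicant.respond(eap(REQUEST, 1, T_IDENTITY))      # stage 3: EAP-Response/Identity
    user, rid = eap_parse(resp)[3], 0
    while True:
        req = access_request(rid, user, resp)                   # stage 4: EAP relayed inside RADIUS
        trace.append("RADIUS Access-Request")
        ans = server.handle(req)
        assert verify_reply(ans, req), "reply is not from our RADIUS server"
        if ans[0] == ACCESS_CHALLENGE:                          # the EAP method needs another round
            trace.append("RADIUS Access-Challenge")
            resp, rid = supplicant.respond(eap_in(ans)), rid + 1
            continue
        granted = ans[0] == ACCESS_ACCEPT                       # stage 5: Access-Accept or -Reject
        trace.append("RADIUS Access-Accept" if granted else "RADIUS Access-Reject")
        trace.append("EAPOL EAP-Success" if granted else "EAPOL EAP-Failure")   # stage 6
        return granted, trace
```

Calling `authenticate(Supplicant(b"alice", b"constructed-password"), AuthServer())` returns `True` with the stage list from the card plus the Access-Challenge round; a wrong password or an unknown user ends in Access-Reject and EAP-Failure. Note what the Message-Authenticator and Response Authenticator do and do not give you: they bind each packet to the shared secret, so a forged reply or a modified User-Name is detected, but the EAP payload itself is not encrypted by RADIUS, which is why a TLS-based EAP method (or RADIUS over TLS) is needed when the credentials must stay private on the authenticator-to-server path.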
Authentication Protocols - RADIUS Federation
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol, operating on UDP port 1812 for authentication and authorization and UDP port 1813 for accounting (older deployments used 1645 and 1646), that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service. RADIUS was developed by Livingston Enterprises, Inc. in 1991 as an access server authentication and accounting protocol and later brought into the Internet Engineering Task Force (IETF) standards.
Because of the broad support and the ubiquitous nature of the RADIUS protocol, it is often used by Internet service providers (ISPs) and enterprises to manage access to the Internet or internal networks, wireless networks, and integrated e-mail services. These networks may incorporate modems, digital subscriber line (DSL), access points, virtual private networks (VPNs), network ports, web servers, etc.
RADIUS is a client/server protocol that runs in the application layer over UDP (RFC 2865); RADIUS over TCP (RFC 6613) and RADIUS over TLS, known as RadSec (RFC 6614), were added later, and the TLS transport is what protects RADIUS traffic that has to cross untrusted networks. Network access servers, the gateways that control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X authentication as well.
The RADIUS server is usually a background process running on a UNIX or Microsoft Windows server. RADIUS federation links the RADIUS servers of separate organizations through proxies, routing on the realm part of the user name (user@example.edu): a visitor's request is forwarded to their home organization's server, which holds the credentials and returns Access-Accept or Access-Reject, so each member network grants access to users it never enrolled. The eduroam academic roaming service is the best-known deployment.
More on this:
https://en.wikipedia.org/wiki/RADIUS
Methods
Methods - PSK vs. Enterprise vs. Open
PSK
WPA Personal is also known as WPA-PSK, which means WPA pre-shared key. With WPA Personal, you configure the access point and every client with the same passphrase; from it (and the SSID) each device derives the pre-shared key that serves as the master key, and the per-session keys that actually encrypt traffic are derived from that master key when a client associates. Because every client shares the one secret, anyone who knows the passphrase and captures a client's association handshake can recover that client's session keys, and the passphrase has to be changed whenever a person or device is no longer trusted. This mode is used most by home users and small businesses.
Enterprise
WPA Enterprise, also known as WPA-802.1X, is a WPA implementation that uses a central authentication server such as a RADIUS server for authentication and auditing features. Each user or device authenticates with its own credentials (a password or a certificate) and receives its own session keys, so access can be revoked per user without rekeying everyone else. WPA Enterprise is used by larger organizations so that they can use their existing authentication server to control who has access to the wireless network and to log network access.
Open
An open wireless network does not require any password to connect and does not use any form of encryption to keep the wireless data secret from prying eyes. Naturally, it is not recommended to leave your wireless network open (you should implement WPA2) or to connect your client system to an open network that you are not familiar with.
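An added example, not from the page or from any vendor's code, of what "pre-shared key" means in practice: the passphrase is stretched into the 256-bit PSK with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, for 4096 iterations (the IEEE 802.11i passphrase-to-PSK mapping), and every device on the network computes the same value. The second function shows why passphrase strength is decisive in PSK mode and irrelevant in Enterprise mode: an attacker who has recorded one client's handshake can test candidate passphrases offline. The real check derives the session keys from each candidate and verifies the handshake's integrity code; comparing against the PSK directly stands in for that step here. The SSID, passphrases and wordlist are constructed.

```python
"""WPA/WPA2-Personal key derivation: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).
Constructed example, not from the page: SSID, passphrases and wordlist are made up."""
import hashlib
import hmac
from typing import Iterable, Optional


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PSK mapping; same passphrase + same SSID gives the same key everywhere."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
                               4096, dklen=32)


def offline_guess(target_psk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary check an attacker runs after capturing a client's handshake.
    Each guess costs 4096 HMAC-SHA1 rounds and no network interaction; rate limits on
    the access point do not apply. Comparing the PSK directly stands in for deriving
    the session keys and checking the handshake integrity code."""
    for guess in candidates:
        try:
            if hmac.compare_digest(wpa_psk(guess, ssid), target_psk):
                return guess
        except ValueError:      # too short or too long to be a WPA passphrase: skip
            continue
    return None


def demo():
    ssid = "CoffeeShop-Guest"                                      # constructed
    weak = wpa_psk("sunshine1", ssid)
    strong = wpa_psk("plausible-rainfall-ledger-42-moth", ssid)
    wordlist = ["123456", "password", "sunshine1", "letmein1"]     # constructed wordlist
    return {
        "weak_recovered": offline_guess(weak, ssid, wordlist),
        "strong_recovered": offline_guess(strong, ssid, wordlist),
        "ssid_is_salt": wpa_psk("sunshine1", ssid) != wpa_psk("sunshine1", "OtherSSID"),
    }
```

Two practical consequences follow from the derivation. The SSID is the salt, so precomputed tables only exist for common SSIDs, and a network with a unique SSID and a long random passphrase is out of reach of a wordlist. And because the PSK is the same for every client, anyone who knows it and sees another client's handshake can decrypt that client's traffic; Enterprise mode avoids both problems by giving every user their own credential and session keys.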