Encryption, security, PSK/dot1X Flashcards

1
Q

What did 802.11i bring?

A

Robust Wireless Security, also called RSN (Robust Security Network)

2
Q

What are the 5 categories of wireless security?

A
Data privacy and integrity
Authentication, authorization, and accounting (AAA)
Segmentation
Monitoring
Policy
3
Q

What is a cipher?

A

An algorithm used to perform encryption.

4
Q

Which is the best cipher to use for wireless?

A

AES

5
Q

What is AES?

A

A block cipher much stronger than RC4. Uses Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

6
Q

What amendment introduced protection for authentication and association frames?

A

802.11w

7
Q

What happens to the 802.11 data frame if data encryption is enabled?

A

If data encryption is enabled, the MAC Service Data Unit (MSDU) inside the body of any 802.11 data frame is protected by layer 2 encryption. Most of the encryption methods discussed in this chapter use layer 2 encryption, which is used to protect the layer 3–7 information found inside the body of an 802.11 data frame.

8
Q

What is authentication? Give an example.

A

Authentication is the verification of identity and credentials. Users or devices must identify themselves and present credentials, such as usernames and passwords or digital certificates.

9
Q

What is authorization? Give an example.

A

Authorization determines if the device or user is authorized to have access to network resources. This can include identifying whether you can have access based upon the type of device you are using (laptop, tablet, or phone), time of day restrictions, or location. Before authorization can be determined, proper authentication must occur.

10
Q

What is accounting?

A

Accounting is tracking the use of network resources by users and devices. It is an important aspect of network security, used to keep a historical trail of who used what resource, when, and where.

11
Q

What is segmentation? Give examples of how a network would be segmented.

A

Segmentation is separating user traffic within a network. VLANs are used to segment the network.

12
Q

What is open systems authentication?

A

Basically ensures that both devices are 802.11. Authenticates the devices, not the users.

Open System authentication provides authentication without performing any type of user verification. It is essentially a two-way exchange between the client radio and the access point:

  1. The client sends an authentication request.
  2. The access point then sends an authentication response.
13
Q

What cipher did WEP use?

A

RC4.

14
Q

How long is a MAC address?

A

12-digit hexadecimal.

15
Q

What happens when you cloak your SSID?

A

When you implement a closed network, the SSID field in the beacon frame is null (empty), and therefore passive scanning will not reveal the SSID to client stations that are listening to beacons.

However, listening to transmissions from other clients reveals the SSID because they include it in their data/control frames.

16
Q

Does cloaking your SSID also hide you from active scanning?

A

Yes, it does, because the probe requests will have a null SSID. The AP will then respond with a null SSID field, or the probes will be ignored. The AP will only respond to clients that are trusted or have associated before and whose SSID field is filled with the correct SSID and not null.

17
Q

How are hidden networks with masked IDs discovered?

A

By using a layer 2 scanning tool or protocol analyzer and listening to the clients send data/control frames to the AP.

18
Q

What is the most common wireless authentication method used in small businesses?

A

PSK (Pre-Shared Key), aka WPA2-Personal

19
Q

What is the default encryption method for 802.11-2012?

A

CCMP/AES encryption is the default encryption method.

20
Q

When 802.11i was ratified, what certification was given to devices that were compliant?

A

WPA2 certification. WPA2 is a more complete implementation of the 802.11i amendment and supports both CCMP/AES and TKIP/RC4 dynamic encryption-key generation.

21
Q

What happens during a client interaction on a network configured for robust security, when the clients first communicate?

A

Two stations (STAs) must authenticate and associate with each other, as well as create dynamic encryption keys through a process known as the 4-Way Handshake. This association between two stations is referred to as an RSNA. In other words, any two radios must share dynamic encryption keys that are unique between those two radios.

22
Q

An RSN can be identified by what field in a frame? What is the name of this field?

A

An RSN can be identified by a field found in beacons, probe response frames, association request frames, and reassociation request frames. This field is known as the RSN Information Element (IE). This field may identify the cipher suite capabilities of each station.

23
Q

What is an Authentication and Key Management Protocol (AKMP), and where is it used?

A

A system that requires both authentication processes and the generation and management of encryption keys. It can be either a preshared key (PSK) or an EAP protocol used during 802.1X authentication.

24
Q

What are some ways that vendors are combating the issues with wireless preshared keys?

A

Creating databases in which each user can have his/her own password. This is simpler than setting up a RADIUS server.

25
Q

What are the 3 components/network devices that 802.1X is made of?

A

Supplicant - A host with software that requests authentication and access to network resources is known as a supplicant. Each supplicant has unique authentication credentials that are verified by the authentication server.

Authenticator - An authenticator device blocks traffic or allows traffic to pass through its port entity. It does this using 2 virtual ports: the uncontrolled port, which allows EAP authentication traffic to pass through, and the controlled port, which blocks all other traffic until the supplicant has been authenticated.

Authentication Server (AS) - The authentication server validates the credentials of the supplicant that is requesting access and notifies the authenticator that the supplicant has been authorized.

26
Q

What is EAP? Which device authenticates the other?

A

Extensible Authentication Protocol. EAP is a layer 2 protocol that is very flexible.

Mutual authentication - Mutual authentication not only requires that the authentication server validate the client credentials, but the supplicant must also authenticate the validity of the authentication server. By validating the authentication server, the supplicant can ensure that the username and password are not inadvertently given to a rogue authentication server. A root certificate is installed on the RADIUS server and a CA cert is installed on the clients.

27
Q

What part of the security triangle do EAP and 802.1X satisfy?

A

Authentication and Authorization

28
Q

What is the 4-Way Handshake?

A

Two stations (STAs) must establish a procedure to authenticate and associate with each other as well as create dynamic encryption keys through a process. These final keys are created during a four-way EAP frame exchange that is known as the 4-Way Handshake.

The four-way handshake is designed so that the access point (or authenticator) and wireless client (or supplicant) can independently prove to each other that they know the PSK/PMK, without ever disclosing the key. Instead of disclosing the key, the AP and client encrypt messages to each other—that can only be decrypted by using the PMK that they already share—and if decryption of the messages was successful, this proves knowledge of the PMK.

29
Q

What is a Group Master Key (GMK) and the Pairwise Master Key (PMK)?

A

Part of the RSNA (Robust Security Network Association) process involves the creation of two master keys, used to seed the 4-Way Handshake.

If a PSK/802.1X EAP exchange was carried out, the PMK is derived from the EAP parameters provided by the authentication server.

30
Q

What is a PMK (Pairwise Master Key)?

A

The PMK is created as a result of the 802.1X/EAP authentication. These master keys are the seeding material used to create the final dynamic keys that are used for encryption and decryption.

31
Q

What is a PTK (Pairwise Transient Key)? What is the GTK (Group Transient Key)?

A

The PTK is used to encrypt/decrypt unicast traffic. The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address.

The handshake also yields the GTK (Group Temporal Key) which is used to encrypt/decrypt broadcast and multicast traffic.

32
Q

What is PSK and how does it work?

A

This method involves manually typing matching passphrases on both the access point and all client stations that will need to be able to associate to the wireless network. A formula is run that converts the passphrase to a Pairwise Master Key (PMK) used with the 4-Way Handshake to create the final dynamic encryption keys.

33
Q

What is TKIP?

A

The optional encryption method defined for a robust security network is Temporal Key Integrity Protocol (TKIP). This method uses the RC4 cipher just as WEP encryption does. As a matter of fact, TKIP is an enhancement of WEP encryption that addresses many of the known weaknesses of WEP. The problem with WEP was not the RC4 cipher but how the encryption key was created. TKIP was developed to rectify the problems that were inherent in WEP.

34
Q

Why does TKIP slow down wireless significantly?

A

TKIP slows down wireless because of the additional overhead used. A total of 20 bytes of overhead is added to the body of an 802.11 data frame.

35
Q

What does CCMP stand for?

A

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).

36
Q

What cipher does CCMP use?

A

AES.

37
Q

What is the key size for CCMP?

A

CCMP/AES uses a 128-bit encryption-key size and encrypts in 128-bit fixed-length blocks.

38
Q

What is the added overhead cost for using CCMP and what is that downside?

A

CCMP/AES encryption will add an extra 16 bytes of overhead to the body of an 802.11 data frame. Because the AES cipher is processor intensive, older legacy 802.11 devices do not have the processing power necessary to perform AES calculations.

39
Q

How would you get your users to use a single SSID but still be separated into VLANs based on roles?

A

Using a RADIUS server, RADIUS attributes can be leveraged for VLAN assignment when using 802.1X authentication on the employee SSID. When a RADIUS server provides a successful response to an authentication request, the ACCESS-ACCEPT response can contain a series of Attribute-Value Pairs (AVPs). One of the most popular uses of RADIUS AVPs is assigning users to VLANs dynamically, based on the identity of the authenticating user.

40
Q

How does SSL VPN work?

A

The traffic between the web browser and the SSL VPN server is encrypted with the SSL protocol or Transport Layer Security (TLS). TLS and SSL encrypt data connections above the Transport layer, using asymmetric cryptography for privacy and a keyed message authentication code for message reliability.

41
Q

What is one of the primary reasons behind a captive portal?

A

One of the most important aspects of the captive web portal page is the legal disclaimer. A good legal disclaimer informs the guest users about acceptable behavior while using the guest WLAN. Businesses are also legally protected if something bad should happen to a guest user’s WLAN device, such as being infected by a computer virus.

42
Q

What is a captive portal?

A

Most hotspots and guest networks are secured by a captive portal. A captive portal is essentially the integration of a firewall with an authentication web page. When a user connects to the guest network, whether wired or wireless, any packets that the user transmits are intercepted and blocked from accessing a gateway to the network resources until the user has authenticated through the captive portal.