Securing Wireless Networks Flashcards
Authentication with Pre-Shared Keys
WPA, WPA2, WPA3
Authentication with 802.1x
WPA, WPA2, WPA3
Encryption with MIC with TKIP
WPA
Encryption with MIC with AES and CCMP
WPA, WPA2
Encryption with MIC with AES and GCMP
WPA3
This method uses the RC4 stream cipher to make every wireless data frame private and hidden from eavesdroppers. The same algorithm encrypts data at the sender and decrypts it at the receiver. It takes a string of bits as a key, commonly called a WEP key, and derives from it a separate encryption key for each wireless frame. As long as the sender and receiver hold an identical WEP key, one can decrypt what the other encrypts.
Wired Equivalent Privacy (WEP)
Because WEP was defined in the original 802.11 standard in 1999, every wireless adapter was built with encryption hardware specific to WEP. In 2001, a number of weaknesses were discovered and revealed, so work began to find better wireless security methods. By 2004, the 802.11i amendment was ratified and WEP was officially deprecated. Both WEP encryption and WEP shared-key authentication are widely considered to be weak methods to secure a wireless LAN.
Deprecated
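As an added example (not part of the original flashcards), the Go program below reproduces WEP's per-frame keying with the standard library's crypto/rc4 and shows the weakness behind the 2001 findings: the per-frame key is just a 24-bit IV sent in the clear in front of the shared WEP key, so when two frames are sent under the same IV they share one RC4 keystream, and an eavesdropper who knows the contents of one frame recovers the other without ever learning the WEP key. The key, IV and frame contents are constructed for the example.

```go
package main

import (
	"crypto/rc4"
	"fmt"
)

// wepKey is a constructed 104-bit (13-byte) WEP key for this example. On a real
// network it is the shared secret configured on every station and AP.
var wepKey = []byte("CorpWifi-2004")

// perFrameKey builds the RC4 key exactly as WEP does: the 24-bit IV, which is
// sent in the clear in the frame header, followed by the shared WEP key.
func perFrameKey(iv [3]byte, key []byte) []byte {
	k := make([]byte, 0, len(iv)+len(key))
	k = append(k, iv[:]...)
	return append(k, key...)
}

// wepEncrypt XORs the frame body with the RC4 keystream for this IV. RC4 is a
// stream cipher, so sender and receiver run the same operation with the same
// per-frame key; wepDecrypt is therefore the same function.
func wepEncrypt(iv [3]byte, key, body []byte) []byte {
	c, err := rc4.NewCipher(perFrameKey(iv, key))
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(body))
	c.XORKeyStream(out, body)
	return out
}

func wepDecrypt(iv [3]byte, key, body []byte) []byte { return wepEncrypt(iv, key, body) }

// xorBytes returns a XOR b over the length of the shorter input.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// recoverWithKnownPlaintext is the eavesdropper's side of IV reuse. Two frames
// under the same IV share one keystream K: c1 = p1 XOR K and c2 = p2 XOR K.
// Knowing p1 (a frame the attacker provoked, or a fixed-format broadcast) gives
// K = c1 XOR p1, and then p2 = c2 XOR K, without ever touching the WEP key.
func recoverWithKnownPlaintext(c1, p1, c2 []byte) []byte {
	keystream := xorBytes(c1, p1)
	return xorBytes(c2, keystream)
}

func main() {
	// The IV space holds only 2^24 = 16,777,216 values, so a busy AP is forced
	// to repeat IVs within hours; here the reuse is simply constructed.
	iv := [3]byte{0x3a, 0x9f, 0x01}
	p1 := []byte("attacker-known frame contents!!")
	p2 := []byte("victim secret payload, shorter")
	c1 := wepEncrypt(iv, wepKey, p1)
	c2 := wepEncrypt(iv, wepKey, p2) // same IV, same keystream

	fmt.Printf("receiver decrypts frame 1: %q\n", wepDecrypt(iv, wepKey, c1))
	fmt.Printf("attacker recovers frame 2: %q\n", recoverWithKnownPlaintext(c1, p1, c2))
}
```

Note that nothing in the recovery step depends on RC4's internals or on the length of the WEP key: a 104-bit key is no better than a 40-bit key against keystream reuse, which is why TKIP's first fix was a longer IV and per-frame key mixing rather than a longer key.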
As its name implies, this method is extensible and is not itself any one authentication method. Instead, it defines a set of common functions that actual authentication methods use to authenticate users. It integrates with the IEEE 802.1x port-based access control standard. When 802.1x is enabled, access to the network medium is blocked until the client authenticates: a wireless client can associate with an AP but cannot pass data to any other part of the network until it authenticates successfully.
Consists of three roles: the supplicant (the wireless client), the authenticator (the AP, which blocks the client's data until authentication completes), and the authentication server (AS), which verifies the credentials
802.1x/EAP
Extensible Authentication Protocol
To authenticate, the client must supply username and password credentials. The client and the AS each send the other a challenge; each side encrypts the challenge it received and returns it. This provides mutual authentication: as long as each side can decrypt the other's response successfully, the client and the AS have essentially authenticated each other.
LEAP (Lightweight EAP)
Deprecated
Authentication credentials are protected by passing a protected access credential (PAC) between the AS and the supplicant. The PAC is a form of shared secret that is generated by the AS and used for mutual authentication. This method is a sequence of three phases:
Phase 0: The PAC is generated or provisioned and installed on the client.
Phase 1: The supplicant and AS use the PAC to authenticate each other, then negotiate a Transport Layer Security (TLS) tunnel.
Phase 2: The end user can then be authenticated through the TLS tunnel for additional security.
EAP-FAST (Flexible Authentication by Secure Tunneling)
This authentication method uses an inner and an outer authentication; in the outer authentication the AS presents a digital certificate to authenticate itself to the supplicant. If the supplicant is satisfied with the identity of the AS, the two build a TLS tunnel that carries the inner client authentication and the encryption key exchange. The digital certificate of the AS consists of data in a standard format that identifies the owner and is "signed", or validated, by a third party. The third party is a certificate authority (CA) that is known and trusted by both the AS and the supplicants. The supplicant must also possess the CA certificate so that it can validate the one it receives from the AS; a supplicant configured to skip that validation will hand its inner credentials to any rogue AS that presents a certificate. The certificate also carries the AS's public key, in plain view, which the supplicant uses to verify signatures from the AS and to protect the key material it sends to the AS.
PEAP (Protected EAP)
The client does not have or use a certificate of its own, so it must be authenticated within the TLS tunnel using one of the following two methods:
MSCHAPv2: Microsoft Challenge Handshake Authentication Protocol version 2
GTC: Generic Token Card; a one-time password from a hardware token, or a manually entered password
In this authentication method, the AS and the supplicant exchange certificates and authenticate each other. A TLS tunnel is then built so that the encryption key material can be exchanged securely.
Along with the AS, each wireless client must obtain and install a certificate. Manually installing certificates on hundreds or thousands of clients can be impractical. Instead, you would need to implement a Public Key Infrastructure (PKI) that could supply certificates securely and efficiently and revoke them when a client or user should no longer have access to the network. This usually involves setting up your own CA or building a trust relationship with a third-party CA that can supply certificates to your clients.
EAP-TLS
EAP-TLS is practical only if the wireless clients can accept and use digital certificates. Many wireless devices, such as communicators, medical devices, and RFID tags, have an underlying operating system that cannot interface with a CA or use certificates.
EAP-TLS is considered to be the most secure wireless authentication method available; however, implementing it can sometimes be complex.
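As an added example covering both the PEAP outer authentication and EAP-TLS (not code from the original flashcards), the Go program below mints an in-memory CA, an AS certificate and a client certificate with the standard library, then runs the two checks the cards describe: the supplicant validates the AS certificate against the CA certificate it was provisioned with, rejecting a certificate for the same AS name issued by a rogue CA, and the AS validates the client's certificate as in EAP-TLS. All names, certificates and keys are constructed for the example; a real deployment issues them from its PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity is a certificate plus its private key, held in memory for this
// example; in production the CA key lives inside the PKI, never on a client.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newIdentity mints a certificate for cn. With parent == nil it is a self-signed
// CA; otherwise parent signs it. Leaves carry the extended key usage (server or
// client authentication) that the verifying side will demand.
func newIdentity(cn string, isCA bool, eku x509.ExtKeyUsage, parent *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &identity{cert: cert, key: key}
}

// supplicantTrustsAS is the PEAP outer authentication (and the server half of
// EAP-TLS): the client accepts the AS certificate only if it chains to a CA in
// the client's own trust store and names the AS the client expects.
func supplicantTrustsAS(asCert *x509.Certificate, trusted *x509.CertPool, asName string) error {
	_, err := asCert.Verify(x509.VerifyOptions{
		Roots:     trusted,
		DNSName:   asName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// asTrustsSupplicant is the client half of EAP-TLS: the AS verifies the client
// certificate against the same PKI and requires a client-authentication cert.
func asTrustsSupplicant(clientCert *x509.Certificate, trusted *x509.CertPool) error {
	_, err := clientCert.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	corpCA := newIdentity("Corp Wireless CA", true, 0, nil)
	as := newIdentity("radius.corp.example", false, x509.ExtKeyUsageServerAuth, corpCA)
	laptop := newIdentity("laptop-42.corp.example", false, x509.ExtKeyUsageClientAuth, corpCA)
	// An evil twin can run its own AS with a certificate for the right name,
	// but it is issued by a CA that was never installed on the supplicants.
	rogueAS := newIdentity("radius.corp.example", false, x509.ExtKeyUsageServerAuth,
		newIdentity("Evil Twin CA", true, 0, nil))
	trust := x509.NewCertPool()
	trust.AddCert(corpCA.cert) // the CA certificate provisioned on every supplicant
	fmt.Println("PEAP, real AS:        ", supplicantTrustsAS(as.cert, trust, "radius.corp.example"))
	fmt.Println("PEAP, rogue AS:       ", supplicantTrustsAS(rogueAS.cert, trust, "radius.corp.example"))
	fmt.Println("EAP-TLS, laptop cert: ", asTrustsSupplicant(laptop.cert, trust))
	fmt.Println("EAP-TLS, AS cert used:", asTrustsSupplicant(as.cert, trust))
}
```

The only difference between accepting the genuine AS and rejecting the rogue one is the contents of the trust pool, which is why provisioning the CA certificate on each supplicant (and configuring the supplicant to actually check it, including the expected AS name) matters as much as the AS certificate itself. The final check shows why the extended key usage is part of validation: a server certificate stolen from an AS cannot be replayed as a client credential in EAP-TLS.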
Adds the following security features on legacy hardware, keeping WEP's underlying RC4 encryption:
Message integrity check (MIC)
Time stamp
Sender's MAC address
TKIP sequence counter
Key mixing algorithm
Longer initialization vector (IV)
TKIP
Deprecated
Encryption and data integrity protocol that combines AES in counter mode for encryption with the Cipher Block Chaining Message Authentication Code (CBC-MAC) as the message integrity check (MIC)
Before it can be used to secure a wireless network, the client devices and APs must support AES counter mode and CBC-MAC in hardware. It cannot be used on legacy devices that support only WEP or TKIP. Devices that support it carry the WPA2 designation.
Counter/CBC-MAC Protocol (CCMP)
Consists of two algorithms:
AES counter mode encryption
Galois Message Authentication Code (GMAC) used as a message integrity check (MIC)
Used in WPA3
The Galois/Counter Mode Protocol (GCMP)
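As an added example for both the CCMP and the GCMP cards (not code from the original flashcards), the Go program below builds the two protections from the standard library: AES counter mode plus a length-binding CBC-MAC truncated to CCMP's 8-byte MIC, and AES-GCM, whose GMAC tag is the GCMP MIC. The nonce and header layout are simplified rather than the exact 802.11 frame format (a real CCMP nonce is built from the frame's priority, transmitter address and packet number), and the key, nonce and frame contents are constructed. What it demonstrates is the property the cards name: with either protocol, a single flipped bit in the header or body makes the MIC check fail and the frame is discarded instead of delivered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// cbcMAC is the CCMP integrity algorithm: AES-CBC with a zero IV over a first
// block binding the nonce and both lengths (raw CBC-MAC over variable-length
// input is forgeable without it), then the clear header, then the body, each
// zero-padded to a block boundary; the result is cut to CCMP's 8-byte MIC.
func cbcMAC(block cipher.Block, nonce, header, body []byte) []byte {
	b0 := make([]byte, aes.BlockSize)
	copy(b0, nonce)
	binary.BigEndian.PutUint16(b0[12:], uint16(len(header)))
	binary.BigEndian.PutUint16(b0[14:], uint16(len(body)))
	mac := make([]byte, aes.BlockSize)
	for _, part := range [][]byte{b0, header, body} {
		for i := 0; i < len(part); i += aes.BlockSize {
			var blk [aes.BlockSize]byte
			copy(blk[:], part[i:])
			xorInto(mac, blk[:])
			block.Encrypt(mac, mac)
		}
	}
	return mac[:8]
}

// ccmSetup starts AES counter mode at (12-byte nonce || 32-bit counter 0) and
// returns keystream block S0, which CCM uses to mask the MIC. The key length is
// fixed by the protocol, so a bad key is a programming error and panics.
func ccmSetup(key, nonce []byte) (cipher.Block, cipher.Stream, []byte) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ctr := make([]byte, aes.BlockSize)
	copy(ctr, nonce)
	stream := cipher.NewCTR(block, ctr)
	s0 := make([]byte, aes.BlockSize)
	stream.XORKeyStream(s0, s0)
	return block, stream, s0
}

// ccmSeal protects a frame the way CCMP does: CBC-MAC for integrity, counter
// mode for confidentiality; the header is authenticated but sent in clear.
func ccmSeal(key, nonce, header, body []byte) (ct, mic []byte) {
	block, stream, s0 := ccmSetup(key, nonce)
	mic = cbcMAC(block, nonce, header, body)
	xorInto(mic, s0) // MIC masked with S0, so it never travels unencrypted
	ct = make([]byte, len(body))
	stream.XORKeyStream(ct, body)
	return ct, mic
}

// ccmOpen decrypts, recomputes the MIC and compares in constant time; any
// change to header, body or MIC means the frame is discarded, not delivered.
func ccmOpen(key, nonce, header, ct, mic []byte) ([]byte, error) {
	block, stream, s0 := ccmSetup(key, nonce)
	body := make([]byte, len(ct))
	stream.XORKeyStream(body, ct)
	want := cbcMAC(block, nonce, header, body)
	xorInto(want, s0)
	if subtle.ConstantTimeCompare(want, mic) != 1 {
		return nil, fmt.Errorf("CCMP: MIC check failed, frame discarded")
	}
	return body, nil
}

// newGCM is the GCMP primitive: the same AES counter mode with GMAC as the MIC.
// Seal appends the 16-byte tag; Open verifies it before returning any plaintext.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, nonce := []byte("0123456789abcdef"), []byte("A2:PN-000001") // constructed; nonce must never repeat
	header, body := []byte{0x88, 0x02, 0x00, 0x2c}, []byte("constructed frame payload")
	ct, mic := ccmSeal(key, nonce, header, body)
	ct[0] ^= 0x01 // one bit flipped in transit
	_, err := ccmOpen(key, nonce, header, ct, mic)
	fmt.Println("CCMP:", err)
	aead, _ := newGCM(key)
	sealed := aead.Seal(nil, nonce, body, header)
	sealed[0] ^= 0x01
	_, err = aead.Open(nil, nonce, sealed, header)
	fmt.Println("GCMP:", err)
}
```

Two details carry over directly to the real protocols: the MIC is compared in constant time and the plaintext is released only after it verifies, and the nonce must never repeat under one key, because counter mode reuses keystream exactly as WEP did when it repeated an IV (CCMP and GCMP derive the nonce from a packet number for that reason).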