Topic 7B: Compare Wireless Security Protocols
Temporal Key Integrity Protocol:
The first version of Wi-Fi Protected Access (WPA) was designed to fix critical vulnerabilities in the earlier wired equivalent privacy (WEP) standard. Like WEP, version 1 of WPA uses the RC4 symmetric cipher to encrypt traffic but adds a mechanism called the Temporal Key Integrity Protocol (TKIP) to try to mitigate the various attacks against WEP that had been developed.
QUIZ: True or false? WPA3 personal mode is configured by selecting a passphrase shared between all users who are permitted to connect to the network.
4 of 4 True. WPA3-Personal uses group authentication via a shared passphrase. The simultaneous authentication of equals (SAE) mechanism by which this passphrase is used to generate network encryption keys is improved compared to the older WPA2 protocol, however.
QUIZ: What two factors must a user present to authenticate to a wireless network secured using EAP-TLS?
Extensible Authentication Protocol (EAP) allows for different types of mechanisms and credentials. The Transport Layer Security (TLS) method uses digital certificates installed on both the server and the wireless station. The station must use its private key and its certificate to perform a handshake with the server. This is one factor. The user must authenticate to the device to allow use of this private key. This device authentication—via a password, PIN, or bio gesture—is the second factor.
QUIZ: True or false. TKIP represents the best available wireless encryption and should be configured in place of AES if supported.
False. Advanced Encryption Standard (AES) provides stronger encryption and is enabled by selecting Wi-Fi Protected Access (WPA) version 2 with AES/CCMP or WPA3 encryption mode. The Temporal Key Integrity Protocol (TKIP) attempts to fix problems with the older RC4 cipher used by the first version of WPA. TKIP and WPA1 are now deprecated.
Kerberos:
In theory, an access point could allow a user to authenticate directly to a directory server using the Kerberos protocol. On Windows networks, Kerberos allows a user account to authenticate to a domain controller (DC) over a trusted local cabled segment. Kerberos facilitates single sign-on (SSO). As well as authenticating the user on the network, the Kerberos server issues authorization tickets that give the user account rights and permissions on compatible application servers. In practice, there are no access points with direct support for Kerberos. Access points use RADIUS or TACACS+ and EAP to tunnel the credentials and tokens that allow a domain user connecting via a wireless client to authenticate to a DC and use SSO authorizations.
WPA3 Personal Authentication:
While WPA3 still uses passphrase-based group authentication of stations in personal mode, it changes the method by which this secret is used to agree session keys. In WPA3, the simultaneous authentication of equals (SAE) protocol replaces the 4-way handshake.
WIFI Protected Access:
Wireless LANs require careful configuration to make the connection and transmissions over the link secure. The main problem with wireless is that because it is unguided, there is no way to prevent anything within range from listening to the signals. If the wireless traffic is unencrypted, this could allow the interception of data or the unauthorized use of the network.
WPA3: Weaknesses have also been found in WPA2, however, which has led to its intended replacement by WPA3. The main features of WPA3 are as follows:
-Simultaneous Authentication of Equals (SAE)—WPA2 uses a 4-way handshake to allow a station to associate with an access point, authenticate its credential, and exchange a key to use for data encryption. This 4-way handshake mechanism is vulnerable to manipulations that allow a threat actor to recover the key. WPA3 replaces the 4-way handshake with the more secure SAE mechanism. -Updated cryptographic protocols—WPA3 replaces AES CCMP with the stronger AES Galois Counter Mode Protocol (GCMP) mode of operation. -Protected management frames—Management frames are used for association and authentication and disassociation and deauthentication messages between stations and access points as devices join and leave the network. These frames can be spoofed and misused in various ways under WPA and WPA2. WPA3 mandates use of encryption for these frames to protect against key recovery attacks and DoS attacks that force stations to disconnect. -Wi-Fi Enhanced Open—An open Wi-Fi network is one with no passphrase. Any station can join the network. In WPA2, this also means that all traffic is unencrypted. WPA3 encrypts this traffic. This means that any station can still join the network, but traffic is protected against sniffing.
For example, EAP with Transport Layer Security (EAP-TLS) is one of the strongest types of multifactor authentication:
1. Both the server and the wireless supplicant are issued with an encryption key pair and digital certificate. 2.On the wireless device, the private key is stored securely in a trusted platform module (TPM) or USB key. The user must authenticate with the device using a PIN, password, or bio gesture to allow use of the key. This is the first factor. 3.When the device associates with the network and starts an EAP session, the server sends a digital signature handshake and its certificate. 4.The supplicant validates the signature and certificate and if trusted, sends its own handshake and certificate. This is the second factor. 5.The server checks the supplicant's handshake and certificate and authenticates it if trusted.
QUIZ: In AAA architecture, what type of device might a RADIUS client be?
AAA refers to Authentication, Authorization, and Accounting and the Remote Access Dial-in User Service (RADIUS) protocol is one way of implementing this architecture. The RADIUS server is positioned on the internal network and processes authentication and authorization requests. The RADIUS client is the access point, and it must be configured with the IP address of the server plus a shared secret passphrase. The access point forwards authentication traffic between the end-user device (a supplicant) and the RADIUS server but cannot inspect the traffic.
Enterprise Authentication Protocols:
As an alternative to personal authentication, WPA's 802.1X enterprise authentication method implements the Extensible Authentication Protocol (EAP). EAP allows the use of different mechanisms to authenticate against a network directory. 802.1X defines the use of EAP over Wireless (EAPoW) to allow an access point to forward authentication data without allowing any other type of network access. It is configured by selecting WPA2-Enterprise or WPA3-Enterprise as the security method on the access point. Enterprise authentication uses the following general workflow: 1. When a wireless station (a supplicant) requests an association, the AP enables the channel for EAPoW traffic only. 2.It passes the credentials submitted by the supplicant to an Authentication, Authorization, and Accounting (AAA) server on the wired network for validation. The AAA server (not the access point) determines whether to accept the credential. 3.When the user has been authenticated, the AAA server transmits a master key (MK) to the wireless PC or laptop. The wireless station and authentication server then derive the same pairwise master key (PMK) from the MK. 4.The AAA server transmits the PMK to the access point. The wireless station and access point use the PMK to derive session keys, using either the WPA2 4-way handshake or WPA3 SAE methods. The enterprise authentication method means that the access point does not need to store any user accounts or credentials. They can be held in a more secure location on the AAA server. Another advantage of EAP is support for more advanced authentication methods than simple usernames and passwords. Strong EAP methods use a digital certificate on the server and/or client machines. These certificates allow the machines to establish a trust relationship and create a secure tunnel to transmit the user credential or to perform smart card authentication without a user password. This means the system is using strong multifactor authentication.
WPA2:
Neither WEP nor the original WPA version are considered secure enough for continued use. Even with TKIP, WPA is vulnerable to various types of replay attack that aim to recover the encryption key. WPA2 uses the Advanced Encryption Standard (AES) cipher deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). AES replaces RC4 and CCMP replaces TKIP. CCMP provides authenticated encryption, which is designed to make replay attacks harder.
RADIUS:
Remote Authentication Dial-in User Service (RADIUS) is one way of implementing the AAA server when configuring enterprise authentication. The wireless access point is configured as a client of the RADIUS server. Rather than storing and validating user credentials directly, it forwards this data between the RADIUS server and the supplicant without being able to read it. The wireless access point must be configured with the host name or IP address of the RADIUS server and a shared secret. The shared secret allows the RADIUS server and access point to trust one another.
TACACS+
Terminal Access Controller Access Control System Plus (TACACS+) is another way of implementing AAA. TACACS+ was developed by Cisco but is also supported on many third-party implementations. Where RADIUS is often used to authenticate connections by wireless and VPN users, TACACS+ is often used in authenticating administrative access to routers, switches, and access points.