7.1 Networking with 802.11


802.1X

A port-based authentication standard for connections between networks and a client/supplicant. It usually requires authentication from the connecting client and sometimes the user as well. It creates a connection between the supplicant and authenticator and runs EAP within the authenticator. It can use a number of security protocols and authentication protocols and is interoperable with a number of remote access services and protocols as well as centralized authentication databases, enabling wireless clients to authenticate to traditional infrastructures using these different types of services. It is seen in wired and wireless infrastructures, making it easier for the two to interoperate, and is the most common place to see EAP used. The built-in wireless client in Windows usually lacks the features to connect to 802.1X networks, so third-party clients are often required. It is also known as EAP over Ethernet or EAP over 802.11, and works with wired and wireless connections.

Authenticator

A wireless access point that uses 802.1X authentication methods.

AES

Advanced Encryption Standard. The official encryption standard for the U.S. Government. It is based upon the Rijndael encryption algorithm, and uses key sizes of 128, 182, and 256 bits. It is a symmetric block algorithm with 128-bit block sizes. It is stronger than RC4, which is a streaming algorithm.

WPA and WPA2 Similarities

Both wireless protocols are geared towards 802.1X authentication, though they support using a pre-shared key as well. They are both vulnerable to having credentials stolen during the 4-way handshake authentication process and then cracked.

CCMP

Counter-Mode (CTR) Cipher Block Chaining Message Authentication (CBC-MAC). AES uses this as its mode of operation in WPA2. It has a 128-bit key and 128-bit block size, and a 48-bit IV.

WPA-ENT or WPA-Enterprise

Developed for a larger infrastructure, this WPA implementation is robust but complex and hard to use. It requires the use of the 802.1X authentication protocol and authentication to a RADIUS server.

EAP-TLS

EAP Transport Layer Security. EAP that uses the TLS protocol and requires both client and server certificates.

EAP-TTLS

EAP Tunneled Transport Layer Security. EAP that uses the TLS exchange method but only requires a server certificate, unlike EAP-TLS. It adds a tunnel to provide better security and is functionally equivalent to PEAP.

EAP-MD5

EAP that hashes the password into an MD5 hash and works similarly to MS-CHAP.

EAP-PSK

EAP using predetermined symmetric keys (pre-shared keys), so that no key exchange is needed since they're already built in.

EAP

Extensible Authentication Protocol. A flexible, extensible authentication framework, not a protocol, that is capable of using different security protocols and authentication methods. This security framework runs inside a protocol, working as an extension to the protocol making the connection, and handles authentication, providing for varied authentication methods. It is widely seen in both wireless and remote communications. It is the best security framework to use with NAC.

EAP-FAST

Flexible Authentication via Secure Tunneling. Cisco's replacement for LEAP to address LEAP's security issues. It is lightweight but uses TLS tunnels to add security during authentication.

Passphrase

In WEP it is the key. In WPA and WPA2 it is not the key itself but is used to generate the 256-bit pre-shared key that must be entered into all wireless devices on the same wireless network. In WPA and WPA2 it can be from 8 to 63 case-sensitive ASCII characters or 64 hexadecimal characters.

LEAP

Lightweight Extensible Authentication Protocol. A proprietary version of EAP with a password within a TLS tunnel, it is used almost exclusively by Cisco wireless products. It uses MS-CHAP for mutual authentication between a wireless client and a RADIUS server. It also uses dynamic WEP keys, requiring wireless clients to re-authenticate periodically and use a new WEP key when they do. It was supplanted by EAP-FAST.

Dynamic Keys

Keys generated on a per-packet basis so that keys are not repeated for different transmissions. Each individual packet requires a different encryption key.

PEAP

Protected EAP. An authentication protocol that uses a password function based on MS-CHAPv2 with the addition of an encrypted TLS tunnel similar to EAP-TLS. This version of EAP uses TLS with the EAP within a TLS tunnel like LEAP and is similar to EAP-TTLS, requiring a digital certificate on the server side of a connection to create a secure TLS tunnel. There are different versions depending on the implementation and OS, but typically all use digital certificates or smart cards for authentication. It is no longer used because the passwords are easy to hack.

RC4

Rivest Cipher 4. A symmetric streaming cipher popularly used in WEP, SSL, and earlier versions of TLS. It uses key sizes that range from 40 to 2048 bits.

TKIP

Temporal Key Integrity Protocol. The encryption mechanism used with WPA. It still uses RC4 but removes most of the IV problems seen in WEP. It enables dynamic keys so each transmitted packet is sent with a different key, making it difficult to conduct an initialization vector attack on the protocol. It uses 128-bit keys and a 48-bit initialization vector.

IEEE 802.11

The IEEE subcommittee that defined the standards for wireless communications in the 2.4 and 5.0 GHz frequency ranges.

Authentication Server

The source providing the authentication services to the wireless network in 802.1X.

Supplicant

The wireless client device in 802.1X.

WPA-Personal or WPA-PSK

WPA using a pre-shared key. It was conceived for personal or small business infrastructure networks and can be used to authenticate wireless client devices and wireless access points manually.

WPA2-Enterprise

WPA2 implementation using 802.1X, dynamic keys, and authentication to a RADIUS server.

WPA2-Personal

WPA2 implementation using a pre-shared key.

WPA

Wi-Fi Protected Access. A wireless security protocol developed by a consortium of vendors that addresses the weaknesses of WEP, intended as a temporary measure while awaiting the adoption of the official IEEE 802.11i standard, also known as WPA2. It offers security enhancements such as dynamic encryption key generation (keys are issued on a per-user and per-session basis), an encryption key integrity-checking feature, user authentication through EAP, and other advanced features that WEP lacks. It uses TKIP for generating encryption keys and combines it with the RC4 stream cipher to provide encryption.

WPA2 or 802.11i

Wi-Fi Protected Access, version 2. The official standard, which includes the use of the Advanced Encryption Standard as the de facto encryption algorithm. It is also backward-compatible with the WPA standard in most cases, since it can fall back to using TKIP, the standard encryption mechanism for WPA.

WPS

Wi-Fi Protected Setup. Automated and semi-automated process to connect a wireless device to a WAP. The process can be as simple as pressing a button on the device or pressing the button and then entering a PIN code. WPS has several security issues, and was later proven to be ineffective in establishing a secure wireless network. WPS PINs or keys are very weak. They are 8 digits and one is a checksum, bringing it down to 7 digits. Then, when they are transmitted and confirmed, they are split into two groups, bringing the number of possible permutations even lower. Thus they are not difficult to crack.

WEP

Wired Equivalent Privacy. The first attempt at wireless security protocols, it was introduced in the older IEEE 802.11b standard and provides basic authentication and encryption on a wireless network. It uses RC4 as its encryption algorithm and a shared key that is either 64 bits or 128 bits. It is easy to hack as it is susceptible to many attacks, including initialization vector attacks and weak key attacks.

