Module 7-1: Networking with 802.11


WPA/WPA2 passphrase

Can be from 8 to 63 case-sensitive ASCII characters, or 64 hexadecimal characters. Now, this passphrase is not the actual WPA/WPA2 key; the passphrase is used to generate the 256-bit pre-shared key that must be entered into all wireless devices on the same wireless network.

Cryptographic protocols

Protocols meant to ensure security via encryption and cryptography, with varying degrees of effectiveness, which have been implemented in wireless networks over the years

Temporal Key Integrity Protocol (TKIP)

Used by WPA for generating encryption keys. TKIP makes it possible to use dynamic keys, which are generated on a per-packet basis (meaning that a different encryption key is used for each individual packet). TKIP, combined with an improved implementation of the same RC4 stream cipher that WEP uses, provides WPA encryption. TKIP enables backward compatibility with legacy WEP, uses 128-bit keys, and uses a 48-bit initialization vector.

Wired Equivalent Privacy (WEP)

The first security iteration of 802.11. It used a shared-password encryption scheme that within a few years was discovered to be mathematically crackable. The primary reason for this weakness was poor key usage with RC4 encryption: WEP implemented the RC4 protocol poorly. Never use WEP in modern wireless networks.

Lightweight Extensible Authentication Protocol (LEAP)

a proprietary protocol developed by Cisco and used in their wireless LAN devices for authentication; uses dynamic WEP keys and provides for mutual authentication between wireless clients and a centralized RADIUS server; LEAP requires wireless clients to reauthenticate periodically, and when they do they must use a new WEP key.

Protected Extensible Authentication Protocol (PEAP)

uses TLS; developed as an open protocol by several vendors such as Microsoft, RSA, and Cisco; requires a digital certificate on the server side of a connection to create a secure TLS tunnel; there are different versions of PEAP, depending on the implementation and operating system, but all typically use digital certificates or smart cards for authentication

some characteristics of WPA

* uses dynamic keys and larger key sizes than WEP
* open mode (as some manufacturers call it) requires no authentication
* Enterprise mode (WPA-ENT) requires authentication to a RADIUS server. Robust but complex and hard to use; it was developed for larger infrastructures and requires the use of the 802.1X authentication protocol.
* pre-shared key (PSK) setup, called WPA-Personal/WPA-PSK, was originally conceived for personal or small business infrastructure networks. Can be used to authenticate wireless client devices and wireless access points mutually.

RADIUS Federation

The ability to authenticate devices regardless of vendor hardware, operating system, or application software, since RADIUS is an interoperable open standard; involves the use of a common authentication system and credentials database that multiple entities use and share.

Extensible Authentication Protocol (EAP)

a security framework that provides for varied authentication methods; many different protocols fit into the EAP framework; EAP recognizes that there are several different authentication methods

EAP-TTLS (EAP Tunneled Transport Layer Security)

goes beyond the TLS protocol, adding a tunnel to provide better security; only requires a server-side certificate; considered functionally superior to PEAP

Rivest Cipher version 4 (RC4)

A symmetric stream cipher that can use key sizes between 40 and 2,048 bits; was built into WEP as its encryption protocol and was very efficient because it rapidly encrypts 1 bit (rather than entire blocks) of plaintext at a time. Also found in other secure protocol implementations beyond WEP.

Wi-Fi Protected Access (WPA)

The original set of protections from the Wi-Fi Alliance in 2003 designed to protect both present and future wireless devices; was really a stopgap measure in the interim to replace WEP when the vulnerabilities of WEP were discovered.

802.11 standard

The standard that specifies how two wireless computers or devices communicate via radio waves with each other

Wi-Fi Protected Access 3 (WPA3)

WPA3 is a new authentication scheme launched in 2018 by the Wi-Fi Alliance. Provides better protection against password guessing attempts by replacing PSK with Simultaneous Authentication of Equals (SAE). If you set up an open SSID with a WPA3-capable WAP, SAE automatically forces every WPA3-capable device connecting to that WAP to use a Diffie-Hellman-style authentication/encryption process. Offers 192-bit cryptographic strength, giving additional protection for networks dealing with sensitive data.

EAP-FAST (EAP Flexible Authentication via Secure Tunneling)

addresses LEAP's security issues; Cisco replaced LEAP with this; lightweight but uses TLS tunnels to add security during authentication

Advanced Encryption Standard (AES)

Adopted as the official encryption standard for the United States by NIST after an open competition with several different competing algorithms. Uses the Rijndael encryption algorithm. Uses Counter-mode/CBC-MAC Protocol (CCMP) within WPA2 to encrypt traffic. CCMP uses a 128-bit key and 128-bit block size (it is a block symmetric cipher), and 48-bit initialization vectors (the larger IV size aids in preventing replay attacks against WPA2).

Weaknesses of WEP

poor implementation of WEP; small initialization vectors; small key size; static key repetition

EAP Transport Layer Security (EAP-TLS)

for years the primary EAP variation used on high-security wireless networks; uses the same TLS protocol used on secure web pages; requires both a server-side certificate and a client-side certificate (client-side certificates are a headache because every device on the network must have a unique certificate); the ultimate in 802.11

Wi-Fi Protected Setup (WPS)

Introduced in 2006 by the Wi-Fi Alliance. The goal is to enable anyone to join a WPS-capable device to a WPS-enabled wireless network just by pressing two buttons. Alternatively, every WPS-enabled WAP comes with a fixed eight-digit PIN code to allow devices without a WPS button to connect to the WAP.

802.1X

An IEEE standard that can be used in wired networks as well as wireless; encountered most often on corporate wireless networks as the preferred form of authentication and access management control; called a port-based access control method and can use a wide variety of different security protocols. A wireless client device is known as a supplicant in an 802.1X environment. A wireless access point that uses 802.1X authentication methods is called the authenticator. The source providing authentication services to the wireless network is called the authentication server. Can use several different types of authentication protocols (many different iterations of EAP). Interoperable with a number of remote access services and protocols.

Wi-Fi Protected Access 2 (WPA2)

Name of the first official implementation of the 802.11i wireless security protocol standard developed by the Institute of Electrical and Electronics Engineers (IEEE). Replaces TKIP with AES, a 128-bit symmetric block cipher that's much more robust, but is backward-compatible due to its inclusion of TKIP in its protocol suite. Variants: WPA2-Personal (uses a pre-shared key) and WPA2-Enterprise.

weaknesses of WPA2

Pre-shared key: anyone with a single PSK can give it to others, and they can use it to access the network. There are also a number of attacks, in particular the infamous KRACK on-path (MITM) attack, which work on any WPA2 network.

so what do we use

The Wi-Fi Alliance states that if you install an 802.11 network, then you must use either WPA2-ENT or WPA2-PSK with a robust password.

