5.9 Security Fundamentals - Describe wireless security protocols (WPA, WPA2, and WPA3)


What type of server is commonly used as an 802.1x authentication server

RADIUS Server

WEP uses the ______ cipher algorithm to make every wireless data frame private and hidden from eavesdroppers

RC4

T or F, When you configure user authentication on a wireless LAN, you will not have to select a specific EAP method. Instead, you select 802.1x on the WLC so that it is ready to handle a variety of EAP methods.

True

T or F, WPA was based on parts of 802.11i and included 802.1x authentication, TKIP, and a method for dynamic encryption key management

True

The __1__ and __2__ determine which EAP-based authentication they will use

1) Client 2) Authentication Server (AS)

What were the only two choices to authenticate a client in the original 802.11 standards

1) Open Authentication 2) WEP

What versions of WPA support AES

2 and 3

This version of WPA leverages stronger encryption by AES with the Galois/Counter Mode Protocol (GCMP). It also uses Protected Management Frames (PMF) to secure important 802.11 management frames between APs and clients

3

This IEEE standard allows EAP to integrate with it to provide port-based access

802.1x

When _______ is enabled, it limits access to a network media until a client authenticates. This means that a wireless client might be able to associate with an AP but will not be able to pass data to any other part of the network until it successfully authenticates

802.1x

WPA2 is based around the superior ______ CCMP algorithms, rather than the deprecated TKIP from WPA

Advanced Encryption Standard (AES)

Which WPA versions (1, 2, or all 3) support two client authentication modes: a pre-shared key (PSK) or 802.1x, based on the scale of the deployment? These are also known as personal mode and enterprise mode

All 3

In LEAP, what device did the client authenticate to

Authentication Server

In the 802.1x standard, this role is the device that takes user or client credentials and permits or denies network access based on a user database and policies

Authentication Server (AS)

In the 802.1x standard, this role is the network device that provides access to the network

Authenticator

The difference between PEAP and EAP-FAST is that in PEAP the AS uses a digital ____________ to authenticate itself with the supplicant in the outer authentication process

Certificate

This protocol is considered to be more secure than TKIP. It consists of two algorithms: (1) AES counter mode encryption and (2) Cipher Block Chaining Message Authentication Code (CBC-MAC), used as a message integrity check (MIC)

Counter/CBC-MAC Protocol (CCMP)

LEAP used (Static / Dynamic) WEP Keys

Dynamic

Cisco's more secure protocol that replaced LEAP is called

EAP Flexible Authentication by Secure Tunneling (EAP-FAST)

What EAP protocol is a step above PEAP and now requires a certificate installed on both the AS and every client that wants to connect to the network

EAP Transport Layer Security (EAP-TLS)

With __________, the AS and the supplicant exchange certificates and can authenticate each other. A TLS tunnel is built afterward so that encryption key material can be securely exchanged

EAP Transport Layer Security (EAP-TLS)

The wireless LAN controller becomes a middleman in the client authentication process, controlling user access with 802.1x and communicating with the authentication server using the _____ framework

Extensible Authentication Protocol (EAP)

This scalable authentication framework in the 802.11 standard does not consist of any one authentication method. Instead, it defines a set of common functions that actual authentication methods can use to authenticate users

Extensible Authentication Protocol (EAP)

T or F, CCMP can be used on legacy devices that support only WEP or TKIP

False

T or F, In PEAP both the supplicant and the AS have their own certificate and both are signed by a CA

False

T or F, LEAP is still offered and as such, is safe to use

False

T or F, You can use EAP-TLS when there are devices that will connect to the network, such as communicators, medical devices, and RFID tags, that cannot interface w/ a CA or use certificates.

False

With the RC4 cipher algorithm in WEP, there is an encryption key generated for each wireless ________ that is sent over the air

Frame

TKIP added various security features. This one uses an algorithm that computes a unique 128-bit WEP key for each frame.

Key Mixing Algorithm

An AP can have unique encryption _______ so individual clients on a WLAN can talk securely with the AP, while group encryption ________ are used when the AP needs to send encrypted data to all clients in its cell at one time

Keys

What was the early attempt to address the weaknesses in WEP from Cisco called

Lightweight EAP (LEAP)

TKIP added various security features. This one doubled the size of the feature from 24 to 48 bits, making it virtually impossible to exhaust all WEP keys by brute-force calculation

Longer Initialization Vector

TKIP added various security features. This one used an efficient algorithm that added a hash value to each frame as a message integrity check to prevent tampering; it is commonly called "Michael" as an informal reference

MIC

A _____________ is a security tool that can protect against data tampering

Message Integrity Check (MIC)

Before CCMP can be used to secure a wireless network, the client devices and APs (must / should) support the AES counter mode and CBC-MAC in hardware

Must

How many authentication and encryption schemes should each WLAN support

One

An AP set to use this authentication option only requires that a client use an 802.11 authentication request before it attempts to associate with the AP. No other credentials are needed.

Open Authentication

802.1x is referred to as __________ access

Port-Based

In Cisco's EAP-FAST, authentication credentials are protected by passing a ___________ between the AS and the supplicant

Protected Access Credential (PAC)

Used in EAP-FAST, this authentication credential is a form of shared secret that is generated by the AS and used for mutual authentication

Protected Access Credential (PAC)

The subsequent EAP-based protocol from EAP-FAST is

Protected EAP (PEAP)

Since managing and installing certificates for every client that wants to connect to the network (in EAP-TLS) is impractical, you would implement a ___________, through a CA, to supply certificates securely and efficiently and revoke them when a client or user should no longer have access to the network

Public Key Infrastructure (PKI)

TKIP added various security features. This one includes the __________ as evidence of the frame source

Sender's MAC Address

WEP is known as a _________-key security method. The same key must be shared between the sender and receiver ahead of time, so that each can derive other mutually agreeable encryption keys

Shared

Rather than a client authenticating against a server or AP, in this WPA3 authentication method, the client and AP can initiate the authentication process equally and even simultaneously in a method called

Simultaneous Authentication of Equals (SAE)

In the 802.1x standard, this role is the client device that is requesting access

Supplicant

TKIP added various security features. This feature provides a record of frames sent by a unique MAC address, to prevent frames from being replayed as an attack

TKIP Sequence Counter

When devices were still using WEP, what was developed which added security features to the legacy hardware stuck with WEP

Temporal Key Integrity Protocol (TKIP)

TKIP added various security features. This one is added into the MIC to prevent replay attacks that attempt to reuse or replay frames that have already been sent.

Time Stamp

T or F, All 3 versions of WPA support 802.1x

True

T or F, EAP-FAST requires a RADIUS server that must also operate as an EAP-FAST server to be able to generate PACs, one per user

True

T or F, EAP-TLS is considered to be the most secure wireless authentication method available; however, implementing it can sometimes be complex

True

T or F, In networks using the 802.1x standard, the client uses open authentication to associate with the AP, and then the actual client authentication process occurs at a dedicated authentication server instead of at the authenticator (such as an AP or WLC) itself

True

T or F, TKIP was eventually deprecated for more secure 802.11 methods and should no longer be used.

True

T or F, The 802.1x standard simply allows the communication between the supplicant and the authenticator but instructs the supplicant and authenticator that there will be additional authentication between the supplicant and an AS via the various protocols available within the 802.1x standard

True

T or F, The AS's digital certificate used in PEAP is signed by a Certificate Authority (CA) and both the supplicant and the AS must possess the CA certificate so that the supplicant can validate the AS certificate upon receipt

True

T or F, The PEAP method also uses an inner and outer authentication; however, the Authentication Server presents a digital certificate to authenticate itself with the supplicant in the outer authentication

True

T or F, Two separate authentication processes occur in EAP-FAST: one between the AS and the supplicant and another with the end user

True

The RC4 cipher algorithm uses a string of bits as a key, commonly called a _________, to derive other encryption keys

WEP Key

What type of device is typically the Authenticator for the 802.1x standard

WLC

In this WPA version, although the pre-shared key itself is never shared during the initial 4-way handshake between the AP and client, the encrypted key that is created using the pre-shared key is openly exchanged over the air, allowing a hacker to obtain the encrypted key and use a dictionary attack to try to determine the pre-shared key

WPA and WPA 2

What 802.11 standard (WEP, WPA, WPA2) supports CCMP

WPA2

This WPA Version eliminated the Dictionary attack on the encrypted key by strengthening the key exchange between clients and APs through a method known as Simultaneous Authentication of Equals (SAE)

WPA3

