
802.11 (and related) Standards

 

 

802.11i

STATIC WEP

WPA

WPA2

802.1x/EAP

EAP AUTHENTICATION METHODS

    EAP-MD5

    LEAP

    EAP-TLS

    EAP-TTLS AND PEAP

RELATED SITES

 

 

802.11i:

"802.11i is an amendment to the 802.11 standard specifying security mechanisms for wireless networks. The draft standard was ratified on 24 June 2004, and supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was shown to have severe security weaknesses. Wi-Fi Protected Access (WPA) had previously been introduced by the Wi-Fi Alliance as an intermediate solution to WEP insecurities. WPA implemented a subset of 802.11i. The Wi-Fi Alliance refers to their approved, interoperable implementation of the full 802.11i as WPA2. 802.11i makes use of the Advanced Encryption Standard (AES) block cipher. WEP and WPA use the RC4 stream cipher." -Wikipedia.

 

 

STATIC WEP:

Static WEP (Wired Equivalent Privacy) provides simple authentication and encryption based on unchanging shared keys that are preconfigured on all access points and client machines. Each frame is encrypted with the RC4 stream cipher under a per-frame key made by prepending a 24-bit Initialisation Vector (IV), which is sent in the clear, to the shared key; a CRC-32 Integrity Check Value (ICV) is appended to the plaintext before encryption.

WEP is now recognised as being wholly flawed; see the Fluhrer, Mantin and Shamir paper on weaknesses in the RC4 key scheduling algorithm: www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf

Using tools such as Aircrack and Airsnort a WEP key can be recovered from captured traffic in under 30 minutes, and if the WEP key is based on a dictionary word it can be recovered in under a minute (utilising WepAttack) as long as at least one encrypted packet has been collected: each candidate key is tried against that one packet, and the correct key is the one whose decryption yields a valid ICV.

WEP is better than using no security at all, but only just!
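As an added example (not code from the original page), the toy WEP implementation below shows both weaknesses described above: keystream reuse when the 24-bit IV repeats, and the single-frame dictionary attack that WepAttack performs. RC4 is implemented inline; the key, IVs, payloads and word list are constructed sample values, and the frame format omits the 802.11 headers and the key-index byte that follows the IV in a real frame.

```python
# Added example (not from the original page): toy WEP encryption and the two
# weaknesses the text describes. All keys, IVs, payloads and words are constructed.
import math
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, in clear) || RC4(IV || key) XOR (plaintext || ICV)."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV is 24 bits; WEP-40 keys are 5 bytes, WEP-104 keys 13 bytes")
    body = plaintext + icv(plaintext)
    ks = rc4(iv + key, len(body))
    return iv + bytes(a ^ b for a, b in zip(body, ks))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok). A wrong key yields garbage and a failed ICV."""
    iv, ct = frame[:3], frame[3:]
    ks = rc4(iv + key, len(ct))
    body = bytes(a ^ b for a, b in zip(ct, ks))
    pt, tag = body[:-4], body[-4:]
    return pt, icv(pt) == tag


def keystream_reuse_xor(frame_a: bytes, frame_b: bytes) -> bytes:
    """Weakness 1: two frames under the same IV and key share a keystream, so
    ct_a XOR ct_b == pt_a XOR pt_b. No knowledge of the key is needed."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    n = min(len(frame_a), len(frame_b))
    return bytes(a ^ b for a, b in zip(frame_a[3:n], frame_b[3:n]))


def iv_collision_probability(frames: int, iv_bits: int) -> float:
    """Birthday bound: probability that some IV repeats after `frames` random IVs."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def dictionary_crack(frame: bytes, wordlist):
    """Weakness 2 (the WepAttack approach): one captured frame is enough to test
    candidate keys offline, because only the right key makes the ICV verify."""
    for word in wordlist:
        key = word.encode()
        if len(key) not in (5, 13):
            continue
        _, ok = wep_decrypt(key, frame)
        if ok:
            return word
    return None


if __name__ == "__main__":
    key = b"hello"                                   # constructed weak WEP-40 key
    iv = b"\x01\x02\x03"
    f1 = wep_encrypt(iv, key, b"GET /index.html HTTP/1.0")
    f2 = wep_encrypt(iv, key, b"GET /login.html HTTP/1.0")
    print("pt_a XOR pt_b recovered without the key:", keystream_reuse_xor(f1, f2).hex())
    print("P(IV reuse) after 5000 frames: 24-bit IV %.2f, 48-bit IV %.1e"
          % (iv_collision_probability(5000, 24), iv_collision_probability(5000, 48)))
    print("dictionary attack on one frame found key:",
          dictionary_crack(f1, ["admin", "guest", "hello", "12345"]))
```

The birthday calculation is the reason WPA's move to a 48-bit IV matters: with 24 bits a busy access point exhausts or repeats IVs within hours, whereas 48 bits would take longer than the hardware's lifetime at any realistic frame rate.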

 

 

WPA:

WPA (Wi-Fi Protected Access) is a set of modifications and improvements to WEP, built around the Temporal Key Integrity Protocol (TKIP) and designed so that it could be deployed as a firmware or driver update on existing WEP hardware. WPA's improvements include:

  • An improved Message Integrity Check (MIC), the Michael MIC, replacing WEP's CRC-32 ICV to reduce the likelihood of packets being tampered with in transit without detection.

  • An increase from 24 bits (used by WEP) to 48 bits for the Initialisation Vector (IV), making IV, and therefore keystream, reuse far less likely.

  • The IV doubles as a TKIP sequence counter (TSC); frames arriving out of sequence are discarded, reducing the likelihood of replay attacks.

  • Whilst a static key (the master key, or pre-shared key) still needs to be entered on each device, this key is never utilised directly. Client and access point derive temporal keys from it during the four-way handshake, and TKIP then mixes the temporal key with the transmitting device's MAC address and the 48-bit IV to produce a different key for every packet. Thus each device, and each packet, utilises a different keystream.

  • WPA also provides the administrator with the ability to configure key change (rekeying) intervals, generally configured in seconds.

WPA offers a solid security solution for legacy hardware devices, and whilst its implementation will degrade the performance of a network slightly (due to the data overhead required for the extra security mechanisms) it is the best alternative to WEP available until WPA2 enabled hardware can be made available. Bear in mind that TKIP is a stop-gap that still uses RC4 underneath; wherever the hardware supports WPA2 it should be preferred.

"Although WPA2 has been released, WPA will continue to play a valuable role in meeting the security needs for both enterprise and consumer Wi-Fi users." -WIFI Alliance

 

 

WPA2:

WPA2 (Wi-Fi Protected Access 2) puts the industry two generations beyond WEP and is based on the final IEEE 802.11i amendment to the 802.11 standard. WPA2 replaces RC4 with the Advanced Encryption Standard (AES) block cipher, used in CCMP (Counter Mode with CBC-MAC Protocol) to provide both confidentiality and integrity; the Wi-Fi Alliance describes this as government grade security, AES being the NIST approved algorithm required of FIPS 140-2 validated products.

Personal and Enterprise versions of WPA2 are available. In the Personal mode of operation, a pre-shared key (passphrase) is used for authentication: it is never sent over the air, rather each side derives the Pairwise Master Key (PMK) from it and proves possession of that key during the four-way handshake. In the Enterprise mode of operation, authentication is achieved via 802.1X and EAP, and the PMK is delivered to the access point by the authentication server after a successful EAP exchange. Personal mode requires only an access point and client device, while Enterprise mode typically requires a RADIUS or other authentication server on the network.

WPA2 is backwards compatible with WPA (an access point can run in mixed mode and serve both). The primary difference between WPA and WPA2 is the cipher used to protect data: TKIP (RC4 based) and CCMP (AES based) respectively. A mixed-mode network is only as strong as its TKIP clients.
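As an added example (not code from the original page or from any vendor), the block below shows the key handling that the WPA and WPA2 sections describe: how a Personal-mode passphrase becomes the Pairwise Master Key, how the four-way handshake turns it into the transient keys that actually protect traffic, and how the handshake MIC proves possession of the PMK without ever transmitting it. The derivations follow the IEEE 802.11i definitions; the MAC addresses, nonces and EAPOL-Key body used in the demonstration are constructed sample values, not a real capture.

```python
# Added example (not from the original page): WPA/WPA2-Personal key derivation
# and handshake MIC, written to the IEEE 802.11i definitions. MAC addresses,
# nonces and the EAPOL-Key body in the demonstration are constructed values.
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    This is what the AP stores; the passphrase itself never goes over the air."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Each side computes this locally once the nonces have been exchanged in messages 1 and 2."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {
        "KCK": ptk[:16],          # Key Confirmation Key: MICs the handshake frames
        "KEK": ptk[16:32],        # Key Encryption Key: wraps the group key in message 3
        "TK": ptk[32:48],         # Temporal Key: the CCMP (or TKIP) data encryption key
        "TKIP_MIC": ptk[48:64],   # Michael TX/RX keys, TKIP only; unused under CCMP
    }


def eapol_key_mic(kck: bytes, body_with_zero_mic: bytes, descriptor_version: int) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-MD5 for key
    descriptor version 1 (WPA/TKIP), HMAC-SHA1 truncated to 128 bits for version 2 (WPA2/CCMP)."""
    if descriptor_version == 1:
        return hmac.new(kck, body_with_zero_mic, hashlib.md5).digest()
    if descriptor_version == 2:
        return hmac.new(kck, body_with_zero_mic, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version")


def supplicant_message2_mic(passphrase, ssid, aa, spa, anonce, snonce, body):
    """Station side: derive the PTK and MIC message 2 with the KCK."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    return eapol_key_mic(ptk["KCK"], body, 2)


def authenticator_verify_message2(pmk, aa, spa, anonce, snonce, body, received_mic):
    """AP side: recompute the PTK from its stored PMK and the nonces, then check the
    MIC in constant time. A match proves the station knows the passphrase."""
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_key_mic(ptk["KCK"], body, 2), received_mic)


if __name__ == "__main__":
    ssid, passphrase = "CorpNet", "correct horse battery"        # constructed
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = os.urandom(32), os.urandom(32)
    body = bytes([2, 3, 0, 0x75]) + bytes(117)                  # EAPOL-Key shell, MIC field zeroed
    ap_pmk = pmk_from_passphrase(passphrase, ssid)               # configured once on the AP
    mic = supplicant_message2_mic(passphrase, ssid, aa, spa, anonce, snonce, body)
    print("correct passphrase accepted:",
          authenticator_verify_message2(ap_pmk, aa, spa, anonce, snonce, body, mic))
    bad = supplicant_message2_mic("wrong", ssid, aa, spa, anonce, snonce, body)
    print("wrong passphrase accepted:",
          authenticator_verify_message2(ap_pmk, aa, spa, anonce, snonce, body, bad))
```

Two things worth noticing: the same PTK comes out regardless of which side's address or nonce is listed first, because the derivation sorts them, and everything the AP needs to check message 2 is already in its possession (stored PMK, both nonces, both MAC addresses), so the passphrase is never compared directly.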

 

 

802.1x / EAP:

802.1X is an IEEE standard for port based network access control that is utilised to authenticate and authorise devices attached to a LAN. It carries the Extensible Authentication Protocol (EAP), an IETF framework, between the client (supplicant) and the access point or switch (authenticator), which relays the EAP conversation to an authentication server, typically RADIUS. 802.1X itself does not encrypt non-authentication traffic; on a WLAN the WPA/WPA2 encryption keys are derived from keying material produced by the EAP method. 802.1X is not unique to wireless networks and is used extensively in wired LAN configurations.

802.1x/EAP provides:

  • User based identification (e.g. passwords, certificates). Machine based static WEP keys are no longer used for authentication.

  • Mutual authentication between the client and the authentication server (with every method below except EAP-MD5).

  • All non-802.1X (EAPOL) traffic is blocked at the port until the client has successfully authenticated to the network.

  • Dynamic, per-session key management (except EAP-MD5, which produces no keying material).

     

EAP AUTHENTICATION METHODS:

EAP-MD5 is a password based authentication method: the server sends a random challenge and the client returns MD5(identifier, password, challenge), exactly as in CHAP. EAP-MD5 is not recommended for WLAN use due to the fact that:

  • Only one way authentication is utilised (the server authenticates the client; the client has no way to authenticate the server, so it will answer any challenger, including a rogue access point).

  • The server's challenge and the client's hashed response may be sniffed by an attacker and subjected to an offline dictionary attack, the hash being unsalted and unkeyed.

  • Dynamic key management is not available, as the method generates no keying material (e.g. after authentication the WLAN must revert to the use of static WEP keys).

  • It is susceptible to Man-in-the-Middle attacks, as a direct consequence of the first point.
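As an added example (not code from the original page), the EAP-MD5 exchange is reconstructed below as it appears on the wire (RFC 3748 framing, CHAP-style MD5 response), together with the offline dictionary attack an attacker runs over the two sniffed packets. The identities, password, challenge, server name and word list are constructed sample values.

```python
# Added example (not from the original page): EAP-MD5 request/response packets,
# server-side verification, and the offline dictionary attack against a sniffed
# pair. Identities, passwords, challenge and word list are constructed values.
import hashlib
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4


def eap_packet(code: int, identifier: int, eap_type: int, type_data: bytes) -> bytes:
    """RFC 3748: Code(1) Identifier(1) Length(2, whole packet) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data


def parse_eap_md5(packet: bytes):
    """Return (code, identifier, value, name) from an EAP MD5-Challenge packet.
    Type-Data is Value-Size(1) Value(Value-Size bytes) Name(remainder)."""
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if eap_type != EAP_TYPE_MD5 or length != len(packet):
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    value_size = packet[5]
    return code, identifier, packet[6:6 + value_size], packet[6 + value_size:]


def md5_challenge_request(identifier: int, challenge: bytes, server_name: bytes) -> bytes:
    """Server (or anyone): EAP-Request/MD5-Challenge carrying a fresh challenge."""
    return eap_packet(EAP_REQUEST, identifier, EAP_TYPE_MD5,
                      bytes([len(challenge)]) + challenge + server_name)


def md5_response_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response: MD5(Identifier || secret || challenge). Unsalted and unkeyed."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def client_respond(request: bytes, username: bytes, password: bytes) -> bytes:
    """Client side. Note what is absent: nothing in the request lets the client
    check who sent it, so it answers any challenger, including a rogue AP."""
    _, identifier, challenge, _ = parse_eap_md5(request)
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_MD5,
                      b"\x10" + md5_response_value(identifier, password, challenge) + username)


def server_verify(response: bytes, challenge: bytes, user_db: dict) -> bool:
    """Server side: recompute the expected hash for the named user."""
    _, identifier, value, name = parse_eap_md5(response)
    password = user_db.get(name)
    return password is not None and value == md5_response_value(identifier, password, challenge)


def offline_dictionary_attack(request: bytes, response: bytes, wordlist):
    """Attacker side: given the two sniffed packets, try candidate passwords until
    one reproduces the response. No further contact with the network is needed."""
    _, identifier, challenge, _ = parse_eap_md5(request)
    _, _, value, _ = parse_eap_md5(response)
    for word in wordlist:
        if md5_response_value(identifier, word, challenge) == value:
            return word
    return None


if __name__ == "__main__":
    challenge = os.urandom(16)
    req = md5_challenge_request(7, challenge, b"radius.example")       # sniffed packet 1
    resp = client_respond(req, b"alice", b"winter2010")                 # sniffed packet 2
    print("server accepts:", server_verify(resp, challenge, {b"alice": b"winter2010"}))
    print("attacker recovers:",
          offline_dictionary_attack(req, resp, [b"password", b"summer2010", b"winter2010"]))
```

Because `client_respond` never checks who issued the request, the same attack works actively: a rogue access point issues its own challenge, collects the response, and cracks it in exactly the same way.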

     

LEAP is Cisco's proprietary Lightweight EAP protocol; it is solely password based (client and server authenticate each other with MS-CHAP style challenge/response exchanges derived from the user's password). Improvements it offers over EAP-MD5 are mutual authentication and dynamic key management. LEAP is susceptible to offline dictionary attacks against sniffed challenge/response pairs (see Joshua Wright's asleap).



EAP-TLS is an authentication method based on Transport Layer Security (TLS), the successor to the Secure Socket Layer (SSL) used for the majority of today's secure web transactions. Client and server authenticate each other with X.509 certificates during the TLS handshake. EAP-TLS provides mutual authentication and dynamic key management whilst suffering from none of the problems associated with EAP-MD5.

NOTE: EAP-TLS requires a Public Key Infrastructure (PKI) to be in place to issue and manage both client and server certificates.

 

 

EAP-TTLS and Protected EAP (PEAP) are similar authentication mechanisms that extend the EAP-TLS scheme to eliminate the requirement for certificates on the client side, yet still provide mutual authentication. The authentication process for both is as follows:

  • The server still requires a certificate; this is used to authenticate the server to the client and to establish an encrypted TLS tunnel.

  • The client then authenticates to the server inside the tunnel using whichever inner method is chosen, e.g. passwords (MS-CHAPv2 under PEAP), secure tokens, or certificates if desired.

The scheme is only as strong as the client's validation of the server certificate. A client that does not check the certificate against a trusted CA and the expected server name will build its tunnel to any rogue access point that presents a certificate, and hand over its inner credentials (or the challenge/response pair needed to crack them).

EAP-TTLS and PEAP are the most practical secure enterprise authentication schemes available today. Client certificate deployment (EAP-TLS) rather than passwords would be the ideal solution, due to the standard issues of users choosing poor passwords and the associated concern of brute force attacks.
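As an added example (not code from the original page), the block below checks wpa_supplicant network blocks for the PEAP/EAP-TTLS configuration error just described, a client that never validates the server certificate, showing the weak block beside the corrected one. The option names are wpa_supplicant's own; the two configurations, the CA file path, the RADIUS server name and the credentials are constructed placeholders.

```python
# Added example (not from the original page): audit wpa_supplicant network={}
# blocks for tunnelled-EAP clients that do not anchor the TLS tunnel. Both
# configurations below are constructed samples with placeholder values.
import re

WEAK_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

FIXED_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

# wpa_supplicant options that pin the server's certificate to an expected name
NAME_CHECKS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")


def parse_networks(text: str):
    """Return one {option: value} dict per network={...} block (quotes stripped)."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        opts = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()      # drop comments and padding
            if "=" in line:
                key, value = line.split("=", 1)
                opts[key.strip()] = value.strip().strip('"')
        blocks.append(opts)
    return blocks


def audit_tunnelled_eap(opts: dict):
    """Findings for a PEAP/TTLS block; an empty list means the tunnel is anchored."""
    findings = []
    if opts.get("eap") not in ("PEAP", "TTLS"):
        return findings                               # not a tunnelled method
    if not ("ca_cert" in opts or "ca_path" in opts):
        findings.append("no ca_cert/ca_path: server certificate is not validated, "
                        "so a rogue AP with any certificate terminates the tunnel")
    if not any(k in opts for k in NAME_CHECKS):
        findings.append("no server name check: any certificate issued by the trusted "
                        "CA is accepted as the RADIUS server")
    if "anonymous_identity" not in opts:
        findings.append("no anonymous_identity: the real username is sent in the "
                        "unprotected outer EAP-Identity exchange")
    return findings


def audit_config(text: str):
    """Audit every network block in a wpa_supplicant.conf fragment."""
    return [audit_tunnelled_eap(opts) for opts in parse_networks(text)]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        for findings in audit_config(conf):
            print(label, "->", findings or "ok")
```

Point the same check at a real wpa_supplicant.conf and every PEAP or TTLS block without a CA anchor and a name match is a client that will authenticate to whichever access point answers first.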

 

 

RELATED SITES: 

 

http://www.wi-fi.org/ -WIFI Alliance


 

 
 
   Copyright 2010 Wirelessdefence.org. All Rights Reserved.