Next up, after some discussion of cryptography, is wireless security. Wireless is increasingly popular, and it’s how most people access the internet, so it’s important for IT and security folks to know how to implement it securely.
This is a continuation of my blog post series on the CompTIA Security+ exam.
Cryptographic Protocols
Wireless networks are difficult to physically secure (obviously) so cryptographic protocols must be used.
WEP
Wired Equivalent Privacy encrypts data as it’s transmitted, using an RC4 stream cipher. It has an IV length of 24 bits, regardless of the key length. This is the cause of WEP’s weakness: because the IV is so small, IVs repeat, and the same key ends up being reused. If an attacker waits long enough and captures enough data, they can determine the key. See: AirSnort.
WEP won’t be on the exam.
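To make the IV problem concrete, here is an added example (not from the original post) that keys RC4 the way WEP does, with the IV prepended to the shared secret, and estimates how quickly a 24-bit IV repeats. The key, IV and frame contents are constructed sample values, and the function names are illustrative.

```python
import math
import random

IV_BITS = 24  # WEP IV size from the text; it does not grow with the key length

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """WEP keys RC4 with IV || shared secret; the IV is sent in the clear.
    (The CRC-32 integrity value WEP appends is omitted here.)"""
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))

def frames_until_iv_repeat(rng: random.Random) -> int:
    """Frames sent with random 24-bit IVs until some IV is used twice."""
    seen = set()
    while True:
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)

def expected_frames_until_repeat() -> float:
    """Birthday estimate sqrt(pi/2 * N) for N = 2**24 possible IVs."""
    return math.sqrt(math.pi / 2 * 2 ** IV_BITS)

if __name__ == "__main__":
    secret = b"\x01\x02\x03\x04\x05"            # constructed 40-bit WEP key
    iv = b"\xaa\xbb\xcc"                        # constructed IV, reused below
    p1, p2 = b"GET /index.html ", b"POST /login.php "   # constructed frames
    c1, c2 = wep_encrypt(iv, secret, p1), wep_encrypt(iv, secret, p2)
    print("IV repeat expected after ~%d frames" % expected_frames_until_repeat())
    print("simulated:", frames_until_iv_repeat(random.Random(1)))
    print("same IV => c1^c2 == p1^p2:", xor(c1, c2) == xor(p1, p2))
```

With randomly chosen IVs a repeat is expected after only a few thousand frames, and any two frames under the same IV share a keystream, which is why a longer WEP key does not help.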
WPA
Wi-Fi Protected Access. This is WEP, with Temporal Key Integrity Protocol (TKIP) added. TKIP combines the shared secret with the card’s MAC address to create a new key. It mixes that with the IV to create a new key for each packet. This addresses the WEP repeated-key issue. WPA doesn’t have forward secrecy protection, so you should always use a VPN; otherwise, other people who know the shared key can collect and observe your traffic.
TKIP
Temporal Key Integrity Protocol (TKIP) was used as a stopgap measure to replace WEP without having to replace the legacy hardware. This is no longer considered secure. Instead, you should use WPA2.
WPA2
Wi-Fi Protected Access 2 is the protocol in common use. Also known as IEEE 802.11i. Uses an AES block cipher as the encryption protocol.
CCMP
Counter Mode with Cipher Block Chaining–Message Authentication Code (or CCMP) is another protocol that uses AES. Unlike WPA2, it requires new hardware.
Authentication Protocols
Authentication protocols are the methods that wireless networks use to remotely provide authentication services. These protocols are standardized. Unfortunately, they all have stupid names.
EAP
Extensible Authentication Protocol (EAP) is a protocol for wireless networks that builds on the authentication methods used in Point-to-Point Protocol (PPP).
PEAP
Protected EAP. Developed to protect EAP communication by encapsulating it with TLS.
EAP-FAST
The Wi-Fi Alliance added EAP-FAST (along with EAP-TLS and EAP-TTLS) in 2010 in support of WPA/WPA2. The “FAST” part stands for Flexible Authentication via Secure Tunneling. It uses a Protected Access Credential (PAC) to establish a TLS tunnel. This tunnel is then used to pass client credentials for verification.
EAP-TLS
EAP-TLS is an IETF open standard. It also uses TLS to secure the authentication process. It is one of the most secure methods because it typically employs client-side certificates. This means that the attacker must also possess that client-side certificate key to break the TLS channel.
EAP-TTLS
EAP-Tunneled TLS Protocol. This is a variant of the EAP-TLS protocol and works in a similar way. It has the server authenticating to the client with a certificate, but there is also a TLS tunnel to the client side of the authentication. This allows for legacy authentication protocols such as Password Authentication Protocol (PAP).
IEEE 802.1X
This is “an authentication standard that supports port-based authentication services between a user and an authorization device, such as an edge router.”
RADIUS Federation
A RADIUS federation is a network of RADIUS servers in a federated connection. The RADIUS server will determine which other RADIUS server to send user credentials to, and from there, they are authenticated and allowed to join the network. Certificate-based tunneling and EAP allow RADIUS to scale to a worldwide authentication network.
Methods
Since WEP and WPA are insecure, that leaves WPA2. We’ll see that there’s also WPS, but maybe we don’t want to use that either (stay tuned!)
PSK vs Enterprise vs Open
When you’re setting up a wireless network, you have some options for how users connect.
PSK stands for pre-shared key. It’s just that, a secret shared between users. If the key isn’t big enough, it can be easily brute-forced. The PSK gets converted to a 256-bit key that is then used to secure future communications between the AP and devices.
In Enterprise mode, devices use IEEE 802.1X and a RADIUS authentication server to connect. That allows them to use usernames and passwords as credentials, instead of a pre-shared key. This is a good setup for enterprises, and allows for network access control (NAC) integration.
Open System isn’t really authentication, but uses the SSID to generate an authentication code that’s used for a given session.
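The PSK-to-256-bit-key conversion mentioned above, as an added example that is not part of the original post. The derivation parameters (PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations) come from the IEEE 802.11i standard rather than this page; the function names, passphrases and SSIDs are illustrative sample values.

```python
import hashlib
import math
import string

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit key from a WPA2-Personal passphrase.

    PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32-byte output.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def search_space_bits(passphrase: str) -> float:
    """Upper bound on guessing work in bits.

    Assumes every character was picked uniformly at random from the
    character classes present; human-chosen passphrases are far weaker.
    """
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    size = sum(len(p) for p in pools if any(c in p for c in passphrase))
    if any(c not in "".join(pools) for c in passphrase):
        size += 33  # remaining printable ASCII (symbols and space): 95 - 62
    return len(passphrase) * math.log2(size)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    for ssid in ("IEEE", "home"):
        print(ssid, wpa2_pmk("password", ssid).hex())
    for candidate in ("12345678", "password", "correct horse battery staple"):
        print(f"{candidate!r}: at most {search_space_bits(candidate):.1f} bits")
```

Because the SSID is the salt, the same passphrase yields a different key on each network name, so a unique SSID and a long passphrase both raise the cost of guessing.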
WPS
Wi-Fi Protected Setup (WPS) was meant to help facilitate wireless network setup for home users. Unfortunately, the use of an 8-digit PIN is easy to brute force, so you should prolly disable this on your home network.
Setting up WPA2
When setting up a network, you can choose between WPA2-Personal (PSK) or WPA2-Enterprise. PSK is probably what you want for a home network. You can choose between TKIP or AES… TKIP is deprecated so don’t use that.
Captive Portals
Lastly, you can use a captive portal to handle authentication on a wireless network. This is the common pop-up window you see when you join a network, and you have to provide credentials or some other form of identification before you’re allowed to fully use the network.