Chapter 4
Copyright Pearson Prentice-Hall 2010
Chapter 3 introduces cryptographic elements that may be needed in a dialogue
Chapter 4 focuses on important cryptographic system standards, such as SSL/TLS, IPsec, and wireless security standards
Future chapters will use the cryptographic concepts you are learning in these chapters
Transmission across Un-trusted Networks
◦ Internet, wireless LANs, etc.
◦ Companies will (should) apply cryptographic systems: Virtual Private Networks (VPNs)
SSL/TLS
◦ Secure Sockets Layer/Transport Layer Security
◦ Non-transparent: doesn’t automatically protect application messages.
◦ Only protects messages from applications that are SSL/TLS aware: web browsers/web servers and many e-mail programs
◦ But there’s a problem
IPsec
◦ Operates on the Internet layer
◦ Everything in the IP packet’s data field is protected
◦ Transparent protection – applications and the transport layer are protected (see Module A)
(Figure labels: “SSL/TLS or IPsec”, “SSL/TLS”, “IPsec”.)
Connect one Client to one Server
Connects a single client to a network
Connection is to a VPN Gateway
◦ Used for authentication and access control
◦ Depending on access authorization, the connection can be to multiple computers on the network.
Uses SSL/TLS between browser and Gateway
◦ To SSL/TLS, the Gateway is a web server
◦ SSL/TLS protects messages between client and Gateway
◦ Gateway authenticates with the client via public key authentication
Web server
Database server
◦ Gateway translates browser requests to queries to the database
◦ Gateway translates database responses to web pages (“webifies” them)
Router
◦ Connection to a subnet of the network
| Step | Sender | Name of Message | Semantics (Meaning) |
|------|--------|-----------------|---------------------|
| 1 | Client | Client Hello | Client requests a secure connection. Client lists the cipher suites it supports. |
| 2 | Server | Server Hello | Server indicates willingness to proceed. Selects a cipher suite to use in the session. |
| 3 | Server | Certificate | Server sends its digital certificate containing its public key. (Client should check the certificate’s validity.) |
| 4 | Server | ServerHelloDone | Server indicates that its part in the initial introduction is finished. |
| 5 | Client | ClientKeyExchange | Client generates a random symmetric session key and encrypts it with the server’s public key. It sends this encrypted key to the server. Only the server can decrypt the key, using the server’s own private key. The server decrypts the session key. Both sides now have the session key. |
| 6 | Client | ChangeCipherSpec* | Client changes the selected cipher suite from pending to active. |
| 7 | Client | Finish | Client indicates that its part in the initial introduction is finished. |
| 8 | Server | ChangeCipherSpec* | Server changes the selected cipher suite from pending to active. |
| 9 | Server | Finish | Server indicates that its role in selecting options is finished. |
| 10 | | | Ongoing communication stage begins. |

*Not cipher suite.

Stage 1: steps 1–4. Stages 2 & 3: steps 5–7, key exchange using public key encryption for confidentiality.
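As an added example, not taken from the slides or the textbook: a Python simulation of the RSA key-exchange handshake tabulated above, in which the server picks a suite from the client’s list, the client performs the certificate check that step 3 calls for, and the session key is wrapped with the server’s public key before both sides move their pending cipher spec to active. The RSA key pair, certificate fields, cipher-suite lists and trust store are constructed toy values.

```python
import os


class HandshakeError(Exception):
    """Raised when either side must abort the handshake."""


# Constructed toy RSA pair (p=61, q=53 -> n=3233, e=17, d=2753). It stands in
# for the key inside the server's certificate and is far too small to be secure.
SERVER_PUBLIC, SERVER_PRIVATE = (3233, 17), (3233, 2753)
TRUSTED_ISSUERS = {"Example Root CA"}      # constructed client trust store


def rsa_encrypt(pub, m):                   # one byte per block, so m < n
    return pow(m, pub[1], pub[0])


def rsa_decrypt(priv, c):
    return pow(c, priv[1], priv[0])


class Server:
    SUPPORTED = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

    def __init__(self, cert):
        self.cert, self.pending, self.active, self.session_key = cert, None, None, None

    def server_hello(self, client_suites):              # steps 2-4
        common = [s for s in self.SUPPORTED if s in client_suites]
        if not common:
            raise HandshakeError("handshake_failure: no cipher suite in common")
        self.pending = common[0]                        # server selects the suite
        return {"ServerHello": self.pending, "Certificate": self.cert,
                "ServerHelloDone": True}

    def client_key_exchange(self, wrapped_key):         # step 5, server side
        # Only the holder of the private key can unwrap the session key.
        self.session_key = bytes(rsa_decrypt(SERVER_PRIVATE, c) for c in wrapped_key)

    def finished(self):                                 # steps 8-9
        self.active, self.pending = self.pending, None  # pending -> active
        return {"ChangeCipherSpec": True, "Finished": True}


class Client:
    OFFERED = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"]

    def __init__(self, now):
        self.now, self.pending, self.active, self.session_key = now, None, None, None

    def validate_certificate(self, cert):               # the check step 3 calls for
        if cert["issuer"] not in TRUSTED_ISSUERS:
            raise HandshakeError("certificate issuer is not trusted")
        if not cert["not_before"] <= self.now <= cert["not_after"]:
            raise HandshakeError("certificate expired or not yet valid")
        return cert["public_key"]

    def run(self, server):
        reply = server.server_hello(self.OFFERED)       # step 1 -> steps 2-4
        if reply["ServerHello"] not in self.OFFERED:    # server must pick from our list
            raise HandshakeError("server chose a cipher suite we did not offer")
        self.pending = reply["ServerHello"]
        pub = self.validate_certificate(reply["Certificate"])
        self.session_key = os.urandom(16)               # step 5: random session key
        server.client_key_exchange([rsa_encrypt(pub, b) for b in self.session_key])
        self.active, self.pending = self.pending, None  # steps 6-7: ChangeCipherSpec, Finish
        server.finished()                               # steps 8-9
        return self.active


# Constructed certificate: validity is expressed as whole years to keep it short.
VALID_CERT = {"subject": "vpn.example.com", "issuer": "Example Root CA",
              "not_before": 2009, "not_after": 2011, "public_key": SERVER_PUBLIC}


def handshake(cert, now=2010):
    """Runs the full exchange; returns (active suite, both sides agree on suite and key)."""
    server, client = Server(cert), Client(now)
    suite = client.run(server)
    agreed = server.active == suite and server.session_key == client.session_key
    return suite, agreed


if __name__ == "__main__":
    print(handshake(VALID_CERT))   # ('TLS_RSA_WITH_AES_128_CBC_SHA', True)
```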
Protects all traffic between two sites
VPN Gateway on both ends of the transmission
VPN Gateways encrypt/decrypt messages
Transport (Host-to-Host)
◦ Protects messages from host to host, over the intranet and the Internet
◦ Requires installing IPsec on each client/server (not built into the browser)
◦ Costly
◦ Eliminates the firewall’s ability to filter content, as it is encrypted
Tunnel (Site-to-Site)
◦ Protects messages between VPN Gateways over the Internet
◦ Less costly than transport mode
◦ Firewall can filter content
(Transport mode figure labels: 1. End-to-end security (Good); 2. Security in site network (Good); 3. Setup cost on each host (Costly).)
(Tunnel mode figure labels: 2. No security in site network (Bad); 3. No setup cost on each host (Good).)
| Characteristic | Transport Mode | Tunnel Mode |
|----------------|----------------|-------------|
| Uses an IPsec VPN Gateway? | No | Yes |
| Cryptographic Protection | All the way from the source host to the destination host, including the Internet and the two site networks. | Only over the Internet between the IPsec gateways. Not within the two site networks. |
| Setup Costs | High. Setup requires the creation of a digital certificate for each client and significant configuration work. | Low. Only the IPsec gateways must implement IPsec, so only they need digital certificates and need to be configured. |
| Firewall Friendliness | Bad. A firewall at the border to a site cannot filter packets because the content is encrypted. | Good. Each packet is decrypted by the IPsec gateway. A border firewall after the IPsec gateway can filter the decrypted packet. |
| The “Bottom Line” | End-to-end security at high cost. | Low cost and protects the packet over the most dangerous part of its journey. |
| Characteristic | SSL/TLS | IPsec |
|----------------|---------|-------|
| Cryptographic security standard | Yes | Yes |
| Cryptographic security protections | Good | Gold Standard |
| Supports central management | No | Yes |
| Complexity and expense | Lower | Higher |
| Layer of operation | Transport | Internet |
| Transparently protects all higher-layer traffic | No | Yes |
| Works with IPv4 and IPv6 | NA | Yes |
| Modes of operation | NA | Transport, Tunnel |
(Figure labels: “Kind of like a cipher suite”; “Enables central management”.)
Protections from 3rd parties
Router does not need to make a complex decision for each packet
| | Cryptographic VPNs | Routed VPNs |
|---|--------------------|-------------|
| Examples | SSL/TLS, IPsec | Carrier PSDNs, Carrier TCP/IP MPLS VPNs |
| Cryptographic protections | Confidentiality, integrity, authentication, etc. | None |
| Other protections | | Limiting customer access; limiting access to routing supervisory protocols |
| Customer actions to improve protection | | Create a cryptographic VPN to run over carrier services |
Wired and Wireless Protection
Used to authenticate users connecting to a wired LAN
◦ By definition they are “in the building”
User connects to a workgroup switch vs. a core switch (review Module A)
◦ Specifically, the user connects to a port on the workgroup switch
◦ The port is in Unauthorized status; it switches after the supplicant is verified and access is granted
◦ Verification is provided by the Authentication Server (RADIUS)
1. Supplicant
2. Workgroup Switch (Authenticator)
3. Authentication Server
1. Workgroup switch senses a port connection
2. Sends EAP Start
3. Authentication Server sends EAP Request to the client
◦ Specifies the expected credentials
◦ If the client doesn’t have the credentials, an EAP Response of negative acknowledgement is sent back to the server
4. Client sends EAP Response with the correct credentials
5. EAP Success if the supplicant is authenticated, or
6. EAP Failure if the supplicant is not
RADIUS Functionality

| Authentication | Authorizations | Auditing |
|----------------|----------------|----------|
| Uses EAP | Uses RADIUS authorization functionality | Uses RADIUS auditing functionality |
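Added example, not part of the slides: a Python model of the 802.1X exchange in the numbered steps above, with the workgroup switch (authenticator) keeping each port Unauthorized until the RADIUS server returns EAP Success, and the server also supplying an authorization (a VLAN assignment) and an audit record, matching the authentication/authorization/auditing split in the table. User names, passwords, port names, VLAN numbers and the audit line format are constructed; the credential is passed in the clear for brevity, where a real deployment would wrap it in an EAP method such as EAP-TLS or PEAP.

```python
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """RADIUS server: authenticates (via EAP), authorizes, and audits."""
    users: dict                               # constructed directory: user -> (password, vlan)
    audit: list = field(default_factory=list)

    def eap_request(self):                    # step 3: names the credentials it expects
        return {"EAP": "Request", "method": "password"}

    def eap_check(self, port, response):      # steps 4-6
        if response.get("nak"):               # supplicant could not supply them
            self.audit.append(f"port={port} result=failure reason=nak")
            return {"EAP": "Failure"}
        user, password = response["user"], response["password"]
        if user in self.users and self.users[user][0] == password:
            vlan = self.users[user][1]        # authorization rides with EAP Success
            self.audit.append(f"port={port} user={user} result=success vlan={vlan}")
            return {"EAP": "Success", "vlan": vlan}
        self.audit.append(f"port={port} user={user} result=failure reason=bad-credentials")
        return {"EAP": "Failure"}


class Supplicant:
    def __init__(self, creds=None):           # None: the client has no credentials
        self.creds = creds

    def eap_response(self, request):
        # Constructed simplification: the password travels in the clear here;
        # EAP-TLS or PEAP would protect this exchange on a real network.
        if self.creds is None or request["method"] != "password":
            return {"EAP": "Response", "nak": True}   # negative acknowledgement
        return {"EAP": "Response", "user": self.creds[0], "password": self.creds[1]}


class WorkgroupSwitch:
    """Authenticator: relays EAP and keeps each port Unauthorized until Success."""

    def __init__(self, server):
        self.server = server
        self.ports = {}                       # port -> {"state": ..., "vlan": ...}

    def link_up(self, port, supplicant):
        self.ports[port] = {"state": "Unauthorized", "vlan": None}   # steps 1-2: EAP Start
        request = self.server.eap_request()                          # step 3, relayed
        response = supplicant.eap_response(request)                  # step 4 (or NAK)
        verdict = self.server.eap_check(port, response)              # steps 5-6
        if verdict["EAP"] == "Success":
            self.ports[port] = {"state": "Authorized", "vlan": verdict["vlan"]}
        return self.ports[port]["state"]


def demo():
    """Three supplicants on three ports; returns (port states, port table, audit log)."""
    server = AuthServer(users={"alice": ("correct-horse-battery", 10)})
    switch = WorkgroupSwitch(server)
    states = {
        "good": switch.link_up("Gi1/0/1", Supplicant(("alice", "correct-horse-battery"))),
        "bad": switch.link_up("Gi1/0/2", Supplicant(("alice", "wrong-password"))),
        "none": switch.link_up("Gi1/0/3", Supplicant()),
    }
    return states, switch.ports, server.audit


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```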
802.1X can’t be used for wireless connections
EAP assumes a secure connection between supplicant and Authenticator
◦ UTP has a low interception rate (need to tap the line)
◦ Wireless has a high interception rate
◦ EAP messages need to be secured – 802.11i
(Figure labels: EAP-TLS uses TLS for authentication; PEAP uses any authentication standard allowed by EAP.)
802.11i, WPA, WEP
Security extends between Wireless Client and Access Point
| Cryptographic Characteristic | WEP | WPA | 802.11i (WPA2) |
|------------------------------|-----|-----|----------------|
| Cipher for Confidentiality | RC4 with a flawed implementation | RC4 with 48-bit initialization vector (IV) | AES with 128-bit keys |
| Automatic Rekeying | None | Temporal Key Integrity Protocol (TKIP), which has been partially cracked | AES-CCMP Mode |
| Overall Cryptographic Strength | Negligible | Weaker but no complete crack to date | Extremely strong |
| Operates in 802.1X (Enterprise) Mode? | No | Yes | Yes |
| Operates in Pre-Shared Key (Personal) Mode? | No | Yes | Yes |
Not practical / expensive
Pre-shared keys used in
◦ 802.11i and WPA
Each wireless client uses the same shared key for authentication
◦ This is the passphrase on your wireless network
Once authenticated, the Access Point provides an unshared session key
Origin of WEP
◦ Original core security standard in 802.11, created in 1997
Uses a Shared Key
◦ Each station using the access point uses the same (shared) key
◦ The key is supposed to be secret, so knowing it “authenticates” the user
◦ All encryption uses this key
Problem with Shared Keys
◦ If the shared key is learned, an attacker near an access point can read all traffic
◦ Shared keys should at least be changed frequently
◦ But WEP had no way to do automatic rekeying
◦ Manual rekeying is expensive if there are many users
◦ Manual rekeying is operationally next to impossible if many or all stations use the same shared key, because of the work involved in rekeying many or all corporate clients
Problem with Shared Keys
◦ Because “everybody knows” the key, employees often give it out to strangers
◦ If a dangerous employee is fired, the necessary rekeying may be impossible or close to it
RC4 Initialization Vectors (IV)
◦ WEP uses RC4 for fast and therefore cheap encryption
◦ But if two frames encrypted with the same RC4 key are compared, the attacker can learn the key
◦ To solve this, WEP encrypts with a per-frame key that is the shared WEP key plus an initialization vector (IV)
◦ However, many frames “leak” a few bits of the key
◦ With high traffic, an attacker using readily available software can crack a shared key in two or three minutes
◦ (WPA uses RC4 but with a 48-bit IV that makes key bit leakage negligible)
Conclusion
◦ Corporations should never use WEP for security
Spread Spectrum Operation and Security
◦ Signal is spread over a wide range of frequencies
◦ NOT done for security, as in military spread spectrum transmission.
Turning Off SSID Broadcasting
◦ Service set identifier (SSID) is an identifier for an access point
◦ Users must know the SSID to use the access point
◦ Drive-by hacker needs to know the SSID to break in
◦ Access points frequently broadcast their SSIDs
Turning Off SSID Broadcasting
◦ Some writers favor turning off this broadcasting
◦ But turning off SSID broadcasting can make access more difficult for ordinary users
◦ Will not deter the attacker, because he or she can read the SSID, which is transmitted in the clear in each transmitted frame
MAC Access Control Lists
◦ Access points can be configured with MAC access control lists
◦ Only permit access by stations with NICs having MAC addresses on the list
◦ But MAC addresses are sent in the clear in frames, so attackers can learn them
◦ Attacker can then spoof one of these addresses
Perspective
◦ These “false” methods, however, may be sufficient to keep out nosy neighbors
◦ But drive-by hackers hit even residential users
◦ Simply applying WPA or 802.11i provides much stronger security and is easier to do
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America.
Copyright © 2010 Pearson Education, Inc. Publishing as Prentice Hall