Wireless Networking WLAN Security Module-12, Jerry Bernardini, Community College of Rhode Island
Date posted: 15-Jan-2016
Wireless Networking
WLAN Security Module-12
Jerry Bernardini, Community College of Rhode Island
04/21/23 1 Wireless Networking J. Bernardini
Presentation Reference Material
• CWNA Certified Wireless Network Administration Official Study Guide (PWO-104), David Coleman, David Westcott, 2009, Chapter 13
• CWNA Certified Wireless Network Administration Official Study Guide, Fourth Edition, Tom Carpenter, Joel Barrett
– Chapters 9, 10
• Cisco White Paper - A Comprehensive Review of 802.11 Wireless LAN Security and the Cisco Wireless Security Suite
– www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.htm
• Your 802.11 Wireless Network has No Clothes
– William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan, Department of Computer Science, University of Maryland, College Park, Maryland 20742, March 30, 2001
– http://www.cs.umd.edu/~waa/wireless.pdf
What is Information Security?
• Information Security: the task of guarding digital information
• Information must be protected on the devices that store, manipulate, and transmit it, through products, people, and procedures.
• The properties that must be protected are CIA:
• Confidentiality
– Only authorized parties can view information
• Integrity
– Information is correct and unaltered
• Availability
– Authorized parties must be able to access information at all times
Layers of Security
802.11 Security Basics
• Data Privacy
• Authentication, Authorization, Accounting (AAA)
• Segmentation
• Monitoring
• Policy
Because data is transmitted freely and in open air, wireless systems need strong encryption.
Wireless Data Privacy
• Data privacy means others cannot read your messages unless you allow it.
• Data must be encrypted
• Most common methods
– RC4 algorithm
– Advanced Encryption Standard (AES)
• Most encryption is Layer-2, protecting layers 3-7
• 802.11 management frames are not encrypted
• 802.11 control frames are not encrypted
Authentication, Authorization, Accounting (AAA)
• Authentication – verification of user identity
• Authorization – granting access to
• Accounting – tracking the use of the network by users
Early IEEE 802.11 Security
• Referred to as Pre-RSNA Security
– RSNA = Robust Security Network Association
• Pre-RSNA Security includes
– Open System Authentication
– Shared Key Authentication
– Wired Equivalent Privacy (WEP)
• This technology has many flaws and should not be considered for new systems
• But we should understand Pre-RSNA to appreciate WLAN vulnerabilities
Security Segmentation and Monitoring
• Segmentation – separating users
– Firewalls
– Routers
– VPNs
– VLANs
• Monitoring and Policy
– Full-time monitoring of the wireless network is needed
– Protect against possible attacks
– Use a Wireless Intrusion Detection System (WIDS)
Open Authentication
• Open authentication allows any device network access.
• If no encryption is enabled on the network, any device that knows the SSID of the access point can gain access to the network.
• With WEP encryption enabled on an access point, the WEP key itself becomes a means of access control.
802.11 client authentication process
1. The client broadcasts a probe request frame on every channel
2. Access points within range respond with a probe response frame
3. The client decides which access point (AP) is best for access and sends an authentication request
4. The access point sends an authentication reply
5. Upon successful authentication, the client sends an association request frame to the access point
6. The access point replies with an association response
7. The client is now able to pass traffic to the access point
Open Authentication Vulnerabilities
• There is no way for the access point to determine whether a client is valid.
• This is a major security vulnerability if WEP or better encryption is not implemented
– Cisco does not recommend deploying wireless LANs without WEP encryption.
• When WEP encryption is not needed or is not feasible to deploy, such as in public WLAN deployments, higher-layer authentication can be provided by implementing a Service Selection Gateway (SSG).
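The seven-step join sequence of the previous slide and the open-authentication point of this one, as an added Python example (not from the presentation): an access point that enforces the 802.11 station states (unauthenticated, authenticated, associated) while, under open authentication, accepting any station that asks. The SSID and MAC addresses are constructed.

```python
"""Model of the 802.11 open-authentication join sequence (probe, authentication,
association) with an access point that enforces the station state machine.
Added example; SSID and MAC addresses used with it are constructed sample values."""
from dataclasses import dataclass

# 802.11 station states: 1 = unauthenticated/unassociated, 2 = authenticated,
# 3 = authenticated and associated (only state 3 may pass data frames)
STATE_UNAUTH, STATE_AUTHED, STATE_ASSOC = 1, 2, 3


@dataclass
class Frame:
    kind: str              # "probe_req", "auth_req", "assoc_req" or "data"
    src: str               # sender MAC address
    ssid: str = ""         # empty SSID in a probe request = wildcard ("any AP")
    auth_alg: str = "open"


class AccessPoint:
    def __init__(self, ssid: str):
        self.ssid = ssid
        self.state = {}    # per-station state, default is state 1

    def handle(self, frame: Frame) -> str:
        """Return the AP's reply to one frame (steps 2, 4, 6 and 7 of the slide)."""
        state = self.state.get(frame.src, STATE_UNAUTH)
        if frame.kind == "probe_req":
            # Steps 1-2: probing is allowed in any state; answer wildcard or matching SSID
            return "probe_resp" if frame.ssid in ("", self.ssid) else "ignored"
        if frame.kind == "auth_req":
            # Steps 3-4: open system authentication validates nothing about the
            # station, which is exactly the vulnerability the slide describes
            if frame.auth_alg != "open":
                return "auth_resp:unsupported_algorithm"
            self.state[frame.src] = STATE_AUTHED
            return "auth_resp:success"
        if frame.kind == "assoc_req":
            # Steps 5-6: association is a class 2 frame, valid only from state 2 or 3
            if state < STATE_AUTHED:
                return "deauth:reason=6"    # class 2 frame from non-authenticated STA
            if frame.ssid != self.ssid:
                return "assoc_resp:refused"
            self.state[frame.src] = STATE_ASSOC
            return "assoc_resp:success"
        if frame.kind == "data":
            # Step 7: data is a class 3 frame, valid only from state 3
            if state < STATE_ASSOC:
                return "disassoc:reason=7"  # class 3 frame from non-associated STA
            return "data_forwarded"
        return "ignored"


def join(ap: AccessPoint, mac: str, ssid: str) -> list:
    """Run the full seven-step sequence for one station and return the AP's replies."""
    return [ap.handle(Frame("probe_req", mac)),
            ap.handle(Frame("auth_req", mac)),
            ap.handle(Frame("assoc_req", mac, ssid)),
            ap.handle(Frame("data", mac))]
```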
Shared Key Authentication
1. The client sends an authentication request to the access point requesting shared key authentication
2. The access point responds with an authentication response containing challenge text
3. The client uses its locally configured WEP key to encrypt the challenge text and replies with a subsequent authentication request
4. If the access point can decrypt the authentication request and retrieve the original challenge text, it responds with an authentication response that grants the client access
Vulnerability of Shared Key Authentication
Wired Equivalent Privacy - WEP
• Wired Equivalent Privacy is a security protocol for WLANs defined in the 802.11b standard.
• A secret key is shared between STAs and an AP
• The secret key is used to encrypt packets (MSDUs) before they are transmitted.
• Wired LANs are inherently more secure than WLANs
• WLANs operate over radio waves and can be intercepted
WEP uses RC4
• It is reasonably strong
• It is self-synchronizing
– WEP is self-synchronizing for each message. This property is critical for a data-link level encryption algorithm, where “best effort” delivery is assumed and packet loss rates may be high.
• It is efficient
– The WEP algorithm is efficient and may be implemented in either hardware or software.
• It may be exportable
What is RC4
• RC4 is a stream cipher designed by Ronald L. Rivest (MIT Professor) for RSA Data Security (now RSA Security).
• It is a variable key-size stream cipher with byte-oriented operations.
• The algorithm is based on the use of a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100.
• Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software.
• Independent analysts have scrutinized the algorithm and it is considered secure.
Correct WEP Key Required
• If a device does not have the correct WEP key, even though authentication is successful, the device will be unable to transmit data through the access point.
• Neither can it decrypt data sent from the access point.
WEP Encryption Process (diagram)
• Seed = Initialization Vector (IV) || Secret Key
• Seed → Pseudorandom Number Generator (PRNG) → Key Stream
• Plaintext → Integrity Algorithm → Integrity Check Value (ICV)
• (Plaintext || ICV) Exclusive-OR Key Stream → Ciphertext
• What is transmitted: IV and Ciphertext
• 802.11 recommends an IV change per frame: if the same packet is transmitted twice, the resulting ciphertext will be different
WEP Implementation
• IEEE 802.11 cryptography objectives:
– Efficient
– Exportable
– Optional
– Reasonably strong
– Self-synchronizing
• WEP relies on a secret key “shared” between a wireless device and the AP
• The same key is installed on the device and the AP
• A form of private key cryptography, or symmetric encryption
WEP Characteristics
• WEP shared secret keys must be at least 40 bits
– Most vendors use 104 bits
• Options for creating WEP keys:
– 40-bit WEP shared secret key (5 ASCII characters or 10 hexadecimal characters)
– 104-bit WEP shared secret key (13 ASCII characters or 16 hexadecimal characters)
– Passphrase (16 ASCII characters)
• APs and wireless devices can store up to four shared secret keys
– The default key is one of the four stored keys
– The default key is used for all encryption
– The default key can be different for AP and client
WEP Keys
- Key order must be the same for all devices
- Default keys can be different for each device
Initialization Vector
• The IV is a 24-bit value that augments a 40-bit WEP key to 64 bits and a 104-bit WEP key to 128 bits.
• The IV is sent in the clear in the frame header so the receiving station knows the IV value and is able to decrypt the frame.
• Although 40-bit and 104-bit WEP keys are often referred to as 64-bit and 128-bit WEP keys, the effective key strength is only 40 bits and 104 bits, respectively, because the IV is sent unencrypted.
WEP Encryption Process (bitwise example)
Data:                                     1 0 1 1 1 0 0 1 0 1 1 1 0 1 0 1 1 0 0 1 1 1 1 0 1
Key Stream:                               1 1 1 1 0 1 1 0 0 1 1 1 1 0 1 0 1 0 1 0 1 1 1 0 1
Cipher Stream (Transmitted and Received): 0 1 0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0 1 1 0 0 0 0 0
The receiver XORs the cipher stream with the same key stream to recover the data:
Key Stream:                               1 1 1 1 0 1 1 0 0 1 1 1 1 0 1 0 1 0 1 0 1 1 1 0 1
Data:                                     1 0 1 1 1 0 0 1 0 1 1 1 0 1 0 1 1 0 0 1 1 1 1 0 1
WEP Encryption Process: the WEP encrypted frame body
| IV (4 octets) | Data PDU (>= 1 octet) | ICV (4 octets) |
– The IV field = Init. Vector (3 octets) + 1 octet holding Pad (6 bits) and Key ID (2 bits)
– Data PDU and ICV are the encrypted portion; the IV field is sent in the clear
WEP Keys
• 802.11b – 64-bit shared RC4 key: 24-bit IV plus a 40-bit secret key.
• 128-bit shared RC4 key: 24-bit IV plus a 104-bit secret key.
• 152-bit shared RC4 key: 24-bit IV plus a 128-bit secret key.
PRNG seed layout: IV (24 bits, bit positions 0-23) | Secret Key (40 bits, bit positions 24-63)
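WEP encapsulation and decapsulation as the diagrams above describe them (IV || secret key seeds RC4, a CRC-32 ICV is appended, the result is XORed with the key stream, and the frame body carries IV, pad/key ID byte, encrypted data and encrypted ICV), together with the four-message shared key authentication exchange from the earlier slide, as an added Python example that is not part of the presentation. RC4 is implemented inline; the key table, IVs, plaintext and challenge text are constructed sample values, and the ICV byte order is assumed little-endian.

```python
"""WEP encapsulation/decapsulation and shared key authentication.  Added example,
not from the presentation.  RC4 is implemented inline so the block runs offline;
the key table, IVs, plaintext and challenge text are constructed sample values.
ICV byte order is assumed little-endian."""
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling (KSA) followed by the pseudo-random generation loop (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plaintext.  It is a checksum, not a keyed
    integrity check, which is the point of the WEP weaknesses slide."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encapsulate(secret_key: bytes, iv: bytes, key_id: int, plaintext: bytes) -> bytes:
    """Frame body = IV(3) | pad(6 bits)+KeyID(2 bits) | RC4(IV||key) XOR (plaintext||ICV)."""
    if len(iv) != 3:
        raise ValueError("the WEP IV is 24 bits")
    if len(secret_key) not in (5, 13, 16):
        raise ValueError("secret key must be 40, 104 or 128 bits")
    if not 0 <= key_id <= 3:
        raise ValueError("key ID is a 2-bit index into the four stored keys")
    seed = iv + secret_key                                # PRNG seed: IV || secret key
    keystream = rc4_keystream(seed, len(plaintext) + 4)
    body = bytes(p ^ k for p, k in zip(plaintext + icv(plaintext), keystream))
    return iv + bytes([key_id << 6]) + body               # key ID in the top 2 bits


def wep_decapsulate(key_table: list, frame_body: bytes) -> bytes:
    """Receiver: select the key by the sender's key ID, regenerate the key stream from
    the clear-text IV, XOR, and check the ICV; raise (drop the frame) on mismatch."""
    iv, key_id = frame_body[:3], frame_body[3] >> 6
    keystream = rc4_keystream(iv + key_table[key_id], len(frame_body) - 4)
    decrypted = bytes(c ^ k for c, k in zip(frame_body[4:], keystream))
    data, received_icv = decrypted[:-4], decrypted[-4:]
    if received_icv != icv(data):
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return data


def shared_key_authentication(ap_keys: list, client_key: bytes, challenge: bytes,
                              iv: bytes) -> bool:
    """The four-message exchange: (1) client asks for shared key auth, (2) AP sends
    challenge text in the clear, (3) client returns it WEP-encrypted under a fresh IV,
    (4) AP decrypts and grants access only if the challenge text comes back intact."""
    message3 = wep_encapsulate(client_key, iv, 0, challenge)
    try:
        return wep_decapsulate(ap_keys, message3) == challenge
    except ValueError:
        return False


# Constructed sample key table: up to four stored keys, same order on every device
SAMPLE_KEYS = [b"ABCDE", b"key2-is-13chr", b"zyxwv", b"\x0b" * 13]
```

Decapsulating with a table whose keys are in a different order picks the wrong key and fails the ICV check, which is why the WEP Keys slide insists on the same key order on every device.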
WEP Weaknesses
• Key management and key size (40-bit).
• The IV is too small: 24 bits = 16,777,216 different cipher streams.
• The ICV algorithm is not appropriate
– Uses CRC-32 when MD5 or SHA-1 would be better.
• Authentication messages can be easily forged.
Block Cipher Operation
• Block ciphers deal with data in defined blocks
• The block cipher fragments the frame into blocks of predetermined size and performs the XOR function on each block.
• Each block must be the predetermined size, and leftover frame fragments are padded to the appropriate block size
RSNA Security
• Robust Security Network Association
• IEEE 802.11 Clause 8 (previously IEEE 802.11i)
• TKIP and RC4
• CCMP and AES
• IEEE 802.1X
• Preshared Keys
• Certificates and PACs
• Four-way Handshake
• Key Hierarchies
• Transition Security Network
IEEE 802.11, Clause 8
Discusses and defines the following issues
Temporal Key Integrity Protocol - TKIP
• Part of the IEEE 802.11i encryption standard for wireless LANs (pronounced tee-kip)
• TKIP is the next generation of WEP (initially called WEP2).
• Provides per-packet key mixing, a message integrity check and a re-keying mechanism, thus fixing the flaws of WEP.
• TKIP Process
– Begins with a 128-bit "temporal key" shared among clients and access points
– Combines the temporal key with the client's MAC address and then adds a relatively large 16-octet initialization vector to produce the key that will encrypt the data.
– This procedure ensures that each station uses different key streams to encrypt the data.
• Older WEP-based devices can be upgraded to TKIP; it is not processor intensive
CCMP and AES
• Counter Mode with Cipher Block Chaining-Message Authentication Code Protocol (CCMP)
• CCMP uses the Advanced Encryption Standard (AES) instead of the RC4 algorithm
• CCMP/AES uses 128-bit encryption, encrypts 128-bit blocks, and uses an 8-byte integrity check
• AES is very processor intensive
• Not upgradable for older devices
Advanced Encryption Standard - AES
• Relatively new U.S. National Institute of Standards and Technology (NIST) standard for single-key encryption; approved in 2002.
• 16-byte block cipher based on Rijndael (pronounced “Rain Doll”)
• Key lengths of 128, 192, and 256 bits
• Time to brute-force break an AES 256-bit key… several years.
• AES encryption is a four-step process
AES Four Steps
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
(diagram: steps 1 to 4)
802.1X and EAP
• IEEE’s 802.1X Port Based Network Access Control standard provides strong authentication and network access control for 802.11 networks.
• Extensible Authentication Protocol (EAP) is used to pass authentication information between the supplicant and the AS.
(diagram: Supplicant – Authenticator – Authentication Server)
802.1X Requires Three Entities:
• The supplicant – resides on the wireless LAN client
• The authenticator – resides on the access point
• The authentication server – resides on the RADIUS server
Cisco Wireless Security Suite and 802.1X
• Authentication framework – the IEEE 802.1X standard provides a framework for many authentication types and the link layer
• Extensible Authentication Protocol (EAP) Cisco authentication algorithm – the EAP Cisco Wireless authentication type, also called Cisco LEAP, supports centralized, user-based authentication with the ability to generate dynamic WEP keys
• Temporal Key Integrity Protocol (TKIP) – Cisco has implemented two components to augment WEP encryption:
– Message Integrity Check (MIC) – the MIC function provides effective frame authenticity to mitigate man-in-the-middle vulnerabilities
– Per-Packet Keying – per-packet keying provides every frame with a new and unique WEP key that mitigates WEP key derivation attacks
• Broadcast Key Rotation – dynamic key rotation
Four-Way Handshake
• Used to establish temporary transient keys with the AP
• Four-packet exchange
1. Number used once (ANonce)
2. Supplicant nonce (SNonce)
3. Authenticator nonce
4. Message Integrity Check (MIC)
WPA
• There are 2 modes of WPA and WPA2 certification – Enterprise and Personal
Enterprise Mode (Business & Government)
– WPA: Authentication: IEEE 802.1X/EAP; Encryption: TKIP/MIC
– WPA2: Authentication: IEEE 802.1X/EAP; Encryption: AES-CCMP
Personal Mode (Personal & SOHO)
– WPA: Authentication: PSK; Encryption: TKIP/MIC
– WPA2: Authentication: PSK; Encryption: AES-CCMP
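The four-way handshake of the previous slide, run in WPA2 Personal mode (PSK authentication, AES-CCMP key sizes), as an added Python example that is not the presentation's own material: the PMK is derived from the passphrase with PBKDF2-HMAC-SHA1 over the SSID (4096 iterations, 32 bytes), the PTK from the 802.11i PRF over both MAC addresses and both nonces, and an HMAC-SHA1-128 MIC protects messages 2 to 4. MAC addresses, nonces, passphrase and SSID are constructed, and the EAPOL-Key body is a simplified nonce | MIC layout rather than a byte-accurate EAPOL frame.

```python
"""WPA2-Personal key hierarchy and four-way handshake.  Added example, not part of
the presentation.  PMK <- PBKDF2(passphrase, SSID); PTK <- PRF(PMK, MACs, nonces);
MIC <- HMAC-SHA1-128(KCK, EAPOL-Key body).  The EAPOL-Key body used here is a
simplified, constructed layout: nonce (32 bytes) | MIC (16 bytes)."""
import hashlib
import hmac


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2 Personal: the 256-bit PMK is derived from the passphrase and the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter) blocks, concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs || min/max of the nonces).
    For CCMP the 48 bytes split into KCK (MIC key), KEK (key-wrap key) and TK (data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def key_frame(nonce: bytes, kck: bytes = b"") -> bytes:
    """Build a simplified EAPOL-Key body.  The MIC is computed over the body with the
    MIC field zeroed, as 802.11i specifies; message 1 (no KCK yet) carries no MIC."""
    body = nonce + b"\x00" * 16
    if not kck:
        return body
    return nonce + hmac.new(kck, body, hashlib.sha1).digest()[:16]


def mic_ok(frame: bytes, kck: bytes) -> bool:
    """Verify the MIC of a received EAPOL-Key body in constant time."""
    expected = hmac.new(kck, frame[:32] + b"\x00" * 16, hashlib.sha1).digest()[:16]
    return hmac.compare_digest(expected, frame[32:])


def four_way_handshake(pmk_ap: bytes, pmk_sta: bytes, aa: bytes, spa: bytes,
                       anonce: bytes, snonce: bytes):
    """Run the exchange; return the agreed temporal key, or None if a MIC check fails.
    Each side holds its own PMK, so a supplicant with the wrong PSK fails at message 2."""
    msg1 = key_frame(anonce)                              # 1: AP -> STA, ANonce, no MIC
    sta_ptk = derive_ptk(pmk_sta, aa, spa, msg1[:32], snonce)
    msg2 = key_frame(snonce, sta_ptk["kck"])              # 2: STA -> AP, SNonce + MIC
    ap_ptk = derive_ptk(pmk_ap, aa, spa, anonce, msg2[:32])
    if not mic_ok(msg2, ap_ptk["kck"]):                   # AP: does the STA know the PMK?
        return None
    msg3 = key_frame(anonce, ap_ptk["kck"])               # 3: AP -> STA, ANonce + MIC (GTK omitted)
    if not mic_ok(msg3, sta_ptk["kck"]):                  # STA: does the AP know the PMK?
        return None
    msg4 = key_frame(b"\x00" * 32, sta_ptk["kck"])        # 4: STA -> AP, confirmation, MIC only
    if not mic_ok(msg4, ap_ptk["kck"]):
        return None
    return ap_ptk["tk"]                                   # both sides now install this TK


# Constructed sample values for a stand-alone run (not from the slides)
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = pmk_from_psk("correct horse battery", "ccri-lab")
    print("agreed TK:", four_way_handshake(pmk, pmk, AP_MAC, STA_MAC, ANONCE, SNONCE).hex())
```

Because the nonces enter the PRF, every association yields a fresh PTK even though the PMK never changes, which is the "temporary transient keys" property the slide refers to.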
WPA & WPA2, 7 Steps
• The 7 steps are:
– Step 1: Security Mechanism and Credentials
– Step 2: User Authentication Database
– Step 3: Client Operating Systems
– Step 4: Supplicants
– Step 5: EAP Types (EAP-TTLS)
– Step 6: Authentication Server
– Step 7: Access Points and Client NIC Cards
Example of a WPA2
• Windows
1. Security Credentials: Digital Certificate X.509
2. Database: Microsoft Active Directory
3. Client OS: Windows XP
4. Supplicant: Built into Windows XP for EAP-TLS
5. Authentication EAP Type: EAP-TLS
6. Authentication Server: Cisco Secure Access Control Server (RADIUS server)
7. Access Points and Client Devices: WPA2-Enterprise Wi-Fi CERTIFIED
WPA Deployment (diagram)
• Wireless clients: Wi-Fi certified with WPA, 802.1X EAP type, supplicant for EAP & OS, TKIP encryption
• Access point (AP-1): support for 802.1X EAP type, TKIP
• Wired LAN: RADIUS server with 802.1X EAP type, authentication database
MAC Address Authentication
• MAC address authentication is not specified in the 802.11 standard
• Many vendors, including Cisco, support it.
• MAC address authentication verifies the client's MAC address against a locally configured list of allowed addresses or against an external authentication server
• MAC authentication is used to augment the open and shared key authentication provided by 802.11
Remember CIA and AAA
• CIA
– Confidentiality – keep things private
– Integrity – data must be consistent and accurate
– Availability – the right data to the right users
• AAA
– Authentication – ”Who are you?”
– Authorization – “What do you want?”
– Accounting – “What have you done?”
• Bottom Line
– Users are responsible for protecting their accounts and their data
IPsec VPN (Secure Your Wireless with IPsec by Dan Langille, 10/21/2004)
• IPsec is short for IP security
• It is a set of protocols for securely exchanging packets at the IP layer.
– VPNs frequently use it. We can use the same approach to secure our wireless network.
• IPsec uses shared secrets to encrypt data.
• IPsec uses security policies to decide what types of traffic to encrypt between which hosts.
• IPsec can create a point-to-point tunnel between two hosts.
• IPsec cannot exist on its own; you need to have IPsec at both ends
• IPsec uses a database to decide how to treat traffic.
– The two main types of rules are policy and association.
– The Security Policy Database (SPD) determines what traffic IPsec should handle.
– The Security Association Database (SAD) specifies how to encrypt that traffic.
Wireless VPNs
• Virtual Private Networks, or VPNs, use publicly accessible or wireless network infrastructures combined with private connections to securely exchange private applications and data.
• All VPN systems use encryption and other security mechanisms to ensure that only authorized users can access the network, so that the data cannot be intercepted.
Wireless Gateways
• A network device or base station, usually providing shared network access, firewall security and encryption.
• An access point, LAN switch, firewall, and WAN interface in one enclosure.
Security Solutions (diagram: components of 802.11i, WPA and WPA2)
• 802.1X – Authentication
• MIC – Message Integrity Checking
• TKIP – Temporal Key Integrity Protocol
• Cipher and Authentication Negotiation
• Key Management
• AES – Advanced Encryption Standard
• WPA / WPA2 – Wi-Fi Protected Access
• 802.11i
Wireless Security Summary

| Security Model | Authentication | Encryption | Security Level |
|---|---|---|---|
| Transitional (only a temporary solution) | Shared Key – up to four WEP keys should be rotated between clients. SSID Beaconing – turn off if the AP permits and/or use a cryptic SSID name. MAC Address Filtering – pre-approved at the AP and no guests. | WEP – even 128-bit WEP has vulnerabilities. 16-character ASCII passphrases generate predictable keys and should be discouraged. Only secure against script kiddies and casual eavesdroppers. | Low |
| WPA Personal (ten or fewer devices) | PSK – manually entered and used as the starting seed for encryption key generation. Must be entered in both the AP and the client. | TKIP – stronger than WEP but uses the same hardware. TKIP has three components: MIC to prevent forgeries; the IV is increased from 24 to 48 bits and changed for each packet; TKIP key mixing generates keys that are replaced frequently. | Medium |
| WPA2 Personal | PSK – keys are automatically changed after a set number of packets. | AES-CCMP – superior to TKIP and based on the 802.11i standard. Produces 128-bit blocks with 128 to 256-bit keys. Computation intensity strongly suggests hardware processing. | Med/High |
| WPA Enterprise | 802.1X – port-based authentication employing a Supplicant (client), an Authenticator (server isolating client and RADIUS) and an Authentication Server (RADIUS). | TKIP – same as WPA2 Personal | High/Med |
| WPA2 Enterprise | 802.1X – same as WPA Enterprise | AES-CCMP – same as WPA2 Personal | High/High |
Wireless Security Terms
• SSID – Service Set Identifier
• WPA – Wi-Fi Protected Access
• WEP – Wired Equivalent Privacy
• PSK – Pre-Shared Key
• TKIP – Temporal Key Integrity Protocol
• MAC – Media Access Control
• MIC – Message Integrity Check
• AES – Advanced Encryption Standard
• CCMP – Counter Mode CBC-MAC Protocol
• RADIUS – Remote Dial-In User Service