
ONT – Wireless security

This post picks up where the previous post ended: wireless security.

The historical time-line for wireless security is built on this path:
1G WEP -> Cisco LEAP -> WPA -> WPA2/802.11i

WEP, Wired Equivalent Privacy, was the first solution that the industry presented for wireless security. It is a weak solution that presents many problems, as it was released without enough security testing.
The original standard was 40 bit; as a result we can create 40 bit or 104 bit WEP keys, and in addition there is a 24 bit IV.
IV, Initialization Vector, is a random number that is combined with the key to create the encryption; it is sent in clear text.

WEP is a combination of a static key and a rotation of IV numbers. Over time the IVs repeat and duplicates are sent out, which makes it easy to decrypt traffic and break into the network. When wireless networks were introduced, the amount of bandwidth was low, but over time, with the huge increase in bandwidth usage, duplicate IVs are sent within short windows and breaking takes minutes (or even less).
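The IV repetition described above can be put into numbers. The following is an added example, not part of the original notes: it shows that a repeated IV under a static key reproduces the same RC4 keystream, and compares how soon a repeat is expected for the 24 bit WEP IV and for the 48 bit IV that TKIP uses (covered later in this post). The static key and the frame rate are constructed values.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (key scheduling + output generation), the cipher WEP uses."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_frame_keystream(iv: bytes, static_key: bytes, n: int = 16) -> bytes:
    """WEP seeds RC4 per frame with the cleartext 24-bit IV followed by the static key."""
    assert len(iv) == 3
    return rc4_keystream(iv + static_key, n)

def frames_until_repeat_likely(iv_bits: int, p: float = 0.5) -> int:
    """Birthday bound: frames sent with random IVs before a repeat has probability p."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - p))))

def seconds_until_wrap(iv_bits: int, frames_per_second: int) -> float:
    """Time for an IV used as a plain counter to run through every value."""
    return 2 ** iv_bits / frames_per_second

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")      # constructed 40-bit static key
    a = wep_frame_keystream(b"\x00\x00\x2a", key)
    b = wep_frame_keystream(b"\x00\x00\x2a", key)   # same IV seen again later
    c = wep_frame_keystream(b"\x00\x00\x2b", key)
    print("same IV -> same keystream:", a == b)
    print("next IV -> same keystream:", a == c)
    for bits in (24, 48):                  # WEP IV vs. TKIP IV
        print(bits, "bit IV: repeat likely after",
              frames_until_repeat_likely(bits), "random-IV frames")
    fps = 5000                             # assumed frame rate for a busy link
    print("24-bit counter wraps in %.0f s at %d frames/s"
          % (seconds_until_wrap(24, fps), fps))
```

With random IVs a repeat becomes likely after a few thousand frames on WEP, while the 48 bit space pushes that point out by a factor of about 4096.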

Dynamic WEP keys – Cisco and Microsoft designed rotating WEP keys that allow the WEP key to be changed automatically. This provided better security, since the window before duplicates appear grew, but it is still a weak point in a network's security.

WPA, Wi-Fi Protected Access, was released by the Wi-Fi Alliance as an interim solution to WEP (it was not meant to be a long-term solution).

WPA added 3 areas of security:

  • Temporal Key Integrity Protocol (TKIP) – a replacement for WEP encryption
  • Message Integrity Code (MIC) – 20 bit hashing mechanism to ensure data integrity
  • 802.1x – per port/per user authentication

TKIP, Temporal Key Integrity Protocol, came out of an industry challenge to use existing hardware for WPA. TKIP was the answer to this challenge.

The solution presented by TKIP looks simple (how did they not think about it earlier?) – the IV is expanded from 24 to 48 bits and used as a sequence number that helps with the hashing. Shared secret keys are used to generate other keys.
The first generated key is the session key:
Hash = sender MAC + seed key + first 32 bits of IV; these combine into the session key for 1 session
It stays the same for the session as long as the first 32 bits of the IV do not change.
The second generated key is the per-packet key:
Hash = session key + lower 16 bits of IV; the result is a 104 bit per-packet key
Using the same hardware, TKIP brings a powerful fix for WEP.

MIC, Message Integrity Code, was designed for data integrity.
Existing wireless hardware could only handle a 20 bit hash key (low protection).
Countermeasures to fight intruders when an altered data packet is detected:
The wireless link of compromised devices is disabled for 60 seconds – this is secure but dangerous, as the network loses connectivity in an automated process
Session keys are regenerated when the device comes back – whoever tried to break in will have to start over.

The 802.1x standard defines authentication for port-based access control. It consists of the following pieces:
Client < EAP> Authenticator Authentication Server

EAP, Extensible Authentication Protocol, is an empty “container” allowing authentication methods to change with no hardware upgrades. It is a shell for a packet where any authentication method can exist.

EAP methods:

  • Cisco LEAP, supported on Cisco devices. Easy to set up; it can use the Windows sign-on to authenticate with a RADIUS server.
    It can apply permissions based on username
  • Microsoft PEAP is more secure than LEAP and requires a CA certificate on each client. This requires access to each PC to install the CA – more configuration, but more secure
  • EAP-TLS is an industry standard, certificate-based authentication
  • EAP-FAST is another industry standard, a PAC-based system: it combines LEAP with PEAP

WPA2 is also known as 802.11i.
WPA2 is identical to the original WPA with the exception of the AES encryption standard, a more advanced and secure standard than TKIP.
WPA2 with AES requires a hardware upgrade and has backwards compatibility, which allows it to run using TKIP.

Both WPA and WPA2 can be run in one of 2 modes: Enterprise or Personal

Enterprise mode provides authentication through EAP/802.1x and uses TKIP or AES for encryption.

Personal mode provides authentication through a pre-shared key and uses TKIP or AES for encryption.

I’ve completed my ONT video series and first book reading. These are my ONT Study Notes.
