Penguin
Recent Changes
Blame: MeetingTopics.2005-08-22
EditPageHistoryDiffInfoLikePages
Annotated edit history of MeetingTopics.2005-08-22 version 13 showing authors affecting page license. View with all changes included.
Rev Author # Line
2 DanielLawson 1 WLUG Meeting - 22 August 2005
1 CraigBox 2
2 DanielLawson 3 Location: University of Waikato, [LitB]
4 Time: 7pm
5
6 DanielLawson is giving a talk on the current state of Wireless Security, covering [WEP], [WPA], [802.11i] and more.
6 DanielLawson 7
8 [WEP] - Wireline Equivalent Protocol.
9 * Introduced in 1997 as part of [IEEE] [802.11] standard
10 * Attempt to make wireless networks "no less secure" than wired ones
11
12 Authentication:
13 * one-way open authentication ([SSID])
14 * shared-key authentication
15
16 Encryption:
17 * Wireline Equivalent Privacy ([WEP]) key
18
19 [WEP] keys
20 * 40 (or 104/128 bit) string
21 * uses [RC4]
22 * combined with 24bit Initialization Vector ([IV])
23
24 Pros:
25 * allows some control over access to network
26 * allows some protection against sniffing.
27
28 Cons:
29 * comprised key = complete breach in security
30 * pain to administer large number of machines
31 * algorithm broken; can break encryption if enough data observed
32
33 [WPA] - Wi-Fi Protected Access
34 * Wi-Fi Alliance assembled a part of the upcoming [802.11i] standardin 2003
35 * [TKIP] for encryption
36 * per-user, not per-device authentication and key distribution framework ([802.1X])
37 * Extensible Authentication Protocol ([EAP])
38 * Can still use Pre-Shared Keys ([PSK])
39
40 [TKIP]
41 * [RC4] based
42 * Per-packet keying, [IV] changes, broadcast key rotation to get around [WEP] insecurities
43 * Message Integrity Check ([MIC]) to prevent [MITM] attacks
44
45 [802.1X]
46 * [IEEE] standard for port-based authentication
47 * Strong mutual authentication between client and auth server
48 * Authenticates a client through user-supplied credentials, rather than a computer
49
50 Keys
51 * [TKIP] keys dynamically generated and distributed
52 * Master key generated to seed key hierarchy
53 * Master key given to [AP] and client
54 * Per-user, per-session encryption - brute forcing attack very difficult!
55
56 [EAP]
57 * Extensible Authentication Protocol
58 * Allows different auth methods without infrastructure changes
59 * Originally designed for [PPP] connections, adapted for [LAN] ([EAPOL|EAP])
10 CraigBox 60 * Many [EAPOL|EAP] auth protocols exist - [MD5], [TLS], [CHAP], [MS-CHAPv2], [SIM] (Subscriber Identity Module), EAP-AKA (Authentication and Key Agreement), GTC (Generic Token Card)
61 * Some methods add a tunnel for authentication information - [PEAP|EAP], [EAP-TTLS|EAP] (Tunneled [TLS])
6 DanielLawson 62
63 [WPA2]
64 * Full [IEEE] [802.11i] standard
65 * Ratified in July 2004
66 * [TKIP], [802.1X]/[EAP]
67 * Added [AES] encryption
68
69 [AES]
8 PerryLorier 70 * Counter cipher-block chaining mode ([CBC]), as opposed to [WEP]'s single stream cipher
6 DanielLawson 71 * Variable keys sizes - 128, 192, 256 bits
72 * "Good security"
73
74
75 Practical Wireless Security
76
77 Encryption Methods:
78
79 * Only very early [802.11b] devices lack [WEP] support, .: [WEP] is a good "minimum"
80 * [WEP] adds some overhead - might see some drop in throughput. Better than handing out your email password?
81 * BUT, [WEP] can be broken.
82
83 * Some [802.11b] and most [802.11g] (all?) devices have [WPA] support
84 * [WPA] addresses most of the problems
85 * Can still use [PSK]
86 * [PSK] used to seed the [TKIP] key hieararchy
87 * Changing keys, so bruteforce attack not as feasable
88 * [WPA] shown to still be insecure if keys are less than 20 characters long
89
90 * [WPA2] has good encryption ([AES])
91 * Some [WPA] implementations have [AES] support as well. This is also good!
92
93 Is [PSK] ok?
94
95 * For small networks, [PSK] works well
96 * Know the userbase
97 * Can control when people add / leave network, and change keys appropriately
98 * Low admin time
99 * Perfect for home / small office use
100
101 When is [PSK] not ok?
102 * Large networks ( > 20 machines ?)
103 * Large admin cost
104 * Dynamic user base (eg cafe net, conference)
105 * If per-user security is needed (eg cafe net, conference)
106
107
108 Other considerations for wireless security:
109
110 End-to-end security
111 * [WEP], [WPA], [WPA2] only secure "in the air" transmissions. No security on remaining wired transmissions (which might go over an unsecured wireless backhaul!)
112 * Use [VPN]s
113
114 Multiple [SSID]s
115 * Can be used to provide different levels of security
116 * different user groups
117
118 [VLAN]s
119 * Many [AP]s now support VLAN tagging
120 * Per-port (per [AP])
121 * [MAC] address (per physical computer - bad)
122 * Per [SSID] ([SSID]s are sniffable)
123 * Per user (via [802.1X])
124
125 Rogue [AP] detection
126 * Network only secure as long as you control all aspects of it
127 * insecure [AP]s without strict security controls can cause major security breaches
128
129
130 Implementation of WPA-RADIUS with 802.1X via FreeRadius
10 CraigBox 131
132 See also:
133
134 * [How to set up a wireless network using Windows server WPA and RADIUS|http://www.hansenonline.net/Networking/wlanradius.html]
13 DanielLawson 135 * [Comparison of TTLS and PEAP|http://www.oreillynet.com/pub/a/wireless/2002/10/17/peap.html]

PHP Warning

lib/blame.php:177: Warning: Invalid argument supplied for foreach()