Differences between version 7 and previous revision of MeetingTopics.2005-08-22.
Newer page: | version 7 | Last edited on Monday, August 22, 2005 10:40:00 pm | by DanielLawson |
Older page: | version 6 | Last edited on Monday, August 22, 2005 7:16:59 pm | by DanielLawson |
@@ -2,25 +2,25 @@
Location: University of Waikato, [LitB]
Time: 7pm
-DanielLawson is giving a talk on the current state of Wireless Security, covering WEP, WPA, 802.11i and more.
+DanielLawson is giving a talk on the current state of Wireless Security, covering [
WEP]
, [
WPA]
, [
802.11i]
and more.
-WEP - Wireline Equivalent Protocol.
-* Introduced in 1997 as part of IEEE 802.11 standard
+[
WEP]
- Wireline Equivalent Protocol.
+* Introduced in 1997 as part of [
IEEE] [
802.11]
standard
* Attempt to make wireless networks "no less secure" than wired ones
Authentication:
-* one-way open authentication (SSID)
+* one-way open authentication ([
SSID]
)
* shared-key authentication
Encryption:
-* Wireline Equivalent Privacy (WEP) key
+* Wireline Equivalent Privacy ([
WEP]
) key
-WEP keys
+[
WEP]
keys
* 40 (or 104/128 bit) string
-* uses RC4
-* combined with 24bit Initialization Vector (IV)
+* uses [
RC4]
+* combined with 24bit Initialization Vector ([
IV]
)
Pros:
* allows some control over access to network
* allows some protection against sniffing.
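Review bot: the expansion on the changed line "[WEP] - Wireline Equivalent Protocol." disagrees with the Encryption bullet in the same hunk, which reads "Wireline Equivalent Privacy ([WEP]) key"; the name used by the standard is Wired Equivalent Privacy, so both lines should be corrected while they are being touched. The unchanged bullet "40 (or 104/128 bit) string" would also read more clearly if it said that the 40-bit and 104-bit secrets become 64-bit and 128-bit RC4 keys once the 24-bit IV from the later bullet is prepended, which is why both 104 and 128 are quoted.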
@@ -29,77 +29,77 @@
* comprised key = complete breach in security
* pain to administer large number of machines
* algorithm broken; can break encryption if enough data observed
-WPA - Wi-Fi Protected Access
-* Wi-Fi Alliance assembled a part of the upcoming 802.11i standardin 2003
-* TKIP for encryption
-* per-user, not per-device authentication and key distribution framework (802.1x)
-* Extensible Authentication Protocol (EAP)
-* Can still use Pre-Shared Keys (PSK)
+[
WPA]
- Wi-Fi Protected Access
+* Wi-Fi Alliance assembled a part of the upcoming [
802.11i]
standardin 2003
+* [
TKIP]
for encryption
+* per-user, not per-device authentication and key distribution framework ([
802.1x]
)
+* Extensible Authentication Protocol ([
EAP]
)
+* Can still use Pre-Shared Keys ([
PSK]
)
-TKIP
-* RC4 based
-* Per-packet keying, IV changes, broadcast key rotation to get around WEP insecurities
-* Message Integrity Check (MIC) to prevent MITM attacks
+[
TKIP]
+* [
RC4]
based
+* Per-packet keying, [
IV]
changes, broadcast key rotation to get around [
WEP]
insecurities
+* Message Integrity Check ([
MIC]
) to prevent [
MITM]
attacks
-802.1x
-* IEEE standard for port-based authentication
+[
802.1x]
+* [
IEEE]
standard for port-based authentication
* Strong mutual authentication between client and auth server
* Authenticates a client through user-supplied credentials, rather than a computer
Keys
-* TKIP keys dynamically generated and distributed
+* [
TKIP]
keys dynamically generated and distributed
* Master key generated to seed key hierarchy
-* Master key given to AP and client
+* Master key given to [
AP]
and client
* Per-user, per-session encryption - brute forcing attack very difficult!
-EAP
+[
EAP]
* Extensible Authentication Protocol
* Allows different auth methods without infrastructure changes
-* Originally designed for PPP connections, adapted for LAN (EAPOL)
-* Many EAPOL auth protocols exist - MD5, TLS, CHAP, MS-CHAPv2, SIM (Subscriber Identify Module), AKA (Athentication and Key Agreement), GTC (Generic Token Card)
-* Some methods add a tunnel for authentication information - PEAP, EAP-TTLS (Tunneled TLS)
+* Originally designed for [
PPP]
connections, adapted for [
LAN]
([
EAPOL]
)
+* Many [
EAPOL]
auth protocols exist - [
MD5]
, [
TLS]
, [
CHAP]
, [
MS-CHAPv2]
, [
SIM]
(Subscriber Identify Module), [
AKA]
(Athentication and Key Agreement), [
GTC]
(Generic Token Card)
+* Some methods add a tunnel for authentication information - [
PEAP]
, [
EAP-TTLS]
(Tunneled [
TLS]
)
-WPA2
-* Full IEEE 802.11i standard
+[
WPA2]
+* Full [
IEEE 802.11i]
standard
* Ratified in July 2004
-* TKIP, 802.1X
/EAP
-* Added AES encryption
+* [
TKIP]
, [
802.1x]
/[
EAP]
+* Added [
AES]
encryption
-AES
-* Counter cipher-block chaining mode (CCM), as opposed to WEPs
single stream cipher
+[
AES]
+* Counter cipher-block chaining mode ([
CCM]
), as opposed to [WEP]'s
single stream cipher
* Variable keys sizes - 128, 192, 256 bits
* "Good security"
Practical Wireless Security
Encryption Methods:
-* Only very early 802.11b devices lack WEP support, .: WEP is a good "minimum"
-* WEP adds some overhead - might see some drop in throughput. Better than handing out your email password?
-* BUT, WEP can be broken.
+* Only very early [
802.11b]
devices lack [
WEP]
support, .: [
WEP]
is a good "minimum"
+* [
WEP]
adds some overhead - might see some drop in throughput. Better than handing out your email password?
+* BUT, [
WEP]
can be broken.
-* Some 802.11b and most 802.11g (all?) devices have WPA support
-* WPA addresses most of the problems
-* Can still use PSK
-* PSK used to seed the TKIP key hieararchy
+* Some [
802.11b]
and most [
802.11g]
(all?) devices have [
WPA]
support
+* [
WPA]
addresses most of the problems
+* Can still use [
PSK]
+* [
PSK]
used to seed the [
TKIP]
key hieararchy
* Changing keys, so bruteforce attack not as feasable
-* WPA shown to still be insecure if keys are less than 20 characters long
+* [
WPA]
shown to still be insecure if keys are less than 20 characters long
-* WPA2 has good encryption (AES)
-* Some WPA implementations have AES support as well. This is also good!
+* [
WPA2]
has good encryption ([
AES]
)
+* Some [
WPA]
implementations have [
AES]
support as well. This is also good!
-Is PSK ok?
+Is [
PSK]
ok?
-* For small networks, PSK works well
+* For small networks, [
PSK]
works well
* Know the userbase
* Can control when people add / leave network, and change keys appropriately
* Low admin time
* Perfect for home / small office use
-When is PSK not ok?
+When is [
PSK]
not ok?
* Large networks ( > 20 machines ?)
* Large admin cost
* Dynamic user base (eg cafe net, conference)
* If per-user security is needed (eg cafe net, conference)
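Review bot: the rewritten AES bullet "Counter cipher-block chaining mode ([CCM])" expands the acronym incorrectly; CCM is Counter mode with CBC-MAC, so the link text should say that, and "single stream cipher" on the continuation line would be clearer as "RC4 stream cipher". Since this revision re-enters almost every line in the hunk, it should also fix the spelling errors it carries over into the added lines ("standardin 2003", "Subscriber Identify Module", "Athentication", "hieararchy") and pick one form for the port-authentication standard, as the removed line had "802.1X" and the added lines use "802.1x". The unchanged lines "comprised key" (presumably "compromised") and "feasable" need the same attention, and the bullet "shown to still be insecure if keys are less than 20 characters long" should state that it refers to the PSK passphrase, which the surrounding PSK bullets imply but the line itself does not say.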
@@ -107,24 +107,24 @@
Other considerations for wireless security:
End-to-end security
-* WEP, WPA, WPA2 only secure "in the air" transmissions. No security on remaining wired transmissions (which might go over an unsecured wireless backhaul!)
-* Use VPNs
+* [
WEP]
, [
WPA]
, [
WPA2]
only secure "in the air" transmissions. No security on remaining wired transmissions (which might go over an unsecured wireless backhaul!)
+* Use [VPN]s
-Multiple SSIDs
+Multiple [SSID]s
* Can be used to provide different levels of security
* different user groups
-VLANs
-* Many APs
now support VLAN tagging
-* Per-port (per AP)
-* MAC address (per physical computer - bad)
-* Per SSID (SSIDs
are sniffable)
-* Per user (via 802.1x)
+[VLAN]s
+* Many [AP]s
now support VLAN tagging
+* Per-port (per [
AP]
)
+* [
MAC]
address (per physical computer - bad)
+* Per [
SSID]
([SSID]s
are sniffable)
+* Per user (via [
802.1x]
)
-Rogue AP detection
+Rogue [
AP]
detection
* Network only secure as long as you control all aspects of it
-* insecure APs
without strict security controls can cause major security breaches
+* insecure [AP]s
without strict security controls can cause major security breaches
Implementation of WPA-RADIUS with 802.1x via FreeRadius
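Review bot: in the VLANs list the added item "[MAC] address (per physical computer - bad)" gives no reason for "bad", while the next item does give one ("[SSID]s are sniffable"); suggest stating the reason here too, namely that MAC addresses are sent in the clear and can be changed by the client, so they make a poor basis for VLAN assignment. Linking is also inconsistent within the hunk: the heading becomes "[VLAN]s" but "now support VLAN tagging" is left unlinked, and the final context line still has bare "WPA-RADIUS", "802.1x" and "FreeRadius" although every other occurrence of these terms was linked in this revision.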