Diff: MeetingTopics.2005-08-22

Differences between version 7 and previous revision of MeetingTopics.2005-08-22.

Newer page: version 7 Last edited on Monday, August 22, 2005 10:40:00 pm by DanielLawson
Older page: version 6 Last edited on Monday, August 22, 2005 7:16:59 pm by DanielLawson
@@ -2,25 +2,25 @@
  
 Location: University of Waikato, [LitB] 
 Time: 7pm 
  
-DanielLawson is giving a talk on the current state of Wireless Security, covering WEP, WPA, 802.11i and more. 
+DanielLawson is giving a talk on the current state of Wireless Security, covering [ WEP] , [ WPA] , [ 802.11i] and more. 
  
-WEP - Wireline Equivalent Protocol.  
-* Introduced in 1997 as part of IEEE 802.11 standard 
+[ WEP] - Wireline Equivalent Protocol.  
+* Introduced in 1997 as part of [ IEEE] [ 802.11] standard 
 * Attempt to make wireless networks "no less secure" than wired ones 
  
 Authentication: 
-* one-way open authentication (SSID) 
+* one-way open authentication ([ SSID]
 * shared-key authentication 
  
 Encryption: 
-* Wireline Equivalent Privacy (WEP) key 
+* Wireline Equivalent Privacy ([ WEP] ) key 
  
-WEP keys 
+[ WEP] keys 
 * 40 (or 104/128 bit) string 
-* uses RC4  
-* combined with 24bit Initialization Vector (IV) 
+* uses [ RC4]  
+* combined with 24bit Initialization Vector ([ IV]
  
 Pros: 
 * allows some control over access to network 
 * allows some protection against sniffing. 
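Review bot: The closing parenthesis was dropped on two added lines, `* one-way open authentication ([ SSID]` and `* combined with 24bit Initialization Vector ([ IV]`. The removed lines read `(SSID)` and `(IV)`, and the `([ WEP] ) key` line in the same hunk keeps its parenthesis, so restore `)` after both links. Since the heading line is rewritten here anyway, note that `[ WEP] - Wireline Equivalent Protocol.` disagrees with the `Wireline Equivalent Privacy` expansion a few lines below it; the name in the 802.11 standard is Wired Equivalent Privacy, and both lines should use it.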
@@ -29,77 +29,77 @@
 * comprised key = complete breach in security 
 * pain to administer large number of machines 
 * algorithm broken; can break encryption if enough data observed 
  
-WPA - Wi-Fi Protected Access  
-* Wi-Fi Alliance assembled a part of the upcoming 802.11i standardin 2003  
-* TKIP for encryption  
-* per-user, not per-device authentication and key distribution framework (802.1x)  
-* Extensible Authentication Protocol (EAP)  
-* Can still use Pre-Shared Keys (PSK) 
+[ WPA] - Wi-Fi Protected Access  
+* Wi-Fi Alliance assembled a part of the upcoming [ 802.11i] standardin 2003  
+* [ TKIP] for encryption  
+* per-user, not per-device authentication and key distribution framework ([ 802.1x] )  
+* Extensible Authentication Protocol ([ EAP] )  
+* Can still use Pre-Shared Keys ([ PSK]
  
-TKIP  
-* RC4 based  
-* Per-packet keying, IV changes, broadcast key rotation to get around WEP insecurities  
-* Message Integrity Check (MIC) to prevent MITM attacks 
+[ TKIP]  
+* [ RC4] based  
+* Per-packet keying, [ IV] changes, broadcast key rotation to get around [ WEP] insecurities  
+* Message Integrity Check ([ MIC] ) to prevent [ MITM] attacks 
  
-802.1x  
-* IEEE standard for port-based authentication 
+[ 802.1x]  
+* [ IEEE] standard for port-based authentication 
 * Strong mutual authentication between client and auth server 
 * Authenticates a client through user-supplied credentials, rather than a computer 
  
 Keys 
-* TKIP keys dynamically generated and distributed 
+* [ TKIP] keys dynamically generated and distributed 
 * Master key generated to seed key hierarchy 
-* Master key given to AP and client 
+* Master key given to [ AP] and client 
 * Per-user, per-session encryption - brute forcing attack very difficult! 
  
-EAP 
+[ EAP]  
 * Extensible Authentication Protocol 
 * Allows different auth methods without infrastructure changes 
-* Originally designed for PPP connections, adapted for LAN (EAPOL)  
-* Many EAPOL auth protocols exist - MD5, TLS, CHAP, MS-CHAPv2, SIM (Subscriber Identify Module), AKA (Athentication and Key Agreement), GTC (Generic Token Card)  
-* Some methods add a tunnel for authentication information - PEAP, EAP-TTLS (Tunneled TLS) 
+* Originally designed for [ PPP] connections, adapted for [ LAN] ([ EAPOL] )  
+* Many [ EAPOL] auth protocols exist - [ MD5] , [ TLS] , [ CHAP] , [ MS-CHAPv2] , [ SIM] (Subscriber Identify Module), [ AKA] (Athentication and Key Agreement), [ GTC] (Generic Token Card)  
+* Some methods add a tunnel for authentication information - [ PEAP] , [ EAP-TTLS] (Tunneled [ TLS]
  
-WPA2  
-* Full IEEE 802.11i standard 
+[ WPA2]  
+* Full [ IEEE 802.11i] standard 
 * Ratified in July 2004 
-* TKIP, 802.1X /EAP  
-* Added AES encryption 
+* [ TKIP] , [ 802.1x] /[ EAP]  
+* Added [ AES] encryption 
  
-AES  
-* Counter cipher-block chaining mode (CCM), as opposed to WEPs single stream cipher 
+[ AES]  
+* Counter cipher-block chaining mode ([ CCM] ), as opposed to [WEP]'s single stream cipher 
 * Variable keys sizes - 128, 192, 256 bits 
 * "Good security" 
  
  
 Practical Wireless Security 
  
 Encryption Methods: 
  
-* Only very early 802.11b devices lack WEP support, .: WEP is a good "minimum"  
-* WEP adds some overhead - might see some drop in throughput. Better than handing out your email password?  
-* BUT, WEP can be broken. 
+* Only very early [ 802.11b] devices lack [ WEP] support, .: [ WEP] is a good "minimum"  
+* [ WEP] adds some overhead - might see some drop in throughput. Better than handing out your email password?  
+* BUT, [ WEP] can be broken. 
  
-* Some 802.11b and most 802.11g (all?) devices have WPA support  
-* WPA addresses most of the problems  
-* Can still use PSK  
-* PSK used to seed the TKIP key hieararchy 
+* Some [ 802.11b] and most [ 802.11g] (all?) devices have [ WPA] support  
+* [ WPA] addresses most of the problems  
+* Can still use [ PSK]  
+* [ PSK] used to seed the [ TKIP] key hieararchy 
 * Changing keys, so bruteforce attack not as feasable 
-* WPA shown to still be insecure if keys are less than 20 characters long 
+* [ WPA] shown to still be insecure if keys are less than 20 characters long 
  
-* WPA2 has good encryption (AES)  
-* Some WPA implementations have AES support as well. This is also good! 
+* [ WPA2] has good encryption ([ AES] )  
+* Some [ WPA] implementations have [ AES] support as well. This is also good! 
  
-Is PSK ok? 
+Is [ PSK] ok? 
  
-* For small networks, PSK works well 
+* For small networks, [ PSK] works well 
 * Know the userbase 
 * Can control when people add / leave network, and change keys appropriately 
 * Low admin time 
 * Perfect for home / small office use 
  
-When is PSK not ok? 
+When is [ PSK] not ok? 
 * Large networks ( > 20 machines ?) 
 * Large admin cost 
 * Dynamic user base (eg cafe net, conference) 
 * If per-user security is needed (eg cafe net, conference) 
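Review bot: The closing parenthesis is lost on `* Can still use Pre-Shared Keys ([ PSK]` and on `(Tunneled [ TLS]` at the end of the PEAP / EAP-TTLS bullet; restore `)` as the removed lines had it. The rewritten lines also carry over typos that could be fixed in the same pass: `standardin 2003`, `Subscriber Identify Module`, `Athentication` and `hieararchy`. Two wording points on the security content: `[ WPA] shown to still be insecure if keys are less than 20 characters long` sits in the PSK list and concerns short pre-shared passphrases, not the dynamically generated keys described under "Keys", so "PSK passphrases" would be more accurate than "keys"; and the `[ CCM]` bullet expands the name as "Counter cipher-block chaining mode", whereas CCM is counter mode with CBC-MAC.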
@@ -107,24 +107,24 @@
  
 Other considerations for wireless security: 
  
 End-to-end security 
-* WEP, WPA, WPA2 only secure "in the air" transmissions. No security on remaining wired transmissions (which might go over an unsecured wireless backhaul!)  
-* Use VPNs  
+* [ WEP] , [ WPA] , [ WPA2] only secure "in the air" transmissions. No security on remaining wired transmissions (which might go over an unsecured wireless backhaul!)  
+* Use [VPN]s  
  
-Multiple SSIDs  
+Multiple [SSID]s  
 * Can be used to provide different levels of security 
 * different user groups 
  
-VLANs  
-* Many APs now support VLAN tagging  
-* Per-port (per AP)  
-* MAC address (per physical computer - bad)  
-* Per SSID (SSIDs are sniffable)  
-* Per user (via 802.1x) 
+[VLAN]s  
+* Many [AP]s now support VLAN tagging  
+* Per-port (per [ AP] )  
+* [ MAC] address (per physical computer - bad)  
+* Per [ SSID] ([SSID]s are sniffable)  
+* Per user (via [ 802.1x]
  
-Rogue AP detection 
+Rogue [ AP] detection 
 * Network only secure as long as you control all aspects of it 
-* insecure APs without strict security controls can cause major security breaches 
+* insecure [AP]s without strict security controls can cause major security breaches 
  
  
 Implementation of WPA-RADIUS with 802.1x via FreeRadius
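Review bot: The added line `* Per user (via [ 802.1x]` lost its closing parenthesis (the removed line was `(via 802.1x)`); restore it. Linking is also uneven within this hunk: `* Many [AP]s now support VLAN tagging` leaves VLAN plain under a `[VLAN]s` heading, and the trailing context line `Implementation of WPA-RADIUS with 802.1x via FreeRadius` keeps 802.1x unlinked although the other occurrences were converted. On `* [ MAC] address (per physical computer - bad)`, the bullet would be more useful if it gave the reason for "bad", in the way the next bullet does with `([SSID]s are sniffable)`.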