Differences between version 6 and predecessor to the previous major change of MeetingTopics.2005-08-22.
Newer page: | version 6 | Last edited on Monday, August 22, 2005 7:16:59 pm | by DanielLawson |
Older page: | version 1 | Last edited on Tuesday, January 25, 2005 10:08:08 am | by CraigBox |
@@ -1,3 +1,130 @@
-A
WLUG meeting is booked for this date.
+WLUG Meeting - 22 August 2005
-If you're seeing this message
, feel free
to suggest
or offer
to present a meeting topic
- the MeetingTopics page
might be a
good place
to start
.
+Location: University of Waikato
, [LitB]
+Time: 7pm
+
+DanielLawson is giving a talk on the current state of Wireless Security, covering WEP, WPA, 802.11i and more.
+
+WEP - Wireline Equivalent Protocol.
+* Introduced in 1997 as part of IEEE 802.11 standard
+* Attempt
to make wireless networks "no less secure" than wired ones
+
+Authentication:
+* one-way open authentication (SSID)
+* shared-key authentication
+
+Encryption:
+* Wireline Equivalent Privacy (WEP) key
+
+WEP keys
+* 40 (
or 104/128 bit) string
+* uses RC4
+* combined with 24bit Initialization Vector (IV)
+
+Pros:
+* allows some control over access
to network
+* allows some protection against sniffing.
+
+Cons:
+* comprised key = complete breach in security
+* pain to administer large number of machines
+* algorithm broken; can break encryption if enough data observed
+
+WPA
- Wi-Fi Protected Access
+* Wi-Fi Alliance assembled a part of
the upcoming 802.11i standardin 2003
+* TKIP for encryption
+* per-user, not per-device authentication and key distribution framework (802.1x)
+* Extensible Authentication Protocol (EAP)
+* Can still use Pre-Shared Keys (PSK)
+
+TKIP
+* RC4 based
+* Per-packet keying, IV changes, broadcast key rotation to get around WEP insecurities
+* Message Integrity Check (MIC) to prevent MITM attacks
+
+802.1x
+* IEEE standard for port-based authentication
+* Strong mutual authentication between client and auth server
+* Authenticates a client through user-supplied credentials, rather than a computer
+
+Keys
+* TKIP keys dynamically generated and distributed
+* Master key generated to seed key hierarchy
+* Master key given to AP and client
+* Per-user, per-session encryption - brute forcing attack very difficult!
+
+EAP
+* Extensible Authentication Protocol
+* Allows different auth methods without infrastructure changes
+* Originally designed for PPP connections, adapted for LAN (EAPOL)
+* Many EAPOL auth protocols exist - MD5, TLS, CHAP, MS-CHAPv2, SIM (Subscriber Identify Module), AKA (Athentication and Key Agreement), GTC (Generic Token Card)
+* Some methods add a tunnel for authentication information - PEAP, EAP-TTLS (Tunneled TLS)
+
+WPA2
+* Full IEEE 802.11i standard
+* Ratified in July 2004
+* TKIP, 802.1X/EAP
+* Added AES encryption
+
+AES
+* Counter cipher-block chaining mode (CCM), as opposed to WEPs single stream cipher
+* Variable keys sizes - 128, 192, 256 bits
+* "Good security"
+
+
+Practical Wireless Security
+
+Encryption Methods:
+
+* Only very early 802.11b devices lack WEP support, .: WEP is a good "minimum"
+* WEP adds some overhead -
might see some drop in throughput. Better than handing out your email password?
+* BUT, WEP can
be broken.
+
+* Some 802.11b and most 802.11g (all?) devices have WPA support
+* WPA addresses most of the problems
+* Can still use PSK
+* PSK used to seed the TKIP key hieararchy
+* Changing keys, so bruteforce attack not as feasable
+* WPA shown to still be insecure if keys are less than 20 characters long
+
+* WPA2 has
good encryption (AES)
+* Some WPA implementations have AES support as well. This is also good!
+
+Is PSK ok?
+
+* For small networks, PSK works well
+* Know the userbase
+* Can control when people add / leave network, and change keys appropriately
+* Low admin time
+* Perfect for home / small office use
+
+When is PSK not ok?
+* Large networks ( > 20 machines ?)
+* Large admin cost
+* Dynamic user base (eg cafe net, conference)
+* If per-user security is needed (eg cafe net, conference)
+
+
+Other considerations for wireless security:
+
+End-
to-end security
+* WEP, WPA, WPA2 only secure "in the air" transmissions. No security on remaining wired transmissions (which might go over an unsecured wireless backhaul!)
+* Use VPNs
+
+Multiple SSIDs
+* Can be used to provide different levels of security
+* different user groups
+
+VLANs
+* Many APs now support VLAN tagging
+* Per-port (per AP)
+* MAC address (per physical computer - bad)
+* Per SSID (SSIDs are sniffable)
+* Per user (via 802.1x)
+
+Rogue AP detection
+* Network only secure as long as you control all aspects of it
+* insecure APs without strict security controls can cause major security breaches
+
+
+Implementation of WPA-RADIUS with 802
.1x via FreeRadius
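Review bot: The WEP heading line expands the acronym as "Wireline Equivalent Protocol" while the Encryption list a few lines later says "Wireline Equivalent Privacy (WEP) key"; the 802.11 term is Wired Equivalent Privacy, so use that one expansion in both places. In the Cons list, "comprised key" should read "compromised key". Under Practical Wireless Security, "WPA shown to still be insecure if keys are less than 20 characters long" sits among the PSK bullets but does not say that it concerns the pre-shared passphrase; wording it as "WPA-PSK passphrases shorter than 20 characters are open to offline dictionary attack" would make the advice actionable. The AES section describes CCM as "Counter cipher-block chaining mode"; CCM is counter mode with CBC-MAC, and the bullet on 128, 192 and 256 bit keys describes AES in general rather than what 802.11i uses. The EAP list names MD5 alongside TLS with no indication that the methods differ in strength, although the 802.1x section promises "Strong mutual authentication"; a short remark on which methods provide mutual authentication would help. Remaining spelling: "standardin", "Identify", "Athentication", "hieararchy", "feasable". The final line, "Implementation of WPA-RADIUS with 802.1x via FreeRadius", is a heading with nothing under it.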