Diff: MeetingTopics.2005-08-22

Differences between version 7 and predecessor to the previous major change of MeetingTopics.2005-08-22.

Newer page: version 7 Last edited on Monday, August 22, 2005 10:40:00 pm by DanielLawson
Older page: version 1 Last edited on Tuesday, January 25, 2005 10:08:08 am by CraigBox
@@ -1,3 +1,130 @@
-A WLUG meeting is booked for this date.  
+WLUG Meeting - 22 August 2005  
  
-If you're seeing this message , feel free to suggest or offer to present a meeting topic - the MeetingTopics page might be a good place to start
+Location: University of Waikato , [LitB]  
+Time: 7pm  
+  
+DanielLawson is giving a talk on the current state of Wireless Security, covering [WEP], [WPA], [802.11i] and more.  
+  
+[WEP] - Wireline Equivalent Protocol.  
+* Introduced in 1997 as part of [IEEE] [802.11] standard  
+* Attempt to make wireless networks "no less secure" than wired ones  
+  
+Authentication:  
+* one-way open authentication ([SSID])  
+* shared-key authentication  
+  
+Encryption:  
+* Wireline Equivalent Privacy ([WEP]) key  
+  
+[WEP] keys  
+* 40 ( or 104/128 bit) string  
+* uses [RC4]  
+* combined with 24bit Initialization Vector ([IV])  
+  
+Pros:  
+* allows some control over access to network  
+* allows some protection against sniffing.  
+  
+Cons:  
+* comprised key = complete breach in security  
+* pain to administer large number of machines  
+* algorithm broken; can break encryption if enough data observed  
+  
+[WPA] - Wi-Fi Protected Access  
+* Wi-Fi Alliance assembled a part of the upcoming [802.11i] standardin 2003  
+* [TKIP] for encryption  
+* per-user, not per-device authentication and key distribution framework ([802.1x])  
+* Extensible Authentication Protocol ([EAP])  
+* Can still use Pre-Shared Keys ([PSK])  
+  
+[TKIP]  
+* [RC4] based  
+* Per-packet keying, [IV] changes, broadcast key rotation to get around [WEP] insecurities  
+* Message Integrity Check ([MIC]) to prevent [MITM] attacks  
+  
+[802.1x]  
+* [IEEE] standard for port-based authentication  
+* Strong mutual authentication between client and auth server  
+* Authenticates a client through user-supplied credentials, rather than a computer  
+  
+Keys  
+* [TKIP] keys dynamically generated and distributed  
+* Master key generated to seed key hierarchy  
+* Master key given to [AP] and client  
+* Per-user, per-session encryption - brute forcing attack very difficult!  
+  
+[EAP]  
+* Extensible Authentication Protocol  
+* Allows different auth methods without infrastructure changes  
+* Originally designed for [PPP] connections, adapted for [LAN] ([EAPOL])  
+* Many [EAPOL] auth protocols exist - [MD5], [TLS], [CHAP], [MS-CHAPv2], [SIM] (Subscriber Identify Module), [AKA] (Athentication and Key Agreement), [GTC] (Generic Token Card)  
+* Some methods add a tunnel for authentication information - [PEAP], [EAP-TTLS] (Tunneled [TLS])  
+  
+[WPA2]  
+* Full [IEEE 802.11i] standard  
+* Ratified in July 2004  
+* [TKIP], [802.1x]/[EAP]  
+* Added [AES] encryption  
+  
+[AES]  
+* Counter cipher-block chaining mode ([CCM]), as opposed to [WEP]'s single stream cipher  
+* Variable keys sizes - 128, 192, 256 bits  
+* "Good security"  
+  
+  
+Practical Wireless Security  
+  
+Encryption Methods:  
+  
+* Only very early [802.11b] devices lack [WEP] support, .: [WEP] is a good "minimum"  
+* [WEP] adds some overhead - might see some drop in throughput. Better than handing out your email password?  
+* BUT, [WEP] can be broken.  
+  
+* Some [802.11b] and most [802.11g] (all?) devices have [WPA] support  
+* [WPA] addresses most of the problems  
+* Can still use [PSK]  
+* [PSK] used to seed the [TKIP] key hieararchy  
+* Changing keys, so bruteforce attack not as feasable  
+* [WPA] shown to still be insecure if keys are less than 20 characters long  
+  
+* [WPA2] has good encryption ([AES])  
+* Some [WPA] implementations have [AES] support as well. This is also good!  
+  
+Is [PSK] ok?  
+  
+* For small networks, [PSK] works well  
+* Know the userbase  
+* Can control when people add / leave network, and change keys appropriately  
+* Low admin time  
+* Perfect for home / small office use  
+  
+When is [PSK] not ok?  
+* Large networks ( > 20 machines ?)  
+* Large admin cost  
+* Dynamic user base (eg cafe net, conference)  
+* If per-user security is needed (eg cafe net, conference)  
+  
+  
+Other considerations for wireless security:  
+  
+End- to-end security  
+* [WEP], [WPA], [WPA2] only secure "in the air" transmissions. No security on remaining wired transmissions (which might go over an unsecured wireless backhaul!)  
+* Use [VPN]s  
+  
+Multiple [SSID]s  
+* Can be used to provide different levels of security  
+* different user groups  
+  
+[VLAN]s  
+* Many [AP]s now support VLAN tagging  
+* Per-port (per [AP])  
+* [MAC] address (per physical computer - bad)  
+* Per [SSID] ([SSID]s are sniffable)  
+* Per user (via [802.1x])  
+  
+Rogue [AP] detection  
+* Network only secure as long as you control all aspects of it  
+* insecure [AP]s without strict security controls can cause major security breaches  
+  
+  
+Implementation of WPA-RADIUS with 802 .1x via FreeRadius
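Review bot: The [802.1x] section states "Strong mutual authentication between client and auth server" without qualification, but the [EAP] list further down offers [MD5] alongside [TLS] and the tunnelled methods. EAP-MD5 authenticates only the client and derives no keying material, so it cannot seed the key hierarchy described under "Keys". Suggest rewording the 802.1x bullet to say mutual authentication depends on the EAP method chosen, and marking which listed methods are suitable for wireless. Smaller points in the same hunk: the [WEP] heading expands it as "Wireline Equivalent Protocol" while the Encryption bullet says "Wireline Equivalent Privacy" (the standard's name is Wired Equivalent Privacy, so pick one expansion and use it in both places); "40 ( or 104/128 bit) string" mixes the secret key length (40 or 104 bits) with the key-plus-[IV] length (64 or 128 bits), which should be stated separately given the next bullet introduces the 24-bit IV; "comprised key" under Cons should read "compromised key"; [CCM] under [AES] is Counter with CBC-MAC rather than "Counter cipher-block chaining mode"; the bullet "[WPA] shown to still be insecure if keys are less than 20 characters long" should say it is about the [PSK] passphrase, since it follows a bullet about changing [TKIP] keys; and the final line "Implementation of WPA-RADIUS with 802 .1x via FreeRadius" is a heading with no content under it and a stray space in "802 .1x".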