Home
Main website
Display Sidebar
Hide Ads
Recent Changes
View Source:
MeetingTopics.2005-08-22
Edit
PageHistory
Diff
Info
LikePages
WLUG Meeting - 22 August 2005 Location: University of Waikato, [LitB] Time: 7pm DanielLawson is giving a talk on the current state of Wireless Security, covering [WEP], [WPA], [802.11i] and more. [WEP] - Wireline Equivalent Protocol. * Introduced in 1997 as part of [IEEE] [802.11] standard * Attempt to make wireless networks "no less secure" than wired ones Authentication: * one-way open authentication ([SSID]) * shared-key authentication Encryption: * Wireline Equivalent Privacy ([WEP]) key [WEP] keys * 40 (or 104/128 bit) string * uses [RC4] * combined with 24bit Initialization Vector ([IV]) Pros: * allows some control over access to network * allows some protection against sniffing. Cons: * comprised key = complete breach in security * pain to administer large number of machines * algorithm broken; can break encryption if enough data observed [WPA] - Wi-Fi Protected Access * Wi-Fi Alliance assembled a part of the upcoming [802.11i] standardin 2003 * [TKIP] for encryption * per-user, not per-device authentication and key distribution framework ([802.1X]) * Extensible Authentication Protocol ([EAP]) * Can still use Pre-Shared Keys ([PSK]) [TKIP] * [RC4] based * Per-packet keying, [IV] changes, broadcast key rotation to get around [WEP] insecurities * Message Integrity Check ([MIC]) to prevent [MITM] attacks [802.1X] * [IEEE] standard for port-based authentication * Strong mutual authentication between client and auth server * Authenticates a client through user-supplied credentials, rather than a computer Keys * [TKIP] keys dynamically generated and distributed * Master key generated to seed key hierarchy * Master key given to [AP] and client * Per-user, per-session encryption - brute forcing attack very difficult! [EAP] * Extensible Authentication Protocol * Allows different auth methods without infrastructure changes * Originally designed for [PPP] connections, adapted for [LAN] ([EAPOL|EAP]) * Many [EAPOL|EAP] auth protocols exist - [MD5], [TLS], [CHAP], [MS-CHAPv2], [SIM] (Subscriber Identity Module), EAP-AKA (Authentication and Key Agreement), GTC (Generic Token Card) * Some methods add a tunnel for authentication information - [PEAP|EAP], [EAP-TTLS|EAP] (Tunneled [TLS]) [WPA2] * Full [IEEE] [802.11i] standard * Ratified in July 2004 * [TKIP], [802.1X]/[EAP] * Added [AES] encryption [AES] * Counter cipher-block chaining mode ([CBC]), as opposed to [WEP]'s single stream cipher * Variable keys sizes - 128, 192, 256 bits * "Good security" Practical Wireless Security Encryption Methods: * Only very early [802.11b] devices lack [WEP] support, .: [WEP] is a good "minimum" * [WEP] adds some overhead - might see some drop in throughput. Better than handing out your email password? * BUT, [WEP] can be broken. * Some [802.11b] and most [802.11g] (all?) devices have [WPA] support * [WPA] addresses most of the problems * Can still use [PSK] * [PSK] used to seed the [TKIP] key hieararchy * Changing keys, so bruteforce attack not as feasable * [WPA] shown to still be insecure if keys are less than 20 characters long * [WPA2] has good encryption ([AES]) * Some [WPA] implementations have [AES] support as well. This is also good! Is [PSK] ok? * For small networks, [PSK] works well * Know the userbase * Can control when people add / leave network, and change keys appropriately * Low admin time * Perfect for home / small office use When is [PSK] not ok? * Large networks ( > 20 machines ?) * Large admin cost * Dynamic user base (eg cafe net, conference) * If per-user security is needed (eg cafe net, conference) Other considerations for wireless security: End-to-end security * [WEP], [WPA], [WPA2] only secure "in the air" transmissions. No security on remaining wired transmissions (which might go over an unsecured wireless backhaul!) * Use [VPN]s Multiple [SSID]s * Can be used to provide different levels of security * different user groups [VLAN]s * Many [AP]s now support VLAN tagging * Per-port (per [AP]) * [MAC] address (per physical computer - bad) * Per [SSID] ([SSID]s are sniffable) * Per user (via [802.1X]) Rogue [AP] detection * Network only secure as long as you control all aspects of it * insecure [AP]s without strict security controls can cause major security breaches Implementation of WPA-RADIUS with 802.1X via FreeRadius See also: * [How to set up a wireless network using Windows server WPA and RADIUS|http://www.hansenonline.net/Networking/wlanradius.html] * [Comparison of TTLS and PEAP|http://www.oreillynet.com/pub/a/wireless/2002/10/17/peap.html]
One page links to
MeetingTopics.2005-08-22
:
MeetingTopics.2005
