wifi security tutorial

Wireless Security Protocols

  • 802.11i
  • 802.1x
  • Cisco LEAP
  • Microsoft PEAP
  • EAP-TLS
  • EAP-TTLS

General Information

EAP-TLS

  • RFC 2716 (since superseded by RFC 5216)
  • The TLS handshake is used for two-way authentication (client to server and server to client), with both sides presenting certificates
  • Session keys are derived from the TLS master secret, so key management is inherited from TLS (SSL)
  • Developed by Microsoft
  • Clients
    • Xsupplicant (Unix)
    • Windows XP
  • Pros
    • Strongest method listed: mutual certificate authentication, no password to guess or brute-force
  • Cons
    • Requires a PKI for distributing client certificates
    • Client implementations are limited



EAP-TTLS

  • Same outline as EAP-TLS, except that client authentication can use something other than a TLS certificate (PAP, CHAP, MS-CHAP, or an inner EAP method), removing the need for client certificates and the PKI to issue them
  • Server authentication is still TLS; a server certificate, and a CA certificate on the client to verify it, are still required
  • Functionally very close to PEAP (TLS tunnel first, then the client's credentials inside it)
  • Still in draft status at the time of writing, developed by Certicom and Funk Software (later published as RFC 5281)
  • Funk Software does have a pre-standard client and server for Windows (Odyssey)

Summary

  • 802.11i
    • Tries to fix the problems with WEP, using TKIP (per-packet keying)
    • 802.1x will be part of the standard
  • 802.1x
    • Standard for port-based network access control
      • For 802.11, the port is a session with
    • Adopts EAP from PPP (RFC 2284) for authentication; the access point acts as authenticator and normally passes the EAP conversation through to a RADIUS server, which makes the accept/reject decision
    • Does not itself provide link encryption; it authenticates and can deliver keys (EAPOL-Key) to the encryption layer
  • EAP-Cisco AKA LEAP
    • Proprietary, mutual authentication, per-session keying
    • Currently only works with Cisco gear, but Funk Software is developing supplicant and server software that will work with other vendors' cards (still need Cisco A/P)
  • EAP-TLS
    • Authentication via SSL/TLS certificates
    • Standards-based, mutual authentication, per-session keying
    • Requires client AND server TLS certificates, so an existing PKI is necessary
    • Open-source: Xsupplicant (client), FreeRADIUS (server)
    • Closed-source: Windows XP (client), IAS (server), Funk Odyssey (client and server)
  • EAP-TTLS
    • Draft standard, mutual authentication, per-session keying
    • Server authentication through certificates
    • Client authentication through other means (MD5, tokens, etc)
    • Funk Software (Odyssey) is the only current implementation
  • Protected EAP (PEAP)
    • TLS-encapsulated EAP
    • Server authentication through TLS cert
    • Client authentication through another EAP method run inside the tunnel (EAP-MSCHAPv2, MD5, etc.)
    • Microsoft IAS (server) and Windows XP (client) are the only implementations
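
The 802.1x/EAP conversation summarised above, as an added example that is not part of the original page: it builds and parses the real EAPOL (IEEE 802.1X) and EAP (RFC 2284/3748) headers, runs an EAP-MD5-Challenge authentication between a supplicant and an authentication server, and then shows what an eavesdropper can do with the captured frames. The identity, password, user database and server name are constructed sample data.

```python
# Added example, not from the original page: a minimal 802.1X/EAP exchange
# using the real wire formats (EAPOL header from IEEE 802.1X, EAP header from
# RFC 2284/3748) with EAP-MD5-Challenge as the method.  The identity,
# password and user database are constructed sample data.
import hashlib
import os
import struct

EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START = 0, 1            # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def eap_packet(code, identifier, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eapol_frame(packet_type, body=b""):
    """EAPOL framing: Version(1) Type(1) Body-Length(2) Body."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def parse_eapol(frame):
    _, packet_type, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL frame")
    return packet_type, body


def parse_eap(packet):
    """Return (code, identifier, type, type_data); type is None for Success/Failure."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length mismatch")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    return code, identifier, packet[4], packet[5:]


def md5_response(identifier, secret, challenge):
    """EAP-MD5 reuses CHAP (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def md5_value(type_data):
    """Type-Data of an MD5-Challenge is Value-Size(1) || Value || Name."""
    return type_data[1:1 + type_data[0]]


def run_exchange(identity, password, user_db, challenge=None):
    """Supplicant <-> authenticator (AP, pass-through) <-> auth server.

    Returns (authenticated, frames).  Every frame is what goes over the air;
    802.1X itself encrypts none of it.
    """
    challenge = challenge or os.urandom(16)
    frames = [eapol_frame(EAPOL_START)]                       # 1. EAPOL-Start
    frames.append(eapol_frame(EAPOL_EAP_PACKET,              # 2. Request/Identity
                              eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)))
    _, ident, etype, _ = parse_eap(parse_eapol(frames[-1])[1])
    if etype != EAP_TYPE_IDENTITY:
        raise ValueError("expected Identity request")
    frames.append(eapol_frame(EAPOL_EAP_PACKET,              # 3. Response/Identity
                              eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode())))
    frames.append(eapol_frame(EAPOL_EAP_PACKET,              # 4. Request/MD5-Challenge
                              eap_packet(EAP_REQUEST, 2, EAP_TYPE_MD5,
                                         bytes([len(challenge)]) + challenge + b"radius1")))
    _, ident, etype, tdata = parse_eap(parse_eapol(frames[-1])[1])
    value = md5_response(ident, password, md5_value(tdata))
    frames.append(eapol_frame(EAPOL_EAP_PACKET,              # 5. Response/MD5-Challenge
                              eap_packet(EAP_RESPONSE, ident, EAP_TYPE_MD5,
                                         bytes([len(value)]) + value + identity.encode())))
    _, ident, _, tdata = parse_eap(parse_eapol(frames[-1])[1])
    secret = user_db.get(identity)                           # server's copy of the password
    ok = secret is not None and md5_value(tdata) == md5_response(ident, secret, challenge)
    frames.append(eapol_frame(EAPOL_EAP_PACKET,              # 6. Success or Failure
                              eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, ident)))
    return ok, frames


def final_code(frames):
    """EAP code of the last frame of an exchange (Success or Failure)."""
    return parse_eap(parse_eapol(frames[-1])[1])[0]


def offline_dictionary_attack(frames, wordlist):
    """An eavesdropper needs only the captured challenge, response and identifier.
    This is why MD5-Challenge is only acceptable inside a TLS tunnel (PEAP/TTLS)."""
    challenge = response = resp_id = None
    for frame in frames:
        ptype, body = parse_eapol(frame)
        if ptype != EAPOL_EAP_PACKET:
            continue
        code, ident, etype, tdata = parse_eap(body)
        if etype == EAP_TYPE_MD5 and code == EAP_REQUEST:
            challenge = md5_value(tdata)
        elif etype == EAP_TYPE_MD5 and code == EAP_RESPONSE:
            response, resp_id = md5_value(tdata), ident
    for guess in wordlist:
        if md5_response(resp_id, guess, challenge) == response:
            return guess
    return None
```

Run `run_exchange("alice", b"hunter2", {"alice": b"hunter2"})` and feed the returned frames to `offline_dictionary_attack` with a wordlist containing the password: the attack recovers it from the captured frames alone, which is exactly the reason PEAP and EAP-TTLS wrap such inner methods in a TLS tunnel. Note also that the frames carry no encryption of their own; 802.1x hands that job to WEP/TKIP once the Success arrives.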

802.11i

  • Fixes some problems with WEP
  • Its first stage is TKIP (Temporal Key Integrity Protocol), designed as a firmware upgrade for existing WEP hardware; 802.11i as a whole is broader than TKIP
  • Same cipher as WEP (RC4), but the key fed to RC4 is freshly mixed for every packet from a temporal key, the transmitter address and a 48-bit packet sequence counter, so a keystream is never reused
  • The 48-bit sequence counter also serves as a replay check, and a keyed message integrity check (Michael) replaces WEP's CRC-32
  • The temporal key itself is rotated periodically through 802.1x rekeying (early drafts proposed a new key every 10,000 packets)
  • AES encryption (CCMP) is the intended long-term replacement for RC4, but will require new hardware
  • http://www.pcworld.com/news/article/0,aid,82563,00.asp
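
An added example, not from the original page, of the WEP weakness that per-packet keying addresses: with a static key and a 24-bit IV, two frames sent under the same IV share an RC4 keystream, and the XOR of the two ciphertexts is the XOR of the two plaintexts. The second half shows the shape of the fix: a different RC4 key for every packet plus a strictly increasing sequence counter that rejects replays. The RC4 is a textbook implementation; the function named per_packet_key is a deliberate stand-in (SHA-256 of key, address and counter) and is NOT the TKIP mixing function, which uses an S-box based two-phase mixer. Keys, addresses and messages are constructed.

```python
# Added example, not from the original page: why a fixed WEP key plus a
# 24-bit IV leads to keystream reuse, and what per-packet keying with a
# replay counter buys.  The RC4 is a textbook implementation.  per_packet_key
# is a deliberate stand-in for TKIP's two-phase key mixing (which is keyed on
# the temporal key, transmitter MAC address and 48-bit sequence counter);
# hashing with SHA-256 only illustrates "fresh key per packet" and is NOT
# the TKIP mixing function.  Keys, addresses and messages are constructed.
import hashlib


def rc4_keystream(key, n):
    """Plain RC4 (the cipher shared by WEP and TKIP): n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key, iv, plaintext):
    """WEP: RC4 key = 3-byte IV (sent in the clear) || static shared key."""
    return iv + xor(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))


def wep_decrypt(wep_key, frame):
    iv, body = frame[:3], frame[3:]
    return xor(body, rc4_keystream(iv + wep_key, len(body)))


def keystream_reuse_leak(frame_a, frame_b):
    """Two WEP frames under the same key and IV share a keystream, so
    C_a XOR C_b == P_a XOR P_b: the attacker learns the XOR of the plaintexts
    without the key.  With only 2**24 IVs a busy AP repeats them routinely."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[3:], frame_b[3:])


def per_packet_key(temporal_key, transmitter_addr, tsc):
    """Stand-in for TKIP key mixing: a different 16-byte RC4 key for every
    packet, tied to the transmitter and the 48-bit sequence counter (TSC)."""
    material = temporal_key + transmitter_addr + tsc.to_bytes(6, "big")
    return hashlib.sha256(material).digest()[:16]


def tkip_like_encrypt(temporal_key, transmitter_addr, tsc, plaintext):
    """Frame = 6-byte TSC in the clear || RC4(per-packet key) XOR plaintext."""
    key = per_packet_key(temporal_key, transmitter_addr, tsc)
    return tsc.to_bytes(6, "big") + xor(plaintext, rc4_keystream(key, len(plaintext)))


class TkipLikeReceiver:
    """Decrypts and enforces the replay check: the TSC must strictly increase."""

    def __init__(self, temporal_key, transmitter_addr):
        self.temporal_key = temporal_key
        self.transmitter_addr = transmitter_addr
        self.last_tsc = -1

    def receive(self, frame):
        tsc, body = int.from_bytes(frame[:6], "big"), frame[6:]
        if tsc <= self.last_tsc:
            return None                       # replayed or reordered: drop
        self.last_tsc = tsc
        key = per_packet_key(self.temporal_key, self.transmitter_addr, tsc)
        return xor(body, rc4_keystream(key, len(body)))
```

Encrypt two messages with `wep_encrypt` under the same IV and pass the frames to `keystream_reuse_leak`: the result equals the XOR of the plaintexts. Encrypt the same two messages with `tkip_like_encrypt` under counters 1 and 2 and the XOR of the ciphertexts reveals nothing, and re-sending frame 1 to a `TkipLikeReceiver` that has already seen counter 2 is dropped. The replay check is one reason TKIP and 802.1x are paired: the counter only means something once both ends agree on the session's temporal key.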

802.1x

Cisco LEAP

  • AKA EAP-Cisco
  • Proprietary, only implemented in Cisco software (ACS) and Aironet A/Ps, bridges and clients
  • Provides:
    • Session-based keying (a fresh WEP key per session, derived from the authentication)
    • Message integrity checks
    • Two-way authentication (client proves itself to the server and the server to the client) using an MS-CHAP-style challenge/response on the user's password
  • Requires:
    • Cisco Aironet gear
    • Cisco ACS software (some others now offer compatibility)
  • Pros:
    • Addresses the main 802.11 deployment problems of its day: static shared WEP keys, no per-user authentication, no key rotation
    • Integrates with NT domains and Active Directory through ACS
    • Clients available for Windows 9x, 2000 and XP as well as Linux, PocketPC and Palm
  • Cons:
    • Expensive, proprietary
    • No open-source solution for AAA server
    • The challenge/response is not protected by a TLS tunnel, so anyone who captures the exchange can run an offline dictionary attack against the password; LEAP is only as strong as the user's password

PEAP

  • Developed by Microsoft, Cisco and RSA
  • Included in XP SP1
  • Aironet devices will also soon support it
  • Almost identical to EAP-TTLS
  • Server authenticates to the client with a TLS certificate
    • TLS tunnel is built first
  • Client to server authentication is any other EAP method run inside the tunnel (EAP-MSCHAPv2, MD5, tokens, etc.)
  • Pros:
    • No client certificates needed (same as EAP-TTLS); backing from Microsoft and Cisco makes broad support likely
  • Cons:
    • XP is the only client available
    • IAS is the only server available
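
What the three TLS-based methods ask of the client, side by side, as an added example that is not from the original page: wpa_supplicant.conf network blocks for EAP-TLS, PEAP and EAP-TTLS (wpa_supplicant is not one of the clients listed above; it is assumed here because it is the common open-source supplicant today). SSIDs, identities, passwords and certificate paths are placeholders, and domain_suffix_match assumes a wpa_supplicant recent enough to support it.

```conf
# EAP-TLS: client AND server certificates.  The supplicant needs its own
# key pair, issued by the corporate PKI, and the CA certificate that signed
# the RADIUS server's certificate.
network={
    ssid="corp-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/cert/corp-ca.pem"
    client_cert="/etc/cert/alice.pem"
    private_key="/etc/cert/alice.key"
    private_key_passwd="keypassphrase"
    domain_suffix_match="radius.example.com"
}

# PEAP: server certificate only.  The user authenticates with a password
# inside the TLS tunnel, so the password never appears in the clear.
# anonymous_identity is the outer identity visible to eavesdroppers.
network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous@example.com"
    password="correct horse battery staple"
    ca_cert="/etc/cert/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}

# EAP-TTLS: same shape as PEAP, but the inner method can be a legacy
# non-EAP one (auth=PAP, auth=CHAP, auth=MSCHAPV2) or an EAP method
# (autheap=MD5, autheap=MSCHAPV2).
network={
    ssid="corp-ttls"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    anonymous_identity="anonymous@example.com"
    password="correct horse battery staple"
    ca_cert="/etc/cert/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=PAP"
}
```

The check that matters for PEAP and EAP-TTLS is the server side of the tunnel: if ca_cert is omitted (or a public CA is trusted without domain_suffix_match), the supplicant will build a tunnel to any access point presenting any certificate and send the inner password or challenge/response straight to it. The PKI burden that EAP-TTLS and PEAP remove is only the client certificate; the server certificate and the client's trust in it remain mandatory.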

If there is any problem with these links, or you want to suggest additions, please contact info@pneservices.com