Wireless clients should be authenticated before they are allowed to associate with an AP. It is also best that the AP authenticates itself to the client before any traffic is sent, so as to minimize attacks from illegitimate (rogue) APs. For confidentiality, the data payload should be encrypted before it is sent and decrypted after it is received, so that the contents of the message stay private.
Each WLAN supports only one authentication method and one encryption scheme.
An AP can also provide a group key, shared by all of its clients, which it uses to encrypt broadcast and multicast data that it needs to send to all clients at once.
To ensure that a message has not been tampered with in transit, a Message Integrity Check (MIC) is used. The sender computes a keyed stamp (the MIC) over the message and sends it along with the encrypted frame; the receiver recomputes the MIC after decrypting the frame and compares it with the one received. A mismatch means the frame was altered or forged, and it is discarded.
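The check described above, as an added example that is not part of the original notes: a keyed MIC computed over the plaintext, appended, encrypted, then recomputed and compared by the receiver. For contrast it also shows why an unkeyed checksum such as WEP's CRC-32 ICV is not a MIC: under a stream cipher an attacker can flip plaintext bits through the ciphertext and patch the ICV using CRC-32 linearity, which a keyed HMAC catches. The SHA-256 counter keystream, the use of HMAC-SHA256 as the MIC algorithm, and all keys and messages are constructed stand-ins for this illustration.

```python
"""Added example (not from the original notes): a keyed MIC versus an unkeyed
checksum. A toy SHA-256 counter keystream stands in for RC4/TKIP and HMAC-SHA256
stands in for the real MIC algorithm; keys, IV and the message are constructed."""
import hashlib
import hmac
import zlib


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Constructed toy keystream (not a real cipher): SHA-256 over key||iv||counter."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# WEP-style integrity: unkeyed CRC-32 ICV appended to the plaintext, all encrypted.
def seal_crc(key: bytes, iv: bytes, msg: bytes) -> bytes:
    body = msg + zlib.crc32(msg).to_bytes(4, "big")
    return xor(body, keystream(key, iv, len(body)))


def open_crc(key: bytes, iv: bytes, ct: bytes):
    body = xor(ct, keystream(key, iv, len(ct)))
    msg, icv = body[:-4], body[-4:]
    return msg if zlib.crc32(msg).to_bytes(4, "big") == icv else None


# Keyed MIC as the notes describe: computed over the plaintext with its own key,
# appended, encrypted; the receiver decrypts, recomputes and compares.
def seal_mic(enc_key: bytes, mic_key: bytes, iv: bytes, msg: bytes) -> bytes:
    body = msg + hmac.new(mic_key, msg, hashlib.sha256).digest()
    return xor(body, keystream(enc_key, iv, len(body)))


def open_mic(enc_key: bytes, mic_key: bytes, iv: bytes, ct: bytes):
    body = xor(ct, keystream(enc_key, iv, len(ct)))
    msg, mic = body[:-32], body[-32:]
    expected = hmac.new(mic_key, msg, hashlib.sha256).digest()
    return msg if hmac.compare_digest(expected, mic) else None


def flip_and_patch_icv(ct: bytes, delta: bytes) -> bytes:
    """Attacker without the key: XOR `delta` into the ciphertext (flips the same
    plaintext bits under a stream cipher) and patch the encrypted ICV using
    CRC-32 linearity: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros of len m)."""
    n = len(ct) - 4
    d = delta.ljust(n, b"\x00")
    icv_fix = (zlib.crc32(d) ^ zlib.crc32(bytes(n))).to_bytes(4, "big")
    return xor(ct, d + icv_fix)


def demo():
    enc_key, mic_key, iv = b"constructed-enc-key", b"constructed-mic-key", b"\x01\x02\x03"
    msg = b"PAY 010 USD TO BOB"                      # constructed frame payload
    # Attacker knows the frame layout and wants "010" -> "999" (bytes 4..6).
    delta = bytes(4) + xor(b"010", b"999")

    forged = flip_and_patch_icv(seal_crc(enc_key, iv, msg), delta)
    crc_view = open_crc(enc_key, iv, forged)          # accepted as b"PAY 999 USD TO BOB"

    ct = seal_mic(enc_key, mic_key, iv, msg)
    mic_view = open_mic(enc_key, mic_key, iv, xor(ct, delta.ljust(len(ct), b"\x00")))  # None
    return crc_view, mic_view
```

`demo()` returns the tampered-but-accepted plaintext for the CRC-protected frame and `None` for the MIC-protected one: the receiver never learns the key-independent ICV was patched, while the keyed MIC cannot be recomputed without the MIC key.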
Wireless Client Authentication Methods
- Open Authentication – No credentials needed. The client must send an 802.11 authentication request before attempting to associate. Clients are authenticated locally at the AP.
- WEP (Wired Equivalent Privacy) – uses the RC4 cipher for encryption and decryption. Sender and receiver must hold identical keys to decrypt the encrypted data (a shared-key mechanism): every client must have the same key before associating with the AP. Four WEP keys are configurable, but only one is active at a time. WEP can be used as an authentication method or as an encryption method. For shared-key authentication the AP sends a challenge, the client encrypts the challenge with WEP and returns it, and the AP decrypts the response with its own key and compares it with the challenge it sent. Keys can be 40 or 104 bits long, entered as a string of 10 or 26 hex digits. WEP encryption and WEP shared-key authentication are both weak methods. WEP was implemented in the wireless adapter hardware, which made it rather difficult to move away from without changing hardware. Clients are authenticated locally at the AP.
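The shared-key challenge/response exchange from both sides, as an added example that is not part of the original notes, with an inline RC4 implementation. It also demonstrates the well-known reason the exchange is weak: the challenge is sent in the clear and the response is the same bytes XORed with RC4 keystream, so anyone who captures one exchange recovers 128 bytes of keystream for that IV and, because WEP allows IVs to repeat, can answer any later challenge without knowing the key. The WEP key, IVs, MAC addresses and challenges are constructed values.

```python
"""Added example (not from the original notes): the WEP shared-key
authentication exchange from both sides, and the reason it is weak. RC4 is
implemented inline; the key, IV, MAC and challenge values are constructed."""
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation); encrypt == decrypt."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP seeds RC4 with the 24-bit IV prepended to the 40- or 104-bit key."""
    return rc4(iv + key, data)


class AccessPoint:
    def __init__(self, wep_key: bytes):
        self.key = wep_key
        self.pending = {}

    def auth_seq2(self, client_mac: bytes) -> bytes:
        """Reply to the client's auth request (seq 1) with a 128-byte challenge, in the clear."""
        challenge = os.urandom(128)
        self.pending[client_mac] = challenge
        return challenge

    def auth_seq4(self, client_mac: bytes, iv: bytes, encrypted: bytes) -> bool:
        """Decrypt the client's response (seq 3) and compare it with the challenge sent."""
        challenge = self.pending.pop(client_mac, None)
        return challenge is not None and wep_crypt(self.key, iv, encrypted) == challenge


class Client:
    def __init__(self, wep_key: bytes):
        self.key = wep_key

    def auth_seq3(self, challenge: bytes):
        iv = os.urandom(3)                           # client picks the IV; sent in the clear
        return iv, wep_crypt(self.key, iv, challenge)


def attacker_auth(ap: AccessPoint, observed) -> bool:
    """Eavesdropper captured (challenge, iv, encrypted) from a legitimate login.
    challenge XOR encrypted == the RC4 keystream for that IV; replaying the IV
    lets the attacker encrypt any new challenge correctly without the key."""
    challenge, iv, encrypted = observed
    keystream = bytes(a ^ b for a, b in zip(challenge, encrypted))
    attacker_mac = b"\xbb" * 6
    new_challenge = ap.auth_seq2(attacker_mac)
    forged = bytes(a ^ b for a, b in zip(new_challenge, keystream))
    return ap.auth_seq4(attacker_mac, iv, forged)


def demo():
    key = bytes.fromhex("0123456789")                # 40-bit key entered as 10 hex digits
    ap = AccessPoint(key)
    legit, wrong = Client(key), Client(bytes.fromhex("ffffffffff"))

    challenge = ap.auth_seq2(b"\xaa" * 6)
    iv, encrypted = legit.auth_seq3(challenge)
    legit_ok = ap.auth_seq4(b"\xaa" * 6, iv, encrypted)          # True: correct key

    challenge2 = ap.auth_seq2(b"\xcc" * 6)
    iv2, enc2 = wrong.auth_seq3(challenge2)
    wrong_ok = ap.auth_seq4(b"\xcc" * 6, iv2, enc2)              # False: wrong key

    hijack = attacker_auth(ap, (challenge, iv, encrypted))       # True: no key needed
    return legit_ok, wrong_ok, hijack
```

Note that the attacker's frame is cryptographically indistinguishable from a legitimate one: the AP's check in `auth_seq4` is correct, and it is the protocol design (plaintext challenge plus reusable IV) that leaks the keystream.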
- 802.1X/EAP (Extensible Authentication Protocol) – More extensible and scalable, because EAP is a framework rather than a single authentication method. EAP can be integrated with the port-based access control method 802.1X. When 802.1X is enabled, access to the network medium is blocked until the client authenticates through an EAP method, so even after the client associates with the AP it cannot pass traffic until it is authenticated. The client uses open authentication to associate with the AP; the actual authentication process then takes place at a dedicated authentication server. Three roles are involved: the supplicant (the client) requests access, the authenticator (the AP) controls access to the network, and the authentication server (AS), usually a RADIUS server, permits or denies access based on its user database. Common EAP-based authentication methods are:
- Lightweight EAP (LEAP)
- Developed by Cisco
- Client supplies a username and password
- Auth server and client exchange challenge messages
- Uses dynamic WEP keys
- Was deprecated because the method used to encrypt the challenge messages was found to be vulnerable
- Should not be used.
- EAP Flexible Authentication by Secure Tunneling (EAP-FAST)
- Developed by Cisco
- Authentication credentials are protected by passing a protected access credential (PAC) between the AS and the supplicant. The AS generates the PAC for each user. The PAC is then used to negotiate a Transport Layer Security (TLS) tunnel, inside which the end user's credentials are authenticated for added security. Authentication therefore occurs in two separate phases: outside the TLS tunnel (establishing it using the PAC) and within the TLS tunnel (authenticating the user).
- The RADIUS server should be an EAP-FAST server so that it can generate PACs for each user
- Has a known vulnerability but is still considered secure if managed well.
- Protected EAP (PEAP)
- Uses inner and outer authentication
- In the outer authentication, the AS presents a certificate to the supplicant in order to authenticate itself. The AS's digital certificate consists of data in a standard format that identifies the owner and is signed (validated) by a third party, the certificate authority (CA). The supplicant must hold the CA's certificate so that it can validate the certificate it receives from the AS. The certificate also carries the AS's public key, in plain view, which the supplicant uses to set up the protected TLS session with the AS.
- If the supplicant is satisfied with the identity of the AS, the two build a TLS tunnel for the inner authentication and the encryption key exchange.
- Only the AS has a certificate. The client does not have or use a certificate of its own, so it must be authenticated within the TLS tunnel using either MS-CHAPv2 or GTC
- GTC – Generic Token Card; a hardware device that generates one-time passwords for the user, or a manually generated password
- EAP Transport Layer Security (EAP-TLS)
- Requires a certificate on both the AS and every client device.
- AS and supplicant can auth each other using certificate.
- Mutual authentication happens as part of the TLS handshake; once the TLS tunnel is built, encryption key material can be securely exchanged
- Most secure method available
- A Public Key Infrastructure (PKI) can supply certificates securely and efficiently and revoke them when a client or user should no longer have access to the network, instead of having to do that manually for each and every client. This usually involves setting up your own CA or building a trust relationship with a third-party CA that can supply certificates to your clients.
- Many wireless devices, such as communicators, medical devices, and RFID tags, have an underlying operating system that cannot interface with a CA or use certificates, so EAP-TLS is not an option for them.
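The 802.1X behaviour described at the start of this list, as an added example that is not part of the original notes: the supplicant, authenticator (AP) and authentication server are modelled as Python classes, the AP relays EAP between the other two and forwards data frames only once the client's port is authorized, and a client that has associated but not yet authenticated gets its traffic dropped. The inner EAP method is a constructed HMAC challenge/response standing in for a real method such as MS-CHAPv2; RADIUS encapsulation is omitted, and the user names, passwords and MAC addresses are constructed.

```python
"""Added example (not from the original notes): 802.1X port-based access control
around an EAP exchange. The inner method is a constructed HMAC challenge/response,
not a real EAP method; RADIUS transport is omitted; users and MACs are constructed."""
import hashlib
import hmac
import os


class AuthServer:
    """Authentication server: owns the user database and decides permit/deny."""

    def __init__(self, users: dict):
        self.users = users                      # identity -> password (constructed)
        self.challenges = {}

    def handle(self, eap: dict) -> dict:
        if eap["type"] == "identity":
            if eap["identity"] not in self.users:
                return {"type": "failure"}
            nonce = os.urandom(16)
            self.challenges[eap["identity"]] = nonce
            return {"type": "challenge", "nonce": nonce}
        if eap["type"] == "response":
            nonce = self.challenges.pop(eap["identity"], None)
            if nonce is None:
                return {"type": "failure"}
            expected = hmac.new(self.users[eap["identity"]].encode(), nonce, hashlib.sha256).digest()
            ok = hmac.compare_digest(expected, eap["proof"])
            return {"type": "success"} if ok else {"type": "failure"}
        return {"type": "failure"}


class Authenticator:
    """The AP: relays EAP (uncontrolled port) and opens the controlled port on success."""

    def __init__(self, aserver: AuthServer):
        self.aserver = aserver
        self.authorized = set()
        self.delivered = []

    def associate(self, mac: bytes) -> bool:
        self.authorized.discard(mac)            # open auth + association: link up, port blocked
        return True

    def eapol(self, mac: bytes, eap: dict) -> dict:
        reply = self.aserver.handle(eap)        # AP never inspects credentials itself
        if reply["type"] == "success":
            self.authorized.add(mac)
        return reply

    def data_frame(self, mac: bytes, payload: bytes) -> bool:
        if mac not in self.authorized:
            return False                        # dropped: only EAPOL passes before auth
        self.delivered.append((mac, payload))
        return True


class Supplicant:
    def __init__(self, mac: bytes, identity: str, password: str):
        self.mac, self.identity, self.password = mac, identity, password

    def authenticate(self, ap: Authenticator) -> bool:
        ap.associate(self.mac)
        reply = ap.eapol(self.mac, {"type": "identity", "identity": self.identity})
        if reply["type"] != "challenge":
            return False
        proof = hmac.new(self.password.encode(), reply["nonce"], hashlib.sha256).digest()
        reply = ap.eapol(self.mac, {"type": "response", "identity": self.identity, "proof": proof})
        return reply["type"] == "success"


def demo():
    ap = Authenticator(AuthServer({"alice": "correct horse"}))
    alice = Supplicant(b"\xaa" * 6, "alice", "correct horse")
    mallory = Supplicant(b"\xbb" * 6, "alice", "wrong guess")

    ap.associate(alice.mac)
    before = ap.data_frame(alice.mac, b"GET /")      # False: associated, not authenticated
    alice_ok = alice.authenticate(ap)                # True
    after = ap.data_frame(alice.mac, b"GET /")       # True: controlled port now open
    mallory_ok = mallory.authenticate(ap)            # False: bad password
    mallory_data = ap.data_frame(mallory.mac, b"GET /")  # False: port stays blocked
    return before, alice_ok, after, mallory_ok, mallory_data
```

The point to notice is that the AP holds no user database and makes no credential decision of its own: it only tracks which ports the AS has approved, which is what lets one RADIUS server serve many APs.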