Tuesday, November 24, 2020

WIRELESS AUTHENTICATION METHODS

These methods authenticate the device only. They do not use TLS, which is only used with certificates. They do not use a username, only a password (the PSK).

WEP (Wired Equivalent Privacy)

  • Built on RC4 – uses a 24-bit IV – PSK (Pre-Shared Key)
  • Prone to IV (Initialization Vector) attack

WPA (Wi-Fi Protected Access)

  • Built on RC4 – uses TKIP (Temporal Key Integrity Protocol)
  • Personal Mode (PSK) or Enterprise Mode (with RADIUS)
  • The PSK is prone to brute force attacks

WPA2 (Wi-Fi Protected Access 2)

  • Built on AES – uses CCMP
  • Personal Mode (PSK) or Enterprise Mode (with RADIUS)
  • The PSK is prone to brute force attacks
  • AES replaced RC4, CCMP replaced TKIP
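WPA and WPA2 Personal mode derive the key from the passphrase in the same way, which is why the notes call the PSK brute-forceable in both: the 256-bit PMK is PBKDF2-HMAC-SHA1 over the passphrase, salted only with the SSID, 4096 iterations. The derivation is deterministic and cheap, so once a handshake has been captured, guesses can be tested offline and a short or common passphrase falls quickly. The following is an added example (Python), not code from the notes: it performs the derivation as IEEE 802.11i defines it and runs a passphrase policy check a defender can apply before deploying a PSK. The policy thresholds (20 characters, 100 bits) are this example's own assumptions.

```python
"""Derive a WPA/WPA2-Personal PMK the way IEEE 802.11i does, and check passphrase policy.

Added example for the notes above; the policy thresholds are assumptions of this example.
"""
import hashlib
import math
import string

# The standard restricts passphrases to 8..63 printable ASCII characters.
PRINTABLE_ASCII = {chr(c) for c in range(32, 127)}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (the 'PSK') = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).

    Because the SSID is the only salt, two networks with the same SSID and
    passphrase share a PMK, and common SSIDs allow precomputed tables.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not set(passphrase) <= PRINTABLE_ASCII:
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def guess_space_bits(passphrase: str) -> float:
    """Optimistic strength estimate: log2(charset ** length), with the charset
    inferred from the character classes actually present in the passphrase."""
    charset = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        charset += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        charset += 26
    if any(c in string.digits for c in passphrase):
        charset += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        charset += 33
    return len(passphrase) * math.log2(charset) if charset else 0.0


def psk_policy_violations(passphrase: str, ssid: str,
                          min_length: int = 20, min_bits: float = 100.0) -> list:
    """Return the policy problems with a proposed PSK; an empty list means it passes.

    min_length and min_bits are this example's assumed policy, not values from the notes.
    """
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length outside the 8..63 range the standard allows")
    if not set(passphrase) <= PRINTABLE_ASCII:
        problems.append("contains characters outside printable ASCII")
    if len(passphrase) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if guess_space_bits(passphrase) < min_bits:
        problems.append(f"estimated guess space below {min_bits:.0f} bits")
    if ssid and ssid.lower() in passphrase.lower():
        problems.append("contains the SSID")
    return problems


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # Constructed samples: a weak PSK and one that passes the assumed policy.
    print(psk_policy_violations("password", "IEEE"))
    print(psk_policy_violations("correct-horse-battery-staple-42", "CorpWiFi"))
```

The first call reproduces the published IEEE 802.11i test vector, which is a quick way to confirm a tool derives the PMK correctly; the policy function is what you would wire into whatever provisions the PSK on the access point.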


WPA3 (Wi-Fi Protected Access 3)

  • Built on GCMP-256 (Galois/Counter Mode Protocol)
  • Replaces PSK with SAE (Simultaneous Authentication of Equals)

WPS (Wi-Fi Protected Setup)

  • Connection is normally made with a push button
  • If there is no push button, use the 8-digit PIN on the bottom of the AP
  • Prone to a brute force attack, can be broken in less than 11,000 attempts
  • Tools used for cracking WPS: Reaver, Wifite, Wash

The following methods authenticate the user and require certificates. When certificates are used, TLS must be used.

Enterprise Mode / 802.1x Authentication

  • Using this method requires a RADIUS server
  • Authentication can be accomplished with a username & password, smart card, or token
  • Authentication is used against an enterprise directory service / AAA server / RADIUS
  • 802.1x requires a Supplicant, Authenticator, and Authentication server (AAA / RADIUS)

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security)

  • Certificates required on both the server and wireless device (Supplicant)
  • Provides mutual authentication
  • Authenticates the user – uses an enterprise directory service

EAP-TTLS (Extensible Authentication Protocol – Tunneled Transport Layer Security)

  • Certificate on the server only
  • Authenticates the user – uses an enterprise directory service
  • End-to-end protection of authentication credentials

PEAP (Protected Extensible Authentication Protocol)

  • Certificate on the server only
  • Uses TLS
  • Authenticates the user – uses an enterprise directory service
  • End-to-end protection of authentication credentials
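EAP-TLS, EAP-TTLS and PEAP all depend on the supplicant validating the RADIUS server's certificate: the "end-to-end protection of authentication credentials" in the notes only holds if the client refuses to hand its credentials to a server whose certificate it has not checked, and with the server-certificate-only methods (EAP-TTLS, PEAP) that check is the client's sole defence against a rogue authentication server. The following is an added example (Python), not code from the notes or from wpa_supplicant: a small linter for wpa_supplicant-style 802.1X network profiles that verifies the certificate settings each method needs and flags LEAP as deprecated. The option names (eap, ca_cert, client_cert, private_key, domain_suffix_match, anonymous_identity) are real wpa_supplicant keys; the three sample profiles, their SSIDs, paths and accounts are constructed.

```python
"""Lint wpa_supplicant-style 802.1X (Enterprise Mode) profiles for certificate validation.

Added example for the notes above. Keys such as eap, ca_cert, client_cert,
domain_suffix_match and anonymous_identity are real wpa_supplicant options;
the sample profiles below are constructed.
"""

SAMPLE_CONFIG = """
# Constructed sample: one good EAP-TLS profile, one weak PEAP profile, one legacy LEAP profile.
network={
    ssid="Corp-EAPTLS"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    client_cert="/etc/wpa/alice.crt"
    private_key="/etc/wpa/alice.key"
    domain_suffix_match="radius.corp.example"
}
network={
    ssid="Corp-PEAP"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="bob@corp.example"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Legacy-LEAP"
    key_mgmt=WPA-EAP
    eap=LEAP
    identity="carol"
    password="secret"
}
"""

TLS_BASED = {"TLS", "PEAP", "TTLS"}  # the certificate-based methods from the notes


def parse_profiles(text: str) -> list:
    """Turn network={ key=value ... } blocks into a list of dicts (quotes stripped)."""
    profiles, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            profiles.append(current)
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return profiles


def lint_profile(profile: dict) -> list:
    """Return the findings for one profile; an empty list means it passes."""
    findings = []
    if profile.get("key_mgmt") != "WPA-EAP":
        return ["key_mgmt is not WPA-EAP, so this is not an 802.1X profile"]
    eap = profile.get("eap", "").upper()
    if eap == "TLS":
        for key in ("client_cert", "private_key"):
            if key not in profile:
                findings.append(f"EAP-TLS needs a client certificate: {key} is missing")
    elif eap in ("PEAP", "TTLS"):
        if "anonymous_identity" not in profile:
            findings.append(f"{eap}: no anonymous_identity, the real username is sent "
                            "in the clear in the outer EAP identity")
    elif eap == "LEAP":
        findings.append("LEAP is deprecated (replaced by EAP-FAST); move to a TLS-based method")
    else:
        findings.append(f"unrecognised EAP method {eap!r}")
    if eap in TLS_BASED:
        if "ca_cert" not in profile:
            findings.append("no ca_cert: the supplicant will not validate the RADIUS server certificate")
        if not any(k in profile for k in ("domain_suffix_match", "subject_match", "altsubject_match")):
            findings.append("no domain_suffix_match/subject_match: any certificate "
                            "from the trusted CA would be accepted")
    return findings


def lint_config(text: str) -> dict:
    """Map each profile's SSID to its findings."""
    return {p.get("ssid", "<no ssid>"): lint_profile(p) for p in parse_profiles(text)}


if __name__ == "__main__":
    for ssid, findings in lint_config(SAMPLE_CONFIG).items():
        print(ssid, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Run against the sample, the EAP-TLS profile passes, the PEAP profile produces three findings (no CA pinned, no server-name match, username exposed in the outer identity), and the LEAP profile is flagged for replacement. The same checks apply to any supplicant: the option names differ, the requirements do not.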

The following methods authenticate the user and do not use certificates.

LEAP (Lightweight Extensible Authentication Protocol)

  • Does not require certificates
  • Replaced with EAP-FAST

EAP-FAST (Flexible Authentication via Secure Tunneling)

  • Does not use certificates
  • Replaced LEAP

The following describes RADIUS federation:

  • Multiple organizations allow access to one another’s users
  • Uses the native 802.1x client (Supplicant)
  • Each organization has a RADIUS server and joins a mesh
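In practice the federation works on the realm part of the identity: a member's RADIUS server reads the realm of the outer identity (user@realm) and either handles the request itself or proxies it to the peer that owns that realm. The visited organisation sees only the outer identity and the EAP payload; with the tunnelled methods above, the user's credentials stay inside the TLS tunnel to the home server. The following is an added example (Python), not code from the notes and not modelled on any particular federation's software: the routing decision a member's proxy makes, with suffix matching for sub-realms, rejection of identities that carry no realm, and a hop guard against routing loops. The peer table, realm names, hostnames and the hop limit are constructed assumptions.

```python
"""Realm-based routing in a RADIUS federation (added example, constructed data).

A member's RADIUS server reads the realm of the outer identity and decides
whether to authenticate locally, proxy to the peer that owns the realm, or reject.
"""

# Constructed federation table: realm -> home RADIUS server of the organisation that owns it.
FEDERATION_PEERS = {
    "uni-a.example": "radius.uni-a.example",
    "uni-b.example": "radius.uni-b.example",
    "corp-c.example": "aaa.corp-c.example",
}
LOCAL_REALM = "uni-a.example"  # the realm this proxy answers for itself
MAX_HOPS = 4                   # assumed loop guard; real proxies apply a similar limit


def split_identity(outer_identity: str):
    """Return (user, realm), or (user, None) when the identity carries no realm."""
    user, sep, realm = outer_identity.rpartition("@")
    if not sep or not realm:
        return outer_identity, None
    return user, realm.lower().strip(".")


def route_request(outer_identity: str, visited=(), local_realm=LOCAL_REALM,
                  peers=FEDERATION_PEERS, max_hops=MAX_HOPS):
    """Decide ('local', realm), ('proxy', server) or ('reject', reason) for one request.

    `visited` lists the servers that already handled this request (the role the
    Proxy-State chain plays for a real proxy), so loops can be detected.
    """
    if len(visited) >= max_hops:
        return ("reject", f"more than {max_hops} proxy hops, possible routing loop")
    _, realm = split_identity(outer_identity)
    if realm is None:
        return ("reject", "identity has no realm, cannot find a home server")
    if realm == local_realm or realm.endswith("." + local_realm):
        return ("local", local_realm)
    # Walk from the most specific label to the least: lab.uni-b.example -> uni-b.example.
    labels = realm.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in peers:
            target = peers[candidate]
            if target in visited:
                return ("reject", f"routing loop: {target} already handled this request")
            return ("proxy", target)
    return ("reject", f"no federation peer owns realm {realm!r}")


if __name__ == "__main__":
    for identity in ("alice@uni-a.example", "anonymous@lab.uni-b.example",
                     "bob", "mallory@unknown.example"):
        print(identity, "->", route_request(identity))
```

Two design points worth noting: an identity without a realm is rejected rather than treated as local, so a visiting user cannot be silently authenticated against the wrong directory, and the hop guard bounds how far a misconfigured peer table can bounce a request around the mesh.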
