Tuesday, November 24, 2020

WIRELESS AUTHENTICATION METHODS

WIRELESS AUTHENTICATION METHODS

These authenticate the device only. These devices do not use TLS, which is only used with certificates. Do not use a username; only use a password (PSK).

 WEP (Wired Equivalent Privacy)

·       Built on RC4 – uses a 24-bit IV – PSK (Pre-Shared Key)

·       Prone to IV (Initialization Vector) attack

 WPA (Wi-Fi Protected Access)

·       Built on RC4 – uses TKIP (Temporal Key Integrity Protocol)

·       Personal Mode (PSK) or Enterprise Mode (with RADIUS)

·       The PSK is prone to brute force attacks

 WPA2 (Wi-Fi Protected Access 2)

·       Built on AES – uses CCMP

·       Personal Mode (PSK) or Enterprise Mode (with RADIUS)

·       The PSK is prone to brute force attacks

·       AES replaced RC4, CCMP replaced TKIP

 WPA3 (Wi-Fi Protected Access 3)

  • Built on GCMP-256 (Galois/Counter Mode Protocol)
  • Replaces PSK with SAE (Simultaneous Authentication of Equals)

 WPS (Wi-Fi Protected Setup)

  • Connection is generally used with a pushbutton
  • If there is no push button, use the 8-digit PIN at the bottom of the AP
  • Prone to a brute force attack, can be broken in less than 11,000 attempt
  • Tools used for cracking WPS: Reaver, Wifite, Wash 

 The following authenticate the user and require certificates. When using certificates, you must use TLS.

 Enterprise Mode / 802.1x Authentication

  • Using this method requires a RADIUS server
  • Authentication can be accomplished with a username & password, smart card, or token
  • Authentication is used against an enterprise directory service / AAA server / RADIUS
  • 802.1x requires a Supplicant, Authenticator, and Authentication server (AAA / RADIUS) 

 EAP-TLS (Extensible Authentication Protocol-Transport Layer Security)

  • Certificates are needed on both the server and wireless device (Supplicant)
  • Provides mutual authentication
  • Authenticates the user – uses an enterprise directory service

 EAP-TTLS (Extensible Authentication Protocol – Tunneled Transport Layer Security)

  • Certificate on the server only
  • Authenticates the user - uses an enterprise directory service
  • End-to-end protection of authentication credentials

 PEAP (Protected Extensible Authentication Protocol)

  • Certificate on the server only
  • Uses TLS
  • Authenticates the user – uses an enterprise directory service
  • End-to-end protection of authentication credentials

 The following authenticates the user and do not use certificates

 LEAP (Lightweight Extensible Authentication Protocol)

  • Does not require certificates
  • Replaced with EAP-FAST

 EAP-FAST (Flexible Authentication via Secure Tunneling)

  • Do not use certificates
  • Replaced LEAP

 The following is the RADIUS federation

 Multiple organizations allow access to one another’s users

Uses the native 802.1x client (Supplicant)

Each organization has a RADIUS server and joins a mesh

at

No comments:

Post a Comment