WirelessSecurity


WIRELESS SECURITY
802.1X EAP Authentication Protocols
802.1X Authentication Methods
• EAP defines a standard message exchange that lets a server authenticate a client using an authentication method agreed upon by both parties.
• The access point relays authentication messages from the wireless client device to the RADIUS server and from the RADIUS server back to the wireless client device.
• Components involved in the 802.1X/EAP authentication process:
  • supplicant (the end entity, or the end user's machine),
  • authenticator (the access point), and
  • authentication server (the back-end RADIUS server).
• IEEE 802.1X is a port-based network access control protocol: the authenticator keeps the client's port unauthorized (only EAPOL traffic is passed) until the authentication server returns a success.
EAP – How It Works
802.1X EAP Authentication Types
• A specific EAP authentication scheme is known as an EAP type (or EAP method).
• The supplicant and the authentication server must support the same EAP type for authentication to succeed; a client offered a type it does not support answers with an EAP Nak listing the types it is willing to use.
• The access point has to support the 802.1X/EAP pass-through process, but it is not aware of the EAP type in use: it forwards EAP packets between the supplicant (over EAPOL) and the RADIUS server (in EAP-Message attributes) and acts only on the final Success or Failure.
• The EAP types discussed here are:
  • EAP-Transport Layer Security (EAP-TLS)
  • EAP-Tunneled Transport Layer Security (EAP-TTLS)
  • Cisco Lightweight EAP (LEAP)
  • Protected EAP (PEAP)
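The exchange described on the two slides above, as an added example that is not part of the original slides: a Python simulation of EAP Request/Response framing (RFC 3748) and EAPOL framing (IEEE 802.1X), with the access point acting as a pass-through that inspects only the EAP Code, and a supplicant that Naks a method it does not support so the server falls back to a type both sides share. Only the method negotiation is modelled; the TLS handshake that EAP-TLS or EAP-TTLS would then run is left out (an assumption of this example, noted in the code), and the server returns EAP-Success once a method is agreed.

```python
"""Simulated 802.1X/EAP exchange: supplicant <-EAPOL-> access point <-RADIUS-> server.
Assumption of this example: the TLS handshake of EAP-TLS/EAP-TTLS is not simulated;
once supplicant and server agree on a method, the server returns EAP-Success."""
import struct
from dataclasses import dataclass
from typing import Optional

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_TLS, TYPE_TTLS, TYPE_PEAP = 1, 3, 13, 21, 25
TYPE_NAMES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAPOL_EAP_PACKET, EAPOL_START = 0, 1          # EAPOL packet types (protocol version 1)


@dataclass
class Eap:
    code: int
    identifier: int
    type: Optional[int] = None                # no Type byte in Success/Failure
    data: bytes = b""

    def encode(self) -> bytes:
        body = b"" if self.type is None else bytes([self.type]) + self.data
        return struct.pack("!BBH", self.code, self.identifier, 4 + len(body)) + body

    @staticmethod
    def decode(raw: bytes) -> "Eap":
        code, ident, length = struct.unpack("!BBH", raw[:4])
        needs_type = code in (EAP_REQUEST, EAP_RESPONSE)
        if length < 4 or length > len(raw) or (needs_type and length < 5):
            raise ValueError("malformed EAP packet")
        return Eap(code, ident, raw[4], raw[5:length]) if needs_type else Eap(code, ident)


def eapol(ptype: int, body: bytes = b"") -> bytes:
    return struct.pack("!BBH", 1, ptype, len(body)) + body   # version, type, body length


def describe(p: Eap) -> str:
    if p.type is None:
        return f"{CODE_NAMES[p.code]} id={p.identifier}"
    extra = ""
    if p.type == TYPE_IDENTITY and p.code == EAP_RESPONSE:
        extra = f" {p.data.decode()!r}"
    elif p.type == TYPE_NAK:
        extra = " wants " + ",".join(TYPE_NAMES.get(t, str(t)) for t in p.data)
    return f"{CODE_NAMES[p.code]}/{TYPE_NAMES.get(p.type, p.type)} id={p.identifier}{extra}"


class Supplicant:
    def __init__(self, identity: str, methods: set):
        self.identity, self.methods = identity, methods

    def handle(self, req: Eap) -> Eap:
        if req.type == TYPE_IDENTITY:
            return Eap(EAP_RESPONSE, req.identifier, TYPE_IDENTITY, self.identity.encode())
        if req.type in self.methods:          # accepted; the TLS handshake would start here
            return Eap(EAP_RESPONSE, req.identifier, req.type)
        # RFC 3748 5.3: a Nak lists the types the peer is willing to use instead
        return Eap(EAP_RESPONSE, req.identifier, TYPE_NAK, bytes(sorted(self.methods)))


class AuthServer:
    def __init__(self, methods: list):
        self.methods, self.next_id, self.peer_identity = methods, 0, None   # preference order

    def request(self, eap_type: int) -> Eap:
        self.next_id += 1
        return Eap(EAP_REQUEST, self.next_id, eap_type)

    def handle(self, resp: Eap) -> Eap:
        if resp.type == TYPE_IDENTITY:
            self.peer_identity = resp.data.decode()
            return self.request(self.methods[0])       # offer the preferred method first
        if resp.type == TYPE_NAK:
            for m in self.methods:                     # first server-preferred type the peer accepts
                if m in resp.data:
                    return self.request(m)
            return Eap(EAP_FAILURE, resp.identifier)
        return Eap(EAP_SUCCESS if resp.type in self.methods else EAP_FAILURE, resp.identifier)


def run_8021x(sup: Supplicant, srv: AuthServer):
    """Authenticator (access point) loop: unwraps EAPOL on the wireless side, forwards
    the EAP packet to the server unchanged, and reads only the Code to decide when to
    authorize the port. The Type byte is opaque to it (describe() is for the reader)."""
    log = [f"supplicant->ap: EAPOL-Start {eapol(EAPOL_START).hex()}"]
    wire = eapol(EAPOL_EAP_PACKET, Eap(EAP_REQUEST, 0, TYPE_IDENTITY).encode())
    while True:
        _, _, length = struct.unpack("!BBH", wire[:4])
        req = Eap.decode(wire[4:4 + length])
        log.append("ap->supplicant: " + describe(req))
        if req.code in (EAP_SUCCESS, EAP_FAILURE):
            return req.code == EAP_SUCCESS, log
        eap_bytes = eapol(EAPOL_EAP_PACKET, sup.handle(req).encode())[4:]   # EAPOL header stripped
        log.append("supplicant->ap->radius: " + describe(Eap.decode(eap_bytes)))
        wire = eapol(EAPOL_EAP_PACKET, srv.handle(Eap.decode(eap_bytes)).encode())


if __name__ == "__main__":
    ok, log = run_8021x(Supplicant("alice", {TYPE_TTLS}), AuthServer([TYPE_TLS, TYPE_TTLS]))
    print("\n".join(log), "\nport authorized:", ok)
```

Run stand-alone, the script prints the message sequence: the server first offers EAP-TLS, the supplicant Naks it asking for EAP-TTLS, the server re-offers EAP-TTLS, and the port is authorized. Swapping the server's method list for `[TYPE_TLS]` alone ends in EAP-Failure, which is the "both parties must support the same EAP type" rule in action.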
EAP-TLS and its Disadvantages
• In EAP-TLS, X.509 certificates provide authentication in both directions.
• The server presents its certificate to the client and, after validating the server's certificate, the client presents a client certificate, which the server validates in turn.
• Requires each user (or each device) to have a certificate.
• Imposes a substantial administrative burden: operating a certificate authority to issue, distribute, revoke and manage user certificates.
EAP-TLS in Action
EAP-Tunneled Transport Layer Security (EAP-TTLS)
• EAP-TTLS was developed in response to the PKI barrier in EAP-TLS.
• TTLS is a two-stage protocol: stage one establishes a TLS tunnel to the server, authenticated by the server's certificate; stage two carries the user's authentication inside that tunnel.
• Only the RADIUS servers, not the users, are required to have certificates.
• The user's identity and password-based credentials are tunneled during authentication.
Advantages of Using EAP-TTLS
• Users are authenticated with their existing password credentials, protected by strong public/private key cryptography.
• Prevents dictionary attacks, man-in-the-middle attacks and connection hijacking by wireless eavesdroppers, provided the client validates the server's certificate (see the failure cases below).
• Does not require client certificates.
• Requires little additional administration compared with EAP-TLS.
• Dynamic per-session keys are generated to encrypt the wireless connection and protect data privacy.
Situations when EAP-TTLS can Fail
• The user's identity is not hidden from the EAP-TTLS server and may be included in the clear in AAA messages between the access point, the EAP-TTLS server and the AAA/H (home) server. The outer EAP-Response/Identity is sent unencrypted; an anonymous outer identity limits what the access point and intermediate proxies see, but the TTLS server itself still learns the real identity.
• Reliance on the server certificate is also the weak point: if the client does not validate that certificate (no trusted CA configured, or no check that the certificate's name matches the expected server), the TLS tunnel can terminate at an attacker's server.
• EAP-TTLS is therefore vulnerable to rogue EAP-TTLS servers, which can capture the tunneled credentials: a plaintext password with PAP, or a challenge/response that can be attacked offline with MS-CHAP/MS-CHAPv2.
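The two failure modes above (identity in the clear, rogue server when the server certificate is not validated) and the advantages claimed for EAP-TTLS on the previous slide both hinge on how the supplicant is configured. As an added example, not from the slides or the cited sources, this Python script audits wpa_supplicant network blocks for those settings. The option names (ca_cert, domain_suffix_match, subject_match, altsubject_match, anonymous_identity, phase2) are wpa_supplicant.conf's; the two network blocks are constructed samples, the first showing the common mistake and the second the corrected configuration.

```python
"""Audit wpa_supplicant network blocks for the EAP-TTLS/PEAP failure modes above.
Option names are wpa_supplicant.conf's; SAMPLE_CONF is a constructed sample."""
import re

TUNNELED = {"TTLS", "PEAP"}
NAME_CHECKS = ("domain_suffix_match", "subject_match", "altsubject_match")

# Constructed sample: the first block is the common mistake, the second the fix.
SAMPLE_CONF = r'''
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@example.com"
    password="hunter2"
    phase2="auth=PAP"
}
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    # outer identity, the only one the access point and RADIUS proxies see
    anonymous_identity="anonymous@example.com"
    # real identity, sent only inside the TLS tunnel
    identity="alice@example.com"
    password="hunter2"
    # pin the CA that issued the RADIUS server certificate, and the name on it
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
'''

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(conf: str) -> list:
    """Minimal parser: one dict of key -> value per network={...} block.
    Values containing '#' or '}' are not handled (enough for an audit pass)."""
    nets = []
    for body in BLOCK_RE.findall(conf):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()      # drop comments
            if "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit(net: dict) -> list:
    """Return findings for a tunneled-EAP network block; an empty list means hardened."""
    findings = []
    eap = net.get("eap", "").upper()
    if net.get("key_mgmt", "").upper() != "WPA-EAP" or eap not in TUNNELED:
        return findings                               # PSK or non-tunneled EAP: out of scope
    if not net.get("ca_cert"):
        findings.append(f"no ca_cert: the {eap} server certificate is never validated, so a "
                        "rogue server can terminate the tunnel and read the inner credentials")
    if not any(k in net for k in NAME_CHECKS):
        findings.append("no domain_suffix_match/subject_match: any certificate chaining to "
                        "the trusted CA is accepted as the RADIUS server")
    if not net.get("anonymous_identity"):
        findings.append("no anonymous_identity: the real username is sent in the clear in "
                        "the outer EAP-Response/Identity")
    if eap == "TTLS" and net.get("phase2", "").upper() == "AUTH=PAP":
        findings.append("phase2 PAP: the password itself crosses the tunnel, so a rogue "
                        "server obtains it directly rather than a challenge/response")
    return findings


if __name__ == "__main__":
    for i, net in enumerate(parse_networks(SAMPLE_CONF)):
        print(f"network {i} (ssid={net.get('ssid')}, eap={net.get('eap')}):")
        for finding in audit(net) or ["ok"]:
            print("  -", finding)
```

Run as a script, the first block produces four findings and the second none. Pointing `parse_networks` at a real /etc/wpa_supplicant/wpa_supplicant.conf gives the same pass over every EAP network on a host; the ca_cert and name-match checks are the ones that decide whether a rogue server attack works at all, the anonymous_identity check addresses the identity-disclosure bullet.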
Comparison of EAP-TTLS and PEAP Protocols
PEAP
  • Developed by Microsoft, Cisco and RSA Security for 802.11 WLANs.
  • Client support (at the time of the 2002 sources cited): Windows XP is the only operating system that supports PEAP.
  • Inner authentication: EAP methods only; the sources list only EAP-Generic Token Card.
EAP-TTLS
  • Developed by Funk Software and Certicom; Funk Software and Interlink Networks added support for the proposed wireless security protocol.
  • Client support: Linux, Mac OS X, Windows 95/98/ME, and Windows NT/2000/XP.
  • Inner authentication: any method, including CHAP, PAP, MS-CHAP, MS-CHAPv2 and EAP.
Conclusions
• Selection of an authentication method is the key decision in securing a wireless LAN deployment.
• EAP-TLS is best suited to situations where a well-configured PKI is already deployed.
• TTLS offers a slightly greater degree of flexibility at the protocol level (any inner authentication method) and supports a wider range of client operating systems.
• No single security solution is likely to address all security risks; multiple approaches should be combined to secure wireless application access.
References
• www.ietf.org/internet-drafts/draft-ietf-pppext-eapttls-02.txt
• http://www.nwfusion.com/research/2002/0506ilabwlan.html
• http://www.oreillynet.com/pub/a/wireless/2002/10/17/peap.html
• http://www.nwfusion.com/news/2002/1111funk.html
• http://www.nwfusion.com/news/2002/0923peap.html
• http://www.mtghouse.com