Wireless Security

Security for IEEE 802.11b consists of encryption and authentication, as described in the following sections.

Encryption

To encrypt wireless data, you can use Wired Equivalent Privacy (WEP); if your wireless networking components are Wi-Fi Protected Access (WPA) enabled, you can use the Temporal Key Integrity Protocol (TKIP).

WEP Encryption

Securing physical access to the network is difficult because of the nature of wireless LAN networks. Unlike a wired network (in which a direct physical connection is required), anyone within range of a wireless AP or a wireless client can conceivably send and receive frames as well as listen for other frames being sent, which makes eavesdropping on and remote sniffing of wireless network frames very easy.

WEP uses a shared secret key to encrypt the data of the sending node, and the receiving node uses the same WEP key to decrypt the data. For infrastructure mode, the WEP key must be configured on the wireless AP and all the wireless clients. For ad hoc mode, the WEP key must be configured on all the wireless clients.

As specified in the IEEE 802.11 standards, WEP uses a 40-bit secret key, and most wireless hardware for IEEE 802.11 supports the use of a 104-bit WEP key. If your hardware supports both, use a 104-bit key.

Strong Encryption with WEP

Some wireless vendors advertise a 128-bit wireless encryption key, which is the addition of a 104-bit WEP key with another number (a 24-bit number known as the initialization vector) used during the encryption process. Some wireless APs also support the use of a 152-bit wireless encryption key (a 128-bit WEP key added to the 24-bit initialization vector). Windows XP does not support the configuration of 128-bit WEP keys.

If you must use 152-bit wireless encryption keys, disable the Wireless Zero Configuration (WZC) service by clearing the Use Windows To Configure My Wireless Network Settings check box on the Wireless Networks tab of the properties of the wireless connection or wireless network adapter in Network Connections. Use the configuration tool provided with your wireless network adapter to configure the wireless network settings and the WEP key.

Choosing a WEP Key

The WEP key should be a random sequence of keyboard characters (upper- and lowercase letters, numbers, and punctuation) or hexadecimal digits (numbers 0-9 and letters A-F). The more random your WEP key, the safer it is to use for a longer period of time.

A WEP key based on a familiar word (such as your company name or your last name) or an easily remembered phrase is easy to guess. After malicious users discover your WEP key, they can decrypt received frames, send properly encrypted frames, and begin attacking your network.

Even if your WEP key is random, it is still subject to determination if a large amount of data encrypted with the same key is collected and analyzed. Therefore, it is recommended that you change your WEP key to a new random sequence periodically (for example, every three months).

WPA Encryption

TKIP in WPA dynamically determines a unique initial encryption key for each authenticated association, and changes the key for each wireless frame. TKIP does not require manual configuration of an encryption key.

Authentication

The following types of authentication are available for use with 802.11b networks, as described in the following sections:

  • Open system

  • Shared key

  • IEEE 802.1X

  • WPA with preshared key

Open System Authentication

Open system authentication is not really authentication because all it does is identify a wireless node using its wireless adapter hardware address. A hardware address, which is an address assigned to the network adapter during its manufacture, is used to address wireless frames.

In infrastructure mode, some wireless APs allow you to configure a list of allowed hardware addresses for open system authentication. However, it is a fairly simple matter for a malicious user to capture frames sent on your wireless network to determine the hardware address of allowed wireless nodes and then use that hardware address to perform open system authentication and join your wireless network.

In ad hoc mode, there is no equivalent of configuring the list of allowed hardware addresses in Windows XP or Windows Server 2003. Therefore, any hardware address can be used to perform open system authentication and join your ad hoc mode wireless network.

Shared Key Authentication

Shared key authentication verifies that the wireless client joining the wireless network has been configured with a secret key. During the authentication process, the wireless client proves that it has the secret key without actually sending the secret key. In infrastructure mode, all the wireless clients and the wireless AP use the same shared key; in ad hoc mode, all the wireless clients of the ad hoc wireless network use the same shared key.

IEEE 802.1X Authentication

The IEEE 802.1X standard enforces authentication of a network node before it can begin to exchange data with the network. Exchanging frames with the network is denied if the authentication process fails. IEEE 802.1X provides much stronger authentication than open system or shared key authentication.

The recommended solution for Windows wireless authentication is the use of EAP-Transport Layer Security (TLS) and certificates for authentication. To use EAP-TLS authentication for wireless connections, you must create an authentication infrastructure that consists of an Active Directory directory service domain, Remote Authentication Dial-In User Service (RADIUS) servers, and a certification authority (CA) to issue certificates to your RADIUS servers and wireless clients. This authentication infrastructure is appropriate for large businesses and enterprise organizations, but it is not practical for most homes or small business offices. If your home or small business office has an Active Directory domain controller, a RADIUS server, and a CA, and you want to deploy an EAP-TLS-authenticated wireless network, follow the instructions given in Chapter 8, Intranet Wireless Deployment Using EAP-TLS.

If you have a domain controller and a RADIUS server, but no CA, you can purchase a computer certificate from a commercial CA, install it on your RADIUS server, and use Protected EAP (PEAP) and the Microsoft Challenge-Handshake Authentication Protocol, version 2 (MS-CHAP v2) EAP type. PEAP-MS-CHAP v2 uses passwords instead of certificates for credentials. The only certificate required when using PEAP-MS-CHAP v2 is the RADIUS server certificate, which is used to authenticate the RADIUS server and create a secure channel for communication between the wireless client and the RADIUS server.

More Info
For more information about deploying secure wireless networks using PEAP-MS-CHAP v2 authentication, see Chapter 10, Intranet Wireless Deployment Using PEAP-MS-CHAP v2.

WPA with Preshared Key Authentication

WPA supports two types of authentication:

  • User-level 802.1X authentication using an EAP type

  • Preshared key (PSK)

Preshared key authentication for WPA was designed specifically for the home and small office environment, in which an 802.1X authentication infrastructure is not present. With preshared key authentication, the wireless AP and the wireless clients are configured with the same key. When authenticating, the wireless clients provide proof that they have been configured with the correct preshared key.

Choosing a WPA Preshared Key

The WPA preshared key should be a random sequence of keyboard characters (upper- and lowercase letters, numbers, and punctuation) and can be up to 256 characters long. The longer and more random your preshared key, the safer it is to use for a longer period of time. A preshared key based on a familiar word (such as your company name, last name, or part of your home address) or an easily remembered phrase can be easily guessed. After malicious users have determined the WPA preshared key, they can begin attacking your network.

Because the initial TKIP encryption key is different for each association and changes with each wireless frame, you do not have to worry about malicious users accumulating a large amount of data and decrypting wireless frames. However, to prevent online dictionary attacks against your WPA preshared key, it is a good idea to change it periodically (for example, once every six months).
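The key-selection advice in the WEP and WPA preshared key sections above, turned into checks you can run. This is an added example, not code from the book or from Windows: the lengths, rotation intervals and the 256-character WPA limit are the chapter's own numbers, the familiar-word list is a constructed sample, and the "30-day month" used for rotation is an assumption.

```python
# Added example (not code from the book): key hygiene helpers that follow the
# chapter's advice for WEP keys and WPA preshared keys. Numbers come from the
# chapter (40/104-bit WEP keys, WPA PSK up to 256 characters, rotation every
# three and six months); the familiar-word list is a constructed sample.
import math
import secrets
import string
from collections import Counter
from datetime import date

WEP_KEY_BITS = (40, 104)            # key lengths the chapter discusses
WEP_HEX_DIGITS = {40: 10, 104: 26}  # hex digits needed for each length
WPA_PSK_MAX_CHARS = 256             # upper bound stated in the chapter
KEYBOARD_CHARS = string.ascii_letters + string.digits + string.punctuation
FAMILIAR_WORDS = {"contoso", "password", "wireless", "admin"}  # constructed sample


def generate_wep_key_hex(bits: int = 104) -> str:
    """Random WEP key as uppercase hex digits (10 for 40-bit, 26 for 104-bit)."""
    if bits not in WEP_KEY_BITS:
        raise ValueError(f"WEP key must be one of {WEP_KEY_BITS} bits, got {bits}")
    return secrets.token_hex(bits // 8).upper()


def generate_wpa_psk(length: int = 20) -> str:
    """Random keyboard-character preshared key of the requested length."""
    if not 1 <= length <= WPA_PSK_MAX_CHARS:
        raise ValueError(f"WPA PSK length must be 1..{WPA_PSK_MAX_CHARS}")
    return "".join(secrets.choice(KEYBOARD_CHARS) for _ in range(length))


def is_valid_wep_hex_key(key: str) -> bool:
    """A hex WEP key must be exactly 10 or 26 hexadecimal digits."""
    return len(key) in WEP_HEX_DIGITS.values() and all(c in string.hexdigits for c in key)


def entropy_bits_per_char(key: str) -> float:
    """Shannon entropy of the key's character distribution (0 for an empty or repeated key)."""
    n = len(key)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(key).values())


def weak_key_reasons(key: str, familiar=FAMILIAR_WORDS) -> list:
    """Reasons a key violates the chapter's guidance; an empty list means none found."""
    reasons = []
    lowered = key.lower()
    for word in sorted(familiar):
        if word in lowered:
            reasons.append(f"contains familiar word '{word}'")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    used = sum(1 for cls in classes if any(c in cls for c in key))
    if used < 3:
        reasons.append(f"uses only {used} of 4 character classes")
    if entropy_bits_per_char(key) < 3.0:
        reasons.append("low character diversity")
    return reasons


def rotation_due(age_days: int, months: int) -> bool:
    """True once the key is older than the rotation interval (30-day months assumed)."""
    return age_days >= 30 * months


if __name__ == "__main__":
    wep = generate_wep_key_hex(104)
    psk = generate_wpa_psk(32)
    print("WEP 104-bit:", wep, "valid:", is_valid_wep_hex_key(wep))
    print("WPA PSK:", psk, "weaknesses:", weak_key_reasons(psk))
    age = (date(2004, 4, 1) - date(2004, 1, 1)).days
    print("WEP rotation due after", age, "days:", rotation_due(age, months=3))
    print("WPA PSK rotation due after", age, "days:", rotation_due(age, months=6))
```

The word and character-class checks catch the "company name or last name" keys the chapter warns against; the entropy check catches keys that pass those but still repeat a few characters. Generated keys come from `secrets`, not `random`, so they are suitable for this use.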

Recommended Authentication: WPA-PSK or Open System

For a secure wireless network that cannot use IEEE 802.1X authentication, the recommendation is to use one of the following:

  • If your wireless network components are WPA-enabled, use WPA with preshared key authentication.

  • If your wireless network components are not WPA-enabled, use open system authentication.

The use of open system authentication instead of shared key authentication in the absence of WPA might seem contradictory. Open system authentication is not really authentication, but identification; and shared key authentication requires knowledge of a shared secret key. Although shared key authentication might be a stronger authentication method than open system, using it actually makes your wireless communication less secure.

For most wireless implementations, including Windows XP, the shared key authentication secret key is the same as the WEP encryption key. The shared key authentication process consists of two messages: a challenge message sent by the authenticator and a challenge response message sent by the authenticating wireless client. A malicious user who captures both messages can use cryptanalysis methods to determine the shared key authentication secret key and therefore the WEP encryption key. After the WEP encryption key is determined, the malicious user has full access to your network, as if WEP encryption were not enabled. Therefore, although shared key authentication is stronger than open system authentication, it weakens WEP encryption.
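A toy model of the two-message exchange just described, added here to make the reasoning concrete; it is not code from the book. Because WEP XORs each frame with a keystream, anyone who sees both the cleartext challenge and the encrypted response can XOR them and obtain the keystream for that IV, which then exposes any later frame sent under the same 24-bit IV. The keystream generator is a SHA-256 counter-mode stand-in for RC4 (an assumption made so the example runs offline); the model stops at the keystream leak the chapter's cryptanalysis starts from and does not attempt key recovery.

```python
# Added example (not code from the book): a toy model of the two-message shared
# key authentication exchange, showing what a passive listener learns from the
# challenge/response pair. The per-frame keystream is a SHA-256 counter-mode
# stand-in for WEP's RC4 (constructed so the example runs offline); only the
# XOR structure of WEP matters for the point being made.
import hashlib
import secrets

CHALLENGE_LEN = 128  # size of the cleartext challenge in this model


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Per-frame keystream derived from IV || key (stand-in for RC4, not RC4)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP-style encryption: ciphertext = payload XOR keystream; the IV travels in clear."""
    return xor(payload, keystream(key, iv, len(payload)))


def shared_key_auth(key: bytes, iv: bytes):
    """Run the exchange and return the two messages exactly as an eavesdropper
    sees them: (challenge, iv, response)."""
    challenge = secrets.token_bytes(CHALLENGE_LEN)   # message 1: AP -> client, cleartext
    response = encrypt_frame(key, iv, challenge)      # message 2: client -> AP, encrypted
    # The AP accepts when decrypting the response yields its own challenge.
    assert xor(response, keystream(key, iv, CHALLENGE_LEN)) == challenge
    return challenge, iv, response


def keystream_from_capture(challenge: bytes, response: bytes) -> bytes:
    """Plaintext XOR ciphertext: the listener obtains the keystream for that IV
    without ever learning the key."""
    return xor(challenge, response)


def reused_iv_exposure(key: bytes, iv: bytes, later_payload: bytes) -> bytes:
    """Model the damage: a later data frame sent under the same IV (24-bit IVs
    repeat often on a busy network) is readable with the captured pair alone."""
    challenge, iv, response = shared_key_auth(key, iv)
    recovered = keystream_from_capture(challenge, response)
    later_ciphertext = encrypt_frame(key, iv, later_payload)
    return xor(later_ciphertext, recovered[:len(later_payload)])


if __name__ == "__main__":
    key = secrets.token_bytes(13)   # 104-bit WEP key (constructed)
    iv = secrets.token_bytes(3)     # 24-bit IV
    secret = b"constructed sample payload"
    print("later frame under the same IV readable without the key:",
          reused_iv_exposure(key, iv, secret) == secret)
```

With open system authentication there is no challenge/response pair to capture, so nothing key-derived is handed to a listener; that is the tradeoff the chapter describes. The same keystream-reuse weakness is why the chapter recommends 104-bit keys and periodic rotation even without shared key authentication.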

The tradeoff of using open system authentication is that anyone can easily join your network, unless your wireless AP has the capability to configure the list of allowed wireless clients by their hardware addresses. By joining the network, malicious users use up one of the available wireless connections, but they cannot send or decrypt received wireless frames without the WEP encryption key.

Wireless APs and Windows wireless clients support open system authentication. One advantage of using open system authentication is that it is always enabled for Windows XP wireless clients; no additional authentication configuration is needed.

For these reasons, open system authentication is recommended for the home or small office wireless network in the absence of WPA.


Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies