7.03 Compare and contrast wireless security protocols and authentication methods

Introduction 

Imagine your home had no doors—anyone walking by could enter without a problem. Wi-Fi networks, without proper security, are like that: anyone within range can access your data. In this lesson, we’ll compare different ways to lock down Wi-Fi networks and ensure that only authorized users can connect. Just like in real life, where you might use a key or a security system, Wi-Fi uses various protocols like WPA2 and WPA3, and enterprise systems like RADIUS or Kerberos, to safeguard connections. Understanding these systems will help you solve security issues and assist others in keeping their networks safe from intruders.

Wi-Fi Protected Access 

Wi-Fi networks need to be set up carefully to ensure that the connection and data transmissions are secure. The main challenge with wireless networks is that they use radio signals, which means anyone within range can potentially listen in. If these signals aren’t encrypted, it’s easy for unauthorized people to intercept data or use the network without permission. 

Temporal Key Integrity Protocol (TKIP) 

The first version of Wi-Fi Protected Access (WPA) was created to fix serious problems with an older security system called Wired Equivalent Privacy (WEP). Like WEP, the first version of WPA uses the RC4 symmetric cipher to encrypt data. However, WPA also added a feature called the Temporal Key Integrity Protocol (TKIP). This protocol was designed to fix the various vulnerabilities that hackers found in WEP.

WPA2 

Both WEP and the original WPA version are no longer considered secure. Even with the TKIP improvements, WPA is still vulnerable to replay attacks, which attempt to steal the encryption key. WPA2 was introduced to provide better security. It uses a stronger encryption method called the Advanced Encryption Standard (AES). This encryption is applied using the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). In WPA2, AES replaces RC4, and CCMP replaces TKIP.

CCMP provides authenticated encryption, which makes it more difficult for attackers to carry out replay attacks. 

Compatibility Modes in WPA2 

Some older Wi-Fi access points allow WPA2 to run in WPA2-TKIP or WPA2-TKIP+AES compatibility mode. This allows older devices to connect, but it weakens the security. It is always better to use WPA2-AES for maximum protection. 

WPA3 

Even though WPA2 is much better than WPA, weaknesses have still been found in its security. This led to the development of WPA3, which has stronger security features. 

Key Features of WPA3 

  • Simultaneous Authentication of Equals (SAE): 

    • WPA2 uses a 4-way handshake to allow devices (called "stations") to connect to an access point, authenticate themselves, and exchange an encryption key. However, this handshake can be manipulated by attackers to steal the encryption key. 

    • WPA3 fixes this by replacing the 4-way handshake with the more secure SAE mechanism.

  • Updated Cryptographic Protocols: WPA3 uses AES Galois Counter Mode Protocol (GCMP) instead of AES CCMP. GCMP is stronger and more resistant to attacks. 

  • Protected Management Frames: 

    • Management frames are used for tasks like connecting to the network (association and authentication) and disconnecting (disassociation and deauthentication). In WPA2, these frames can be spoofed by attackers, leading to security breaches. 

    • WPA3 requires that these management frames are encrypted, which prevents key recovery attacks and stops Denial of Service (DoS) attacks that force devices to disconnect. 

  • Wi-Fi Enhanced Open: 

    • An open Wi-Fi network is one that doesn’t require a password. In WPA2, this means that all traffic on the network is unencrypted, leaving it vulnerable to eavesdropping. 

    • WPA3 fixes this by encrypting traffic even on open networks, so while anyone can join the network, their data will be protected from being sniffed. 

In summary, WPA3 offers the latest and strongest security features for Wi-Fi networks, providing better encryption and protection against various attacks compared to WPA2 and older standards. Using WPA2-AES or WPA3 is critical for keeping your wireless network secure. 

Wi-Fi Authentication Methods 

Wi-Fi networks use different methods to authenticate users and ensure secure connections. There are three main types of Wi-Fi authentication: open, personal, and enterprise. In the personal authentication category, two methods are commonly used: WPA2 Pre-Shared Key (PSK) authentication and WPA3 Simultaneous Authentication of Equals (SAE).

WPA2 Pre-Shared Key (PSK) Authentication 

In WPA2, Pre-Shared Key (PSK) authentication secures communication by using a passphrase. This passphrase is used by all users on the network, which is why it's called group authentication.

How WPA2-PSK Works: 

  • The administrator sets a passphrase (8 to 63 characters long) when configuring the access point. 

  • This passphrase is converted into a pairwise master key (PMK), a type of hash used to secure network communications. 

  • Each device (station) that joins the network must have the same passphrase configured. 

  • The PMK is part of WPA2's 4-way handshake, which is used to create session keys for secure communication. 

Vulnerabilities of WPA2-PSK: 

  • Attackers can attempt to recover the passphrase through brute-force attacks.

  • To reduce the risk of cracking, the passphrase should be at least 14 characters long.
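The two lists above describe the passphrase rules (8 to 63 characters, at least 14 recommended) and the conversion of the passphrase into the pairwise master key. The following Python example is added here to make both concrete; it is not part of the lesson. The derivation itself is the one 802.11i specifies (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output); the network name and passphrase are constructed sample values.

```python
import hashlib
import hmac

# Passphrase rules from the lesson: WPA2-PSK accepts 8 to 63 characters,
# and at least 14 is recommended to resist brute-force recovery.
MIN_PASSPHRASE_LEN = 8
MAX_PASSPHRASE_LEN = 63
RECOMMENDED_MIN_LEN = 14

# Constructed sample network; not a real deployment.
SAMPLE_SSID = "LabNet-2G"
SAMPLE_PASSPHRASE = "tulip-harbor-cobalt-47"


def check_passphrase(passphrase: str) -> str:
    """Classify a WPA2-PSK passphrase as 'invalid', 'weak' or 'ok'.

    802.11i allows 8-63 printable ASCII characters (0x20-0x7E); anything
    else is rejected by a compliant access point. Passphrases shorter than
    the lesson's 14-character guidance are flagged as weak.
    """
    if not MIN_PASSPHRASE_LEN <= len(passphrase) <= MAX_PASSPHRASE_LEN:
        return "invalid"
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in passphrase):
        return "invalid"
    if len(passphrase) < RECOMMENDED_MIN_LEN:
        return "weak"
    return "ok"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pairwise master key (PMK) from passphrase and SSID.

    802.11i specifies PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).
    The SSID is the salt: the same passphrase on a differently named
    network yields a different PMK, and every station that joins must be
    configured with exactly the same passphrase to arrive at the same PMK.
    """
    if check_passphrase(passphrase) == "invalid":
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def station_matches_ap(station_passphrase: str, ap_passphrase: str, ssid: str) -> bool:
    """True when a station and the access point hold the same PMK.

    Uses a constant-time comparison, as any key check should.
    """
    return hmac.compare_digest(
        derive_pmk(station_passphrase, ssid), derive_pmk(ap_passphrase, ssid)
    )


if __name__ == "__main__":
    print("passphrase check:", check_passphrase(SAMPLE_PASSPHRASE))
    pmk = derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    print("PMK:", pmk.hex())
    # Same passphrase, different SSID -> different PMK (the SSID is the salt).
    print("same PMK on other SSID?", pmk == derive_pmk(SAMPLE_PASSPHRASE, "OtherNet"))
    # A one-character typo on the station means the 4-way handshake will fail.
    print("typo matches AP?", station_matches_ap("tulip-harbor-cobalt-48", SAMPLE_PASSPHRASE, SAMPLE_SSID))
```

The 802.11i specification publishes a test vector for this derivation: passphrase "password" with SSID "IEEE" yields the PMK f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e, which `derive_pmk` reproduces. The 4096 iterations are the only work factor standing between a captured handshake and an offline guess at the passphrase, which is why the lesson's 14-character minimum matters: the cost per guess is fixed by the standard, so only the size of the guess space is under the administrator's control.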

WPA3 Personal Authentication 

WPA3 improves security while still using passphrase-based group authentication. However, it replaces the 4-way handshake with a more secure process called the Simultaneous Authentication of Equals (SAE) protocol. 

Key Features of WPA3-Personal: 

  • SAE makes it harder for attackers to steal the encryption key compared to WPA2's 4-way handshake. 

  • WPA3's SAE provides stronger protection even if users are using a weak passphrase. 

Labels for WPA2 and WPA3: 

  • Different access points may label these methods differently.

    For example, you might see WPA2-Personal and WPA3-SAE instead of WPA2-PSK and WPA3-Personal. 

  • Some access points support a WPA3-Personal Transition mode, which allows WPA3 to work alongside legacy WPA2 clients. However, enabling this mode may weaken the security of the network. 
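The WPA2 compatibility modes, the Protected Management Frames requirement and the WPA3-Personal Transition mode described above all show up as individual settings on an access point. As an added example that is not part of the lesson, the Python script below audits hostapd-style configuration text for those settings. The directive names (`wpa`, `wpa_key_mgmt`, `wpa_pairwise`, `rsn_pairwise`, `ieee80211w`) are real hostapd options; the three configuration excerpts are constructed for the demonstration and the passphrase values are placeholders.

```python
# Constructed hostapd.conf excerpts for the audit; none comes from a real AP.
WEAK_CONF = """
ssid=LabNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
ieee80211w=0
wpa_passphrase=PLACEHOLDER-PASSPHRASE
"""

TRANSITION_CONF = """
ssid=LabNet
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
ieee80211w=1
wpa_passphrase=PLACEHOLDER-PASSPHRASE
sae_password=PLACEHOLDER-PASSPHRASE
"""

HARDENED_CONF = """
ssid=LabNet
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
sae_password=PLACEHOLDER-PASSPHRASE
"""


def parse_hostapd(text: str) -> dict:
    """Parse key=value lines of a hostapd configuration, skipping comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit_wpa_config(conf: dict) -> list:
    """Return findings for legacy, compatibility and transition settings.

    Only values present in the excerpt are judged, except ieee80211w, for
    which hostapd documents 0 (disabled) as the default.
    """
    findings = []
    wpa = int(conf.get("wpa", "0"))  # bit 1 = WPA (v1), bit 2 = RSN/WPA2
    if wpa == 0:
        findings.append("wpa=0: no WPA/WPA2 security enabled (open network)")
    if wpa & 1:
        findings.append("wpa includes version 1: legacy WPA with RC4/TKIP is accepted")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(f"{key} allows TKIP: WPA2-TKIP compatibility mode weakens the network")
    mgmt = set(conf.get("wpa_key_mgmt", "").split())
    if {"SAE", "WPA-PSK"} <= mgmt:
        findings.append("wpa_key_mgmt mixes SAE and WPA-PSK: WPA3-Personal transition mode")
    pmf = conf.get("ieee80211w", "0")
    if "SAE" in mgmt and pmf != "2":
        findings.append("ieee80211w is not 2: WPA3 expects Protected Management Frames to be required")
    elif pmf == "0":
        findings.append("ieee80211w=0: Protected Management Frames disabled")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("transition", TRANSITION_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit_wpa_config(parse_hostapd(text)) or ["no findings"]:
            print("  -", finding)
```

The weak excerpt trips four findings (WPA version 1 enabled, TKIP allowed for both WPA and WPA2 pairwise keys, and management frame protection off), the transition excerpt trips two (mixed SAE/WPA-PSK key management and PMF merely optional), and the hardened WPA3-only excerpt trips none. The point of the check is the one the lesson makes: each compatibility knob exists to admit older clients, and each one leaves the network only as strong as the weakest mode it still accepts.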

Enterprise Authentication Protocols 

Enterprise authentication is a more secure alternative to personal Wi-Fi authentication methods, addressing the main problems of passphrase distribution and lack of user-specific credentials. Unlike personal modes, enterprise authentication uses a unique credential for each user, improving security and enabling individual user tracking (accounting). 

Problems with Personal Authentication: 

  • Passphrase distribution: The same passphrase is shared among all users, making it less secure. 

  • Weak passphrases: Administrators might choose weak, easily guessed passphrases. 

  • No accounting: All users share the same credential, making it impossible to track individual users. 

WPA Enterprise Authentication 

Enterprise Wi-Fi networks use 802.1X enterprise authentication with the Extensible Authentication Protocol (EAP). EAP allows flexible authentication mechanisms, such as verifying credentials with a network directory.

Enterprise authentication is configured by selecting WPA2-Enterprise or WPA3-Enterprise on the access point. 

How Enterprise Authentication Works: 

  1. Wireless station request: When a wireless device (supplicant) requests to connect, the access point allows EAP over Wireless (EAPoW) traffic only. 

  2. Credential forwarding: The access point forwards the user's credentials to an Authentication, Authorization, and Accounting (AAA) server.

  3. Credential validation: The AAA server (not the access point) validates the credentials and decides whether to allow access. 

  4. Master key exchange: Once authenticated, the AAA server sends a master key (MK) to the wireless station. 

  5. Key derivation: The wireless device and the AAA server use the MK to create a pairwise master key (PMK).

  6. Session key creation: The AAA server sends the PMK to the access point, which uses it to generate session keys for secure communication.

Benefits of Enterprise Authentication 

  • Secure credential storage: User accounts and credentials are stored on a secure AAA server, not the access point. 

  • Advanced authentication: Supports more secure methods than just usernames and passwords, such as digital certificates and smart card authentication.

  • Multifactor authentication: Many EAP methods use digital certificates and smart cards for secure, multifactor authentication. 

EAP Methods and Certificates 

Enterprise networks can use EAP with Transport Layer Security (EAP-TLS) for stronger authentication. This method requires encryption key pairs and digital certificates on both the server and wireless client. 

How EAP-TLS Works: 

  1. Both the server and wireless device receive encryption keys and certificates. 

  2. The private key on the wireless device is stored in a secure location, like a trusted platform module (TPM) or USB key. The user authenticates using a PIN, password, or biometric gesture to access the key (first authentication factor). 

  3. When connecting, the server sends a digital signature and its certificate. 

  4. The client verifies the signature and certificate, then sends its own. 

  5. The server validates the client's certificate (second authentication factor).

Other EAP Methods 

Some EAP methods use certificates only on the AAA server. In this case, the AAA server uses its certificate to create a secure, encrypted tunnel, allowing the client to safely transmit a username/password credential. 

This approach still offers high security, but does not require client-side certificates. It allows for simpler setups while still protecting the transmission of user credentials. 

RADIUS, TACACS+, and Kerberos: Protocols for Enterprise Authentication 

Enterprise authentication in networks uses AAA servers (Authentication, Authorization, and Accounting) and a network directory to manage secure access. Various protocols are available to implement these systems, including RADIUS, TACACS+, and Kerberos.

RADIUS (Remote Authentication Dial-in User Service) 

RADIUS is a common protocol used to implement AAA servers for enterprise authentication, particularly in wireless and VPN connections. 

How it works

  • The wireless access point is configured as a client of the RADIUS server.

  • User credentials are forwarded from the access point to the RADIUS server for validation. 

  • The access point cannot read the credentials, as they are securely passed between the supplicant (user device) and the RADIUS server.

Configuration

  • The access point must be configured with the hostname or IP address of the RADIUS server. 

  • A shared secret is used to ensure mutual trust between the access point and the RADIUS server. 
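The configuration notes above say the shared secret establishes mutual trust between the access point and the RADIUS server. The Python example below, added here and not taken from the lesson, shows the mechanism RFC 2865 actually uses for that: the server's reply carries a Response Authenticator computed over the packet and the shared secret, and the access point recomputes it before accepting the reply. The packet layout and attribute types are those of RFC 2865; the shared secret, username and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_REPLY_MESSAGE = 1, 18
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)

# Constructed shared secret; each AP/RADIUS server pair is configured with its own.
SHARED_SECRET = b"example-shared-secret-not-for-production"


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length octet counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code: int, identifier: int, authenticator: bytes, attributes: bytes) -> bytes:
    """Assemble a RADIUS packet: fixed 20-octet header followed by attributes."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return header + authenticator + attributes


def build_access_request(identifier: int, username: str, request_auth: bytes = None):
    """Access point (RADIUS client) side.

    The Request Authenticator is 16 random octets; the server must fold them
    into its reply, which ties the reply to this specific request.
    """
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = encode_attribute(ATTR_USER_NAME, username.encode("utf-8"))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, identifier: int, request_auth: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """RADIUS server side: bind the reply to the request and the shared secret."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    return build_packet(code, identifier, auth, attributes)


def verify_response(response: bytes, expected_identifier: int,
                    request_auth: bytes, secret: bytes) -> bool:
    """Access point side: accept a reply only if it answers our request and
    was produced by a server holding the same shared secret."""
    if len(response) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != expected_identifier:
        return False
    attributes = response[HEADER_LEN:]
    expected = response_authenticator(code, identifier, attributes, request_auth, secret)
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


if __name__ == "__main__":
    request, req_auth = build_access_request(7, "alice")
    reply = build_response(ACCESS_ACCEPT, 7, req_auth,
                           encode_attribute(ATTR_REPLY_MESSAGE, b"Welcome"), SHARED_SECRET)
    print("genuine reply accepted:", verify_response(reply, 7, req_auth, SHARED_SECRET))
    # A server configured with a different secret cannot produce a valid reply.
    forged = build_response(ACCESS_ACCEPT, 7, req_auth, b"", b"some-other-secret")
    print("reply from wrong secret accepted:", verify_response(forged, 7, req_auth, SHARED_SECRET))
```

A reply computed with a different secret, a reply to a different request identifier, or a reply whose attributes were altered in transit all fail `verify_response`, which is the concrete meaning of "mutual trust" in this protocol. Note that the construction is MD5 over a shared secret, a 1990s design; deployments that carry RADIUS across untrusted segments typically wrap it in IPsec or use RADIUS over TLS (RadSec, RFC 6614) rather than rely on the secret alone.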

TACACS+ (Terminal Access Controller Access Control System Plus) 

TACACS+ is another AAA protocol, developed by Cisco, but is also supported by many third-party systems. TACACS+ is often used for administrative access to networking devices. 

Use cases

  • Authenticating administrative access to routers, switches, and access points. 

  • While RADIUS is typically used for wireless and VPN authentication, TACACS+ is commonly used for device management.

Key Features

  • Supports granular control over what commands a user can execute on a device. 

  • Provides separate control for authentication, authorization, and accounting, allowing for detailed policy configurations.

Kerberos 

Kerberos is a protocol that supports single sign-on (SSO) and is often used in Windows domain networks. It allows users to authenticate once and gain access to multiple services without re-entering credentials. 

How Kerberos Works

  • A user account authenticates to a domain controller (DC) using the Kerberos protocol. 

  • Kerberos provides tickets that grant the user access to resources and application servers based on their permissions. 

Application in Wireless Networks

  • Although access points do not directly support Kerberos, RADIUS or TACACS+ is used to tunnel Kerberos credentials. 

  • Through this tunneling, a wireless client can authenticate to a domain controller and benefit from SSO.

Summary of Protocol Usage: 

  • RADIUS: Primarily used for authenticating wireless and VPN users, forwarding user credentials to an AAA server. 

  • TACACS+: Best for managing administrative access to network devices like routers and switches, offering more detailed control over command execution. 

  • Kerberos: Commonly used in Windows domain networks for single sign-on, although indirectly supported by access points via RADIUS or TACACS+ tunneling. 

Each of these protocols plays a vital role in ensuring secure, efficient enterprise authentication. 

Summary: 

You're doing great! By exploring and comparing these wireless security protocols and authentication methods, you're building a strong foundation for understanding how to keep networks secure. WPA2 and WPA3 are key players in modern Wi-Fi security, offering robust encryption methods like AES and improved features like SAE for even stronger protection. Moving to enterprise authentication introduces additional protocols like RADIUS, TACACS+, and Kerberos, each offering specialized security solutions that ensure safe, efficient network access. Keep up the great work—mastering these concepts puts you on track for success!