Tuesday 3 July 2012

Wireless Security part 2 - Inc RADIUS

RADIUS:
Some benefits of RADIUS are:
Authorisation
Centralised access and control of that access
Accounting supervision - including client network access and rights
Recording access attempts

Encryption:
The basic encryption process takes plain text and scrambles it using a cipher, which produces cipher text. Types of ciphers include stream ciphers, which perform modifications on each bit of data, and block ciphers, which perform the modifications on a block of data.

Symmetric and Asymmetric Encryption:
Symmetric encryption is faster than asymmetric encryption because it requires less processing power. The disadvantage is that it is less secure.

Key Management:
There are 2 methods: a common key across all users, or a unique key for each user. An issue with individual keys arises with unicast and broadcast/multicast traffic. Individual keys can be generated in 2 ways: either individual keys are configured on the client and APs, or they are derived from a common key and generated for each session the user has with the AP.
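
As an added example (not from the original post), this sketch shows the second approach, a per-session key derived from a common key, using the WPA2/802.11i pairwise key derivation: the session key is computed from the shared master key, both MAC addresses and a fresh nonce from each side. The master key, MAC addresses and nonces below are constructed sample values.

```python
import hashlib
import hmac
import os

LABEL = b"Pairwise key expansion"  # label used by 802.11i for the pairwise key


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce, length=48):
    """Per-session pairwise key from the common key, both MACs and both nonces."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, LABEL, data, length)


def split_ptk(ptk: bytes) -> dict:
    """48-byte layout used with AES-CCMP: confirmation, encryption, data keys."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def demo() -> dict:
    pmk = bytes(range(32))                    # constructed common (master) key
    ap = bytes.fromhex("020000000001")        # constructed AP MAC
    client = bytes.fromhex("020000000002")    # constructed client MAC
    sessions = {}
    for name in ("session 1", "session 2"):
        # Fresh random nonces per association give a fresh key per session.
        ptk = derive_ptk(pmk, ap, client, os.urandom(32), os.urandom(32))
        sessions[name] = split_ptk(ptk)["tk"].hex()
    return sessions


if __name__ == "__main__":
    for name, tk in demo().items():
        print(name, "data key:", tk)
```

Because the nonces change on every association, two sessions by the same client never share a data key even though the common key stays the same.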

Encryption methods:
There are 2 types of encryption methods used: TKIP and AES. Prior to these there was only RC4 with static keys, which is insecure and should not be used.
TKIP was a replacement for WEP. It is essentially a wrapper around WEP with enhanced 128-bit encryption, but it is made more secure by the following:
It changes the key for each packet. The packet's key is made up of 3 things: a base key, the transmitting device's MAC address, and the packet serial number. This is important because the serial number is a 48-bit number which cycles, so replay attacks, where a hacker reuses an old serial, are mitigated. The base key is also a unique value, so it can't be reused either.
AES is used in the WPA2 and 802.11i standards. It uses 128-bit data encryption. AES is a block cipher.


The 4 improvements of WPA:
Larger initialisation vector (IV) - increases the level of randomness making the encryption harder to crack
Message integrity check
Key management using 802.1X
Unicast and broadcast key management


Centralised Key Management:
This is a benefit of 802.11i and WPA2. As a client roams, the reauthentication can often take long enough to break the application's connections. Two items which mitigate this are key caching (the AP caches the credentials of the client, so if it roams away and back the AP already has the details) and preauthentication (if a client and an AP come close, but not close enough to associate, the authentication process is performed anyway, so that if the client comes within range later the authentication is much quicker).


802.11i:
WPA2 was built with 802.11i in mind. When 802.11i was fully ratified, some features were added:
A list of EAP methods that can be used
AES-CCMP instead of RC4
Better key management, for example the master key can be cached permitting a faster reconnect for clients


If performing an upgrade from TKIP to AES, the same keys can be used.


TKIP is used to encrypt data in WPA, whereas AES or TKIP can be used in WPA2 or 802.11i.
