Thursday, March 19, 2015

Wireless - Authentication vs Encryption terminology

Sorry, It has been a few days since I posted here.  I need to do a better job logging the things I run across and am studying for the Comptia Security + cert.  So I took video course with CBT Nuggest 2 weeks ago for Comptia Security +.  I then started working on some practice exams while using the Cert Guide by David L. Prowse for SY0-401.  The book is frankly neck deep in material that appears to sometimes be overboard and other times it seems to gloss over the topic and I have run into the material in the practice exams and I wanted more info.  So I am finding that I am having to use StartPage to hunt down what I am looking for and hoping that the Wiki's and other online resources don't lead me astray. 

Today I want to very briefly talk about the alphabet soup of wireless authentication, and encryption.  In the course of working through the practice tests I found that I am getting more and more confused as references to older technologies is tested in the tests, and the ambiguous wording in the questions that make you scratch your head and make assumptions about what they are talking about.  It is quite frustrating to be honest.  Worse yet the lines seemed to have blurred in the test when asking about the technology that is used or should be used given a scenario.  There is not way to encompass this entire topic when there are so many methods out there, but I wanted to just point out a careful distinction that you must make when looking at wireless access. 

First is are we talking about a home or small business?  Or are we talking about a larger establishment with a number of access points and requirements to authenticate to get into the network? 

Home or Small business:
In a home or small business you are not looking for a complex authentication system that allows you access to the network.  In this case you will configure your wireless access for the strongest security method that your equipment(wireless access point) can handle.  WPA2 is currently the most recent wireless standard with the strongest possible security options.  Of the WPA2 you will likely see WPA2-PSK or WPA2-Enterprise.  For a home or small business we will select the WPA2-PSK.  The PSK refers to a pre-shared key.  This key will be configured on your wireless access point and your client computer.  If your access point does not support WPA2 then choose WPA-PSK.  If you don't have that as an options then I HIGHLY recommend you consider upgrading your wireless access point. 

Hopefully you have WPA2-PSK as an option.  Now we have to select an encryption method to be used.  In other words how will the traffic that is transmitted and received from the wireless access point be protected from prying eyes?  There will be typically be two options.  TKIP or AES.  TKIP is the older standard that was used to replace WEP encryption.  TKIP uses a stronger 128 bit shared key over the 40bit or 108bit WEP keys that used to be used and were easily cracked due to weak initialization vectors in the WEP protocol.  So lets avoid WEP completely.  TKIP is better than the WEP as they corrected much of the initialization vector issues and made the key much longer and stronger.  However it can still be brute force attacked, and it is a shared key that the wireless access point has and that your client machine must have for access to be granted.  TKIP has been deprecated and has known weaknesses.  You should not use TKIP unless you don't have any other options.  TKIP is 128 bit shared key in the case of WPA2-TKIP.

WPA2-PSK with AES is 128, 192, 256 bit depending on what your hardware is capable of supporting.  AES is considered the most secure cryptography at this time for WPA2 encryption.  This is why you should select WPA2-PSK(AES) for your encryption method. 

PSK means it is a shared key that is stored on the wireless access point and your client.  It isn't the most secure method available, but will work well for home or small business use where you don't need the headache and work of setting up a authentication server to validate and authenticate users on the network.

For Business and larger organizations:
You should be using not only a stronger encryption like AES as we just discussed, but you should be enforcing authentication to get on the network.  To so this you should be using WPA2-Enterprise instead of WPA2-PSK.  Enterprise means that we are going to send your connection requests to get on the network to an Authentication, Authorization, and Accounting server called RADIUS or DIAMETER to look up your credentials and determine if your access is allowed or denied. 

Now I feel it is important to note that there are two separate things we are talking about here.  One is encryption which is how will we handle the traffic on the network once your connected?  How will we protect it?  That is where AES comes into the picture.  HOWEVER, you first have to authenticate and be given access to the network.  That is where a new acronym soup comes into play.  The protocol framework for authentication is known as EAP.  That is a generic term and not the specific type of EAP to be used... And yes there are a BUNCH of them which really adds to the confusion when you start trying to take tests regarding how this technology works back in the day, and how it works today. 

EAP = Extensible Authentication Protocol

The standard for authenticating on the network with a Radius server is called 802.1x.  Now here is where the SOUP gets thick and the chaos of these EAP methods can drive you crazy.  Let's just summarize shall we and say that there are 3 main types to note:


Under these protocols there are different technologies used to secure the authentication.

LEAP is Lightweight EAP and is a CISCO technology and not supported by Microsoft.  It is common, but even CISCO does not recommend using LEAP any longer.
EAP - TLS and TTLS are variations of TLS.  TLS uses server and client certificates to authenticate.  TTLS only uses a server side certificate and is not widely supported at this time.  EAP does not protect the username and password info that is exchanged.
PEAP - Is Protected EAP and has encrypted the username and password.  There are several methods of using PEAP, PEAP-MSCHAPV2 which encrypts the password, but MS-CHAPV2 has been cracked. PEAP-TLS uses transport layer security to use certificates for the client and server to authenticate.

PEAP-TLS builds a TLS tunnel and then uses MS-CHAPV2 to authenticate in the encrypted tunnel.   Why is this important?  By authenticating the client and the server with certificates for the TLS tunnel you are not likely to have anyone who can spoof a client or a server thus ensuring that the connection is secure and it is being made with the correct systems. 

Comptia Security + practice tests:
The questions that are being asked in the practice tests for this exam are all over the map, they are not clear, and many times your left with a chaotic soup of methods for both encryption and for authentication that start to run together and frankly don't make sense.  After enough Startpage searches and reading it finally started to sink in to my head and now I just need to watch carefully in the tests are we talking about authentication or encryption.

Next sort out in your mind what are the methods for authentication and keep reviewing them until you have a handle on the types and how it is implemented and the weaknesses.  I am still reading, reviewing and trying to make sure I have it clear in my mind because the questions are not very clear and the jumble of junk they throw at you makes it very easy to get confused.

Same thing is true with the encryption standards.  Make sure you understand the encryption being used and for which type of application.  They LOVE to jumble block and cipher encryption together, and they love to mix hashing technologies in there and try to jumble things up intentionally and the questions are worded in such a way that your not sure if they are talking about a hash or encryption.

So I thought I would share my observations and hope you find this helpful.  There are several areas like this in the Comptia Security + tests that make things confusing.  I will post on another topic as soon as I have some free time.  The goal is to have my test done before March 30th when I have another training class starting for Cisco.  So I want this wrapped up and completed before then so I am not jumbling two classes into my already taxed brain!  LOL

Remember to harden those systems, apply those patches... and Always stay vigilant!

No comments:

Post a Comment