Encryption and access control are crucial for maintaining security on our wireless networks. In this video, you’ll learn about WPA2, CCMP, access control protocols, and more.
Security on a wireless network has its own set of challenges. The first is that everyone can hear what’s going on. Every device that has a wireless card can listen and send traffic over that wireless network. Since everyone can hear what’s going on, the obvious solution is that we need to encrypt the communication that we’re sending out over this wireless network.
On some wireless networks, there’s a shared password that everyone uses. On other wireless networks, it may be configured that every user has their own password. Whether it’s a shared encryption key or one that’s specific to a user, you have to have these keys to be able to send information over these wireless networks.
Two common forms of encryption on wireless networks are WPA and WPA2. WPA stands for Wi-Fi Protected Access, and the first iteration of WPA was created in 2002. It was built as a replacement after some significant cryptographic vulnerabilities were found in the WEP type of encryption. WEP is Wired Equivalent Privacy, and it’s so insecure that you want to be sure you’re never using WEP on your wireless networks.
The problem was that we knew that WEP was not going to be a valid type of encryption. But we also didn’t know what a good long-term solution would be. So we needed some type of stopgap. And that’s where WPA was created. This was a type of encryption that would run on the existing hardware that we had in 2002. But it would still provide a level of security that was above the capabilities of WEP.
The final combination of technologies that made up WPA was encryption with RC4 and an integrity protocol called TKIP, the Temporal Key Integrity Protocol. One of the problems we found with WEP was that the IV, or Initialization Vector, was relatively small. So with WPA, we increased the size of the IV and added an encrypted hash. We also made sure that every packet with WPA had a 128-bit encryption key so that it would be as secure as possible.
TKIP brought a number of capabilities to WPA encryption. One was that it allowed the mixing of a secret root key with the initialization vector. It also provided a sequence counter, which made it impossible to replay this traffic through the wireless network. And it added a 64-bit message integrity check to make sure that none of the data had been tampered with as it went across the wireless network. Unfortunately, we found a number of vulnerabilities with TKIP, and this particular standard was removed from 802.11 in 2012.
Fortunately, by the time we were deprecating WPA, most people were already using its successor, WPA2. We started using WPA2 in 2004. It replaced RC4 with AES for encryption, and it replaced TKIP with CCMP, which is the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol.
CCMP is what is known as a block cipher mode. That means it takes a 128-bit block of data and sends it through the cipher. It usually combines this with AES to encrypt the data using a 128-bit key. This has significantly larger computing requirements than WPA, so we usually had to replace our access points to be able to use WPA2.
CCMP also includes some additional capabilities. Not only are we getting data confidentiality with AES, but CCMP also includes authentication, so we know exactly who’s sending the information, and access control to limit who’s able to use the wireless network.
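The counter-mode-plus-CBC-MAC construction that CCMP is built on, as an added example in Go (not code from the video or from any vendor's wireless implementation). It follows the RFC 3610 block layout with CCMP's parameters (AES-128, 8-byte MIC, 13-byte nonce, 2-byte length field) and shows the two properties described above: the payload is encrypted with AES in counter mode, and a MIC computed with CBC-MAC over the header and the payload is checked before any plaintext is released. The key, nonce and header are constructed sample values; real CCMP derives the nonce from the transmitter address and a 48-bit packet number and authenticates specific 802.11 header fields, which this example does not reproduce, and the output has not been checked here against the RFC's published test vectors.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	micLen   = 8  // CCMP uses an 8-byte MIC (M = 8 in RFC 3610 terms)
	nonceLen = 13 // 15 - L, with L = 2 bytes of length field
	bs       = 16 // AES block size
)

// pad16 appends zero bytes until len(b) is a multiple of the block size.
func pad16(b []byte) []byte { return append(b, make([]byte, (bs-len(b)%bs)%bs)...) }

// ccmMIC runs CBC-MAC (zero IV) over B0, the length-prefixed header and the
// payload, laid out as in RFC 3610 section 2.2, and returns the 8-byte tag.
func ccmMIC(block cipher.Block, nonce, header, payload []byte) []byte {
	b0 := make([]byte, bs)
	b0[0] = byte((micLen-2)/2)<<3 | byte(2-1) // M' and L' fields
	if len(header) > 0 {
		b0[0] |= 0x40 // Adata flag: the header is authenticated too
	}
	copy(b0[1:1+nonceLen], nonce)
	binary.BigEndian.PutUint16(b0[14:], uint16(len(payload)))
	auth := b0
	if len(header) > 0 {
		auth = pad16(append(append(auth, byte(len(header)>>8), byte(len(header))), header...))
	}
	auth = pad16(append(auth, payload...))
	x := make([]byte, bs) // X_{i+1} = E(X_i xor B_i), starting from zero
	for i := 0; i < len(auth); i += bs {
		for j := 0; j < bs; j++ {
			x[j] ^= auth[i+j]
		}
		block.Encrypt(x, x)
	}
	return x[:micLen]
}

// ctrXOR XORs src with keystream blocks E(A_i), A_i = L' || nonce || i, starting
// at counter first: 0 masks the MIC, 1 and up encrypt the payload.
func ctrXOR(block cipher.Block, nonce, src []byte, first uint16) []byte {
	out := make([]byte, len(src))
	for i := 0; i < len(src); i += bs {
		a := make([]byte, bs)
		a[0] = 2 - 1 // L' only; counter blocks carry no Adata or M' bits
		copy(a[1:1+nonceLen], nonce)
		binary.BigEndian.PutUint16(a[14:], first+uint16(i/bs))
		block.Encrypt(a, a)
		for j := 0; j < bs && i+j < len(src); j++ {
			out[i+j] = src[i+j] ^ a[j]
		}
	}
	return out
}

// ccmSeal returns ciphertext || encrypted MIC for a payload of at most 65535 bytes.
func ccmSeal(key, nonce, header, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(nonce) != nonceLen || len(payload) > 0xFFFF {
		return nil, errors.New("bad key, nonce or payload length")
	}
	ct := ctrXOR(block, nonce, payload, 1)
	mic := ctrXOR(block, nonce, ccmMIC(block, nonce, header, payload), 0)
	return append(ct, mic...), nil
}

// ccmOpen decrypts and verifies; on a MIC mismatch it returns no plaintext at all,
// which is what a receiver must do for the integrity check to mean anything.
func ccmOpen(key, nonce, header, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(nonce) != nonceLen || len(sealed) < micLen {
		return nil, errors.New("bad key, nonce or ciphertext length")
	}
	n := len(sealed) - micLen
	payload := ctrXOR(block, nonce, sealed[:n], 1)
	mic := ctrXOR(block, nonce, sealed[n:], 0)
	if subtle.ConstantTimeCompare(ccmMIC(block, nonce, header, payload), mic) != 1 {
		return nil, errors.New("MIC check failed: frame altered or wrong key")
	}
	return payload, nil
}

func main() {
	key, nonce, hdr := []byte("0123456789abcdef"), []byte("constructed-n"), []byte("hdr") // constructed values
	sealed, _ := ccmSeal(key, nonce, hdr, []byte("hello over the air"))
	pt, err := ccmOpen(key, nonce, hdr, sealed)
	sealed[0] ^= 1 // flip one ciphertext bit; the MIC check now fails
	_, err2 := ccmOpen(key, nonce, hdr, sealed)
	fmt.Printf("decrypted %q (err=%v); after tampering: %v\n", pt, err, err2)
}
```

Flipping a single ciphertext bit, changing the authenticated header, or decrypting with the wrong key all fail the MIC check, and because the comparison is constant-time and nothing is returned on failure, a receiver built this way gives an observer no partial plaintext to work with. This is the part of CCMP that gives the "integrity" the video contrasts with plain confidentiality; the per-frame packet number that prevents replay sits outside this construction.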
To configure the type of wireless encryption you’re going to use in your network, you usually make these changes on your wireless router or your wireless access point. One configuration you can choose is an open system. That means there’s no encryption. There’s no requirement to have a passphrase or any type of access control. And anyone would have access to your wireless network.
If this is an access point in your home, it’s usually common to configure WPA2-Personal. You may see this referred to as WPA2-PSK, which is referring to a pre-shared key. This would be a key that you would give to everyone on your network that would allow them access to the wireless network.
If you’re in a business or company, you’re probably using WPA2-Enterprise. You might see this referred to as WPA2-802.1X. This is usually providing authentication with a user’s personal username and password. And it’s usually using something like RADIUS or TACACS to be able to authenticate across a centralized database. This makes it much easier for the system administrator who needs to add or remove users from the wireless network. They can simply enable or disable accounts and not have to manage any other passphrases for the wireless network.
With 802.1X, there’s usually a centralized authentication server that’s storing all the username and password information. So a user may be connecting in from the internet to an access point, a VPN concentrator, or a firewall. And they’ll be sending in their username and password to that device.
At that point, the device will then take that authentication, pass it down to the authentication server, and confirm that the username and password is correct. If it is correct, the credentials will be approved. And that client can then communicate to the services on the inside of the network.
This communication that takes place between this device and the authentication server is using some type of well-known authentication protocol, such as RADIUS or TACACS. RADIUS stands for Remote Authentication Dial-in User Service. And although it has “dial-in” in the name, this is a very common protocol to use for any type of authentication on a network.
It’s commonly referred to as an AAA protocol, which stands for authentication, authorization, and accounting. This allows you to centralize authentication on one single server and then have switches, VPN concentrators, or wireless access points communicate and authenticate to that AAA server using the RADIUS protocol. This is very commonly seen on wireless networks that are using 802.1X. You’ll find RADIUS is already built into many operating systems and network appliances, making it a very common authentication protocol.
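The 802.1X exchange described above, reduced to the two RADIUS messages that pass between the access point and the authentication server, as an added Go example (not code from the video or from any RADIUS implementation). It shows how the User-Password attribute is hidden with the shared secret and the Request Authenticator (RFC 2865 section 5.2), how the server signs its Access-Accept or Access-Reject with a Response Authenticator, and the check the access point must make before it trusts the reply. The shared secret, user database and password are constructed sample values; the UDP transport (port 1812) and every other attribute are left out.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// RFC 2865 packet codes and attribute types used below.
const (
	accessRequest = 1
	accessAccept  = 2
	accessReject  = 3
	attrUserName  = 1
	attrUserPass  = 2
)

// packet is a minimal RADIUS packet holding only the two attributes this
// exchange needs; encode lays them out as type/length/value on the wire.
type packet struct {
	code, id     byte
	auth         [16]byte
	user, hidden []byte
}

// encode writes the RFC 2865 layout: Code, ID, Length, Authenticator, Attributes.
func (p *packet) encode() []byte {
	out := append([]byte{p.code, p.id, 0, 0}, p.auth[:]...)
	if p.user != nil {
		out = append(append(out, attrUserName, byte(2+len(p.user))), p.user...)
	}
	if p.hidden != nil {
		out = append(append(out, attrUserPass, byte(2+len(p.hidden))), p.hidden...)
	}
	binary.BigEndian.PutUint16(out[2:], uint16(len(out)))
	return out
}

// xorPassword is the RFC 2865 section 5.2 User-Password transform: each 16-byte
// chunk is XORed with MD5(secret || prev), prev being the Request Authenticator
// first and then the previous hidden chunk. Anyone holding the secret can reverse it.
func xorPassword(secret []byte, reqAuth [16]byte, in []byte, hiding bool) []byte {
	padded := make([]byte, (len(in)+15)/16*16)
	copy(padded, in)
	out := make([]byte, len(padded))
	prev := reqAuth[:]
	for i := 0; i < len(padded); i += 16 {
		b := md5.Sum(append(append([]byte{}, secret...), prev...))
		for j := 0; j < 16; j++ {
			out[i+j] = padded[i+j] ^ b[j]
		}
		prev = padded[i : i+16] // when revealing, the input chunk is the hidden one
		if hiding {
			prev = out[i : i+16]
		}
	}
	return out
}

// responseAuth is MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
func responseAuth(secret []byte, reqAuth [16]byte, reply *packet) [16]byte {
	tmp := *reply
	tmp.auth = reqAuth
	return md5.Sum(append(tmp.encode(), secret...))
}

// serverHandle plays the RADIUS server: reveal the password, check the user
// database, and sign the reply with the shared secret.
func serverHandle(secret []byte, users map[string]string, req *packet) *packet {
	reply := &packet{code: accessReject, id: req.id}
	want, known := users[string(req.user)]
	got := bytes.TrimRight(xorPassword(secret, req.auth, req.hidden, false), "\x00")
	if known && subtle.ConstantTimeCompare(got, []byte(want)) == 1 {
		reply.code = accessAccept
	}
	reply.auth = responseAuth(secret, req.auth, reply)
	return reply
}

// clientVerify is the access point's check: same ID as its request, and a
// Response Authenticator that only a holder of the secret could have produced.
func clientVerify(secret []byte, req, reply *packet) bool {
	want := responseAuth(secret, req.auth, reply)
	return reply.id == req.id && subtle.ConstantTimeCompare(want[:], reply.auth[:]) == 1
}

func main() {
	secret := []byte("constructed-shared-secret") // constructed sample value
	users := map[string]string{"alice": "correct horse"}
	req := &packet{code: accessRequest, id: 7, user: []byte("alice")}
	rand.Read(req.auth[:]) // fresh Request Authenticator for every request
	req.hidden = xorPassword(secret, req.auth, []byte("correct horse"), true)
	reply := serverHandle(secret, users, req)
	forged := &packet{code: accessAccept, id: req.id} // built without the secret
	fmt.Println("accepted:", reply.code == accessAccept, "reply verified:", clientVerify(secret, req, reply))
	fmt.Println("forged reply verified:", clientVerify(secret, req, forged))
}
```

The forged Access-Accept fails clientVerify because its authenticator cannot be computed without the secret, which is the check that stops a reply injected by someone on the path from admitting a client. The same secret is all that protects User-Password, so it has to be long and random, and the RADIUS traffic between access points and the server belongs on a protected management network rather than the user-facing one.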
If a device doesn’t support RADIUS, then it probably will support TACACS. TACACS stands for Terminal Access Controller Access-Control System. This is a protocol that was designed to control access to the dial-up lines at ARPANET. So it’s a protocol that’s been around for a very long time.
There’s a newer version of TACACS called TACACS+. And in the industry whenever we say that we’re using TACACS, we’re really referring to this TACACS+ version. This was made an open source standard in 1993. And there are many different operating systems and network devices that can use TACACS as an authentication protocol.