5.9 Describe wireless security protocols (WPA, WPA2, and WPA3)

How do we keep our wireless network secure when we are sending bits of data out in the air that anybody with a packet sniffer can pick up?  The goal of security is four-fold:

  • Ensure that only authorized users can access the network and ensure that each user has access to only the resources that he needs.
  • Ensure that users connect to the legitimate network and not to a fake SSID that is pretending to be part of the real network (a rogue AP).
  • Keep the data secure so that unauthorized users can’t view it.
  • Keep the data intact so that it is not tampered with on its way to the destination.

The most basic type of security requires the user to enter a passcode when connecting to an SSID.  All users are given the same passcode and it is not possible to determine which users connected or when.  An unauthorized user who knows the passcode can also connect.

The second type of security requires the user to enter a username and password when connecting to the network.  The LAP or WLC verifies the username and password with a central database like Active Directory or RADIUS.  It is less likely that an unauthorized user will guess the correct username and password combination.  Also, we can determine which users have connected to the network, monitor their activities, and provide them with access to only the resources that they require.

What if I set up a fake LAP and used it to broadcast the same SSID as your real network?  Your users would connect to it, thinking that it is the real thing.  I could capture data from your users.  I could also forward the data to a real LAP so that users don’t notice that they have connected to a fake LAP.  This is called a man-in-the-middle attack.

If I just wanted to be annoying, I could send signals to clients connected to legitimate LAPs which tell them to disconnect from the LAPs.  These signals are called management frames.
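One way to watch for the two problems described above, as an added example that is not part of the original page: it flags beacons that advertise our SSID from a BSSID outside our inventory, and clients that receive a burst of disconnect (deauthentication) frames.  The SSID, MAC addresses, thresholds and observation records are all constructed for illustration.

```python
from collections import defaultdict

# Hypothetical inventory of our own APs: SSID -> authorized BSSIDs
AUTHORIZED = {"CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

# Constructed observations: (seconds, frame kind, transmitter BSSID, SSID or target client)
FRAMES = [
    (0.0, "beacon", "00:11:22:33:44:01", "CorpWiFi"),
    (0.1, "beacon", "00:11:22:33:44:02", "CorpWiFi"),
    (0.2, "beacon", "de:ad:be:ef:00:01", "CorpWiFi"),    # our SSID, unknown BSSID
    (0.3, "beacon", "66:77:88:99:aa:bb", "CoffeeShop"),  # neighbour, not our SSID
    (5.0, "deauth", "00:11:22:33:44:01", "aa:aa:aa:aa:aa:01"),  # single disconnect
] + [(10.0 + i * 0.1, "deauth", "00:11:22:33:44:02", "aa:aa:aa:aa:aa:02") for i in range(8)]

def rogue_aps(frames, authorized):
    """(SSID, BSSID) pairs that advertise one of our SSIDs but are not in our inventory."""
    return sorted({(ssid, bssid) for _, kind, bssid, ssid in frames
                   if kind == "beacon" and ssid in authorized
                   and bssid not in authorized[ssid]})

def deauth_bursts(frames, window=1.0, threshold=5):
    """Clients that received at least `threshold` deauth frames within `window` seconds."""
    times = defaultdict(list)
    for ts, kind, _, client in frames:
        if kind == "deauth":
            times[client].append(ts)  # counted per target client
    flagged = []
    for client, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(client)
                break
    return sorted(flagged)
```

A matching BSSID is not proof that an AP is legitimate; the certificate check described at the end of this page is what the client should rely on.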

How do we keep the data secure between each host and the LAP?  Each LAP and each host encrypts data right before it transmits it, and decrypts data upon receipt.  A LAP (an entire wireless network actually) will only support one form of encryption, but each client chooses a unique encryption key to communicate with the LAP so that other users cannot read its communication.

There are several forms of encryption:

  • Open Authentication.  We do not encrypt any data.  Anybody who wants to connect to our network can.
  • WEP or Wired Equivalent Privacy.  The client must enter a password (known as a WEP key) to connect to the wireless network.  The client and LAP use the WEP key to choose an encryption key.  The data between the client and the LAP is encrypted with the chosen key.  All the clients must use the same WEP key, which must be shared ahead of time.

    WEP has been broken and is not considered secure.  We should not use WEP.
  • 802.1x/EAP or Extensible Authentication Protocol.  When WEP was introduced, it was considered the standard for encryption, and network devices were built around it.  When it became insecure, administrators were left panicking because their devices had to be replaced.

    Thus, EAP was invented.  EAP lets a host authenticate with a network, but the host and the network can choose their own authentication method within EAP.  That way, if some of the authentication methods become insecure, we can choose new ones and continue to use EAP, without having to replace the network devices.

    Using EAP, a client can associate with a WAP, but is not allowed to access deeper parts of the network until it is authenticated.  This is different from WEP where a client can authenticate with the WAP.

    There are three devices:
    • The supplicant is the client that chooses to connect to the LAN/WAN.  It could be a laptop, desktop, smartphone, tablet, or other computing device.
    • The authenticator is a network device that allows/denies access.  It could be a switch, a router, a firewall, or a proxy server.  In the Wi-Fi case, it is probably a WLC.
    • The authentication server is a server that decides whether a device or user should be granted access.

    The procedure:
    • The supplicant connects to the network.
    • The authenticator (switch) detects the new supplicant and automatically sets the port to an unauthenticated state.  Only traffic related to 802.1X is permitted.
    • The authenticator sends frames to the supplicant.  These frames demand that the supplicant provide credentials such as a user ID.  The frames are sent on the local network segment to a specific address (01:80:C2:00:00:03).  The supplicant listens for messages on this address.
    • The supplicant replies to the message with an EAP-Response Identity frame.
    • The authenticator sends the supplicant’s response to an authentication server.
    • The authentication server and the supplicant negotiate an authentication method.  The server and the supplicant may support different methods and must agree on one.  The negotiation messages are transported through the authenticator.
    • The authentication server attempts to authenticate the supplicant.  If successful, the authenticator changes the port status to authorized.  If unsuccessful, the authenticator keeps the port as unauthorized.
    • When the supplicant logs off or is disconnected, the authenticator changes the port status back to unauthorized.  When the supplicant logs off, it sends an EAPOL-Logoff message to the authenticator.
  • Lightweight Extensible Authentication Protocol or LEAP.  LEAP was developed by Cisco to plug the hole created by WEP.  The client must provide a username and password, which are checked by the authentication server.  The server authenticates the client and the client authenticates the server.  LEAP used WEP to encrypt the traffic but changed the keys every few minutes.  Eventually, LEAP was found to be insecure, but it can still be configured on a Cisco WAP.
  • After LEAP, Cisco developed EAP-FAST, or Flexible Authentication via Secure Tunneling.  The supplicant sends the authentication server a credential called a Protected Access Credential, or PAC.  The PAC is a shared secret that only the server and client know.  This shared secret is generated via the Diffie-Hellman key exchange.  The process:
    • Phase 0: The PAC is generated by the client
    • Phase 1: The client and server authenticate each other and create a tunnel
    • Phase 2: Optionally, the server can authenticate the end user (not just the client hardware).  We call this an inner and outer authentication.
  • PEAP or Protected Extensible Authentication Protocol.  Originally, EAP assumed that communications would be secure; therefore, it did not provide a mechanism to secure the data being transmitted.  PEAP corrects this by providing a secure TLS tunnel. 

    The authentication server has a digital certificate that it presents to the supplicant.  This certificate is signed by a third party (a certificate authority or CA) that the supplicant and authentication server trust.  Since the supplicant trusts the CA, it trusts the certificate signed by the CA, and therefore, it trusts the authentication server.  We want to make sure that we have connected to a legitimate authentication server and not a fake, so that we don’t provide the fake server with our username and password.

    How does the server know that the client is legitimate?  Once the client and the server have established a TLS tunnel, they can use a second authentication method to verify the identity of the user.  PEAP permits the use of MSCHAPv2, or Microsoft Challenge Authentication Protocol version 2, or GTC or Generic Token Card.
  • EAP-TLS or EAP-Transport Layer Security uses TLS (Transport Layer Security) as its protocol.  All wireless manufacturers support EAP-TLS, and it is considered secure.

    The authentication server maintains a certificate and every client device maintains a certificate.  To establish a connection, the authentication server and the supplicant must exchange certificates and then create a TLS tunnel.  Again, these certificates are usually signed by a third party.

    Once we have a secure tunnel, we can authenticate a user through the tunnel.

    The problem with EAP-TLS is that we must install a certificate on each client device.  This is not easily done manually when there are many devices.  We must also be aware that many devices (industrial devices, medical devices, etc.) do not support the use of certificates for authentication.  Thus EAP-TLS is not always a practical option.
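The 802.1X procedure described earlier in this list, as an added example that is not part of the original page: it parses EAPOL frames and tracks the authenticator's port state, keeping the port unauthorized until the authentication server's verdict arrives.  The `Port` class, the helper functions, the supplicant MAC address and the sample frames are constructed for illustration.

```python
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # destination address named in the text
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame: bytes) -> dict:
    """Parse Ethernet + EAPOL (+ EAP) headers; reject truncated or inconsistent frames."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL headers")
    _dst, src, ethertype, _ver, ptype, blen = struct.unpack("!6s6sHBBH", frame[:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    body = frame[18:18 + blen]
    if len(body) != blen:
        raise ValueError("EAPOL body shorter than its length field")
    msg = {"src": src, "eapol": EAPOL_TYPES.get(ptype, "unknown")}
    if ptype == 0:  # EAP-Packet: code, identifier, length, then optional type + data
        if blen < 4:
            raise ValueError("EAP header truncated")
        code, ident, elen = struct.unpack("!BBH", body[:4])
        if not 4 <= elen <= blen:
            raise ValueError("EAP length field inconsistent")
        msg.update(code=EAP_CODES.get(code, "unknown"), id=ident)
        if code in (1, 2) and elen > 4 and body[4] == 1:  # type 1 = Identity
            msg["identity"] = body[5:elen].decode("utf-8", "replace")
    return msg

class Port:  # authenticator's view of one port: unauthorized until the server accepts
    def __init__(self):
        self.authorized, self.identity = False, None
    def from_supplicant(self, frame: bytes) -> dict:
        msg = parse_eapol(frame)
        if msg["eapol"] == "EAPOL-Logoff":
            self.authorized, self.identity = False, None
        elif msg.get("code") == "Response" and "identity" in msg:
            self.identity = msg["identity"]  # relayed to the authentication server
        return msg  # an EAP Success sent by the supplicant itself changes nothing
    def from_server(self, eap_code: str) -> None:
        self.authorized = (eap_code == "Success")  # only the server's verdict counts

# Helpers that build the constructed sample frames (not captured traffic)
def eapol_frame(ptype: int, body: bytes = b"") -> bytes:
    header = struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, ptype, len(body))
    return PAE_GROUP_ADDR + bytes.fromhex("02aabbccddee") + header + body

def eap_packet(code: int, ident: int, data: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data
```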

The recipient also needs to make sure that the message I sent hasn’t been modified.  Before a device sends a message, it creates a fingerprint of the message by performing a specific calculation on its contents.  The fingerprint is sent with the message.  The recipient calculates the same fingerprint upon receipt and compares it with the fingerprint inside the message.  If the results match, then the recipient knows that the message was not modified during transmission.  This is known as integrity.  How can we verify the integrity of the message?  There are several algorithms.

  • TKIP or Temporal Key Integrity Protocol was used to ensure integrity in transmissions over WEP.  TKIP was invented when WEP was found to be insecure, but the industry needed a temporary solution to encrypt wireless transmissions over the existing hardware until a better system could be developed.

    Each time we send a frame, we perform a calculation known as MIC, or Message Integrity Check.  What does the MIC contain?
    • A signature (hash value) of the message contents
    • A time stamp.  We add a time stamp so that a hacker can’t intercept the message and send it again.  If he does, the message will appear to arrive late.
    • The sender’s MAC address
    • The TKIP sequence counter.  Each time the sender creates a new message, it increments the counter by one.  If a hacker intercepts the message and sends it again, the recipient will receive two messages with the same sequence number and will know that the second message was fake.  This prevents a replay attack.

TKIP uses a key mixing algorithm to generate a new WEP key for each frame sent.  It also uses a 48-bit initialization vector which prevents a hacker from brute forcing the frames.  The initialization vector, or IV, is a random set of data that is included in the key generation process.

TKIP is no longer considered secure.
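The integrity check and sequence counter described above, as an added example that is not part of the original page: the receiver recomputes the MIC, then rejects any frame whose counter is not higher than the last one accepted from that sender.  It uses HMAC-SHA256 as a stand-in rather than TKIP's own Michael algorithm, leaves out the time stamp, and the frame layout, key and MAC address are constructed for illustration.

```python
import hashlib
import hmac

MIC_LEN = 8  # bytes of the HMAC kept as the MIC (constructed layout)

def make_frame(key: bytes, sender_mac: bytes, counter: int, payload: bytes) -> bytes:
    """Layout assumed here: sender MAC (6) | counter (6) | payload | MIC (8)."""
    header = sender_mac + counter.to_bytes(6, "big")  # 48-bit sequence counter
    mic = hmac.new(key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
    return header + payload + mic

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.highest = {}  # sender MAC -> highest counter accepted so far

    def accept(self, frame: bytes) -> str:
        if len(frame) < 12 + MIC_LEN:
            return "malformed"
        header, payload, mic = frame[:12], frame[12:-MIC_LEN], frame[-MIC_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
        # Check integrity first: the counter is trusted only once the MIC verifies,
        # otherwise a forged frame could push the counter forward and block real traffic.
        if not hmac.compare_digest(mic, expected):
            return "bad-mic"
        sender, counter = header[:6], int.from_bytes(header[6:], "big")
        if counter <= self.highest.get(sender, -1):
            return "replay"
        self.highest[sender] = counter
        return "ok"

KEY = b"constructed-demo-key"          # sample value, not a real key
SENDER = bytes.fromhex("02aabbccdd01")  # constructed sender MAC
```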

  • CCMP or Counter/CBC-MAC Protocol was developed after TKIP.  It uses two algorithms:
    • AES or Advanced Encryption Standard
    • CBC-MAC or Cipher Block Chaining Message Authentication Code

CCMP is used by WPA2

  • GCMP or Galois/Counter Mode Protocol.  It also uses two algorithms:
    • AES or Advanced Encryption Standard
    • GMAC or Galois Message Authentication Code

GCMP is used by WPA3

After the failure of WEP, the industry (the Wi-Fi Alliance) developed WPA or Wi-Fi Protected Access.  There are three types of Wi-Fi Protected Access (WPA): WPA, WPA2, and WPA3.

While the IEEE was still working on a regulation for protecting Wi-Fi, WPA was created by the Wi-Fi Alliance using the 802.1x authentication and TKIP.  WPA is no longer considered secure.

After the IEEE released 802.11i, the Wi-Fi Alliance used it to create the WPA2 standard, which uses the CCMP algorithm.  WPA2 is the current standard, but WPA3, which uses a better encryption algorithm, has been introduced to replace it.

In summary:

Feature                                                 | WPA          | WPA2         | WPA3
Pre-shared Key Authentication and 802.1x Authentication | Yes          | Yes          | Yes
TKIP Encryption                                         | Yes          | No           | No
Encryption                                              | AES and CCMP | AES and CCMP | AES and GCMP

Providing a user with a pre-shared key is also known as personal mode.  In personal mode, we give each user a key string.  The key string is used by the LAP and the client to exchange data and to generate encryption keys via a four-way handshake.  The key is not transmitted, but if a hacker were to capture the data, he could perform a brute force attack and guess the key.

While personal mode under WPA and WPA2 can be broken, personal mode under WPA3 has forward secrecy and Simultaneous Authentication of Equals.  That means that each message is transmitted with a different key.  If the encryption key is broken, the hacker can only intercept messages that were sent with that key and not new messages or previous messages.

802.1x authentication is called enterprise authentication.  All three versions of WPA support enterprise authentication through the EAP scheme, but no specific EAP method is required.  Enterprise authentication means that a user authenticates through a third-party server such as a RADIUS or Active Directory server.

How can my users determine that they have connected to a legitimate LAP?  We would create a certificate for the network, which is digitally signed by our organization or by a third party.  We configure each end user device to trust this certificate and to only connect to networks that present a trusted certificate.  When an end user device connects to our legitimate network, it verifies the presence of the trusted certificate.

A rogue network will not hold a certificate but might broadcast the same SSID.  When an end user device attempts to connect to a rogue network, it will notice the lack of the signed certificate and refuse to connect.