2.2 Compare and contrast wireless security protocols and authentication methods.

  • Protocols and Encryption
    • Wi-Fi Protected Access 2 (WPA2)
    • WPA3
    • Temporal Key Integrity Protocol (TKIP)
    • Advanced Encryption Standard (AES)
  • Authentication
    • Remote Authentication Dial-In User Service (RADIUS)
    • Terminal Access Controller Access-Control System (TACACS+)
    • Kerberos
    • Multifactor

Protocols and Encryption

There are three parts to Wi-Fi encryption – the protocol, the algorithm, and the key.

  • The protocol is the way that the computer and access point exchange data.  It includes WEP, WPA, WPA2.

  • The algorithm is the equation that the computer and access point use to encrypt/decrypt traffic.  It includes TKIP and AES.

  • The key is a specific set of numbers that your computer and the access point agree on so that other devices can’t decrypt your data.  The key is inserted into the algorithm. 

    You can think of an algorithm like the lock on your door and the key like your key.  You and your neighbor may have the same style of locks but you each have a different key. 

The selection of these parameters generally happens automatically.  Let's look at some protocols:

WEP – Wired Equivalent Privacy

  • Considered weak and shouldn't be used

  • Can be cracked in less than one minute

WPA – Wi-Fi Protected Access

  • When WEP was cracked, the Wi-Fi Alliance quickly developed WPA to protect Wi-Fi networks until a better solution could be implemented

WPA2 – Wi-Fi Protected Access 2

  • Current Wi-Fi encryption protocol

  • When connecting, the user is prompted to enter the WPA key

  • The computer and the access point use the WPA key to generate a new key

  • The new key is used to encrypt traffic between the computer and access point

  • WPA2 uses AES or TKIP to encrypt its data

  • WPA2 is being replaced by WPA3
WPA3 – Wi-Fi Protected Access 3

  • Some devices use WPA3

  • WPA3 uses longer keys and a more secure key-agreement method, Diffie-Hellman key exchange with elliptic curve cryptography

  • This method provides security even on open wireless networks that have no password, such as those in libraries and other public spaces.  Security on an unsecured network!

There are two types of encryption algorithms that can be combined with WPA2:

TKIP – Temporal Key Integrity Protocol

  • Developed in 2004 as a temporary replacement for WEP

  • Considered weak and easily broken

  • Current standards say that it should not be used, but many Wi-Fi devices still use it

AES – Advanced Encryption Standard

  • Current encryption standard in use

Many routers that support WPA2 will use both WPA2-TKIP and WPA2-AES.  Why?  Some older wireless devices do not understand AES.  This ensures that the router can communicate with them over TKIP.
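The WPA2 steps above (the user enters the WPA key, both sides turn it into a new key, and that new key encrypts traffic, sized for either AES or TKIP) can be followed in code. The example below is added here and is not part of the study guide; it implements the WPA2-Personal key derivation defined in IEEE 802.11i: the passphrase and SSID become the Pairwise Master Key (PMK) via PBKDF2, and the PMK plus the nonces exchanged in the 4-way handshake become the Pairwise Transient Key (PTK). The MAC addresses and nonces in the demo are constructed values.

```python
"""WPA2-Personal key derivation (IEEE 802.11i), added example.

The Wi-Fi password is never used directly to encrypt traffic:
  passphrase + SSID  --PBKDF2-->  PMK (256 bits, same for every session)
  PMK + MACs + nonces --PRF-->     PTK (fresh for every connection)
The PTK is 384 bits for AES-CCMP and 512 bits for TKIP, which also
needs two extra Michael MIC keys.
"""
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_802_11(key: bytes, label: bytes, data: bytes, length_bits: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) blocks."""
    out = b""
    i = 0
    while len(out) * 8 < length_bits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: length_bits // 8]


# PTK length depends on the pairwise cipher negotiated for the connection.
PTK_BITS = {"CCMP": 384, "TKIP": 512}


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, cipher: str = "CCMP") -> dict:
    """Expand the PMK into the session PTK and split it into its component keys.

    Ordering the inputs with min()/max() means the access point and the
    station compute the same PTK no matter which side does the arithmetic.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_802_11(pmk, b"Pairwise key expansion", data, PTK_BITS[cipher])
    keys = {
        "KCK": ptk[0:16],   # key confirmation key: signs handshake messages
        "KEK": ptk[16:32],  # key encryption key: wraps the group key
        "TK": ptk[32:48],   # temporal key: encrypts the actual traffic
    }
    if cipher == "TKIP":
        keys["MIC_AP_TO_STA"] = ptk[48:56]  # TKIP Michael MIC keys
        keys["MIC_STA_TO_AP"] = ptk[56:64]
    return keys


if __name__ == "__main__":
    # Constructed demo values (not from any real network).
    pmk = derive_pmk("password", "IEEE")
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = os.urandom(32), os.urandom(32)
    for cipher in ("CCMP", "TKIP"):
        keys = derive_ptk(pmk, ap, sta, anonce, snonce, cipher)
        print(cipher, {name: value.hex() for name, value in keys.items()})
```

Running it twice shows the PMK staying constant while every PTK key changes, because the nonces differ per connection; that is the "new key" the notes describe, and it is why the passphrase itself never travels over the air.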

Authentication

After you connect to the wireless network, the network must verify who you are and decide whether to give you access.  This process is called authentication.  There are several types of authentication.

Single-Factor – Requires a user to enter only a password, or a username and password

Multi-Factor – Requires a user to enter "something else" in addition to the username/password, which could include:

  • A code from a token

  • A biometric scan

  • A certificate from a smart card, or one that is saved to the computer
RADIUS – Remote Authentication Dial-In User Service

  • A RADIUS server provides authentication, authorization, and accounting (AAA) to remote users

    • Authentication: verifies the identity of the remote user

    • Authorization: determines whether the remote user is permitted to connect to the network and what they are allowed to do while connected

    • Accounting: keeps track of when the user connected to the network and what they did

  • RADIUS allows a user to connect to multiple resources via a single username/password

TACACS+ – Terminal Access Controller Access-Control System Plus

  • TACACS+ uses the AAA (Authentication, Authorization, and Accounting) architecture, but each element is separate.  Therefore, a system could use a different form of authentication (such as Kerberos) with TACACS+ authorization and accounting.

Kerberos

  • Kerberos is a protocol that allows clients and servers to authenticate with each other and prove their identities

  • The Kerberos protocol protects against eavesdropping and replay attacks

  • Kerberos uses UDP port 88

  • Kerberos provides encryption over an insecure network