2.2 Compare and contrast wireless security protocols and authentication methods.
- Protocols and Encryption
- Wi-Fi Protected Access 2 (WPA2)
- Temporal Key Integrity Protocol (TKIP)
- Advanced Encryption Standard (AES)
- Remote Authentication Dial-In User Service (RADIUS)
- Terminal Access Controller Access-Control System (TACACS+)
Protocols and Encryption
There are three parts to Wi-Fi encryption – the protocol, the algorithm, and the key.
- The protocol is the way that the computer and access point exchange data. Examples include WEP, WPA, and WPA2.
- The algorithm is the cipher (the mathematical procedure) that the computer and access point use to encrypt and decrypt traffic. Examples include TKIP and AES.
- The key is a specific set of numbers that your computer and the access point agree on so that other devices can’t decrypt your data. The key is inserted into the algorithm.
You can think of an algorithm like the lock on your door and the key like your key. You and your neighbor may have the same style of locks but you each have a different key.
The selection of these parameters generally happens automatically. Let's look at some protocols.
| Protocol | Name | Notes |
|---|---|---|
| WEP | Wired Equivalent Privacy | Considered weak and shouldn't be used. Can be cracked in less than one minute. |
| WPA | Wi-Fi Protected Access | When WEP was cracked, the Wi-Fi Alliance quickly developed WPA to protect Wi-Fi networks until a better solution could be implemented. |
| WPA2 | Wi-Fi Protected Access 2 | Current Wi-Fi encryption protocol. When connecting, the user is prompted to enter the WPA key. The computer and the access point use the WPA key to generate a new key, and that new key is used to encrypt traffic between the computer and the access point. WPA2 uses AES or TKIP to encrypt its data. WPA2 is being replaced by WPA3. |
| WPA3 | Wi-Fi Protected Access 3 | Some devices use WPA3. WPA3 uses longer keys and a more secure encryption algorithm called Diffie-Hellman Key Exchange with elliptic curve cryptography. This algorithm provides security even for unsecured wireless networks such as those in libraries and other public spaces: security on an unsecured network! |
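The WPA2 row above says the computer and the access point "use the WPA key to generate a new key". The following is an added example, not part of the original notes, showing the two steps IEEE 802.11i actually specifies for WPA2-Personal: the passphrase and SSID are stretched with PBKDF2-HMAC-SHA1 into a 256-bit Pairwise Master Key (PMK), and the PMK plus both MAC addresses and the two handshake nonces are expanded with the 802.11i PRF into the per-session Pairwise Transient Key (PTK). The MAC addresses, nonces and the "HomeNet" passphrase in `demo()` are constructed values; only the `password`/`IEEE` pair used in the test is the published 802.11i test vector.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PMK mapping from IEEE 802.11i.

    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output.
    Nothing else goes in, so the only secret protecting the PMK is the
    passphrase itself; a short or guessable passphrase gives a weak PMK.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA/WPA2-Personal passphrase is 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ieee80211_prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """PRF-n from IEEE 802.11i: HMAC-SHA1(key, label || 0x00 || data || counter),
    concatenated for counter = 0, 1, ... and truncated to nbytes."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
             anonce: bytes, snonce: bytes) -> dict:
    """Derive the 384-bit PTK for a CCMP (AES) association.

    Both sides sort the MAC addresses and nonces so they compute the same
    input. The result is split into KCK (integrity of the 4-way handshake),
    KEK (wraps the group key) and TK (the AES key that protects data frames).
    Because the nonces are fresh for every association, the TK is a new key
    each time even though the PMK never changes.
    """
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = ieee80211_prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def demo() -> dict:
    """Two associations of the same client to the same AP: same PMK, different TK."""
    # Constructed values for illustration: locally administered MACs and fixed nonces.
    pmk = wpa2_pmk("correct horse battery", "HomeNet")
    ap_mac = bytes.fromhex("020000000001")
    client_mac = bytes.fromhex("020000000002")
    first = wpa2_ptk(pmk, ap_mac, client_mac, b"\x11" * 32, b"\x22" * 32)
    second = wpa2_ptk(pmk, ap_mac, client_mac, b"\x33" * 32, b"\x44" * 32)
    return {"pmk": pmk.hex(), "same_session_key": first["TK"] == second["TK"]}


if __name__ == "__main__":
    print(demo())
```

The practical lesson for a defender is in the first function: the PMK depends on nothing but the passphrase and the SSID, so passphrase length and unpredictability are the entire strength of a WPA2-Personal network, and changing the SSID changes the PMK without changing the passphrase.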
There are two types of encryption algorithms that can be combined with WPA2:

| Algorithm | Name | Notes |
|---|---|---|
| TKIP | Temporal Key Integrity Protocol | Developed in 2004 as a temporary replacement to WEP. Considered weak and easily broken. Current standards say that it should not be used, but many Wi-Fi devices still use it. |
| AES | Advanced Encryption Standard | Current encryption standard in use. |
Many routers that support WPA2 will offer both WPA2-TKIP and WPA2-AES at the same time. Why? Some older wireless devices do not understand AES, and keeping TKIP enabled ensures that the router can still communicate with them. The trade-off is that any client can then negotiate the weaker TKIP cipher.
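The mixed TKIP/AES setting described above is exactly what an access point configuration audit should flag. Below is an added example (not from the original notes or from any access point vendor) that parses hostapd-style `key=value` configuration text and reports WEP, original WPA, or TKIP being enabled. The option names (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wep_key0`, `wpa_key_mgmt`) are real hostapd options; the two configuration fragments and the `placeholder-passphrase-here` value are constructed for the example.

```python
WEAK_CIPHERS = {"TKIP", "WEP40", "WEP104"}

# Constructed hostapd.conf fragments (not taken from any real deployment).
MIXED_MODE_CONF = """
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=placeholder-passphrase-here
# Mixed mode: AES (CCMP) for modern clients, TKIP kept for legacy devices
rsn_pairwise=CCMP TKIP
"""

AES_ONLY_CONF = """
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=placeholder-passphrase-here
rsn_pairwise=CCMP
"""


def parse_hostapd(text: str) -> dict:
    """Minimal parser for hostapd's key=value format; blank lines and # comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_hostapd(text: str) -> list:
    """Return human-readable findings; an empty list means WPA2 with AES (CCMP) only."""
    cfg = parse_hostapd(text)
    findings = []
    wpa = cfg.get("wpa", "0")  # hostapd bitfield: 1 = WPA, 2 = WPA2 (RSN), 3 = both
    if wpa == "0":
        if any(k.startswith("wep_key") for k in cfg):
            findings.append("WEP keys configured: WEP is broken and must not be used")
        else:
            findings.append("no WPA configured: network is open")
    if wpa in ("1", "3"):
        findings.append(f"wpa={wpa} enables the original WPA instead of, or alongside, WPA2")
    if wpa in ("2", "3"):
        # hostapd uses wpa_pairwise for RSN too when rsn_pairwise is not set.
        ciphers = set(cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "")).split())
        weak = sorted(ciphers & WEAK_CIPHERS)
        if weak:
            findings.append(f"WPA2 allows weak pairwise cipher(s) {weak}: clients can negotiate TKIP")
    return findings


if __name__ == "__main__":
    for name, conf in (("mixed mode", MIXED_MODE_CONF), ("AES only", AES_ONLY_CONF)):
        print(name, "->", audit_hostapd(conf) or ["OK: WPA2 with CCMP only"])
```

The fix for a mixed-mode finding is the second fragment: `rsn_pairwise=CCMP` with `wpa=2`, which drops TKIP entirely; devices that cannot do AES then need to be replaced or moved to a separate, isolated network rather than dragging the main network down to TKIP.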
After you connect to the wireless network, the network must verify who you are and decide whether to give you access. This process is called authentication. There are several types of authentication.
| Method | Name | Description |
|---|---|---|
| Single-Factor | | Requires only a password, or a username and password. |
| Multi-Factor | | Requires the user to supply "something else" in addition to the username/password, such as a code from a token, a biometric scan, or a certificate (from a smart card or one that is saved to the computer). |
| RADIUS | Remote Authentication Dial-In User Service | A RADIUS server provides authentication, authorization, and accounting (AAA) to remote users. Authentication verifies the identity of the remote user. Authorization determines whether the remote user is permitted to connect to the network and what they are allowed to do while connected. Accounting keeps track of when the user connected to the network and what they did. RADIUS allows a user to connect to multiple resources via a single username/password. |
| TACACS+ | Terminal Access Controller Access-Control System Plus | TACACS+ uses the AAA (Authentication, Authorization, and Accounting) architecture, but each element is separate. Therefore, a system could use a different form of authentication (such as Kerberos) with TACACS+ authorization and accounting. |
| Kerberos | | Kerberos is a protocol that allows clients and servers to authenticate with each other and prove their identities. The Kerberos protocol protects against eavesdropping and replay attacks. Kerberos uses UDP port 88. Kerberos provides encryption over an unsecure network. |