Compare Wireless Security Protocols Flashcards
Lesson 16B (19 cards)
Configuring a TP-LINK SOHO access point with wireless encryption and authentication settings.
Configuring Network Policy Server to authenticate wireless clients using 802.1X EAP-TLS.
Wi-Fi Protected Access (WPA)
improved on WEP while keeping RC4 (so existing hardware could be upgraded in firmware) by wrapping it in the Temporal Key Integrity Protocol (TKIP), which added per-packet key mixing, a message integrity check (Michael), and periodic rekeying to mitigate WEP's known key-recovery weaknesses. TKIP was a stopgap and is itself deprecated.
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
is the AES-based encryption protocol introduced with WPA2. AES in CCM mode provides authenticated encryption (confidentiality plus integrity in one pass) with a per-packet nonce, making it resistant to replay attacks and to the key-recovery attacks that broke WEP and the weaknesses later found in TKIP.
WPA2
enhances Wi-Fi security by replacing RC4 and TKIP with AES and CCMP, providing authenticated encryption that mitigates replay attacks and the key-recovery vulnerabilities of earlier protocols. WPA2 devices may still offer TKIP for backward compatibility; it should be disabled.
WPA3
improves on WPA2 by replacing the pre-shared-key authentication that feeds the 4-way handshake with Simultaneous Authentication of Equals (SAE), which resists offline dictionary attacks and provides forward secrecy; by adding stronger cipher suites such as AES-GCMP (256-bit in the WPA3-Enterprise 192-bit mode); by making Protected Management Frames mandatory, so deauthentication and other management frames cannot be spoofed; and by encrypting open-network traffic with Wi-Fi Enhanced Open (Opportunistic Wireless Encryption, OWE) to prevent passive sniffing.
Wi-Fi authentication
is categorized into three types: open (no passphrase required), personal (a single passphrase shared by all users: WPA2-PSK or WPA3 SAE), and enterprise (per-user credentials validated by a RADIUS server for centralized authentication). Personal authentication derives the session keys from the shared secret, using either WPA2's pre-shared key or WPA3's Simultaneous Authentication of Equals exchange.
WPA2-PSK authentication
uses a shared passphrase to generate the encryption key for network communication, with each device configured with the same secret. The passphrase is converted into a 256-bit pairwise master key (PMK) with PBKDF2-HMAC-SHA1, salted with the SSID over 4096 iterations, and the PMK is then used in WPA2's 4-way handshake to derive the per-session pairwise transient key (PTK). Because a captured handshake lets an attacker test passphrase guesses offline, PSK authentication is vulnerable to passphrase recovery attacks; a long (at least 14 characters), random passphrase that does not appear in any wordlist mitigates the risk. Note also that anyone who knows the passphrase and captures another client's handshake can decrypt that client's traffic.
WPA3 personal authentication
still relies on a single passphrase shared by the group, but replaces WPA2's PSK authentication with the Simultaneous Authentication of Equals (SAE) protocol, a password-authenticated key exchange (Dragonfly) that produces a fresh PMK before the 4-way handshake runs. Because every passphrase guess requires a live exchange with the access point, a captured handshake cannot be used for offline dictionary attacks, and the exchange provides forward secrecy, so knowing the passphrase does not let an eavesdropper decrypt other clients' sessions.
Enterprise authentication
addresses the security limitations of personal authentication by eliminating the shared passphrase and allowing individual credentials (username/password or certificate) that can be revoked per user. It relies on an Authentication, Authorization, and Accounting (AAA) server for credential validation, so the access point never stores user credentials and does not need to be reconfigured when a user leaves.
WPA’s 802.1X enterprise authentication
uses the Extensible Authentication Protocol (EAP) to verify users against a network directory. The access point acts as the 802.1X authenticator: it carries EAP between the client (supplicant) and the AAA server over the wireless link as EAP over LAN (EAPoL, sometimes called EAP over Wireless, EAPoW) and blocks all other traffic from that client until authentication succeeds. The keying material produced by the EAP method becomes the PMK for the 4-way handshake.
EAP-TLS
(Extensible Authentication Protocol-Transport Layer Security)
uses digital certificates on both the client and the server, giving mutual authentication inside a TLS handshake; the TLS key material is then exported as the master session key from which the PMK is derived.
EAP-TLS
is a highly secure EAP method that can be treated as multifactor: the user's private key is stored on the device (ideally in a TPM or smart card) and is unlocked with a PIN, password, or biometric gesture as the first factor, and during the EAP session the server and supplicant exchange certificates and prove possession of the matching private keys as the second factor before access is granted. The supplicant must be configured to validate the server certificate against a trusted CA, or a rogue access point can impersonate the network.
AAA server
is a network server that provides Authentication, Authorization, and Accounting (AAA) services for network access control.
RADIUS
(Remote Authentication Dial-In User Service)
enables enterprise authentication by having wireless access points act as RADIUS clients (network access servers) that forward authentication requests to a central AAA server rather than validating or storing credentials themselves. Client and server share a secret that authenticates packets in both directions and hides the User-Password attribute; because RADIUS itself offers no other encryption (UDP ports 1812 for authentication and 1813 for accounting), the secret should be long and random and the traffic should be carried over a trusted network, IPsec, or RADIUS over TLS (RadSec).
wireless access point (WAP)
bridges wireless clients onto a wired network; unlike a router it does not route between networks, and its primary function is to extend the reach of a LAN over Wi-Fi. In enterprise authentication it is the 802.1X authenticator and the RADIUS client that relays EAP to the AAA server.
TACACS+
Terminal Access Controller Access Control System Plus (TACACS+) is another way of implementing AAA. It was developed by Cisco but is also supported by many third-party implementations. Unlike RADIUS it runs over TCP (port 49) and encrypts the whole packet body rather than only the password, and it separates authentication from authorization so that individual commands can be authorized and accounted. Where RADIUS is typically used to authenticate connections by wireless and VPN users, TACACS+ is typically used to authenticate administrative access to routers, switches, and access points.
Kerberos
enables single sign-on (SSO) within a domain by issuing tickets that prove a user's identity to network services, but it is not a Wi-Fi authentication protocol. An access point cannot speak Kerberos directly, so it relies on RADIUS (or TACACS+) carrying an EAP method, for example EAP-TLS or a tunneled method such as PEAP, through which the AAA server validates the domain user's credentials against the directory.