Wireless Security

Question 1

Wireless encryption

Answer 1

• All wireless computers are radio transmitters
and receivers
• Anyone can listen in

• Solution: Encrypt the data
• Everyone gets the password
• Or their own password

• Only people with the password can transmit and
listen
• WPA and WPA2

Question 2

WPA (Wi-Fi Protected Access)

Answer 2

• 2002: WPA was the replacement for serious
cryptographic weaknesses in WEP
• (Wired Equivalent Privacy)
• Don’t use WEP

• Needed a short-term bridge between WEP and
whatever would be the successor
• Run on existing hardware

• WPA: RC4 with TKIP (Temporal Key Integrity Protocol)
• Initialization Vector (IV) is larger and
an encrypted hash
• Every packet gets a unique 128-bit encryption key

Question 3

Temporal Key Integrity Protocol

Answer 3

• Mixed the keys
• Combines the secret root key with the IV
• Adds a sequence counter
• Prevents replay attacks
• Implements a 64-bit Message Integrity Check
• Protects against tampering
• TKIP has it’s own set of vulnerabilities
• Deprecated in the 802.11-2012 standard

Question 4

WPA2 and CCMP

Answer 4

• WPA2 certification began in 2004
• AES (Advanced Encryption Standard) replaced RC4

• CCMP (Counter Mode with Cipher Block Chaining
Message Authentication Code Protocol) replaced TKIP
• CCMP block cipher mode
• Uses AES for data confidentiality
• 128-bit key and a 128-bit block size
• Requires additional computing resources

• CCMP security services
• Data confidentiality (AES), authentication,
and access control

Question 5

Wireless security modes

Answer 5

• Configure the authentication on your wireless
access point / wireless router

• Open System
• No authentication password is required
• WPA2-Personal / WPA2-PSK
• WPA2 with a pre-shared key
• Everyone uses the same 256-bit key

• WPA2-Enterprise / WPA2-802.1X
• Authenticates users individually with an
authentication server (i.e., RADIUS, TACACS+)
• Add additional factors

Question 6

RADIUS (Remote Authentication Dial-in User Service)

Answer 6

• One of the more common AAA protocols
• Supported on a wide variety of platforms and
devices
• Not just for dial-in

• Centralize authentication for users
• Routers, switches, firewalls
• Server authentication
• Remote VPN access
• 802.1X network access

• RADIUS services available on almost any server operating system

Question 7

TACACS

Answer 7

• Terminal Access Controller
 • Access-Control System
 • Remote authentication protocol
 • Created to control access to dial-up lines to 
    ARPANET

Question 8

TACACS+

Answer 8

• The latest version of TACACS
• More authentication requests and response codes
• Released as an open standard in 1993

Question 9

What are the characteristic features of RADIUS?

Answer 9

Primarily used for network access

Combines authentication and authorization

Encrypts only the password in the access-request packe

Question 10

What are the characteristics of TACACS+?

Answer 10

Encrypts the entire payload of the access-request packet

Primarily used for device administration

Separates authentication and authorization