WIRELESS LAN SECURITY FUNDAMENTALS


Jone Ostebo, November 2015
#ATM15ANZ @ArubaANZ

Learning Goals
- Authentication with 802.1X
- But first: we need to understand some PKI
- And before that, we need a cryptography primer
- And before that: what is security?

Security Basics
- What is security?

Biggest security challenge at BH

CRYPTOGRAPHY PRIMER

Why Study Cryptography?
- Absolutely critical to wireless security
- Heavily used during the authentication process
- Protects data in transit
- Makes you more interesting at parties

Meet Bob and Alice
- Bob and Alice are traditionally used in examples of cryptography

Symmetric Key Cryptography

Symmetric Key Cryptography
- Strength: simple and very fast (on the order of 1000 to 10000 times faster than asymmetric mechanisms)
- Challenges: must agree on the key beforehand; how do you securely pass the key to the other party?
- Examples: AES, 3DES, DES, RC4
- AES is the current gold standard for security

Public Key Cryptography (Asymmetric)

Public Key Cryptography
- Strengths: solves the problem of passing the key; allows establishment of a trust context between parties
- Challenges: slow (MUCH slower than symmetric); problem of trusting the public key (what if I've never met you?)
- Examples: RSA, DSA, ECDSA

Hybrid Cryptography
- Randomly generate a session key
- Encrypt the data with the session key (symmetric key cryptography)
- Encrypt the session key with the recipient's public key (public key cryptography)
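The three steps of the hybrid scheme above, as an added Go example (not code from the slides or from Aruba) using only the standard library: AES-GCM for the bulk data and RSA-OAEP to wrap the session key. The function names seal/open and the nonce||ciphertext packaging are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// gcmFor wraps a raw AES key as an AEAD; fails on a wrong key length.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal follows the slide: bulk data goes through fast symmetric AES-GCM under a fresh
// session key; only that 32-byte key goes through slow RSA-OAEP. Returns wrapped key and nonce||ciphertext.
func seal(recipient *rsa.PublicKey, data []byte) (wrappedKey, ciphertext []byte, err error) {
	buf := make([]byte, 32+12) // 256-bit session key followed by a 96-bit GCM nonce
	if _, err = io.ReadFull(rand.Reader, buf); err != nil {
		return nil, nil, err // no good randomness, no key (see the Entropy slide)
	}
	sessionKey, nonce := buf[:32], buf[32:]
	gcm, _ := gcmFor(sessionKey) // cannot fail: the key is exactly 32 bytes
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	return wrappedKey, gcm.Seal(append([]byte{}, nonce...), nonce, data, nil), nil
}

// open is the recipient side: unwrap the session key with the private key, then decrypt.
func open(priv *rsa.PrivateKey, wrappedKey, ciphertext []byte) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key unwrap failed (wrong private key?)")
	}
	gcm, err := gcmFor(sessionKey)
	if err != nil || len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("bad session key or truncated message")
	}
	nonce, sealed := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil) // fails on any tampering with the data
}
```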

Hash Function Properties
- It is easy to compute the hash value for any given message
- It is infeasible to find a message that has a given hash
- It is infeasible to find two different messages with the same hash
- It is infeasible to modify a message without changing its hash
- Ensures message integrity
- Also called message digests or fingerprints
- Examples: MD5, SHA1, SHA2 (256/384/512)

Message Integrity with CBC-MAC
- Set IV = 0
- Run the message through AES-CBC (or some other symmetric cipher)
- Discard everything except the final block: this output is the MAC

AES-CCM (Counter with CBC-MAC)
- CBC-MAC
- AES in Counter Mode
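The CBC-MAC recipe from the previous slide and its composition with counter mode on this one, as one added Go example (not code from the slides or from Aruba). It is a simplified teaching layout, not the exact block formatting of RFC 3610 CCM; the nonce length and the function names are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"errors"
)

// cbcMAC follows the slide: IV = 0, AES-CBC over the zero-padded message, keep only the
// final block. Caveat: raw CBC-MAC is only safe for one fixed message length; CCM encodes the length.
func cbcMAC(block cipher.Block, msg []byte) []byte {
	padded := append([]byte{}, msg...)
	if rem := len(padded) % aes.BlockSize; rem != 0 || len(padded) == 0 {
		padded = append(padded, make([]byte, aes.BlockSize-rem)...)
	}
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, padded) // zero IV
	return out[len(out)-aes.BlockSize:]
}

// ctrXOR is AES counter mode seeded with a nonce shorter than one block (the rest is the counter).
func ctrXOR(block cipher.Block, nonce, in []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	copy(iv, nonce)
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// ccmSeal composes the two pieces on the AES-CCM slide: CBC-MAC for integrity, then counter mode over plaintext and tag.
func ccmSeal(block cipher.Block, nonce, plaintext []byte) []byte {
	tag := cbcMAC(block, plaintext)
	return ctrXOR(block, nonce, append(append([]byte{}, plaintext...), tag...))
}

// ccmOpen reverses ccmSeal and rejects any message whose tag does not verify.
func ccmOpen(block cipher.Block, nonce, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize {
		return nil, errors.New("truncated message")
	}
	buf := ctrXOR(block, nonce, sealed)
	plaintext, tag := buf[:len(buf)-aes.BlockSize], buf[len(buf)-aes.BlockSize:]
	if subtle.ConstantTimeCompare(tag, cbcMAC(block, plaintext)) != 1 {
		return nil, errors.New("integrity check failed")
	}
	return plaintext, nil
}
```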

Entropy (information-theoretic, not thermodynamic!)
- When we create a random key, it must be unique and unpredictable
- We need good random numbers for this
- What happens if it's not unique or unpredictable?

Summary: Security Building Blocks
- Encryption provides confidentiality; can provide authentication and integrity protection
- Checksums/hash algorithms provide integrity protection; can provide authentication
- Digital signatures provide authentication and integrity protection
- For more info: Buy this Book!

CERTIFICATES, TRUST & PKI

What is a Certificate?
- Binds a public key to some identifying information
- The signer of the certificate is called its issuer
- The entity talked about in the certificate is the subject of the certificate
- Certificates in the real world: any type of license, government-issued IDs, membership cards, ...
- Binds an identity to certain rights, privileges, or other identifiers

Public Key Infrastructure
- A Certificate Authority (CA) guarantees the binding between a public key and another CA or an End Entity (EE)
- CA hierarchies

Who do you trust?
- Windows: Start -> Run -> certmgr.msc

Public Key Infrastructure
- We trust a certificate if there is a valid chain of trust to a root CA that we explicitly trust
- Web browsers also check DNS hostname == certificate Common Name (CN)
- Chain building & validation

Creating Certificates A-Z
1. Generate entropy
2. Use the entropy to create a random public/private keypair (asymmetric crypto)
3. Attach identifying information to the public key and send it to the CA (Certificate Signing Request)
4. The CA issues a certificate in X.509 format:
   - Contains the public key as supplied in the CSR
   - Contains a hash of the certificate contents
   - Contains a digital signature signed with the CA's private key (hash + asymmetric crypto)
5. Retrieve the certificate from the CA and match it up with the private key. Ready for use.
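Steps 2 to 5 above, plus the chain building and name check from the previous slide, as one added Go example (not code from the slides or from Aruba) using only the standard library. Assumptions of this example: an in-house root CA, Ed25519 keys for brevity, the constructed CA name, and the function names mustSign/buildPKI/validate; validate is the check a supplicant performs on the RADIUS server's certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func mustSign(tmpl, parent *x509.Certificate, pub interface{}, caKey ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err) // demo helper: a failure here is a programming error, not bad input
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func buildPKI(serverName string) (root, leaf *x509.Certificate, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example In-House Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = mustSign(caTmpl, caTmpl, caPub, caKey) // self-signed root: parent == template
	_, srvKey, _ := ed25519.GenerateKey(rand.Reader) // step 2: the server's own keypair
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ // step 3
		Subject: pkix.Name{CommonName: serverName}, DNSNames: []string{serverName}}, srvKey)
	csr, _ := x509.ParseCertificateRequest(csrDER) // cannot fail: we just encoded it
	if err = csr.CheckSignature(); err != nil { // CA verifies proof of possession before issuing
		return nil, nil, err
	}
	leaf = mustSign(&x509.Certificate{ // step 4: identity and public key are copied from the CSR
		SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, csr.PublicKey, caKey)
	return root, leaf, nil // step 5: the server pairs leaf with srvKey
}

// validate is the supplicant-side check: chain to an explicitly trusted root, and the name must match.
func validate(leaf, trustedRoot *x509.Certificate, expectedName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedName})
	return err
}
```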

Generating Certificate Signing Request

Public CA versus Private CA
- Windows Server includes a domain-aware CA; why not just use it?
- Disadvantages: PKI is complex; it might be easier to let Verisign/Thawte/etc. do it for you. Nobody outside your Windows domain will trust your certificates.
- Advantages: less costly; better security possible (low chance of someone outside the organization getting a certificate from your internal PKI)

For More Info
- https://kvazar.files.wordpress.com/2008/12/unencrypted.pdf
- Buy this Book!

PUTTING IT ALL TOGETHER: 802.1X

Authentication with 802.1X
- Authenticates users before granting access to L2 media
- Makes use of EAP (Extensible Authentication Protocol)
- 802.1X authentication happens at L2: users will be authenticated before an IP address is assigned

Sample EAP Transaction
- 2-stage process: outer tunnel establishment, then the credential exchange happens inside the encrypted tunnel
- [Diagram: Client <--EAPOL--> Authenticator <--RADIUS--> Authentication Server. Messages shown: EAPOL Start; Request Identity; Response Identity (anonymous); TLS Start; Certificate; Cert. verification; Key exchange; Request credentials; Response credentials; Success]

802.1X Acronym Soup
- PEAP (Protected EAP): uses a digital certificate on the network side; password or certificate on the client side
- EAP-TLS (EAP with Transport Layer Security): uses a certificate on the network side; uses a certificate on the client side
- TTLS (Tunneled Transport Layer Security): uses a certificate on the network side; password, token, or certificate on the client side
- EAP-FAST: Cisco proprietary; do not use (known security weaknesses)

#ATM15 CONFIDENTIAL Copyright 2015. Aruba Networks, Inc. All rights reserved

Configure Supplicant Properly
- Configure the Common Name of your RADIUS server (matches the CN in the server certificate)
- Configure trusted CAs (an in-house CA is better than a public CA)
- ALWAYS validate the server certificate
- Do not allow users to add new CAs or trust new servers
- Enforce with group policy

Isn't MSCHAPv2 broken?
- Short answer: yes, because of things like rainbow tables, distributed cracking, fast GPUs, etc.
- This is why we use MSCHAPv2 inside a PEAP (TLS) tunnel for Wi-Fi
- What happens if you don't properly validate the server certificate? Look up FreeRADIUS-WPE
- Test at Aruba HQ, Sunnyvale

WPA2 Key Management Summary
- Step 1: Use RADIUS to push the PMK from the Auth Server (AS) to the AP/Controller
- Step 2: Use the PMK and the 4-Way Handshake to derive, bind, and verify the PTK
- Step 3: Use the Group Key Handshake to send the GTK from the AP to the STA

THANK YOU #ATM15ANZ @ArubaANZ