
Authentication

• What is authentication?
• Message integrity check (MIC) is a security tool that can protect against data tampering.

WEP

• The original 802.11 standard offered only two choices to authenticate a client: open
authentication and WEP.
• Wired Equivalent Privacy: uses the RC4 cipher algorithm
• Symmetric encryption or shared-key security
• Keys are 40 to 104 bits long (10 to 26 hex digits).
• Considered weak encryption and not recommended at this time.

802.1x/EAP

• Extensible Authentication Protocol (EAP)

• EAP defines a set of common functions that actual authentication methods can use
to authenticate users.
• It can integrate with the IEEE 802.1x port-based access control standard.

LEAP

• Lightweight EAP (LEAP)

• Cisco developed a proprietary wireless authentication method called Lightweight EAP
(LEAP). It can integrate with the IEEE 802.1x port-based access control standard.
• Both the client and the authentication server must exchange challenge messages that are
then encrypted and returned (mutual authentication).
• LEAP has been deprecated and should not be used.

EAP-FAST
• EAP-FAST: EAP Flexible Authentication via Secure Tunneling.
• Cisco developed this proprietary wireless authentication method.
• Authentication credentials are protected by passing a protected access credential
(PAC) between the AS and the supplicant.
• The PAC is a form of shared secret that is generated by the AS and used for mutual
authentication.
• EAP-FAST has three phases: Phase 0 | Phase 1 | Phase 2
• Notice that two separate authentications occur in EAP-FAST: one between the AS
and the supplicant and another with the end user. These occur in a nested fashion, as
an outer authentication (outside the TLS tunnel) and an inner authentication (inside
the TLS tunnel).
PEAP
• Protected EAP (PEAP)
• The authentication server (AS) presents a digital certificate to authenticate itself with the
supplicant in the outer authentication.
• The AS and the client build a TLS tunnel to use for the inner authentication and encryption
key exchange.
• Certificates are provided by a third-party Certification Authority (CA).
• The certificate is also used to pass a public key, in plain view, which can be used to help decrypt
messages from the AS.
• The client does not have or use a certificate of its own, so it must be authenticated within the
TLS tunnel using one of the following two methods:
  • MSCHAPv2: Microsoft Challenge Handshake Authentication Protocol version 2
  • GTC: Generic Token Card; a hardware device that generates one-time passwords for the
  user, or a manually generated password
EAP-TLS
• EAP-TLS: EAP Transport Layer Security
• The authentication server and the client both require a digital certificate.
• The AS and the supplicant exchange certificates and can authenticate each other.
• A TLS tunnel is built afterward so that encryption key material can be securely exchanged.
• Implement a Public Key Infrastructure (PKI) that can supply certificates securely and
efficiently and revoke them when a client or user should no longer have access to the
network.
• The Certification Authority (CA) issues the digital certificates.
• The most secure wireless authentication method.
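The certificate checks behind PEAP (supplicant validates the AS) and EAP-TLS (both sides validate each other) come down to chaining a peer's certificate to a trusted CA. The example below is added here and is not part of the slides or of any Cisco product: it builds a hypothetical enterprise CA, an AS certificate, a supplicant certificate and a look-alike AS certificate from an unrelated CA entirely in memory (all names such as radius.example.internal and laptop-042.example.internal are constructed), then shows that the AS and supplicant accept each other while the look-alike is rejected because it does not chain to the provisioned root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert creates a certificate for name. With parent == nil it is self-signed
// (a root CA); otherwise it is signed by parentKey. Every key and certificate
// here is generated in memory: constructed test identities, not a real PKI.
func issueCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trustedBy reports whether peer chains to a root in trust for the given role
// (server = the AS, client = the supplicant). Each side of EAP-TLS performs this
// check on the certificate it receives; in PEAP only the supplicant does, on the AS.
func trustedBy(trust *x509.CertPool, peer *x509.Certificate, role x509.ExtKeyUsage) bool {
	_, err := peer.Verify(x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{role}})
	return err == nil
}

// AuthResult holds the outcome of the three checks in RunMutualAuthDemo.
type AuthResult struct {
	ServerTrusted bool // supplicant accepts the AS certificate
	ClientTrusted bool // AS accepts the supplicant certificate
	RogueTrusted  bool // supplicant accepts an AS certificate from an unknown CA
}

// RunMutualAuthDemo issues the hypothetical certificates and runs the
// verification each side would do; the first issuance error, if any, is returned.
func RunMutualAuthDemo() (res AuthResult, err error) {
	issue := func(name string, isCA bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		c, k, e := issueCert(name, isCA, parent, pk)
		if e != nil && err == nil {
			err = e
		}
		return c, k
	}
	caCert, caKey := issue("Example Enterprise CA", true, nil, nil)
	asCert, _ := issue("radius.example.internal", false, caCert, caKey)
	supCert, _ := issue("laptop-042.example.internal", false, caCert, caKey)
	otherCA, otherKey := issue("Unknown CA", true, nil, nil)
	lookalike, _ := issue("radius.example.internal", false, otherCA, otherKey)
	if err != nil {
		return res, err
	}
	trust := x509.NewCertPool()
	trust.AddCert(caCert) // the only root provisioned on supplicant and AS
	res.ServerTrusted = trustedBy(trust, asCert, x509.ExtKeyUsageServerAuth)
	res.ClientTrusted = trustedBy(trust, supCert, x509.ExtKeyUsageClientAuth)
	res.RogueTrusted = trustedBy(trust, lookalike, x509.ExtKeyUsageServerAuth)
	return res, nil
}

func main() {
	res, err := RunMutualAuthDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res) // {ServerTrusted:true ClientTrusted:true RogueTrusted:false}
}
```

The look-alike certificate carries the same common name as the real AS, which is why a supplicant configured to trust any CA, or none, cannot tell the two apart; the root provisioned in the trust store is the only thing that separates them.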

Wireless Privacy & Integrity
• Temporal Key Integrity Protocol (TKIP)
• TKIP adds the following security features using legacy hardware and the underlying
WEP encryption:
  • MIC (Message Integrity Check): adds a hash to the frame
  • Time stamp: a time stamp is added into the MIC to prevent replay attacks
  • Sender's MAC address
  • TKIP sequence counter: adds a sequence number to the frame
  • Key mixing algorithm: adds a unique 128-bit WEP key
  • Longer initialization vector (IV): protects against brute-force calculation
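To show how the MIC, time stamp, sender MAC address and sequence counter listed above work together on the receiving side, here is an added example that is not from the slides: a small receiver that recomputes a keyed MIC over those fields, drops frames whose time stamp is too old, and drops frames whose sequence counter did not advance for that sender. HMAC-SHA256 stands in for TKIP's Michael algorithm, the frame layout is illustrative rather than the 802.11 format, and the key, MAC address and five frames are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Frame is a simplified data frame carrying the fields the TKIP MIC covers on
// the slide. Field widths and order are illustrative, not the 802.11 layout.
type Frame struct {
	SenderMAC [6]byte
	Seq       uint64 // sequence counter, must increase per sender
	Timestamp int64  // seconds; constructed clock values in the demo
	Payload   []byte
	MIC       []byte
}

// micBytes serialises the protected fields in a fixed order, so that any
// change to the sender, counter, time stamp or payload changes the MIC.
func micBytes(f Frame) []byte {
	var seq, ts [8]byte
	binary.BigEndian.PutUint64(seq[:], f.Seq)
	binary.BigEndian.PutUint64(ts[:], uint64(f.Timestamp))
	return bytes.Join([][]byte{f.SenderMAC[:], seq[:], ts[:], f.Payload}, nil)
}

// ComputeMIC uses HMAC-SHA256 as a stand-in for TKIP's Michael algorithm; the
// point is a keyed integrity tag over the frame, not Michael's construction.
func ComputeMIC(key []byte, f Frame) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(micBytes(f))
	return m.Sum(nil)
}

// Receiver remembers the last accepted sequence counter per sender MAC.
type Receiver struct {
	key     []byte
	lastSeq map[[6]byte]uint64
	now     int64 // injected clock so the example is deterministic
	window  int64 // oldest acceptable time stamp, in seconds before now
}

// Accept returns "accepted" or the reason the frame was dropped.
func (r *Receiver) Accept(f Frame) string {
	if !hmac.Equal(f.MIC, ComputeMIC(r.key, f)) {
		return "bad MIC" // altered or forged frame
	}
	if r.now-f.Timestamp > r.window {
		return "stale time stamp"
	}
	if last, seen := r.lastSeq[f.SenderMAC]; seen && f.Seq <= last {
		return "replay" // sequence counter did not advance
	}
	r.lastSeq[f.SenderMAC] = f.Seq
	return "accepted"
}

// Verdicts feeds five constructed frames to a receiver: a valid frame, an exact
// replay of it, a frame altered after its MIC was computed, a fresh valid
// frame, and a frame with a time stamp outside the window.
func Verdicts() []string {
	key := []byte("constructed-example-mic-key")
	rx := &Receiver{key: key, lastSeq: map[[6]byte]uint64{}, now: 1000, window: 30}
	mac := [6]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}
	mk := func(seq uint64, ts int64, payload string) Frame {
		f := Frame{SenderMAC: mac, Seq: seq, Timestamp: ts, Payload: []byte(payload)}
		f.MIC = ComputeMIC(key, f)
		return f
	}
	f1 := mk(1, 990, "hello")
	altered := mk(2, 995, "pay $10")
	altered.Payload = []byte("pay $99") // changed in transit; MIC no longer matches
	f3 := mk(3, 999, "world")
	late := mk(4, 900, "late")
	return []string{rx.Accept(f1), rx.Accept(f1), rx.Accept(altered), rx.Accept(f3), rx.Accept(late)}
}

func main() {
	fmt.Println(Verdicts()) // [accepted replay bad MIC accepted stale time stamp]
}
```

The order of the checks matters: the MIC is verified first so that a forged frame can never update the receiver's sequence state, and the counter is only stored once the frame has passed every check.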

CCMP
• Counter/CBC-MAC Protocol (CCMP)
• More secure than TKIP, and consists of two algorithms:
1. Advanced Encryption Standard (AES) counter mode encryption
2. Cipher Block Chaining Message Authentication Code (CBC-MAC), used as a MIC
• AES is open, publicly accessible, and represents the most secure encryption method
available today.
• Devices should be checked for AES support before applying CCMP.

GCMP
• Galois/Counter Mode Protocol (GCMP)
• A robust authenticated encryption suite that is more secure and more efficient than
CCMP.
• GCMP consists of two algorithms:
1. AES counter mode encryption
2. Galois Message Authentication Code (GMAC), used as a MIC
• GCMP is used in WPA3.
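Both CCMP and GCMP pair AES counter-mode encryption with a MIC, differing in how the MIC is computed (CBC-MAC versus GMAC). The example below is added here and is not from the slides or from any vendor implementation: it builds a simplified CCMP-style construction by hand (AES-CTR plus an AES CBC-MAC over header and payload) and uses the standard library's AES-GCM for the GCMP side, then shows for each that a frame round-trips intact and that flipping a single ciphertext bit makes the receiver reject it. The key, nonces, header and payload are constructed values, and the CBC-MAC and counter-block formatting are illustrative rather than the exact 802.11 encoding.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"errors"
)

// cbcMAC: AES CBC-MAC (zero IV) over a length-prefixed, zero-padded message;
// the final block is the 16-byte tag that plays the MIC role in CCMP. Real
// CCM (RFC 3610) derives its first block from flags, nonce and length, so
// this is a simplified illustration, not the exact 802.11 construction.
func cbcMAC(block cipher.Block, header, plaintext []byte) []byte {
	data := append(append([]byte{}, header...), plaintext...)
	msg := append([]byte{byte(len(data) >> 8), byte(len(data))}, data...)
	for len(msg)%aes.BlockSize != 0 {
		msg = append(msg, 0)
	}
	mac := make([]byte, aes.BlockSize)
	for i := 0; i < len(msg); i += aes.BlockSize {
		for j := 0; j < aes.BlockSize; j++ {
			mac[j] ^= msg[i+j]
		}
		block.Encrypt(mac, mac)
	}
	return mac
}

// ctr builds the counter-mode keystream from a 13-byte nonce zero-padded to
// one block (real CCMP also encodes flags and a block counter in that block).
func ctr(block cipher.Block, nonce []byte) cipher.Stream {
	iv := make([]byte, aes.BlockSize)
	copy(iv, nonce)
	return cipher.NewCTR(block, iv)
}

// ccmpSeal: output = CTR(plaintext || CBC-MAC(header || plaintext)). The header
// (frame addresses, for example) is authenticated but sent in the clear.
func ccmpSeal(block cipher.Block, nonce, header, plaintext []byte) []byte {
	out := append(append([]byte{}, plaintext...), cbcMAC(block, header, plaintext)...)
	ctr(block, nonce).XORKeyStream(out, out)
	return out
}

// ccmpOpen decrypts and rejects the frame unless the recomputed MIC matches.
func ccmpOpen(block cipher.Block, nonce, header, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize {
		return nil, errors.New("frame too short")
	}
	buf := append([]byte{}, sealed...)
	ctr(block, nonce).XORKeyStream(buf, buf)
	plaintext, mic := buf[:len(buf)-aes.BlockSize], buf[len(buf)-aes.BlockSize:]
	if subtle.ConstantTimeCompare(mic, cbcMAC(block, header, plaintext)) != 1 {
		return nil, errors.New("MIC check failed")
	}
	return plaintext, nil
}

// Exercise seals a constructed frame, opens it, then flips one ciphertext bit
// and reports whether the suite refused the altered frame.
func Exercise(seal func(nonce, header, plaintext []byte) []byte,
	open func(nonce, header, sealed []byte) ([]byte, error), nonce []byte) (roundTrip, tamperCaught bool) {
	header := []byte("AP->STA") // constructed cleartext frame header
	msg := []byte("temporal key material")
	sealed := seal(nonce, header, msg)
	got, err := open(nonce, header, sealed)
	roundTrip = err == nil && bytes.Equal(got, msg)
	sealed[0] ^= 0x01 // one bit altered in transit
	_, err = open(nonce, header, sealed)
	return roundTrip, err != nil
}

// Run exercises the simplified CCMP above and the standard library's AES-GCM
// (the AEAD GCMP builds on) with a constructed 128-bit key and fixed nonces:
// 13 bytes for CCMP, 12 bytes for GCM.
func Run() (ccmpOK, ccmpCaught, gcmpOK, gcmpCaught bool, err error) {
	block, err := aes.NewCipher([]byte("0123456789abcdef"))
	if err != nil {
		return
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return
	}
	ccmpNonce, gcmNonce := []byte("ccmp-nonce-13"), []byte("gcmp-nonce12")
	ccmpOK, ccmpCaught = Exercise(
		func(n, h, p []byte) []byte { return ccmpSeal(block, n, h, p) },
		func(n, h, s []byte) ([]byte, error) { return ccmpOpen(block, n, h, s) }, ccmpNonce)
	gcmpOK, gcmpCaught = Exercise(
		func(n, h, p []byte) []byte { return gcm.Seal(nil, n, p, h) },
		func(n, h, s []byte) ([]byte, error) { return gcm.Open(nil, n, s, h) }, gcmNonce)
	return
}
```

Calling Run() yields true for all four flags. The MIC comparison in ccmpOpen is constant-time on purpose, and a real deployment must never reuse a nonce under the same key for either mode; the fixed nonces here exist only to keep the example deterministic.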

Wi-Fi Protected Access (WPA)
• The Wi-Fi Alliance, a nonprofit wireless industry association, has worked out
straightforward ways to certify wireless security through its Wi-Fi Protected Access (WPA)
industry certifications. To date, there are three different versions: WPA, WPA2, and WPA3.
• The Wi-Fi Alliance's first-generation WPA certification was based on parts of 802.11i and
included 802.1x authentication, TKIP, and a method for dynamic encryption key
management.
• The Wi-Fi Alliance's WPA2 certification is based around the superior AES CCMP algorithms.
It should be obvious that WPA2 was meant as a replacement for WPA.
• In 2018, the Wi-Fi Alliance introduced WPA3 as a future replacement for WPA2.
WPA3 leverages stronger encryption by AES with GCMP. It also uses Protected
Management Frames (PMF) to secure important 802.11 management frames between
APs and clients, to prevent malicious activity that might spoof or tamper with a BSS's
operation.
WPA, WPA2, WPA3 Summary
• Each successive version is meant to replace prior versions by offering better
security features. You should avoid using WPA and use WPA2 instead, at least
until WPA3 becomes widely available on wireless client devices, APs, and WLCs.

