
Chapter 11 - 03 - Discuss Different Types of Wireless Network Authentication Methods - 01_ocred_fax_ocred.pdf



Certified Cybersecurity Technician Exam 212-82 Wireless Network Security

Module Flow
- Understand Wireless Network Fundamentals
- Understand Wireless Network Encryption Mechanisms
- Discuss Different Types of Wireless Network Authentication Methods
- Discuss and Implement Wireless Network Security Measures

Discuss Different Types of Wireless Network Authentication Methods
The objective of this section is to explain the various authentication protocols and authentication methods, such as open system authentication and shared key authentication, used in wireless networks.

Module 11 Page 1443 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Authentication Protocols
- EAP-FAST: Performs flexible authentication via protected tunnels. It is an EAP method used for authenticating a secure session between a client and a server for wireless network access.
- EAP-TLS: Provides a digital attestation process in which a digital certificate provided by the certificate authority (CA) needs to be signed by both communication ends.
- EAP-TTLS: An advanced version of EAP-TLS that uses a PKI certificate to build a secure tunnel between a client and an authentication server for safe key exchange.
- IEEE 802.1X: Specifies the use of EAPoL (EAP over LAN) and EAPoW (EAP over WAN) for authentication.
- Wi-Fi Protected Setup (WPS): A security standard for wireless networks used to connect wireless devices to AP/WPS-enabled routers. It uses EAP authentication to exchange credentials wirelessly.

An authentication protocol is a cryptographic protocol that provides secure communication by validating client and server credentials. Discussed below are various authentication protocols used in wireless environments.
EAP Protocol
EAP is a request/response-based authentication framework that employs authentication algorithms to validate identities. It is used to negotiate authentication credentials, OTP verification, fingerprint authentication, smart cards, and generic authentication mechanisms such as username/password validation. The three components of EAP, together with an effective authentication algorithm, are responsible for encrypting and authenticating the data between the transmitter and receiver. The components of EAP are as follows.

- Supplicant: The primary component of EAP, a pre-installed software that runs on a computer or mobile phone at the user or client end. It is the entity requesting network access.
- Authenticator: Authenticators are Ethernet switches and wireless access points that grant or deny network access to the supplicant based on the instructions provided by the authentication server.
- Authentication Server: The authentication server provides instructions on granting or denying a supplicant's network access request based on the validation of the client's credentials. Usually, these servers are configured with a software tool that is compatible with EAP and RADIUS, or with software running independently on the authenticator's hardware.

Discussed below are different variations of EAP.

EAP-FAST
EAP-FAST performs flexible authentication via protected tunnels. It is an EAP method used for secure session authentication between a client and server for wireless network access. This method also addresses vulnerabilities such as the weak passwords observed in Lightweight EAP (LEAP) by performing mutual authentication over a Transport Layer Security (TLS) tunnel between the two communicating ends in three phases.
Phases of EAP-FAST
EAP-FAST consists of the following three phases.

o Phase 0 (PAC Provisioning): This is a basic and important phase of EAP-FAST, in which the authentication server creates a protected access credential (PAC) that holds information specific to a peer or supplicant, either manually or through an automated process. After creating the PAC, the authentication server passes it on to the supplicant. The PAC can also be exchanged via Diffie-Hellman key exchange, especially during automatic provisioning. PAC provisioning is performed only once; hence, it is an optional phase in the authentication method.
o Phase 1 (TLS Tunnel Establishment): In this phase, the client and authentication server first perform a TLS handshake to establish a secure TLS tunnel for exchanging authentication keys. This not only protects the client identity but also ensures that a compatible protocol version is used by the server and client involved in the EAP-FAST authentication negotiation.
o Phase 2 (Authentication): This phase carries out the communication between the client and server under the required authentication and authorization policies. It consists of a consecutive series of requests and responses through the secure tunnel established in the previous phase, and the exchange includes the EAP method run within the tunnel.

EAP-TLS
EAP Transport Layer Security (EAP-TLS) is an IETF open-standard protocol based on Transport Layer Security (TLS) that is well suited for secure wireless authentication. It includes a digital attestation process in which a digital certificate provided by the certificate authority (CA) must be signed by both communication ends. In simple terms, both the
client and server ends should digitally sign and configure the certificate to establish secure communication. The identities in this method are carried in cleartext before the certification process is initiated.

Working of EAP-TLS
The working of EAP-TLS can be understood by considering a peer/client on one end and an authenticator on the other. Communication between the peer and authenticator is initiated through EAP negotiation, after which the authenticator sends the peer an EAP-Request/Identity packet. Upon receiving this packet, the peer responds to the authenticator with an EAP-Response/Identity packet that carries the peer's user ID. During the common forwarding stage, the authenticator or a pass-through device receives EAP packets from the peer, which are then encapsulated for backend authentication.

EAP-TTLS
EAP Tunneled Transport Layer Security (EAP-TTLS) is an advanced version of EAP-TLS. As in PEAP, it uses a PKI certificate to build a secure tunnel between the client and authentication server for safe key exchange. For secure communication, EAP encapsulates the TLS session.

Phases of EAP-TTLS
The following are the two phases involved in EAP-TTLS.

o Handshake Phase: In this phase, either the server and client are mutually authenticated, or the server alone is authenticated, through the standard TLS procedures. Subsequently, the authentication server creates keying data for building a secure tunnel with the client for information exchange.
o Data Phase: In this phase, either the client and server are mutually authenticated, or the client alone is authenticated to the server, through an arbitrary authentication method encapsulated within the protected tunnel. The method can be either EAP itself or another mechanism such as MS-CHAP, MS-CHAPv2, or PAP.
EAP-TTLS supports conventional password-oriented authentication protocols, as well as existing protocols, to defend against eavesdropping and other MITM attacks.

IEEE 802.1X
IEEE 802.1X is an IEEE standard that offers a port-based authentication method over the data link layer to users who are attempting to access a local area network (LAN) or wireless local area network (WLAN). It specifies the use of EAP over LAN (EAPoL) and EAP over WAN (EAPoW). EAPoW enables the routing device to pass only authentication data while restricting unnecessary access to the network. It can be served by adopting either WPA2 or WPA3 security implementations on the routing device. If it is used only for enterprise authentication, the access point can be set to allow only EAPoW traffic.

Working of IEEE 802.1X
IEEE 802.1X involves the three components of EAP: the supplicant or client, the authenticator, and the authentication server. Before the supplicant/user is allowed to access a server through an authenticator, the authentication server validates and authorizes the user's credentials. This process is implemented through the following steps.

o Step 1: The supplicant that wishes to access the network from a specific port over the LAN/WLAN provides valid credentials to the authenticator, such as a digital certificate or a username and password that were issued by the network administrator in advance.
o Step 2: The authenticator forwards these credentials to an authentication server, which decides whether the user should be granted or denied access to the network service.
o Step 3: The authenticator forwards these credentials to an authentication server, which decides whether the user should be granted or denied access to the network service.
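The 802.1X flow above, modelled as an added example (not EC-Council's material): a supplicant presents credentials, a pass-through authenticator whose controlled port drops everything except EAPoL until the authentication server answers Accept, and a server that alone judges the credentials. The class and function names, the salted-hash credential check and the account "alice" are assumptions for illustration; a real deployment runs the inner method inside a TLS tunnel and carries the authenticator-to-server exchange over RADIUS.

```python
import hashlib
import hmac


def _digest(identity, password):
    # Salted SHA-256 stands in for the server's credential check (simplification).
    salt = hashlib.sha256(identity.encode()).digest()[:8]
    return hashlib.sha256(salt + password.encode()).digest()


class AuthServer:
    """Authentication server: the only party that judges credentials."""

    def __init__(self, accounts):
        self.users = {u: _digest(u, p) for u, p in accounts.items()}

    def validate(self, identity, password):
        expected = self.users.get(identity)
        if expected is None or not hmac.compare_digest(expected, _digest(identity, password)):
            return "Reject"
        return "Accept"


class Authenticator:
    """Switch port or AP: the controlled port starts unauthorized and passes only EAPoL."""

    def __init__(self, server):
        self.server = server
        self.port_authorized = False

    def receive(self, frame):
        if frame["type"] == "EAPoL":
            # Step 2: pass-through. The authenticator forwards the credentials to the
            # server and enforces its decision; RADIUS encapsulation is omitted here.
            decision = self.server.validate(frame["identity"], frame["password"])
            self.port_authorized = decision == "Accept"
            return decision
        # Any non-EAPoL frame is dropped until the server has said Accept.
        return "forwarded" if self.port_authorized else "dropped"


def run_session(identity, password):
    """Supplicant tries data traffic, authenticates, then tries data again."""
    server = AuthServer({"alice": "correct horse battery"})  # constructed account
    auth = Authenticator(server)
    before = auth.receive({"type": "IP"})
    # Step 1: supplicant answers the EAP-Request/Identity with its credentials.
    decision = auth.receive({"type": "EAPoL", "identity": identity, "password": password})
    after = auth.receive({"type": "IP"})
    return before, decision, after
```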
Protected Extensible Authentication Protocol (PEAP)
PEAP encapsulates EAP within a secure TLS tunnel. PEAP authentication is the same as EAP-TTLS but needs a server-side PKI-based certificate to establish an encrypted TLS tunnel and validate the server. Subsequently, PEAP establishes a tunnel between the authentication server and the supplicant/client. This mechanism provides security against password guessing, password sniffing, and other types of MITM attacks. The supplicant in this approach is not required to have a certificate for validation and can be authenticated by the server itself. In most cases, the encryption keys are transferred using the server's public key. The working of PEAP-EAP-TLS is the same as that of EAP-TLS, but PEAP-EAP-TLS provides additional security by encrypting part of the client's certificate.

PEAPv0/EAP-MSCHAPv2 and PEAPv1/EAP-GTC are two authentication mechanisms approved for WPA and WPA2 connections. PEAPv0 and PEAPv1 are known as outer authentication techniques and establish a protected TLS tunnel for securing further authentication mechanisms. On the other hand, EAP-MSCHAPv2 and EAP-GTC are known as inner authentication techniques and provide the facility to authenticate supplicants. EAP-PEAP also offers services such as server-to-client authentication, key exchange, encryption and validation of messages, packet fragmentation and reassembly, and quicker reconnections compared with other EAP methods.

Wi-Fi Protected Setup (WPS)
Wi-Fi Protected Setup (WPS) is a security standard for wireless networks that is used to connect wireless devices to an access point or WPS-enabled router. Using WPS, it is easy to connect a new device to the access point and automate the connection process. To use WPS, both the client and the access point must be compatible with WPS technology.
This standard is only applicable to wireless networks that use password-based encryption mechanisms such as Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2). It uses EAP authentication to exchange credentials wirelessly. The following are the two ways to add or connect a new device to a network.

- PIN authentication: In this method, the user enters the WPS-configured PIN into the WPS-supported device. Subsequently, the router authenticates the device by verifying the PIN and allows the device to connect. This PIN is an eight-digit number, generated automatically by the WPS-enabled router, that cannot be changed by the user. Hence, it can be vulnerable to brute-force attacks.
- Push-button authentication: Pressing the WPS push button on the WPS-enabled router, or the virtual button in the router's configuration dashboard, enables discovery mode. It allows nearby WPS-enabled wireless devices to connect without entering a PIN or password.
