
Chapter 11 - 03 - Discuss Different Types of Wireless Network Authentication Methods - 01_ocred.pdf


Full Transcript


Certified Cybersecurity Technician
Wireless Network Security
Exam 212-82

Module Flow
- Discuss Different Types of Wireless Network Authentication Methods
- Understand Wireless Network Encryption Mechanisms
- Discuss and Implement Wireless Network Security Measures
- Understand Wireless Network Fundamentals

Discuss Different Types of Wireless Network Authentication Methods

The objective of this section is to explain the various authentication protocols and authentication methods, such as open system authentication and shared key authentication, used in wireless networks.

Module 11 Page 1443 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Authentication Protocols (slide summary)
- EAP-FAST: It performs flexible authentication via protected tunnels. It is an EAP method used for authenticating a secure session between a client and a server for wireless network access.
- EAP-TLS: It provides a digital attestation process in which a digital certificate provided by the certificate authority (CA) needs to be signed by both communication ends.
- EAP-TTLS: It is an advanced version of EAP-TLS that uses a PKI certificate to build a secure tunnel between a client and an authentication server for safe key exchange.
- IEEE 802.1X: It specifies the use of EAPoL (EAP over LAN) and EAPoW (EAP over WAN) for authentication.
- Wi-Fi Protected Setup (WPS): It is a security standard for wireless networks used to connect wireless devices to an AP or WPS-enabled router. It uses EAP authentication to exchange credentials wirelessly.

Authentication Protocols

An authentication protocol is a cryptographic protocol that provides secure communication by validating client and server credentials. Discussed below are various authentication protocols used in wireless environments.

EAP Protocol

EAP is a request/response-based authentication framework that employs authentication algorithms to validate identities. It is used to negotiate authentication credentials, OTP verification, fingerprint authentication, smart cards, and generic authentication mechanisms such as username/password validation. The three components of EAP, along with an effective authentication algorithm, are responsible for encrypting and authenticating the data between the transmitter and receiver. The components of EAP are as follows.

- Supplicant: It is the primary component of EAP, where pre-installed software runs on a computer or mobile phone at the user or client end. It is the entity requesting network access.
- Authenticator: Authenticators are Ethernet switches and wireless access points that grant or deny network access to the supplicant based on the instructions provided by the authentication server.
- Authentication Server: The authentication server provides instructions on granting or denying a supplicant's network access request based on the validation of the client's credentials. Usually, these servers are configured with a software tool that is compatible with EAP and RADIUS, or the software runs independently on an authenticator's hardware.

Discussed below are different variations of EAP.

EAP-FAST

EAP-FAST performs flexible authentication via protected tunnels. It is an EAP method used for secure session authentication between a client and server for wireless network access. This method also addresses vulnerabilities such as weak passwords observed in Lightweight EAP (LEAP) by performing mutual authentication over a Transport Layer Security (TLS) tunnel between the two communicating ends in three phases.

Phases of EAP-FAST

EAP-FAST consists of the following three phases.

  o Phase 0 (PAC Provisioning): This is a basic and important phase of EAP-FAST in which the authentication server creates a protected access credential (PAC) that holds information specific to a peer or supplicant, either manually or by using an automated process. After creating the PAC, the authentication server passes it on to the supplicant. The PAC can also be exchanged via Diffie-Hellman key exchange, especially during automatic provisioning. PAC provisioning needs to be performed only once; hence, it is an optional phase in the authentication method.
  o Phase 1 (TLS Tunnel Establishment): In this phase, the client and authentication server first perform a TLS handshake to establish a secure TLS tunnel for exchanging authentication keys. It not only protects the client identity but also ensures that a compatible protocol version is being used by the server and client involved in the EAP-FAST authentication negotiation.
  o Phase 2 (Authentication): This phase allows the required authentication and communication process between the client and server, with authorized policies. It involves a consecutive series of requests and responses through the secure tunnel established in the previous phase. This exchange includes the EAP method carried within the tunnel.

EAP-TLS

EAP Transport Layer Security (EAP-TLS) is an IETF open-standard protocol based on Transport Layer Security (TLS) that is well suited for secure wireless authentication processes. It includes a digital attestation process in which a digital certificate provided by the certificate authority (CA) must be signed by both communication ends. In simple terms, both the client and server end should digitally sign and configure the certificate to establish secure communication. The identities in this method are carried in cleartext before the certificate exchange is initiated.

Working of EAP-TLS

The working of EAP-TLS can be understood by considering a peer/client on one end and an authenticator on the other end. The communication between the peer and authenticator is initiated through EAP negotiation, after which the authenticator sends the peer an EAP Request/Identity packet. Upon receiving this packet, the peer responds to the authenticator with an EAP Response/Identity packet, which carries the peer's user ID. During the common forward stage, the authenticator or a pass-through device receives EAP packets from the peer, which are further encapsulated for backend authentication.

EAP-TTLS

EAP Tunneled Transport Layer Security (EAP-TTLS) is an advanced version of EAP-TLS. As in PEAP, it utilizes a PKI certificate to build a secure tunnel between the client and authentication server for safe key exchange. For secure communication, EAP encapsulates the TLS session.

Phases of EAP-TTLS

The following are the two phases involved in EAP-TTLS.

  o Handshake Phase: In this phase, the server and client are either authenticated mutually, or the server alone is authenticated through the standard TLS procedures. Subsequently, the authentication server creates keying data for building a secure tunnel with the client for information exchange.
  o Data Phase: In this phase, either the client and server are mutually authenticated or the client alone is authenticated to the server through an arbitrary authentication method encapsulated within the protected tunnel. In this case, the method can be either EAP alone or other conventional mechanisms such as password-oriented authentication protocols, MS-CHAP, MS-CHAP-V2, and PAP. It supports existing protocols as well, to defend against eavesdropping and other MITM attacks.

IEEE 802.1X

IEEE 802.1X is an IEEE standard that offers a port-based authentication method over the data link layer to users who are attempting to access a local area network (LAN) or wireless local area network (WLAN). It specifies the use of EAP over LAN (EAPoL) and EAP over WAN (EAPoW). EAPoW enables the routing device to pass only authentication data while restricting unnecessary access to the network. It can be served by adopting either WPA2 or WPA3 security implementations on the routing device. If it is used only for enterprise authentication, the access point can be set to allow only EAPoW traffic.

Working of IEEE 802.1X

IEEE 802.1X involves the three components of EAP: the supplicant or client, the authenticator, and the authentication server. Before the supplicant/user is allowed to access a server through an authenticator, the authentication server validates and authorizes the user's credentials. This process can be implemented through the following steps.

  o Step 1: The supplicant that wishes to access the network from a specific port using LAN/WLAN should provide valid credentials, such as a digital certificate or username and password provided by the network administrator in advance, to the authenticator.
  o Step 2: The authenticator forwards these credentials to an authentication server, which decides whether the user should be granted or denied access to the network service.
  o Step 3: The authenticator forwards these credentials to an authentication server, which decides whether the user should be granted or denied access to the network service.

Protected Extensible Authentication Protocol (PEAP)

PEAP includes EAP within a secure TLS tunnel.
PEAP authentication is the same as EAP-TTLS but needs a server's PKI-based certificate to establish an encrypted TLS tunnel and validate the server. Subsequently, PEAP establishes a tunnel between the authentication server and the supplicant/client. This mechanism provides security against password guessing, password sniffing, and other types of MITM attacks. The supplicant in this approach is not required to have a certificate for validation and can be authenticated by the server itself. In most cases, the encryption keys are transferred using the server's public key. The working of PEAP-EAP-TLS is the same as that of EAP-TLS, but PEAP-EAP-TLS provides additional security by encrypting a part of the client's certificate.

PEAPv0/EAP-MSCHAPv2 and PEAPv1/EAP-GTC are two authentication mechanisms approved for WPA and WPA2 connections. PEAPv0 and PEAPv1 are known as outer authentication techniques and establish a protected TLS tunnel for securing further authentication mechanisms. On the other hand, EAP-MSCHAPv2 and EAP-GTC are known as inner authentication techniques and offer the facility to authenticate supplicants. EAP-PEAP also offers services such as server-to-client authentication, exchange of keys, encryption and validation of messages, packet fragmentation and reassembly, and quicker reconnections compared to other EAP methods.

Wi-Fi Protected Setup (WPS)

Wi-Fi Protected Setup (WPS) is a security standard for wireless networks that is used to connect wireless devices to an access point or WPS-enabled router. Using WPS, it is easy to connect a new device to the access point and automate the connection process. To use WPS, both the client and access point should be compatible with WPS technology. This standard is only applicable to wireless networks that use password encryption mechanisms such as Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2). It uses EAP authentication to exchange credentials wirelessly. The following are the two ways to add or connect a new device to a network.

- PIN authentication: In this method, the user needs to enter the WPS-configured PIN into the WPS-supported device. Subsequently, the router authenticates the device by verifying the PIN and allows the device to connect to it. This PIN is an eight-digit number, generated automatically in the WPS-enabled router, and cannot be changed by the user. Hence, it can be vulnerable to brute-force attacks.
- Push-button authentication: By simply pressing the push button on the WPS router, or the virtual push button in the configuration dashboard of the WPS router, discovery mode can be enabled. It allows the nearest WPS-enabled wireless devices to connect without entering a PIN or password.
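The EAPOL/EAP identity exchange described under "Working of EAP-TLS" and "Working of IEEE 802.1X" above, as an added example that is not part of the course material: the authenticator's EAP-Request/Identity and the supplicant's EAP-Response/Identity are built and parsed from the 802.1X (EAPOL) and RFC 3748 (EAP) header layouts. The frames, the identifier value 7 and the identity string are constructed for illustration; with tunneled methods (EAP-TTLS, PEAP) the outer identity sent in cleartext should be an anonymous one, as the code comments note.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Header constants from IEEE 802.1X (EAPOL) and RFC 3748 (EAP); all frames here are constructed.
EAPOL_VERSION = 2             # 802.1X-2004 protocol version
EAPOL_TYPE_EAP_PACKET = 0     # EAPOL frame that carries an EAP packet
EAP_CODE_REQUEST, EAP_CODE_RESPONSE, EAP_CODE_SUCCESS, EAP_CODE_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1         # EAP-Request/Identity and EAP-Response/Identity

@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]   # Success/Failure packets carry no Type field
    data: bytes

def eapol_wrap(eapol_type: int, payload: bytes = b"") -> bytes:
    """Prepend the 4-byte EAPOL header: Version, Type, Body Length."""
    return struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(payload)) + payload

def build_eap(code: int, identifier: int, eap_type: int, data: bytes = b"") -> bytes:
    """EAP header is Code, Identifier, Length (covers the whole packet), then Type and data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eapol(frame: bytes) -> tuple:
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    _version, eapol_type, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:          # reject frames whose declared body is missing
        raise ValueError("EAPOL body truncated")
    return eapol_type, frame[4:4 + length]

def parse_eap(packet: bytes) -> EapPacket:
    if len(packet) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length")
    if code in (EAP_CODE_SUCCESS, EAP_CODE_FAILURE):
        return EapPacket(code, identifier, None, b"")
    if length < 5:
        raise ValueError("EAP Request/Response without Type")
    return EapPacket(code, identifier, packet[4], packet[5:length])

def supplicant_identity_response(request_frame: bytes, outer_identity: str) -> bytes:
    """Supplicant side of step 1: answer EAP-Request/Identity with EAP-Response/Identity.
    The identity crosses the LAN in cleartext, so for EAP-TTLS/PEAP pass an anonymous
    outer identity here and send the real username only inside the TLS tunnel."""
    eapol_type, eap = parse_eapol(request_frame)
    req = parse_eap(eap)
    if eapol_type != EAPOL_TYPE_EAP_PACKET or req.code != EAP_CODE_REQUEST or req.eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Request/Identity")
    # The Identifier is echoed so the authenticator can match the response to its request.
    resp = build_eap(EAP_CODE_RESPONSE, req.identifier, EAP_TYPE_IDENTITY, outer_identity.encode())
    return eapol_wrap(EAPOL_TYPE_EAP_PACKET, resp)
```

A complete frame as the authenticator would send it is `eapol_wrap(EAPOL_TYPE_EAP_PACKET, build_eap(EAP_CODE_REQUEST, 7, EAP_TYPE_IDENTITY))`; feeding it to `supplicant_identity_response` yields the reply that the authenticator then forwards to the authentication server (step 2).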
