
The WLAN security

Stanisław Sirko, 2007-07-11

7. IEEE 802.1x - authentication and key management

The 802.11i standard is closely tied to the IEEE 802.1x standard, which handles authentication and key management (in particular the distribution of cryptographic keys). 802.1x was originally created for wired networks and has now been adopted for the wireless medium as part of 802.11i. The adaptation was driven mainly by the need to authenticate authorized users and to keep unauthorized parties from taking advantage of the unsecured wireless medium, that is, radio waves.

The 802.1x specification introduces the concept of a port as a client's single point of access to the network. This fits wireless networks well, since each client is associated with exactly one access point. The standard defines protection based on two logical ports, the controlled port and the uncontrolled port, shown in picture 2. The controlled port gives an authenticated client access to the network; it normally offers the full range of services and remains blocked until authentication has completed successfully. The uncontrolled port gives access only to a minimal set of administrative services, and the data belonging to the 802.1x authentication process is carried over it. In a wireless network the "port" is understood as the association between the client device and the access point.

The 802.1x architecture requires three elements, shown in picture 3:

• supplicant (the authenticated party): the entity at one end of a point-to-point LAN segment that is authenticated by the authenticator;
• authenticator (the authenticating party): the entity at the other end of that point-to-point LAN segment, which authenticates the entity connected to the network at the far end;
• authentication server (AS): the entity that provides the authentication service on behalf of the authenticator.


The wireless client acts as the device awaiting authentication (the supplicant), and the access point performs the authenticator function; in 802.1x terms the access point takes over the role of the switch shown in the picture. The authentication server, which allows effective management of user accounts, their authorizations and certificates, should be attached to the wired network segment to which the access point is connected. Most often a RADIUS server performs this role.

User authentication in 802.1x is carried out with EAP (Extensible Authentication Protocol). Picture 3 shows the exchange of EAP messages between the 802.1x devices.


Picture 3. Authentication with the RADIUS server diagram
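To make the two-port model concrete, the following is an added Python model (not code from the original article) of an access point that relays EAP over the uncontrolled port and opens the controlled port only after the authentication server reports success; the server's shared-secret check and the user entry are constructed placeholders for a real EAP method.

```python
"""Toy model of 802.1x port-based access control (constructed example).
The uncontrolled port only relays EAP to the authentication server; the
controlled port stays blocked until that server reports success."""
import hmac
import secrets

ETHERTYPE_EAPOL = 0x888E   # EAP over LAN: the only traffic the uncontrolled port passes
ETHERTYPE_IPV4 = 0x0800    # ordinary data: needs an authorized controlled port

class AuthServer:
    """Stand-in for the RADIUS/EAP server. The shared-secret check is a
    placeholder for a real EAP method; the credential store is constructed."""
    def __init__(self, users):
        self._users = users

    def authenticate(self, identity, response):
        expected = self._users.get(identity)
        if expected is None or not hmac.compare_digest(expected, response):
            return None
        return secrets.token_bytes(32)   # fresh 256-bit PMK for this session

class Authenticator:
    """The access point: one controlled/uncontrolled port pair per client MAC."""
    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.ports = {}   # client MAC -> {"authorized": bool, "pmk": bytes|None}

    def receive(self, client_mac, ethertype, payload):
        port = self.ports.setdefault(client_mac, {"authorized": False, "pmk": None})
        if ethertype == ETHERTYPE_EAPOL:
            # Uncontrolled port: relay EAP to the AS; nothing reaches the LAN.
            identity, response = payload
            port["pmk"] = self.auth_server.authenticate(identity, response)
            port["authorized"] = port["pmk"] is not None
            return "EAP-Success" if port["authorized"] else "EAP-Failure"
        if port["authorized"]:
            return "forwarded"   # controlled port open: data reaches the LAN
        return "dropped"         # controlled port blocked before authentication

def demo():
    """Data before EAP is dropped, failed EAP keeps the port blocked, success opens it."""
    ap = Authenticator(AuthServer({"alice": b"alice-secret"}))   # constructed user
    mac = "00:11:22:33:44:55"
    return [
        ap.receive(mac, ETHERTYPE_IPV4, b"GET /"),
        ap.receive(mac, ETHERTYPE_EAPOL, ("alice", b"wrong")),
        ap.receive(mac, ETHERTYPE_IPV4, b"GET /"),
        ap.receive(mac, ETHERTYPE_EAPOL, ("alice", b"alice-secret")),
        ap.receive(mac, ETHERTYPE_IPV4, b"GET /"),
    ]
```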

     

EAP itself does not specify any authentication method; it is a carrier for a specific EAP method. There are many EAP authentication methods, most of them shared across hardware and software vendors. The most commonly encountered are:

• EAP-TLS is the original EAP method for the 802.11 standard and is implemented by most hardware and software vendors. It requires client authentication based on public-key certificates, which are usually stored on smart cards. The certificate requirement gives EAP-TLS an advantage over other solutions, but it considerably increases the cost of managing the security system. All devices compatible with WPA and WPA2 support this method. By default EAP-TLS is available in Mac OS 10.3 and later, Windows 2000 SP4, Windows XP, and Windows Mobile 2003 and later.
• EAP-TTLS was created by Funk and Certicom. It is not supported in a default installation of Windows (2000/XP/Mobile 2003/CE); support appears only in Windows 2003. Nonetheless EAP-TTLS is the most popular EAP protocol.
• PEAPv0/EAP-MSCHAPv2 is often simply called PEAP, although PEAP has several variants (v0, v1, v2). It was created by Microsoft in cooperation with RSA Data Security and Cisco Systems. In terms of usage PEAP ranks second after EAP-TTLS, and it is supported by Microsoft's whole product family and by Mac OS 10.3 and later. PEAPv0 is not considered secure, which is why work on PEAPv1 and PEAPv2 is in progress.
• PEAPv1/EAP-GTC was proposed by Cisco Systems as an alternative to PEAPv0. It is not supported in a default Windows installation and has not yet gained wide popularity, but it is favoured in Cisco hardware and software. It allows a standard authentication protocol to be used but requires support for EAP-GTC, for example. It is worth mentioning that another protocol favoured by Cisco, LEAP, was also found to be insecure because it is not resistant to dictionary attacks, which is why LEAP is being replaced by EAP-FAST.


In wireless networks the 802.1x mechanism is also used for key distribution, which is done by generating two sets of keys. The first set consists of pairwise keys, also called session keys, which are unique to each association between a client and the access point; they guarantee the privacy of the connection and remove the "one WEP key for everyone" problem. The second set consists of group keys, which are used to encrypt multicast traffic. Both kinds of keys are 128 bits long. The pairwise keys are derived from the 256-bit Pairwise Master Key (PMK), which each device receives from the RADIUS server. The group keys are derived in a similar way from the Group Master Key (GMK).


In small-office or home networks a RADIUS server with a user database is a rarity. In that case the keys are generated from a pre-agreed PMK that is entered by hand, just as in the WEP case.
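As an added example (not from the original article), the following Python code carries the key hierarchy described above through the IEEE 802.11i expansion: the PMK, whether delivered by RADIUS or configured by hand, is expanded into the 128-bit pairwise keys and the GMK into the group key. It assumes the 802.11i PRF and the nonces and addresses exchanged in the 4-way handshake, which the text does not cover; all input values are constructed.

```python
"""802.11i key expansion from the master keys (added example, constructed values).
Pairwise (session) keys come from the 256-bit PMK, the group key from the GMK,
both through the 802.11i PRF built on HMAC-SHA1. The MAC addresses and
nonces below are constructed stand-ins for values exchanged in the 4-way
handshake, which the text above does not cover."""
import hashlib
import hmac

def prf(key, label, data, bits):
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for
    i = 0, 1, ... concatenated, then truncated to n bits."""
    out = b""
    for i in range((bits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: bits // 8]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Pairwise Transient Key for CCMP (384 bits), split into three 128-bit
    keys: KCK (handshake integrity), KEK (key wrapping), TK (data traffic)."""
    if len(pmk) != 32:
        raise ValueError("PMK must be 256 bits")
    # Ordering the inputs by value lets AP and client build the same PTK
    # regardless of which side is which.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def derive_gtk(gmk, aa, gnonce):
    """Group Temporal Key (128 bits for CCMP) protecting multicast/broadcast."""
    return prf(gmk, b"Group key expansion", aa + gnonce, 128)

def demo():
    """Two clients of one AP start from the same PMK source but get distinct TKs."""
    pmk = hashlib.sha256(b"constructed PMK (from RADIUS or entered by hand)").digest()
    gmk = hashlib.sha256(b"constructed GMK").digest()
    aa = bytes.fromhex("001122334455")            # AP (authenticator) address
    anonce, gnonce = bytes(32), bytes([7]) * 32   # constructed nonces
    clients = {
        "client1": bytes.fromhex("66778899aabb"),
        "client2": bytes.fromhex("66778899aacc"),
    }
    tks = {name: derive_ptk(pmk, aa, spa, anonce, bytes([1]) * 32)["TK"]
           for name, spa in clients.items()}
    return tks, derive_gtk(gmk, aa, gnonce)
```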
