Educause Security Discussion mailing list archives

Re: Wireless WPA2 MSCHAPv2


From: Joseph N Kurtin <joseph.kurtin () NORTHWESTERN EDU>
Date: Thu, 2 Aug 2012 11:39:53 +0000

Hi, All.  

It's been stated already in this thread that if your clients are
configured to validate the public certificate of the host that terminates
your PEAP connection, you're likely in good shape*, but I wanted to add a
little description to explain why.

PEAP is designed such that if an 802.1x supplicant sees a problem and
chooses not to build the TLS tunnel, the MSCHAP exchanges will not begin
at all.

Digging a little deeper, the PEAP tunnel is a TLS tunnel between a client
and RADIUS server (or something else if you're terminating PEAP on your
wireless controller, AP, etc...) built in order to allow for a secure
exchange of credential information, MSCHAP or otherwise.

After this tunnel is built, a negotiation takes place within the tunnel
between the 802.1x supplicant and an AAA server to pick an inner
authentication protocol.  Next, the negotiated credential comparison
(MSCHAPv2 in our case) is done within the same tunnel.  This is also why
attributes sometimes need to be handed back outside the tunnel in some
environments--the wireless infrastructure can be unaware of portions of
the conversation between the supplicant and AAA server.


-Joseph

*Most deployments terminate PEAP directly on the RADIUS server, but if you
terminate PEAP on a different device, your risk is now increased if the
path between your PEAP termination and RADIUS server is not secured.



On 7/31/12 6:36 PM, "Steve Bohrer" <skbohrer () SIMONS-ROCK EDU> wrote:
On Jul 31, 2012, at 8:58 AM, Parker, Ben C wrote:

Reading through the news, I saw that at Defcon MSCHAPv2  has been
effectively compromised.
https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
This includes the use of it in WPA2 connections to radius servers for
authentication.  Per the article, the current recommendation for
enterprise wireless deployments is to move to using client
certificates for authentication.

I'm over my head on crypto stuff, but in discussion about this crack
on slashdot (
http://science.slashdot.org/story/12/07/30/167210/new-moxie-marlinspike-tool-cracks-crypto-passwords
) a couple of commenters suggest that the PEAP layer of PEAP-
MSCHAPv2 802.1x wireless auth protects the MSCHAPv2 from the sort of
sniffing that this crack exploits.

Here's quotes from two comments:

From http://science.slashdot.org/comments.pl?sid=3014645&cid=40821639 :
"For WPA2-Enterprise the MSCHAPv2 session is usually wrapped in a PEAP
(SSL) session. This should be safe as long as your client is
configured to validate the server-side certificate only against CAs
that are not likely to be compromised (i.e. a rogue cert generated).
Preferably, one should also validate the certificate's subject
(usually the name of the RADIUS server)."


From http://science.slashdot.org/comments.pl?sid=3014645&cid=40822837 :
"Those eduroam sites that use MSCHAPv2 use PEAP-MSCHAPv2. You have to
crack the PEAP before you can crack the MSCHAPv2."

Any of the experts here wish to confirm or deny if PEAP-MSCHAPv2 is
still okay in the face of this new tool?

Thanks,

Steve Bohrer
Network Admin
Bard College at Simon's Rock
413-528-7645   
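As an added illustration (not part of the thread) of the client-side validation Joseph and the quoted slashdot comment describe, here is a weak wpa_supplicant PEAP-MSCHAPv2 network block beside a corrected one; the SSID, identity, CA file path and RADIUS server name are placeholders.

```conf
# WEAK: no ca_cert, so the supplicant accepts any server certificate.
# The TLS tunnel is built with whatever terminates PEAP, and the inner
# MSCHAPv2 exchange starts inside it regardless of who is on the other end.
network={
    ssid="CampusWiFi"                    # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"                      # placeholder user
    password="correct-horse-battery"     # placeholder
    phase2="auth=MSCHAPV2"
}

# CORRECTED: pin the trust anchor and the server name. If either check
# fails, the supplicant refuses to build the TLS tunnel and the MSCHAPv2
# exchange never begins, which is the property the thread relies on.
network={
    ssid="CampusWiFi"                    # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer (unencrypted) identity only; the real username stays in the tunnel.
    anonymous_identity="anonymous@example.edu"   # placeholder realm
    identity="jdoe"                      # placeholder user
    password="correct-horse-battery"     # placeholder
    # Only this CA (not the full system store) may sign the RADIUS server cert.
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"   # placeholder path
    # Also check the certificate's subject: the server's DNS name must end
    # with this suffix, so a valid cert for some other host is rejected.
    domain_suffix_match="radius.example.edu"       # placeholder name
    phase2="auth=MSCHAPV2"
}
```

Windows and macOS supplicants expose the same two checks as "validate server certificate" plus a trusted CA and server-name list in the PEAP profile.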

