Security Basics mailing list archives
Re: What can WPA/WPA2 use for Encryption
From: martin <martiniscool () gmail com>
Date: Tue, 25 Aug 2009 22:36:52 +0100
Guys

Thanks once again for all the replies. I've glanced through all of them but not had a chance to read them all (and links) in-depth yet.

One final thing however, essentially this circuit will be just the 2 APs - there will be no clients on this "microwave" network. So the authentication will only be done between the 2 APs - if we did go for a RADIUS solution, how would this work? Would one AP act as "master" & the second AP would be authenticated by the first? How do APs in a "traditional" corporate environment authenticate each other & ensure they are not communicating with a rogue AP?

Thanks again
M

On 25 Aug 2009, at 20:05, Chris Brenton <cbrenton () chrisbrenton org> wrote:

> On Tue, 2009-08-25 at 18:18 +0100, martin wrote:
> > Thanks very much for the speedy reply Chris.
>
> Always glad to help. :)
>
> > Regarding WPA, I take it that PSK & TKIP are just authentication methods then?
>
> WPA comes in two flavors, home and enterprise. WPA-PSK is the home or "personal" implementation, and to the best of my knowledge it only supports a pre-shared secret (or key). WPA enterprise is the hardcore version with a RADIUS interface that supports a wide range of authentication options. There is a pretty cool write up on it here:
> http://wiki.freeradius.org/WPA_HOWTO
>
> TKIP is a different animal. Once we knew WEP was hosed we needed something better. The problem was we had a ton of access points already deployed with processors optimized for RC4 encryption. You could field upgrade to change the code, but you could not do much about the processors without replacing the whole AP.
>
> This is where TKIP came from. It's designed to be compatible with older (but field upgraded) APs that will not work with AES. Today however, if you have all modern APs, you are supposed to be using CCMP with support for AES.
>
> With that said, I *hate* WPA in the enterprise. It creates an additional point of management and limits you to AES for data privacy. IMHO AES is never going to last the intended 30 years like DES. I have a write up here:
> http://www.chrisbrenton.org/2009/07/aes-is-becoming-very-close-to-broken/
>
> So what to do? In my previous post I gave a link to where I explain you are better off linking wireless in with your VPN solution. Single point of management, better security options, same people tend to use VPN & wireless, plus a bunch of other reasons. See that link if this sounds interesting.
>
> > In this case, what other authentication methods are available? Does 802.1x fall into this category? Or is this something additional to WPA entirely?
>
> Yup. 802.1x describes the RADIUS interface I described above.
>
> > Also, what would AES use to encrypt the payload? Is there always a shared secret of some kind, akin to a user's password in AD?
>
> Actually, the AES keys get changed over time. The AP uses the session key to create an EAP key message to the client. Nice thing about this setup is that brute forcing one key does not compromise all data, just the data protected with that one key.
>
> Cheers,
> Chris
> --
> www.chrisbrenton.org