Security Basics mailing list archives

Re: What can WPA/WPA2 use for Encryption


From: martin <martiniscool () gmail com>
Date: Tue, 25 Aug 2009 22:36:52 +0100

Guys

Thanks once again for all the replies. I've glanced through all of them but not had a chance to read them all (and links) in-depth yet

One final thing however, essentially this circuit will be just the 2 APs - there will be no clients on this "microwave" network. So the authentication will only be done between the 2 APs - if we did go for a RADIUS solution, how would this work? Would one AP act as "master" & the second AP would be authenticated by the first? How do APs in a "traditional" corporate environment authenticate each other & ensure they are not communicating with a rogue AP?

Thanks again
M

On 25 Aug 2009, at 20:05, Chris Brenton <cbrenton () chrisbrenton org> wrote:

On Tue, 2009-08-25 at 18:18 +0100, martin wrote:

> Thanks very much for the speedy reply Chris.

Always glad to help. :)

> Regarding WPA, I take it that PSK & TKIP are just authentication
> methods then?

WPA comes in two flavors, home and enterprise. WPA-PSK is the home or
"personal" implementation, and to the best of my knowledge it only
supports a pre-shared secret (or key). WPA enterprise is the hardcore
version with a RADIUS interface that supports a wide range of
authentication options. There is a pretty cool write up on it here:
http://wiki.freeradius.org/WPA_HOWTO

TKIP is a different animal. Once we knew WEP was hosed we needed
something better. The problem was we had a ton of access points already
deployed with processors optimized for RC4 encryption. You could field
upgrade to change the code, but you could not do much about the
processors without replacing the whole AP.

This is where TKIP came from. It's designed to be compatible with older
(but field upgraded) APs that will not work with AES. Today however, if
you have all modern APs, you are supposed to be using CCMP with support
for AES.

With that said, I *hate* WPA in the enterprise. It creates an additional point of management and limits you to AES for data privacy. IMHO AES is
never going to last the intended 30 years like DES. I have a write up
here:

http://www.chrisbrenton.org/2009/07/aes-is-becoming-very-close-to-broken/

So what to do? In my previous post I gave a link to where I explain you are better off linking wireless in with your VPN solution. Single point
of management, better security options, same people tend to use VPN &
wireless, plus a bunch of other reasons. See that link if this sounds
interesting.

> In this case, what other authentication methods are
> available? Does 802.1x fall into this category? Or is this
> something additional to WPA entirely?

Yup. 802.1x describes the RADIUS interface I described above.

> Also, what would AES use to encrypt the payload? Is there always a
> shared secret of some kind, akin to a user's password in AD?

Actually, the AES keys get changed over time. The AP uses the session
key to create an EAP key message to the client. Nice thing about this
setup is that brute forcing one key does not compromise all data, just
the data protected with that one key.

Cheers,
Chris
--
www.chrisbrenton.org

