Cisco develops WLAN security protocol to defeat password attacks

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,90163,00.html

By BOB BREWIN 
FEBRUARY 12, 2004

Cisco Systems Inc. has developed a new wireless LAN security protocol
designed to defeat brute force dictionary attacks that capture a
user's passwords, and it submitted a draft of the protocol to the
Internet Engineering Task Force (IETF) on Monday.

Cisco developed the new WLAN Extensible Authentication
Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) to
defeat dictionary attacks against unencrypted passwords in its
earlier, proprietary Lightweight Extensible Authentication Protocol
(LEAP). Cisco posted a security bulletin last August warning users
that LEAP is vulnerable to such attacks.

Ron Seide, WLAN product line manager at Cisco, said EAP-FAST protects
against dictionary attacks by sending password authentication between
a WLAN client and wireless LAN access points through a secure,
encrypted tunnel. Seide added that EAP-FAST also eliminates the need
for enterprises to install separate servers to handle the digital
certificates used in another WLAN security system, the Protected
Extensible Authentication Protocol (PEAP).

Seide said that Cisco believes that EAP-FAST complements PEAP as well
as LEAP, "bringing together some of the key advantages of LEAP's
convenience and flexibility with the password protection tunneling of
PEAP".

According to Seide, Cisco submitted EAP-FAST to the IETF for inclusion
in the 802.1x wireless LAN security protocol that is under development
and expects to have it available for download for free from its Web
site by the end of March. Seide said Cisco doesn't intend EAP-FAST as
a replacement for LEAP but as an addition to its WLAN security suite
of products, which includes PEAP.

Cisco also intends to make EAP-FAST available to partners in its Cisco
Compatible Extensions (CCX) program, Seide said. Cisco's CCX wireless
LAN chip partners include Intel Corp. and Atheros Communications Inc.
Hardware manufacturers that are part of the CCX program include Dell
Inc., Hewlett-Packard Co. and Toshiba Corp.

EAP-FAST will be available to CCX partners later this year, Seide
said, but he didn't specify an exact date.

Enterprise users of Cisco WLAN products contacted by Computerworld
said they have had little time to evaluate EAP-FAST since Cisco posted
the draft just this week. Mark Wiesenberg, director of network
services at Sharp HealthCare in San Diego, said his company “continues
to study the area of wireless LAN security and is fully committed to
using standards-based solutions. We will track how this proposal is
received by the IETF and evaluate a position based on industry
acceptance."

Joshua Wright, a systems engineer and deputy director of training at
the SANS Institute in Bethesda, Md., called EAP-FAST an "excellent
alternative" to PEAP or the EAP Transport Security Layer also
supported by Cisco, without requiring the use of digital certificates.

"As is the case with many draft standards, the quality of the protocol
is often determined in implementation, which I haven't seen yet," said
Wright, who developed an automated dictionary attack tool against LEAP
last year while working at Johnson & Wales University in Providence,
R.I.

He said he is a "little concerned" about accommodations in the
protocol to allow anonymous Diffie-Hellman exchanges that make
EAP-FAST vulnerable to the same dictionary attack flaws that plague
LEAP. Diffie-Hellman is an encryption scheme based on a public-key
infrastructure where information transmitted between users is
encrypted with a public key and decrypted with a private key.

Wright acknowledged that the draft EAP-FAST specification doesn't
recommend the use of Diffie-Hellman in the protocol, but he said if it
is used, it could negate much of the security of EAP-FAST.

Cisco spokeswoman Linda Horiuchi said in a statement, "Anonymous DH is
an option for provisioning the credential to the client machine, not
for authenticating the user. If anonymous DH is used for credential
provisioning, it is likely to be used once, during initial
provisioning, not with every authentication. Further, a dictionary
attack on anonymous DH would have to be an active attack, not an
offline attack.

“An organization that is concerned about a vulnerability during
initial credential provisioning should use a mechanism other than
unauthenticated DH for initial credential provisioning. However, many
organizations may consider the exposure window so small that
unauthenticated DH is a prudent choice."

Wright, who last year said he planned to publicly release his LEAP
dictionary attack tool this month, said Cisco asked him to delay that
release "a bit longer." Wright agreed to do so "as long as Cisco
continues to work toward providing a secure alternative to LEAP
users."

Chris Kozup, an analyst at Meta Group Inc., said that EAP-FAST is a
better protocol than LEAP and that Cisco is opening it up to the IETF.  
Kozup said he expects other vendors to adopt the protocol quickly.

 

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.