Compaq Evo n800c Wireless Security - Page 26




Wireless Security White Paper
26
• For security reasons, the authentication information must be cryptologically secure. This implies that the Authenticator cannot decrypt the credentials.
• The model must be extensible to new authentication mechanisms as they are invented and implemented.
In order to ensure that the Authenticator can always identify and interpret new authentication
mechanisms, any authentication types must be encapsulated using the Extensible Authentication
Protocol (EAP) as specified in RFC 2284. EAP already supports multiple authentication schemes
including smart cards, Kerberos, Public Key Encryptions, and One Time Passwords. Many others
can be added.
The biggest security consideration of 802.1x is that its sole purpose is authentication. It does not
provide integrity, encryption, replay protection or non-repudiation. These would need to be
implemented with complementary schemes such as IPSec.
There are also other points of vulnerability that must be addressed in any implementation of
802.1x:
• Piggybacking on an authenticated port – Multiple end stations on a port must be detected and disconnected
• Interception of credentials – Passwords must always be encrypted
• Subversion of authentication negotiation – It should not be possible to provoke a lesser form of authentication by interfering with the authentication process
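As an added illustration (not code from the white paper or from Compaq), the following Python parses EAP packets in the RFC 2284 layout and shows how an Authenticator could detect two of the points above: a second station appearing on an already authenticated port, and an EAP-Nak that steers the negotiation toward a method outside policy. The "only EAP-TLS is acceptable" policy, the port names and the MAC addresses are constructed assumptions.

```python
import struct
from collections import namedtuple
from dataclasses import dataclass, field

# EAP codes and types from RFC 2284; accepting only EAP-TLS (13) is a constructed policy choice
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_MD5, EAP_TYPE_TLS = 1, 3, 4, 13

EapPacket = namedtuple("EapPacket", "code identifier type data")  # type is None for Success/Failure

def build_eap(code, ident, type_=None, data=b""):
    """Serialize an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = (bytes([type_]) if type_ is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(frame):
    """Parse an EAP packet, rejecting a Length field that disagrees with the bytes received."""
    if len(frame) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        raise ValueError("EAP Length inconsistent with frame")
    body = frame[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response must carry a Type")
        return EapPacket(code, ident, body[0], body[1:])
    return EapPacket(code, ident, None, body)

@dataclass
class PortMonitor:
    """Authenticator-side checks for two of the weak points the paper lists (constructed example)."""
    allowed_types: set = field(default_factory=lambda: {EAP_TYPE_TLS})
    authorized: dict = field(default_factory=dict)  # port -> MAC of the station that passed EAP-Success

    def supplicant_frame(self, port, src_mac, raw):
        """Inspect one EAP frame received from a station on a port; return the alerts it raises."""
        pkt = parse_eap(raw)
        owner = self.authorized.get(port)
        found = []
        if owner is not None and src_mac != owner:
            found.append(("piggyback", port, src_mac))  # second end station on an authenticated port
        if pkt.code == EAP_RESPONSE and pkt.type == EAP_TYPE_NAK:
            if not set(pkt.data) & self.allowed_types:  # Nak lists only types policy rejects
                found.append(("downgrade", port, src_mac))
        return found

    def success(self, port, src_mac):
        self.authorized[port] = src_mac  # record the single station that passed authentication
```

In a real deployment the piggyback alert would be followed by the port being disconnected, as the paper requires; the downgrade check keeps the negotiation from settling on a weaker method than policy allows.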
802.11b WLANs are ideal candidates for 802.1x authentication since they represent a completely
uncontrolled periphery. While it is possible to restrict physical access to wired LANs, this is not
feasible in a wireless environment. It is much more difficult to monitor and enforce the air space
around office buildings than the ports and wiring within them.
This vulnerability is currently addressed using Wired Equivalent Privacy (WEP), which is
available on 802.11b Access Points. If WEP is in use, then all stations must configure a
symmetric passphrase in order to connect. All transmission is then encrypted with 40-128 bit
encryption.
Recently, there have been alleged cryptological weaknesses with the WEP algorithms that have
cast a shadow on its use. Beyond these there is a fundamental problem with key distribution and
update. Since WEP keys are typically symmetrical (the same on the Access Point and all
connecting stations) they must be changed in unison. Clearly this is difficult to orchestrate when
large user populations are involved.
There have been solutions, including automating regular key changes, for example, using logon
scripts; however, they are non-standard and require additional work. There are also problems
ensuring that employees who leave the company no longer have access to the network, since they
could “remember” their WEP key.
Another aspect of the problem arises when users connect to multiple different wireless LANs
(e.g. in public areas or at customer sites). Current WEP implementations require that the user
manually change the WEP key each time a new network is selected, which is tedious and
interferes with any automated key changes.
802.1x solves all of these problems. It is not necessary to distribute any keys. The user can
authenticate to a central Authentication server, which stores per-user credentials that can be
disabled or modified as needed.