HP Evo n180 Wireless Security - Page 26
Wireless Security White Paper 26

• For security reasons, the authentication information must be cryptologically secure. This implies that the Authenticator cannot decrypt the credentials.
• The model must be extensible to new authentication mechanisms as they are invented and implemented.

In order to ensure that the Authenticator can always identify and interpret new authentication mechanisms, any authentication types must be encapsulated using the Extensible Authentication Protocol (EAP) as specified in RFC 2284. EAP already supports multiple authentication schemes including smart cards, Kerberos, Public Key Encryptions, and One Time Passwords. Many others can be added.

The biggest security consideration of 802.1x is that its sole purpose is authentication. It does not provide integrity, encryption, replay protection or non-repudiation. These would need to be implemented with complementary schemes such as IPSec. There are also other points of vulnerability that must be addressed in any implementation of 802.1x:

• Piggybacking on an authenticated port - Multiple end stations on a port must be detected and disconnected
• Interception of credentials - Passwords must always be encrypted
• Subversion of authentication negotiation - It should not be possible to provoke a lesser form of authentication by interfering with the authentication process

802.11b WLANs are ideal candidates for 802.1x authentication since they represent a completely uncontrolled periphery. While it is possible to restrict physical access to wired LANs, this is not feasible in a wireless environment. It is much more difficult to monitor and enforce the air space around office buildings than the ports and wiring within them. This vulnerability is currently addressed using Wired Equivalent Privacy (WEP), which is available on 802.11b Access Points. If WEP is in use, then all stations must configure a symmetric passphrase in order to connect.
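As an added example (not code from the white paper or from HP), the block below is a small Python codec for the RFC 2284 EAP packet format that the text says every authentication type must be encapsulated in, plus the authenticator-side negotiation step that addresses the "subversion of authentication negotiation" point: a Response whose Identifier does not match the outstanding Request is dropped, and a Nak may only steer the exchange to a method the authenticator's policy allows, otherwise the session is failed rather than quietly downgraded. The Code and Type numbers are those defined in RFC 2284; the policy tuple ALLOWED_METHODS, the function names and every packet byte string are constructed for this example.

```python
"""
RFC 2284 EAP packet encode/decode plus an authenticator-side negotiation
check against downgrade via Nak. Added example; not code from the HP paper.
The policy ranking and all packet bytes below are constructed for the demo.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# EAP Code field (RFC 2284, section 2.2)
CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
# EAP Type field of Request/Response packets (RFC 2284, section 3).
# Types 1-3 are housekeeping; authentication methods are numbered 4 and up.
TYPE_IDENTITY, TYPE_NOTIFICATION, TYPE_NAK = 1, 2, 3
TYPE_MD5_CHALLENGE, TYPE_OTP, TYPE_GTC = 4, 5, 6


@dataclass
class EapPacket:
    code: int
    identifier: int
    type: Optional[int]        # None for Success/Failure, which carry no Type
    type_data: bytes = b""


def encode(pkt: EapPacket) -> bytes:
    """Wire format: Code(1) Identifier(1) Length(2) [Type(1) Type-Data...]."""
    body = b"" if pkt.type is None else bytes([pkt.type]) + pkt.type_data
    return struct.pack("!BBH", pkt.code, pkt.identifier, 4 + len(body)) + body


def decode(buf: bytes) -> EapPacket:
    """Parse an EAP packet, refusing malformed headers instead of guessing."""
    if len(buf) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError(f"Length field {length} inconsistent with {len(buf)} bytes")
    body = buf[4:length]       # bytes beyond Length are padding and are ignored
    if code in (CODE_SUCCESS, CODE_FAILURE):
        return EapPacket(code, ident, None)
    if code not in (CODE_REQUEST, CODE_RESPONSE):
        raise ValueError(f"unknown EAP Code {code}")
    if not body:
        raise ValueError("Request/Response lacks a Type field")
    return EapPacket(code, ident, body[0], body[1:])


# Assumed authenticator policy (constructed for the example): the methods it
# will run, in order of preference. Anything a peer proposes outside this
# list is refused; the exchange is never quietly moved to a weaker method.
ALLOWED_METHODS = (TYPE_OTP, TYPE_MD5_CHALLENGE)


def negotiate(outstanding: EapPacket, response_bytes: bytes) -> Optional[EapPacket]:
    """
    Given the Request the authenticator last sent and the raw Response that
    came back, return the next packet to send. Returns None when the Response
    is a genuine answer to a method Request, i.e. it should be handed to that
    method's credential verifier (not part of this example).
    """
    resp = decode(response_bytes)
    next_id = (outstanding.identifier + 1) & 0xFF
    if resp.code != CODE_RESPONSE or resp.identifier != outstanding.identifier:
        # RFC 2284 pairs each Response with its Request by Identifier;
        # anything else is stale, duplicated or injected and is discarded.
        raise ValueError("Response does not match the outstanding Request")
    if resp.type == TYPE_NAK:
        # Nak is only legal in reply to an authentication-method Request (Type >= 4).
        if outstanding.type is None or outstanding.type < TYPE_MD5_CHALLENGE or not resp.type_data:
            return EapPacket(CODE_FAILURE, next_id, None)
        wanted = resp.type_data[0]
        if wanted in ALLOWED_METHODS:
            return EapPacket(CODE_REQUEST, next_id, wanted)   # acceptable alternative
        return EapPacket(CODE_FAILURE, next_id, None)         # refuse the downgrade
    if resp.type != outstanding.type:
        raise ValueError("Response Type does not answer the outstanding Request")
    if resp.type == TYPE_IDENTITY:
        # Identity learned; open with the strongest method policy allows.
        # Type-Data would carry the method's challenge; placeholder bytes here.
        return EapPacket(CODE_REQUEST, next_id, ALLOWED_METHODS[0], b"challenge-placeholder")
    return None   # method Response: pass to the method-specific verifier


if __name__ == "__main__":
    req = EapPacket(CODE_REQUEST, 7, TYPE_OTP, b"challenge-placeholder")
    nak_to_gtc = encode(EapPacket(CODE_RESPONSE, 7, TYPE_NAK, bytes([TYPE_GTC])))
    print(negotiate(req, nak_to_gtc))   # Failure: GTC is not in ALLOWED_METHODS
```

The Identifier check is the cheap replay and injection guard that EAP itself provides; the Nak handling is where policy lives, and the choice to answer a disallowed Nak with Failure rather than a different Request is what stops an interfering party from provoking a lesser form of authentication.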
All transmission is then encrypted with 40- to 128-bit encryption. Recently, alleged cryptological weaknesses in the WEP algorithms have cast a shadow on its use. Beyond these there is a fundamental problem with key distribution and update. Since WEP keys are typically symmetric (the same on the Access Point and all connecting stations), they must be changed in unison. Clearly this is difficult to orchestrate when large user populations are involved. There have been solutions, including automating regular key changes (for example, using logon scripts); however, they are non-standard and require additional work. There are also problems ensuring that employees who leave the company no longer have access to the network, since they could "remember" their WEP key.

Another aspect of the problem arises when users connect to multiple different wireless LANs (e.g. in public areas or at customer sites). Current WEP implementations require that the user manually change the WEP key each time a new network is selected, which is tedious and interferes with any automated key changes.

802.1x solves all of these problems. It is not necessary to distribute any keys. The user can authenticate to a central Authentication server, which stores per-user credentials that can be disabled or modified as needed.