<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Re: Questions about WPA2 and WPA in Wireless Security</title>
<link>http://www.dslreports.com/forum/r16787052</link>
<description></description>
<language>en</language>
<pubDate>Sat, 28 Nov 2009 18:39:36 EDT</pubDate>
<lastBuildDate>Sat, 28 Nov 2009 18:39:36 EDT</lastBuildDate>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,17065242</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : My girlfriend's new Toshiba A105-S4064 laptop with an Intel Pro Wireless 3945 A/B/G was causing problems before with the Windows XP Supplicant. I just checked the drivers installed on the device and they are over a year old despite the fact that Intel releases updates frequently and the laptop is less than a month old. I checked Toshiba's site and they only show one Wireless driver update, which is far older than the newest Intel one. <br><br>Instead, I went ahead and downloaded the newest Intel driver released about a week ago which adds some fixes for the 3945 A/B/G card. I chose to use Intel's Supplicant which offers much more information and better security options. Unlike the XP Supplicant you can use password protected client certificates or smart cards, you can specify the Server certificate Common Name rather than just the Trusted Root CA, you can use any one of EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-FAST, LEAP, and DHE-RSA-AES256-SHA (DH for Key Exchange, RSA for authentication, AES-256-CBC for Encryption, SHA1 for integrity) is used by default for the TLS exchange which isn't even offered by the MS Supplicant. Remember, the MS supplicant doesn't support AES for the TLS exchange, and doesn't support Diffie-Hellman as the key exchange method so you don't get Perfect Forward Secrecy. By default MS uses RSA for authentication & key exchange, RC4 for encryption and MD5 for integrity.<br><br>Oh, and the Intel supplicant connects faster than the MS supplicant. The MS supplicant can take anywhere from 2-35 seconds - usually takes 5 seconds or less, or 35 seconds. I don't really know why this is the case. When I capture traffic with Wireshark, I see that Windows just sits and does nothing and then after 34 seconds initiates the EAP exchange and completes in under a second. I've noticed this phenomenon with a WG511, WG511T and the Intel card. 
Otherwise, Windows starts the EAP exchange immediately and I'm connected in several seconds.<br><br>Both the Odyssey Client and the Intel client seem to connect reliably every time in a few seconds, so I'm guessing the problem is only with the MS supplicant. I guess there's a good, free alternative to the MS supplicant for those with Intel cards who don't want to spend $50 on the Odyssey client. One other cool thing about the Intel client is that it will show you all the APs & their MACs associated with a certain SSID. <br><br>However, there is one warning of caution. The Intel client doesn't seem to work well when an AP's SSID is disabled. It will allow you to connect and show the network with the assigned SSID in the list of available networks, but if you connect to a new network, the old network disappears from the list and is shown only as no_ssid. It seems like the client isn't associating the Profile and assigned SSID with the AP. You can still connect by going to the Profile and selecting "Connect" but you can't connect from the list of available networks. This is only an issue if you want to be able to switch between multiple networks manually. The Intel client will still automatically connect to the most preferred profile, regardless of whether the network broadcasts its SSID or not which is more than can be said for XP. <br><br>The XP supplicant will usually connect to the first available network in the list that broadcasts an SSID even if another network that doesn't broadcast its SSID is higher in priority. This is a known issue with the Windows supplicant, and Microsoft says that if you want a fix, you can upgrade to Vista which will behave as expected. <br><br>Now that I've got the Intel card working in my girlfriend's laptop, I have decommissioned the WG511 and altered my DD-WRT security settings to WPA2 RADIUS ONLY with AES encryption. 
Before I was using WPA2 RADIUS MIXED with AES encryption.<br><br>(Interestingly, DD-WRT allows you to force AES even in mixed mode, so AES is used for unicast & multicast traffic). The only Mixed Mode available on most routers is TKIP+AES which allows clients to select from AES or TKIP as the unicast cipher. TKIP is always used for multicast traffic even if all clients are using AES for unicast traffic. <br><br>If you're not sure what your AP supports and the web interface is vague you can capture some 802.11 traffic with airodump. You'll probably need Linux for this as Windows drivers generally don't allow 802.11 traffic capture- so no AP beacons- only regular traffic. <br><br>When you capture a Beacon (IEEE protocol, Beacon Frame) under Tagged Parameters you should see several fields. The ones that are relevant are the RSN Information field and the "Vendor Specific: WPA" field. The RSN field is for WPA2 settings and the WPA field is for WPA settings. If you are using Mixed mode you should see both fields. If you are using WPA2 Only, you should see just the RSN field.<br><br>When you expand the field you should see a Multicast Cipher Suite and a Unicast Cipher Suite. These are the ciphers that your AP will accept. Preferably, you only want to offer AES if your devices support it. Also, there's an RSN Capabilities field that will tell you if your AP supports Pre-Authentication which may be useful for roaming. <br><br>The auth key management suite will say PSK if you're using a Pre-Shared Key and WPA if you are using 802.11x. 
<br><br>This is what you would see for a WPA2 RADIUS MIXED beacon with AES as the only cipher choice:<br><br> RSN Information<br>      Tag Number: 48 (RSN Information)<br>      Tag length: 20<br>      Tag interpretation: RSN IE, version 1<br>      Tag interpretation: Multicast cipher suite: AES (CCM)<br>      Tag interpretation: # of unicast cipher suites: 1<br>      Tag interpretation: Unicast cipher suite 1: AES (CCM)<br>      Tag interpretation: # of auth key management suites: 1<br>      Tag interpretation: auth key management suite 1: WPA<br>      RSN Capabilities: 0x0000<br><br> Vendor Specific: WPA<br>      Tag Number: 221 (Vendor Specific)<br>      Tag length: 24<br>      Tag interpretation: WPA IE, type 1, version 1<br>      Tag interpretation: Multicast cipher suite: AES (CCM)<br>      Tag interpretation: # of unicast cipher suites: 1<br>      Tag interpretation: Unicast cipher suite 1: AES (CCM)<br>      Tag interpretation: # of auth key management suites: 1<br>      Tag interpretation: auth key management suite 1: WPA<br>      Tag interpretation: Not interpreted]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,17065242</guid>
<pubDate>Wed, 11 Oct 2006 01:26:33 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,17049005</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : Thanks, I believe the WRT54Gv4 is pretty much identical to the WRT54GL. The WRT54GL came out after revision 5 and 6 of the WRT54G which used the VxWorks firmware. &raquo;<A HREF="http://en.wikipedia.org/wiki/Wrt54g#Hardware_revisions" >en.wikipedia.org/wiki/Wrt54g#Har&middot;&middot;&middot;evisions</A> states that the WRT54GL is identical to the WRT54Gv4 but with a different model #, so I guess the WRT54GL is unlikely to support a Re-Authentication timeout either. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,17049005</guid>
<pubDate>Sun, 08 Oct 2006 14:17:37 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,17047709</link>
<description><![CDATA[<A HREF="/useremail/u/322587"><b>jbibe</b></A> : I don't have a WRT54GL, but I have configured four or five WRT54G_V4 devices. The WRT54G_V4 Linksys firmware does not include a Re-Authentication time control.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,17047709</guid>
<pubDate>Sun, 08 Oct 2006 08:11:16 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,17044564</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : Thanks for the information. I guess the problem then is either with my AP or with DD-WRT. You don't happen to use DD-WRT with any devices, do you? Do you know if the Linksys firmware for the WRT54GL 1.1 supports a Re-Authentication Timer?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,17044564</guid>
<pubDate>Sat, 07 Oct 2006 14:47:48 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,17042973</link>
<description><![CDATA[<A HREF="/useremail/u/322587"><b>jbibe</b></A> : Thanks Jason for the additional information. I have setup FR-1.1.3 on FC5. I will run some experiments to see what happens when I include Session-Timeout in the Accept Message.<br><br>Edit: I added Session-Timeout = 300 to the users file. Re-Authentication now occurs every 300 seconds instead of the 1800 seconds configured in the access point. I have not checked to see if re-authentication occurs at the 300 second interval and the time set in the access point.<br><br>I will run the same test on an access point that does not include a re-authentication timer. The manual claims the device accepts timing information from a RADIUS server.<br><br>Edit2: I checked two more access points. Neither device includes a re-authentication time. Neither device uses the Session-Timeout information.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,17042973</guid>
<pubDate>Sat, 07 Oct 2006 07:46:58 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,17040765</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : Ok, I have received the answer to my question from Alan DeKok, one of the Freeradius developers. He states that Freeradius can force client re-authentication by sending a Session-Timeout message to the AP in the Access Accept message, however the AP must support this. Apparently DD-WRT doesn't. So, the Freeradius support is there- but the AP firmware must also support it. <br><br>He states that: <br>"  There really isn't a good way to do this, if the AP doesn't support it.<br><br>  Alan DeKok."<br><br>For anyone interested, I have also discovered a bug in Freeradius that causes the freeradius daemon to become a zombie process when restarted or stopped. <br><br>When I enable the "check_cert_cn = %{User-Name}" option in eap.conf and successfully authenticate one or more users, a restart or stop of the radiusd service leads to a zombie process which needs to be killed with "kill -9". If this option is disabled, as is the default setting, radiusd can be restarted normally without issue. This issue does not occur if either a) no users have attempted to authenticate, or b) users have authenticated but were rejected.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,17040765</guid>
<pubDate>Fri, 06 Oct 2006 19:10:37 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,17040452</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : I configured Freeradius to send a Session-Timeout message in the RADIUS Access Accept message but it has no effect. I confirmed that the Access Accept message did in fact have "Simultaneous-Use = 1800" set, but it was ignored by the AP. Since it's sending the message to the AP, it appears that the AP must be able to understand the message to act on it, which my AP apparently isn't doing.  <br><br>Perhaps someone could try this with another AP or with different firmware:<br><br>You just need to add this line early in the "users" file so that it's the default option.<br><br>DEFAULT<br>     Session-Timeout = 1800<br><br>That will apply a Session-Timeout of 1800 seconds to all users. You can confirm that a Session-Timeout message is being sent by running Freeradius in debug mode (radiusd -X). The Access Accept Message should now include "Session-Timeout = 1800". ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,17040452</guid>
<pubDate>Fri, 06 Oct 2006 18:16:31 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,17039639</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : Thanks for the quick reply. As always, it was very helpful. I read something using the Session-Timeout parameter in the RADIUS Accept message with Freeradius, but I'm not sure how this can be setup. I'm going to send a question to the Freeradius mailing list to see if this is possible, because the documentation doesn't provide an answer. I'll post a response here if I receive one. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,17039639</guid>
<pubDate>Fri, 06 Oct 2006 15:49:24 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,17039442</link>
<description><![CDATA[<A HREF="/useremail/u/322587"><b>jbibe</b></A> : The following quote is from "802.11i-2004.pdf", paragraph 8.5.1.2, page 75. This applies to TKIP and CCMP.<br><br>"The PTK shall not be used longer than the PMK lifetime as determined by the minimum of the PMK lifetime indicated by the AS, e.g., Session-Timeout + dot1xAuthTxPeriod or from the dot11RSNAConfig-PMKLifetime MIB variable. When RADIUS is used and the Session-Timeout attribute is not in the RADIUS Accept message, and if the key lifetime is not otherwise specified, then the PMK lifetime is infinite."<br><br>As far as I know, FreeRADIUS does not include a Session-Timeout.<br><br>Most Enterprise (and some SOHO) access points include a re-authentication timeout to refresh the PMK at preset intervals.<br><br>Edit: I assume (but I have never verified) that access points automatically refresh the PTK before the packet number reaches the 2**48 for CCMP. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,17039442</guid>
<pubDate>Fri, 06 Oct 2006 15:10:28 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,17039009</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : I was reading up on AES-CCMP and I found this Microsoft Technet Article titled "Wi-Fi Protected Access 2 Data Encryption and Integrity" which states that "AES CCMP rekeys automatically to derive new sets of temporal keys." See: &raquo;<A HREF="http://www.microsoft.com/technet/community/columns/cableguy/cg0805.mspx" >www.microsoft.com/technet/commun&middot;&middot;&middot;805.mspx</A><br><br>Since, Counter Mode Cipher Block Chaining-Message Authentication Code (CBC-MAC) or CCMP is a new mode for AES which was specifically designed for usage in WPA2, I couldn't find much specifics about the statement made in the MS article, although I've also seen it said in other places. Does anyone have any information on how often the rekeying occurs? <br><br>I sent a feature request to the DD-WRT forum to add a re-authentication timeout option which would allow the AP to force clients to re-authenticate after a specified time interval. Currently, I'm stuck doing so on the client side, or not doing so at all.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,17039009</guid>
<pubDate>Fri, 06 Oct 2006 13:44:24 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16998267</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : Thanks for the info. I installed tinyCA and it answered both my questions.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16998267</guid>
<pubDate>Fri, 29 Sep 2006 13:39:27 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16997743</link>
<description><![CDATA[<A HREF="/useremail/u/649954"><b>Brano</b></A> : There's a nice GUI front-end for openssl called TinyCA &raquo;<A HREF="http://tinyca.sm-zone.net" >tinyca.sm-zone.net</A> ... you may want to check it out. Makes life easier ;)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16997743</guid>
<pubDate>Fri, 29 Sep 2006 12:04:23 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16997651</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : I actually installed Freeradius from source so if I wrote a howto, the directories would be different. For example my freeradius configuration directory is /usr/local/etc/raddb/ and my log directory is /usr/local/var/log/radius/. <br><br>When creating the Certificate Authority do you know how to specify the hash function? openssl.cnf has an option default_md = md5. If changed to default_md = sha1, all server and client certificates use SHA1 for the signature algorithm. However, when I create the root CA it always uses md5 regardless of the setting in openssl.cnf even though it reads openssl.cnf to get information about the certificates' attributes and key size. <br><br>Also, what's the command to create the CA in DER format rather than PEM? ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16997651</guid>
<pubDate>Fri, 29 Sep 2006 11:46:40 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16996749</link>
<description><![CDATA[<A HREF="/useremail/u/322587"><b>jbibe</b></A> : <div class="bquote"><SMALL>said by  Jason Cohen <A HREF="/useremail/u/1104854"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>   :</SMALL><BR><BR>If you would like I could combine all these resources, provide the scripts I made, and write a howto on setting up Freeradius for EAP-TLS. I can also include a section on hardening Freeradius to use stronger cipher suites for TLS, larger certificates/private keys, and larger DH keys for the ephemeral key agreement. </DIV>I believe that this would be an excellent addition. Two user groups require help installing FreeRADIUS. One group uses the latest version of FreeRADIUS to make a complete install. Several HOWTO articles are available to help this first group. The second group use a pre-packaged version of FreeRADIUS. Once installed, this second group needs to build and install certificates, and configure the server. Your suggested writeup should provide valuable information for this second group. A section on hardening would be of value to both groups.<br><br>By the way, it is not necessary to use Certificate Snap-in with Windows XP, if the certificates are in the DER format, unless you want to place the certificates in an unusual location. I use cacert.pem and server.pem in the server, and root.der and client.p12 in Windows XP. If  the certs are in the DER format, the user can right click on root.der, select Install Certificate, and then accept the default settings as Windows installs the certificate. After installing root.der, the user follows the same basic procedure to install client.p12.<br><br>In addition to the hardening information, the user should also be reminded to set the proper permissions on eap.conf, radiusd.conf, and the certificates. Some information on hardening radiusd.conf (e.g., setting user=nobody) would also be useful.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16996749</guid>
<pubDate>Fri, 29 Sep 2006 08:29:43 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16994937</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : Yeah, I know that Airsnort on Linux supports packet injection which allows you to crack WEP very quickly. I was just pointing out that even if WEP was implemented properly and didn't use weak keys, and have the numerous problems it does, repeats of IV values would still occur as the key never changes and 8 million packets isn't that many. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16994937</guid>
<pubDate>Thu, 28 Sep 2006 22:10:15 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16994759</link>
<description><![CDATA[<A HREF="/useremail/u/864682"><b>ghost16825</b></A> : <div class="bquote"><SMALL>said by  Jason Cohen <A HREF="/useremail/u/1104854"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>Ah, I see what you are saying. WEP uses a 24 bit IV so there are only approximately 16.8 million possible IVs meaning that you would expect a repeat every 8.4 million packets. In two hours I transferred 6 million packets (2 million up, 4 million down)- so transferring a large amount of data with WEP virtually ensures that the same IV will be used twice. In addition, WEP is known for its weak selection of IVs. If each packet is 1500 bytes you would only need 12 GB of data. And this is probably too high since there are many small upstream packets which contain very little data. The real number is probably closer to 4-6 GB. <br><br>With a 48 bit IV, you have 281 trillion possible IVs, so you would expect a repeat every 140.5 trillion packets if the IV was chosen randomly. Thus, if IVs are chosen randomly and each packet was 1500 bytes you need approximately 192 petabytes of data before an IV was reused.<br> </DIV>I'm not sure if you're aware of this or not, but there is a much faster way to get a repeat of the IV, as demonstrated in a recent FBI case where the WEP key was recovered in ~15 minutes. I believe this involves re-injecting used ?keys? into the connection, so the access point continually generates a new IV. I don't think this requires a lot of technical expertise to do either.<br><SMALL>--<br>The previous signature has been removed due to recent and continuing website "ownership" issues.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16994759</guid>
<pubDate>Thu, 28 Sep 2006 21:43:29 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16994407</link>
<description><![CDATA[<A HREF="/useremail/u/520919"><b>No_Strings</b></A> : <div class="bquote"><SMALL>said by  Jason Cohen <A HREF="/useremail/u/1104854"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>If you would like ...<br> </DIV>What I would like doesn't count for much.  Trust me.  ;)<br><br>I do think, though, that there is a ton of useful information in this thread that could be coalesced into a great piece of documentation.  Just putting it into the FAQ as is probably would not be as helpful.  Your offer to do that is a generous one.<br><br>That way, it's preserved for posterity and will keep someone else from having to reinvent the wheel.<br><br>Thanks.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16994407</guid>
<pubDate>Thu, 28 Sep 2006 20:58:15 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16994191</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : Well, jbibe already has a good howto online, however it's a bit outdated with the changes that have occurred in Freeradius.  <br><br>I used Paranoid Penguin's howto primarily. &raquo;<A HREF="http://www.linuxjournal.com/article/8095" >www.linuxjournal.com/article/8095</A> (part II) and &raquo;<A HREF="http://www.linuxjournal.com/article/8151" >www.linuxjournal.com/article/8151</A> (part III). Everything in that document works well. It also tells you how to setup the Windows clients with the Certificate Snap-in. The only problem with the howto is that it uses individual commands to build the server and client certificates rather than scripts so what should take one command becomes a 3 step process (build the certificate request and private key, get CA  to sign your request and build a certificate, convert certificate to p12 format). To remedy this I built 3 scripts - one to create server certificates, one to build server certificate, and one to create a CRL (Certificate Revocation List) and revoke user certificates. None of the howtos cover setting up a CRL, but it's pretty useful to know, I think.<br><br>If you would like I could combine all these resources, provide the scripts I made, and write a howto on setting up Freeradius for EAP-TLS. I can also include a section on hardening Freeradius to use stronger cipher suites for TLS, larger certificates/private keys, and larger DH keys for the ephemeral key agreement. <br><br> ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16994191</guid>
<pubDate>Thu, 28 Sep 2006 20:07:17 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16993871</link>
<description><![CDATA[<A HREF="/useremail/u/520919"><b>No_Strings</b></A> : I don't suppose either or both of you would like to maybe collect all of the great stuff in this thread and make a reference document out of it for the FAQ, would you?<br><br>It would sure save someone else a lot of Googling & bloodletting.<br><SMALL>--<br>TSA "security" officer: "I don't like going through people's underwear as much as they don't." <A HREF="http://www.ocregister.com/ocregister/homepage/abox/article_1270263.php">OC Register article</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16993871</guid>
<pubDate>Thu, 28 Sep 2006 19:23:19 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16993770</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : I can now confirm that the Funk Odyssey client can successfully force re-authentication at a specified interval. The default is 1 hour, and I have it set for .5. My Freeradius logs show re-authentications every 30 minutes give or take a second.<br><br>It also provides the ability to specify a trusted Root CA and Server certificate common name. If the server uses a certificate from the same CA but with a different Common Name, you will be asked if you want to trust the server. Windows only allows server authentication based on Root CA. Any valid certificate by that CA is authenticated, which poses a serious issue for corporations and Universities (like Brandeis) that have chosen to use a Public CA (in this case Thawte's Premium Server CA) for their server certificate so that users don't have to install a Root CA certificate. A browser can check the CN of the certificate against the URL of the website, but no such verification is possible for a Wireless network. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16993770</guid>
<pubDate>Thu, 28 Sep 2006 19:06:37 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16991815</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : Ah, I see what you are saying. WEP uses a 24 bit IV so there are only approximately 16.8 million possible IVs meaning that you would expect a repeat every 8.4 million packets. In two hours I transferred 6 million packets (2 million up, 4 million down)- so transferring a large amount of data with WEP virtually ensures that the same IV will be used twice. In addition, WEP is known for its weak selection of IVs. If each packet is 1500 bytes you would only need 12 GB of data. And this is probably too high since there are many small upstream packets which contain very little data. The real number is probably closer to 4-6 GB. <br><br>With a 48 bit IV, you have 281 trillion possible IVs, so you would expect a repeat every 140.5 trillion packets if the IV was chosen randomly. Thus, if IVs are chosen randomly and each packet was 1500 bytes you need approximately 192 petabytes of data before an IV was reused.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16991815</guid>
<pubDate>Thu, 28 Sep 2006 13:45:37 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16991661</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : No problem. I'm glad to help. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16991661</guid>
<pubDate>Thu, 28 Sep 2006 13:22:19 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16991348</link>
<description><![CDATA[<A HREF="/useremail/u/322587"><b>jbibe</b></A> : Thanks for the details about your setup.<br><br>I should probably rebuild my FreeRADIUS server to take advantage of the higher security.<br><br>Again, thanks for the information.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16991348</guid>
<pubDate>Thu, 28 Sep 2006 12:31:45 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16991026</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : I setup a new CA (and this time made sure to use sha1 as the default hash function in openssl.cnf) with 3072 bit certificates. I then created 3072 bit server and client certificates and created a 3072 bit DH parameter file and set the DH keysize to 3072 bits in eap.conf. This made no noticeable slowdown in performance. Authentication takes 1-2 seconds and another few seconds are needed to get a DHCP lease. I'm fully connected and able to browse in 5-7 seconds.<br><br>I was wrong before about the server offering cipher suites. The client sends its list of cipher suites and the server picks the highest one on the client's list that they both support. So, in the case of the Odyssey client that would be DH-RSA-AES256-SHA (TLS_DH_RSA_WITH_AES_256_CBC_SHA). However, you can force any setting you want on the server. I'm currently using 'HIGH' which requires ciphers larger than 128 bits. I could also just specify DH-RSA-AES256-SHA, but if I did that, a regular MS Windows client wouldn't be able to connect. I guess Microsoft thinks that RC4-MD5 is good enough for anyone, and if they need more they can buy Vista. Basically, if you are using the Windows supplicant with EAP-TLS, EAP-PEAP, or EAP-TTLS, by default RSA is used for authentication and key exchange, so you do not get the advantage of perfect forward secrecy. If your client key is compromised, so are all the past master keys, and thus wireless sessions you had in the past. With DH, a new DH keypair is created on each authentication, so a compromise of your private key grants access but does not reveal past communications. If you are using the Windows supplicant, I would suggest using the 'HIGH' setting in Freeradius as that will force the Windows clients to support EDH-RSA-DES-CBC3-SHA which uses DH for key exchange, RSA for authentication, 3DES (not DES like it says) for encryption, and SHA-1 for integrity. 
<br><br>However, over the last few days I've been having a recurring problem. Whenever I start Freeradius either with radiusd in a terminal or as a service in Debian, I can not restart/kill radiusd properly if it's authenticated any clients. Restarting the service says it's successful but the log says something is already using port 1812. top shows 100% cpu usage after I try to restart radiusd as well. kill will not work. I need to use kill -9. No errors are thrown when I try to kill it in debug mode either. It just says exiting and sits there but doesn't die. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16991026</guid>
<pubDate>Thu, 28 Sep 2006 11:39:50 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16990208</link>
<description><![CDATA[<A HREF="/useremail/u/322587"><b>jbibe</b></A> : Thanks for the additional information about the cipher suites. It confirms my dim memory that the first Windows cipher suite was always selected.<br><br>Thanks also for the information about the latest version of Odyssey. I have not used this version. It looks like they made some nice improvements.<br><br>I didn't get a chance to update my comment that a 6GB download was not significant when CCMP is being used. If we assume that every frame contains 1500 bytes, a 6GB download contains 4M frames (i.e., packets). This translates to about 2**22 packets. This is a small fraction of the maximum (i.e., 2**48). Even if the estimate is off by a factor of 4, a 6GB download is not significant. When CCMP is in use, it is reasonable for customer grade access points to ignore re-authentication. It is also reasonable for enterprise grade access points to require reconfirmation of a client's identity at short periods of time, perhaps every 30 minutes.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16990208</guid>
<pubDate>Thu, 28 Sep 2006 09:03:15 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16989026</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : I downloaded the Funk Odyssey supplicant and now it works with AES256-SHA (RSA for Key exchange and Authentication, AES-256-CBC for encryption and SHA-1 for integrity) as well as DHE-RSA-AES256-SHA (DH for Key Exchange, RSA for authentication, AES-256-CBC for Encryption, SHA1 for integrity. See man 1 ciphers for more information.). When Freeradius does not specify a cipher (uses the 'DEFAULT' OpenSSL ciphersuite mode), Odyssey selects DHE-RSA-AES256-SHA, which is the strongest cipher suite offered by OpenSSL. Therefore it seems like DH is only used if a Windows client has a supplicant other than the default Microsoft Windows supplicant or is using Linux/OS X, as Windows XP always selects RC4-MD5 which uses RSA for key exchange and authentication. <br><br>It also adds a ton of new options like the ability to force a re-authentication with the RADIUS server at a specified interval. The Odyssey client provides much more information about your current connection as well. It tells you the encryption mode used for Unicast and Broadcast traffic (AES-CCMP), the TLS cipher suite (DHE,RSA,AES-256-CBC,SHA) and gives a signal strength indicator in dB rather than meaningless bars. In addition, it has a survey tool which will tell you detailed information about the networks around you. It said that my network was running in WPA/WPA2 (Mixed Mode) with AES-CCMP encryption and that it supports Pre-Authentication. <br><br>Authentication takes about 1 second with the Funk client compared to 5-30 with Windows and re-authentication is so fast that it didn't cause skipping while streaming a video file over the network. I thought something was wrong so I ran freeradius in debug mode and the instant I hit reconnect or re-authenticate I could see output fly by showing a new MS-MPPE-Recv and MS-MPPE-Send key. 
However, for some reason I can no longer capture the EAP packets even after doing a full disconnect and reconnect to the network. I'm not sure why. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16989026</guid>
<pubDate>Thu, 28 Sep 2006 00:15:51 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16987957</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : <div class="bquote">I looked at the packet exchange during an authentication about three years ago. If my memory is correct, the choice is negotiated during the exchange. I don't remember the exact sequence. I seem to remember the same choice was always used.<br></DIV>The client sends its cipher suite which includes 11 choices. The server then sends its supported list which is usually just RC4-MD5. If the server offers more than one choice, the highest one on the client's list is used. RC4-MD5 is the first client choice, and RC4-SHA is the second.<br><br>Unfortunately, the Windows wireless supplicant can't do AES. This is what MS says about the matter:<br><br>"In addition to the Data Encryption Standard (DES) and Triple-DES (3DES), Windows Server "Longhorn" and Windows Vista support the following additional algorithms for encrypting data:<br>&bull; Advanced Encryption Standard (AES) with cipher block chaining (CBC) and a 128-bit key size (AES 128)<br>&bull; AES with CBC and a 192-bit key size (AES 192)<br>&bull; AES with CBC and a 256-bit key size (AES 256)<br><br>These new encryption algorithms cannot be used for a security association with a computer running Windows Server 2003, Windows XP, or Windows 2000.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16987957</guid>
<pubDate>Wed, 27 Sep 2006 21:39:33 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16987748</link>
<description><![CDATA[<A HREF="/useremail/u/322587"><b>jbibe</b></A> : I seem to remember that Windows XP had a cipher list, and that one was always selected during the exchange. I don't remember the details anymore.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16987748</guid>
<pubDate>Wed, 27 Sep 2006 21:04:04 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16987620</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : You have to manually set "dh_key_length" in eap.conf as it's not in the file by default. I only learned of its existence by running FreeRadius in debug mode with the -X flag. It shows every option set by Freeradius, including many default options which aren't shown in the configuration files. <br><br>I still don't think DH is even being used. The default cipher suite used by the server is TLS_RSA_WITH_RC4_MD5. Openssl provides this information about this ciphersuite: RC4-MD5 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5. So RSA is used for key exchange and authentication, and 128 bit RC4 is used for encryption while MD5 is used for integrity. <br><br>You also can manually set this setting in eap.conf with the cipher_list setting which is included in the configuration file. Using a setting of 'HIGH' will use RSA for Kx/Auth, 3DES for encryption, and SHA1 for integrity. I also was able to use RC4-SHA which is the same as RC4-MD5 but uses SHA1 for integrity. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16987620</guid>
<pubDate>Wed, 27 Sep 2006 20:46:34 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16987152</link>
<description><![CDATA[<A HREF="/useremail/u/322587"><b>jbibe</b></A> : <div class="bquote"><SMALL>said by  Jason Cohen <A HREF="/useremail/u/1104854"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>    :</SMALL><BR><BR>So, is there any safe limit to the amount of data or the number of packets that is safe to encrypt with the same Temporal Key? I routinely stream TV shows from my MythTV server over the wireless network. The recordings are appx. 7 mbit/sec (as they're MPEG-2). This leads to massive amounts of data being transferred in the same session. So, for example, yesterday after watching two shows, Windows said that I had received 2 million packets, and sent 4 million- in a period of 2 hours. The total amount of data transferred was around 6 GB. Is this safe? I would think that as a single AES encryption key can be used to encrypt HDs with hundreds of GBs of data, this shouldn't be an issue, but I wanted to verify that it is in fact a safe practice. <br> </DIV>CCM requires a new key for every session. It also requires a unique nonce value for each frame protected by the key. CCMP uses a unique 48-bit packet number for each frame.<br><br>Your downloads are not significant, even if your computer remains connected for extended periods of time. I recommend that you turn your computer off on a regular basis, but leaving it on for one day should not cause any security concerns.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16987152</guid>
<pubDate>Wed, 27 Sep 2006 19:29:05 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16987128</link>
<description><![CDATA[<A HREF="/useremail/u/322587"><b>jbibe</b></A> : <div class="bquote"><SMALL>said by  Jason Cohen <A HREF="/useremail/u/1104854"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>I also am wondering about the DH parameters that are created in the Freeradius setup. The howto I followed on Paranoid Penguin [&raquo;<A HREF="http://www.linuxjournal.com/article/8151]" >www.linuxjournal.com/article/8151]</A> said to use the command  "openssl dhparam -check -text -5 512 -out dh" which creates a DH parameter file with a 512 bit prime. You recommended that one use, "openssl gendh >> dh" which also creates a 512 bit prime.</DIV>I use "openssl dhparam -check -text -5 512 -out dh" for the generation of the DH parameters. OpenSSL has obsoleted "openssl gendh >> dh".<br><br><div class="bquote"> Isn't this insecure, as the current recommended minimum for DH/DSS public keys is 1024 bits. 512 bit keys have already been broken, and 768 bit keys are also considered insecure. Incidentally, the default setting in Freeradius is "dh_key_length = 512" so in addition to creating a DH parameter file with a larger prime, you also need to manually set the DH key length in eap.conf.</DIV>I don't remember the dh_key_length setting. It may be one of the changes in the recent releases. I should download and review the latest server information.<br><br><div class="bquote">Also, when I used Ethereal to capture the EAP-TLS authentication, I saw that the server cipher suite for TLS was set to "TLS_RSA_WITH_RC4_128_MD5". This is the default setting that Freeradius uses when no cipher suite is manually selected. I'm confused because this ciphersuite does not include support for DH, and Freeradius by default uses the "rsa_key_exchange = no" setting. So, if DH isn't being used, and RSA isn't being used, how is the Master Key created? It seems like DH is necessary because if "dh_file = ..." 
is commented out, freeradius fails to start. What is DH being used for in the TLS exchange, and is a large DH key necessary or beneficial? <br> </DIV>I looked at the packet exchange during an authentication about three years ago. If my memory is correct, the choice is negotiated during the exchange. I don't remember the exact sequence. I seem to remember the same choice was always used.<br><br>I don't remember the ability to select the cipher suite in FreeRADIUS. It may be one of the new features. The default cipher suite may be similar to MD5 authentication. MD5 is the default authentication method, even though the FreeRADIUS notes recommend against using MD5.<br><br>For my purposes, a large DH key is probably not necessary, but I am only protecting my home network. I never send anything important over the wireless network, and I only use the wireless network to beta test new wireless cards, access points and gateways. If I had more important wireless information to protect, I would probably increase the size of the key. At least, I would experiment with changing the key.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16987128</guid>
<pubDate>Wed, 27 Sep 2006 19:23:29 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16985241</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : I read the NIST " Guide to IEEE 802.11i: Robust Security Networks" yesterday [&raquo;<A HREF="http://csrc.nist.gov/publications/drafts.html#sp800-97]" >csrc.nist.gov/publications/draft&middot;&middot;&middot;p800-97]</A>. I have read on various sites as well on this forum that both WPA and WPA2 use unique encryption keys for each frame. However, the NIST document states that "CCM uses a new Temporal Key every session&#151;with every new STA-AP association. Unlike TKIP, the use of AES at the core of CCM obviates the need to have per-packet keys. As a result, the two-phase key mixing functions of TKIP encapsulation are not present in the CCMP encapsulation." Thus, the encryption key used in WPA2 remains the same until you re-authenticate with the RADIUS server which generates a fresh PMK whereas in TKIP "A two-phase cryptographic key-mixing process occurs to produce a new key for every frame that is transmitted. The process takes a session Temporal Key along with the dynamically changing TSC to create a dynamic WEP key."<br><br>So, is there any safe limit to the amount of data or the number of packets that is safe to encrypt with the same Temporal Key? I routinely stream TV shows from my MythTV server over the wireless network. The recordings are appx. 7 mbit/sec (as they're MPEG-2). This leads to massive amounts of data being transferred in the same session. So, for example, yesterday after watching two shows, Windows said that I had received 2 million packets, and sent 4 million- in a period of 2 hours. The total amount of data transferred was around 6 GB. Is this safe? I would think that as a single AES encryption key can be used to encrypt HDs with hundreds of GBs of data, this shouldn't be an issue, but I wanted to verify that it is in fact a safe practice. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16985241</guid>
<pubDate>Wed, 27 Sep 2006 13:45:30 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16985132</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : jbibe,<br><br>Thanks for the response. I also am wondering about the DH parameters that are created in the Freeradius setup. The howto I followed on Paranoid Penguin [&raquo;<A HREF="http://www.linuxjournal.com/article/8151]" >www.linuxjournal.com/article/8151]</A> said to use the command  "openssl dhparam -check -text -5 512 -out dh" which creates a DH parameter file with a 512 bit prime. You recommended that one use, "openssl gendh >> dh" which also creates a 512 bit prime. Isn't this insecure, as the current recommended minimum for DH/DSS public keys is 1024 bits. 512 bit keys have already been broken, and 768 bit keys are also considered insecure. Incidentally, the default setting in Freeradius is "dh_key_length = 512" so in addition to creating a DH parameter file with a larger prime, you also need to manually set the DH key length in eap.conf.<br><br>Also, when I used Ethereal to capture the EAP-TLS authentication, I saw that the server cipher suite for TLS was set to "TLS_RSA_WITH_RC4_128_MD5". This is the default setting that Freeradius uses when no cipher suite is manually selected. I'm confused because this ciphersuite does not include support for DH, and Freeradius by default uses the "rsa_key_exchange = no" setting. So, if DH isn't being used, and RSA isn't being used, how is the Master Key created? It seems like DH is necessary because if "dh_file = ..." is commented out, freeradius fails to start. What is DH being used for in the TLS exchange, and is a large DH key necessary or beneficial? ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16985132</guid>
<pubDate>Wed, 27 Sep 2006 13:29:03 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16983210</link>
<description><![CDATA[<A HREF="/useremail/u/322587"><b>jbibe</b></A> : The "Key Renewal Timeout" refers to the Group Transient Key, not the Pairwise Transient Key. Based on my limited tests with Linksys consumer grade devices, the Pairwise Transient Key is not changed. Some, but not all, ZyXEL consumer grade access points include two timeout periods, the Group Key Renewal Timeout and the Re-Authentication Timeout. Since you don't see a re-authentication in your logs, your access point does not include a re-authentication timeout control.<br><br>FreeRADIUS does not include any timers. The access point controls all of the timeout periods.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16983210</guid>
<pubDate>Wed, 27 Sep 2006 04:41:29 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16978256</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : <div class="bquote"><SMALL>said by  jbibe <A HREF="/useremail/u/322587"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR><div class="bquote"><SMALL>said by  Jason Cohen <A HREF="/useremail/u/1104854"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>      :</SMALL><BR><BR>1) Is WPA/WPA2-Enterprise inherently more secure than WPA/WPA2-PSK? </DIV>In most cases the answer is yes, the Enterprise mode is more secure than the PSK mode. Most access points use a single PSK when operating in the WPA-PSK or WPA2-PSK modes. Although the specification (802.11i) allows the use of multiple PSKs, most access points do not provide this feature. This means that in cases where PSK is in use there is a single PMK, since the PMK=PSK.<br><br>In the Enterprise mode, every station has a different PMK. During authentication, the RADIUS server produces a new Master Key (MK). The RADIUS server transfers the MK to the station. The RADIUS server and station then derive the PMK. Beyond producing a new PMK during the initial connection, many access points require re-authentication at regular intervals, perhaps every 30 minutes. Each re-authentication produces a new PMK.<br> </DIV>So, let me see if I understand you correctly. Since WPA/WPA2 PSK mode uses the PSK as the PMK, and all clients share the same PSK, it should be fairly trivial to capture and decrypt traffic from other clients on the network. If you capture the EAPOL packets from the client's initial four-way handshake, then you have the SNonce, ANonce, STA and AP MACs as well as the PMK. Now, you just need to concatenate this information and put it through the HMAC-SHA1 one way hash function which gives you the Pairwise Transient Key (PTK) used by that client, and from that the TK (Temporal Key) used for data encryption/integrity can be derived. 
You now can decrypt any captured data packets sent by the client. <br><br>Also, as you noted since the PMK never changes, it's more open to attack whereas with 802.1x every client station has its own PMK, and a new PMK is created upon each authentication with the RADIUS server. Because each client has a unique PMK, no client can discover the PMK or PTK used by any other client. This seems to be a significant advantage over PSK mode in a business environment where you don't necessarily want clients to be able to snoop on each other's communications, whereas in a home environment, it probably doesn't matter.<br><br>I have a question about your statement that "many access points require re-authentication at regular intervals, perhaps every 30 minutes. Each re-authentication produces a new PMK." <br><br>At least on the consumer level routers I've seen that support 802.1x authentication, the only option similar to what you are mentioning is "Key Renewal Timeout" period which is set to 1800 or 3600 seconds. However, I believe this just does a new four-way handshake, which would create a new PTK, and therefore a fresh TK to encrypt client traffic, but not a new PMK. I have my WHR-G54S set to timeout every 1800 seconds, but I only see successful logins in my freeradius log when I disconnect from the network and reconnect. Does DD-WRT simply not provide this feature to force re-authentication with the RADIUS server? I also thought this was a setting that you would create on the RADIUS server itself, rather than on the AP. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16978256</guid>
<pubDate>Tue, 26 Sep 2006 13:47:01 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16936734</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : I revoked a certificate I created with the Common Name "Rhaina", updated the CRL, reloaded freeradius and verified that the certificate would no longer allow authentication. The freeradius log showed that the certificate failed due to the fact that it was revoked. Then I created a new certificate with the same Common Name, and again, I was unable to authenticate as it stated the certificate was revoked. Shouldn't I be able to create a new certificate with the same common name? I know that you can do so in OpenVPN. I'm not sure why it's saying this certificate is revoked as it's new and shows up in index.txt as a good cert. I even created a new CRL thinking that might be the issue, and reloaded freeradius but it still says the certificate has been revoked. <br><br>If I create a certificate with a different common name, "Rhaina Cohen", for example, it authenticates fine. <br><br>Edit: I figured out the problem. The certificate was corrupt. I was able to revoke another certificate, create a new certificate with the same common name, and authenticate with the new certificate after updating the CRL. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16936734</guid>
<pubDate>Tue, 19 Sep 2006 22:36:41 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16934004</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : I received my new Buffalo WHR-G54S today and set it up in WPA2 RADIUS mode with AES encryption. My RADIUS server seems to be working perfectly. I watched the log as it authenticated clients (which occurs nearly instantaneously) and I receive an "Auth: Login OK" message as I should. I even set up a Certificate Revocation List so I can revoke clients if I need to. <br><br>Despite my apparent success, I'm seeing some error messages before the login. The errors don't seem to cause any problems. Should I be worried?<br><br>Tue Sep 19 15:39:25 2006 : Info: Ready to process requests.<br>Tue Sep 19 15:39:34 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A<br>Tue Sep 19 15:39:34 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)<br>Tue Sep 19 15:39:34 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)<br>Tue Sep 19 15:39:34 2006 : Auth: Login OK: [Jason Wittlin-Cohen] (from client WLAN port 8 cli 00095b93459e)<br><br>In addition, does anyone know if FreeRadius allows multiple users to authenticate with the same certificate? If possible, I would like to require that a certificate can not be used by multiple clients (no simultaneous connections by the same cert). This is the default policy in OpenVPN. <br><br>My school's WPA2 WLAN uses EAP-TLS on a computer cluster (it was an area which was difficult to wire). I noticed that every computer in the cluster uses the same client certificate. This seems like bad security practice and just plain stupid. It seems that the whole point of EAP is to allow per-user authentication. If you're going to use the same certificate for every user, are you that much better off than simply using a PSK? ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16934004</guid>
<pubDate>Tue, 19 Sep 2006 15:46:52 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16932284</link>
<description><![CDATA[<A HREF="/useremail/u/1386437"><b>jasonwc</b></A> : I still have a few questions. First, jbibe's revised instructions say to do "openssl gendh >> dh" to generate a DH file. However, this by default creates 512 bit safe primes. I thought the size of the primes was supposed to match the public key. So, for example, in OpenVPN, if you create 2048 bit public keys, the DH file creates a 2048 bit safe prime. Is this necessary or advantageous? Will any harm come from simply using my OpenVPN DH file?<br><br>Secondly, what is the difference between an exportable and a non-exportable certificate? If the private key isn't encrypted (which seems impossible to do with Windows Zero Configuration tool), then how exactly does Windows stop you from exporting the certificate. If you can locate the private key in the registry, can't you just recreate the key without exporting it?<br><br>Also, how would one create a non-exportable client certificate in OpenSSL?<br><br>Edit: Ignore my last question. I now realize that you select the option to make a certificate non-exportable in Windows. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16932284</guid>
<pubDate>Tue, 19 Sep 2006 11:06:43 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16930655</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : I figured out that the problem was that I forgot to uncomment a "}" after the TLS section. Anyways, after that occurred I ran into tons of errors about missing libraries. I was about to give up until I decided to just compile freeradius from source (as I should have done the first time). The weird problems that I was getting before went away and I was greeted with this message:<br><br>Initializing the thread pool...<br>Listening on authentication *:1812<br>Listening on accounting *:1813<br>Ready to process requests.<br><br>This time I didn't have to make any configuration changes to radiusd.conf.<br><br>I just purchased a Buffalo WHR-G54S Wireless Router which I will be using to replace my crap Netgear WGR614 wireless router (drops connections, must be restarted every few days, overheats etc.) I'm planning to load DD-WRT v23sp2 on the router so I can use it with the RADIUS server I just created in EAP-TLS mode with WPA2. I guess I'll find out if it works tomorrow.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16930655</guid>
<pubDate>Tue, 19 Sep 2006 01:04:08 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16930569</link>
<description><![CDATA[<A HREF="/useremail/u/520919"><b>No_Strings</b></A> : Sounds like you have a typo in the config file - a missing curly bracket (or an extra one).  <br><br>Double-check the changes you made to the config files for a syntax error.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16930569</guid>
<pubDate>Tue, 19 Sep 2006 00:44:06 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16930420</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : Also, when I use the standard radiusd.conf file I receive the error: <br><br>jasonsdesktop:/etc/freeradius# freeradius -x<br>Starting - reading configuration files ...<br>/etc/freeradius/radiusd.conf[413]: Unable to open file "@raddbdir@/proxy.conf": No such file or directory<br>Errors reading radiusd.conf<br><br>I fixed this issue by manually specifying the location of the configuration directory.<br><br>confdir = ${raddbdir}<br><br>to<br><br>confdir = /etc/freeradius<br><br>Once I did that, I began receiving the "Unexpected End of File" error. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16930420</guid>
<pubDate>Tue, 19 Sep 2006 00:12:28 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16930391</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : I've installed Freeradius on my Debian Sarge server and set it up using a combination of jbibe's instructions and instructions found here: &raquo;<A HREF="http://www.linuxjournal.com/node/8151/print" >www.linuxjournal.com/node/8151/print</A>. I made changes where necessary- as configuration files were stored in different locations and all EAP related settings are now in eap.conf rather than radiusd.conf. Anyways, I believe I have everything set up properly but when I attempt to start freeradius I get this error:<br><br>"jasonsdesktop:/etc/freeradius# /usr/sbin/freeradius -x<br>Starting - reading configuration files ...<br>/etc/freeradius/eap.conf[336]: Unexpected end of file<br>Errors reading radiusd.conf"<br><br>I thought the problem might be due to a corrupt file so I downloaded another version off Freeradius's site but I still get the same error. Any idea what would cause this error?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16930391</guid>
<pubDate>Tue, 19 Sep 2006 00:07:11 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16864562</link>
<description><![CDATA[<A HREF="/useremail/u/444625"><b>jansson_mark</b></A> : Actually the best option is to use PEAP-TTLS, since it also provides encrypted tunnel for the data and authentication.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16864562</guid>
<pubDate>Fri, 08 Sep 2006 14:01:13 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16864550</link>
<description><![CDATA[<A HREF="/useremail/u/444625"><b>jansson_mark</b></A> :  <BLOCKQUOTE><SMALL>said by  Jason Cohen <A HREF="/useremail/u/1104854"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><HR>...WPA/WPA2-PSK with an arbitrary passphrase. If his AP's signal is stronger than your own your system will automatically attempt to authenticate with his AP. This will fail, but in attempting to authenticate, you have allowed the attacker to log your passphrase.<HR></BLOCKQUOTE><br>Wrong. In TKIP and AES-CCMP the actual passphrase is never sent to the recipient. The passphrase acts as a shared secret and remains secret, since the actual passphrase is not sent to the AP nor to the client, it's simply used as one part of data used to create a hash to create encryption/decryption keys.<br><SMALL>--<br>My computer security & privacy related homepage &raquo;<A HREF="http://www.markusjansson.net" >www.markusjansson.net</A> Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16864550</guid>
<pubDate>Fri, 08 Sep 2006 13:59:52 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16787052</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : <div class="bquote"><SMALL>said by  jbibe <A HREF="/useremail/u/322587"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR><div class="bquote"><SMALL>said by  Jason Cohen <A HREF="/useremail/u/1104854"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>      :</SMALL><BR><BR>1) Is WPA/WPA2-Enterprise inherently more secure than WPA/WPA2-PSK? </DIV>In most cases the answer is yes, the Enterprise mode is more secure than the PSK mode. Most access points use a single PSK when operating in the WPA-PSK or WPA2-PSK modes. Although the specification (802.11i) allows the use of multiple PSKs, most access points do not provide this feature. This means that in cases where PSK is in use there is a single PMK, since the PMK=PSK.<br><br>In the Enterprise mode, every station has a different PMK. During authentication, the RADIUS server produces a new Master Key (MK). The RADIUS server transfers the MK to the station. The RADIUS server and station then derive the PMK. Beyond producing a new PMK during the initial connection, many access points require re-authentication at regular intervals, perhaps every 30 minutes. Each re-authentication produces a new PMK.<br><br> </DIV>What security risk is entailed by having a single PMK? I would think that the biggest risk of PSK mode is that any client on the wireless network can decrypt the traffic from any other client. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16787052</guid>
<pubDate>Sun, 27 Aug 2006 00:15:50 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16783621</link>
<description><![CDATA[<A HREF="/useremail/u/322587"><b>jbibe</b></A> : Be careful with my original writeup. FreeRADIUS has been modified so that some of the information is outdated. For example, a portion of the radiusd.conf file has been extracted and placed in the eap.conf file.<br><br>For more information about building a FreeRADIUS server look at the following document which provides information about building a server for PEAP authentication:<br><br>&raquo;<A HREF="http://www.tldp.org/HOWTO/html_single/8021X-HOWTO/" >www.tldp.org/HOWTO/html_single/8021X-HOWTO/</A><br><br>Most of the recent Linux releases include a prepackaged FreeRADIUS server that can be installed with little or no trouble. The major tasks are configuring the server, and producing and installing the required certificates.<br><br>Other members here use a FreeRADIUS server for authentication. If you get stuck, ask your question here or on the freeradius.org mail list.<br><br>I use WPA2 with a FreeRADIUS server. The server is normally configured for TLS.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16783621</guid>
<pubDate>Sat, 26 Aug 2006 12:40:37 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16783442</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : If that's the case, I think I will set up FreeRadius with EAP-TLS on my Debian server using the instructions you provide here: &raquo;<A HREF="/forum/remark,9286052~mode=flat">FreeRADIUS/WinXP Authentication Setup</A><br><br>EAP-TLS is the most secure EAP mode, correct? I would think it is as it uses server and client certificates, nullifying the problem of weak passwords, and allowing bidirectional authentication.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16783442</guid>
<pubDate>Sat, 26 Aug 2006 11:57:35 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16782531</link>
<description><![CDATA[<A HREF="/useremail/u/322587"><b>jbibe</b></A> : <div class="bquote"><SMALL>said by  Jason Cohen <A HREF="/useremail/u/1104854"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>     :</SMALL><BR><BR>1) Is WPA/WPA2-Enterprise inherently more secure than WPA/WPA2-PSK? </DIV>In most cases the answer is yes, the Enterprise mode is more secure than the PSK mode. Most access points use a single PSK when operating in the WPA-PSK or WPA2-PSK modes. Although the specification (802.11i) allows the use of multiple PSKs, most access points do not provide this feature. This means that in cases where PSK is in use there is a single PMK, since the PMK=PSK.<br><br>In the Enterprise mode, every station has a different PMK. During authentication, the RADIUS server produces a new Master Key (MK). The RADIUS server transfers the MK to the station. The RADIUS server and station then derive the PMK. Beyond producing a new PMK during the initial connection, many access points require re-authentication at regular intervals, perhaps every 30 minutes. Each re-authentication produces a new PMK.<br><br><div class="bquote"> 2) Is WPA2-PSK vulnerable to offline dictionary/brute-force attack like WPA-PSK or does AES-CCMP remedy the offline attack issue?</DIV>Yes. There is no difference.<br><br><div class="bquote">3) Does the fact that WPA/WPA2-PSK fails to allow a client to authenticate the server allow for an attack which attempts to trick the user's client into automatically authenticating with his rogue AP, thus giving up your secret passphrase?<br><br>I'm assuming here that the passphrase is sent to authenticate, rather than the hash of the passphrase, which would then be used to compare against the hash stored in the AP. If this is the case, then the best the attacker could do is mount an offline attack on your password hash- which he could pretty much do anyways). 
</DIV>Neither the passphrase nor its hash (the PSK) is sent. Each side verifies that the other side has the PMK during the 4-handshake,]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16782531</guid>
<pubDate>Sat, 26 Aug 2006 05:35:45 EDT</pubDate>
</item>

<item>
<title>Re: Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16782484</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : I just read that anyone who knows the PSK (Pre-Shared Key) can derive the PTKs (Pairwise Transient Keys) used to encrypt traffic for every client on the wireless network. So, any authorized user on a WPA-PSK or WPA2-PSK wireless network can capture in plain text all data transmitted over the wireless network by any client. This probably isn't an issue for home use but would be a problem for a small business. I guess I found the answer to my question. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16782484</guid>
<pubDate>Sat, 26 Aug 2006 04:41:16 EDT</pubDate>
</item>

<item>
<title>Questions about WPA2 and WPA</title>
<link>http://www.dslreports.com/forum/remark,16782255</link>
<description><![CDATA[<A HREF="/useremail/u/1104854"><b>Jason Cohen</b></A> : <B>1) Is WPA/WPA2-Enterprise inherently more secure than WPA/WPA2-PSK? </B><br><br>Many people on this forum have stated that WPA/WPA2-Enterprise  (RADIUS server with EAP Authentication- probably EAP-TLS) is the most secure wireless security option. I see why this would generally be the case, but I don't see why it's necessarily so. <br><br>The major advantage of using WPA/WPA2-Enterprise is that it's much easier to administer and is more secure when there are more than a few users. Rather than handing out the same shared passphrase, each user can be authenticated with their own username/password or better yet, their own certificate and private key. However, this doesn't make Enterprise intrinsically more secure. It IS more secure in a corporate environment where there are many users, but it provides no real advantage if you only have 2 or 3 clients where administration isn't a problem. Set a strong password and forget about it. If the password is disclosed, set a new one and change the client machines. This will be easier and faster than setting up a Radius server. <br><br>The only known vulnerability to PSK mode is that if you use a weak or short password, you are vulnerable to an offline dictionary or brute-force attack. However, this isn't really a problem with WPA/WPA2-PSK, but rather stupid user practices. Fortunately the problem is easily remedied by using a good password. In addition, unless you are using EAP-TLS with client side certificates, users can still choose bad passwords in Enterprise mode. Even an online attack could allow discovery of very poor passwords, which are commonly used. Again, it seems that the users' practices, and not WPA/WPA2-PSK, are the problem. <br><br>There's simply no reason not to use a password of the maximum length (63 ASCII characters or 64 HEX). 
You only need to enter the password onto the client machine once, so remembering the password isn't the issue. It's simple to create a 63 character pseudo-randomly generated passphrase which is then hashed by the router to create a 64 character HEX key. This should have approximately 256 bits of entropy, which is actually stronger than a 2048 bit RSA certificate (about 112 bits of entropy). Both WPA/WPA2-Enterprise (Radius with EAP-TLS) and WPA/WPA2-PSK with a 63/64 character passphrase should be essentially uncrackable for the foreseeable future. <br><br>As most home users only have a few wireless clients, the primary advantage of WPA-Enterprise, which is ease of administration, is unnecessary. You can set up your router and wireless clients in one day and forget about it.<br><br>I just don't see how WPA/WPA2-Enterprise is more secure in a home setup. There's no reason to use a weak password, so both Enterprise and Personal WPA/WPA2 are essentially unbreakable for the foreseeable future. If the password is disclosed, it is quite easy to change the configuration on the handful of clients. I therefore see no security advantage to using Enterprise mode for a home user. The one exception I can think of is that a certificate stored on a smart card must be physically stolen while a password can be stolen if someone can compromise your machine. But if that's the case, you have more important security problems to deal with. 
<br><br><B>2) Is WPA2-PSK vulnerable to offline dictionary/brute-force attack like WPA-PSK or does AES-CCMP remedy the offline attack issue?</B><br><br><B>3) Does the fact that WPA/WPA2-PSK fails to allow a client to authenticate the server allow for an attack which attempts to trick the user's client into automatically authenticating with his rogue AP, thus giving up your secret passphrase?</B> (I'm wondering if this is an answer to my first question) <br><br>In PSK mode, there is no way for a client to authenticate the server, to ensure that it's not a rogue AP. In Enterprise mode, the client would check the server's certificate just as a client connecting to an SSH server verifies the server's public key before connecting. <br><br>In PSK mode, you simply connect to the server with the SSID you have specified in your list of preferred wireless networks. Thus, an attacker could create an AP with the same SSID as your AP using WPA/WPA2-PSK with an arbitrary passphrase. If his AP's signal is stronger than your own your system will automatically attempt to authenticate with his AP. This will fail, but in attempting to authenticate, you have allowed the attacker to log your passphrase. The user would probably notice that something strange was occurring at this point, but if the rogue AP was disconnected immediately after the initial authentication attempt, the user may not realize what has occurred. <br><br>I'm assuming here that the passphrase is sent to authenticate, rather than the hash of the passphrase, which would then be used to compare against the hash stored in the AP. If this is the case, then the best the attacker could do is mount an offline attack on your password hash- which he could pretty much do anyways).  ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16782255</guid>
<pubDate>Sat, 26 Aug 2006 02:15:48 EDT</pubDate>
</item>

</channel>
</rss>
