how-to block ads
|
Jason Cohen
join:2004-11-06
Waltham, MA
2 edits | Questions about WPA2 and WPA
1) Is WPA/WPA2-Enterprise inherently more secure than WPA/WPA2-PSK?
Many people on this forum have stated that WPA/WPA2-Enterprise (RADIUS server with EAP Authentication- probably EAP-TLS) is the most secure wireless security option. I see why this would generally be the case, but I don't see why it's necessarily so.
The major advantage of using WPA/WPA2-Enterprise is that it's much easier to administer and is more secure when there are more than a few users. Rather than handing out the same shared passphrase, each user can be authenticated with their own username/password or better yet, their own certificate and private key. However, this doesn't make Enterprise intrinsically more secure. It IS more secure in a corporate environment where there are many users, but it provides no real advantage if you only have 2 or 3 clients where administration isn't a problem. Set a strong password and forget about it. If the password is disclosed, set a new one and change the client machines. This will be easier and faster than setting up a Radius server.
The only known vulnerability to PSK mode is that if you use a weak or short password, you are vulnerable to an offline dictionary or brute-force attack. However, this isn't really a problem with WPA/WPA2-PSK, but rather stupid user practices. Fortunately the problem is easily remedied by using a good password. In addition, unless you are using EAP-TLS with client side certificates, users can still choose bad passwords in Enterprise mode. Even an online attack could allow discovery of very poor passwords, which are commonly used. Again, it seems that the users practices, and not WPA/WPA2-PSK is the problem.
There's simply no reason not to use a password of the maximum length (63 ASCII characters or 64 HEX). You only need to enter the password onto the client machine once, so remembering the password isn't the issue. It's simple to create a 63 character psuedo-randomly generated passphrase which is then hashed by the router to create a 64 character HEX key. This should have approximately 256 bits of entropy, which is actually stronger than a 2048 bit RSA certificate (about 112 bits of entropy). Both WPA/WPA2-Enterprise (Radius with EAP-TLS) and WPA/WPA2-PSK with a 63/64 character passphrase should be essentially uncrackable for the foreseeable future.
As most home users only have a few wireless clients, the primary advantage of WPA-Enterprise which is ease of administration, is unnecessary. You can setup your router and wireless clients in one day and forget about it.
I just don't see how WPA/WPA2-Enterprise is more secure in a home setup. There's no reason to use a weak password, so both Enterprise and Personal WPA/WPA2 are essentially unbreakable for the foreseeable future. If the password is disclosed, it is quite easy to change the configuration on the handful of clients. I therefore see no security advantage to using Enterprise mode for a home user. The one exception I can think of is that a certificate stored on a smart card must be physically stolen while a password can be stolen if someone can compromise your machine. But if that's the case, you have more important security problems to deal with.
2) Is WPA2-PSK vulnerable to offline dictionary/brute-force attack like WPA-PSK or does AES-CCMP remedy the offline attack issue?
3) Does the fact that WPA/WPA2-PSK fails to allow a client to authenticate the server allow for an attack which attempts to trick the user's client into automatically authenticating with his rogue AP, thus giving up your secret passphrase? (I'm wondering if this is an answer to my first question)
In PSK mode, there is no way for a client to authenticate the server, to ensure that it's not a rogue AP. In Enterpriise mode, the client would check the server's certificate just as a client connecting to an SSH server verifes the server's public key before connecting.
In PSK mode, you simply connect to the server with the SSID you have specified in your list of preferred wireless networks. Thus, an attacker could create an AP with the same SSID as your AP using WPA/WPA2-PSK with an arbitrary passprhase. If his AP's signal is stronger than your own your system will automatically attempt to authenticate with his AP. This will fail, but in attempting to authenticate, you have allowed the attacker to log your passphrase. The user would probably notice that something strange was occuring at this point, but if the rogue AP was disconnected immediately after the initial authentication attempt, the user may not realize what has occurred.
I'm assuming here that the passphrase is sent to authenticate, rather than the hash of the passphrase, which would then be used to compare against the hash stored in the AP. If this is the case, then the best the attacker could do is mount an offline attack on your password hash- which he could pretty much do anyways). | |
Jason Cohen
join:2004-11-06
Waltham, MA
1 edit | I just read that anyone who knows the PSK (Pre-Shared Key)can derive the PTKs (Pairwise Transient Key) used to encrypt traffic for every client on the wireless network. So, any authorized user on a WPA-PSK or WPA2-PSK wireless network can capture in plain text all data transmitted over the wireless network by any client. This probably isn't an issue for home use but would be a problem for a small business. I guess I found the answer to my question. | |
jbibe
Premium,MVM
join:2001-02-22
4 edits | reply to Jason Cohen
said by Jason Cohen  :1) Is WPA/WPA2-Enterprise inherently more secure than WPA/WPA2-PSK? In most cases the answer is yes, the Enterprise mode is more secure than the PSK mode. Most access points use a single PSK when operating in the WPA-PSK or WPA2-PSK modes. Although the specification (802.11i) allows the use of multiple PSKs, most access points do not provide this feature. This means that cases where PSK is in use there is a single PMK, since the PMK=PSK.
In the Enterprise mode, every station has a different PMK. During authentication, the RADIUS server produces a new Master Key (MK). The RADIUS server transfers the MK to the station. The RADIUS server and station then derive the PMK. Beyond producing a new PMK with during the initial connection, many access points require re-authentication at regular intervals, perhaps every 30 minutes. Each re-authentication produces a new PMK.
2) Is WPA2-PSK vulnerable to offline dictionary/brute-force attack like WPA-PSK or does AES-CCMP remedy the offline attack issue? Yes. There is no difference.
3) Does the fact that WPA/WPA2-PSK fails to allow a client to authenticate the server allow for an attack which attempts to trick the user's client into automatically authenticating with his rogue AP, thus giving up your secret passphrase?
I'm assuming here that the passphrase is sent to authenticate, rather than the hash of the passphrase, which would then be used to compare against the hash stored in the AP. If this is the case, then the best the attacker could do is mount an offline attack on your password hash- which he could pretty much do anyways). Neither the passphrase nor its hash (the PSK) is sent. Each side verifies that the other side has the PMK during the 4-handshake, | |
Jason Cohen
join:2004-11-06
Waltham, MA
1 edit | If that's the case, I think I will setup FreeRadius with EAP-TLS on my Debian server using the instructions you provide here: »FreeRADIUS/WinXP Authentication Setup
EAP-TLS is the most secure EAP mode, correct? I would think it is as it uses server and client certificates, nullifying the problem of weak passwords, and allowing bidirectional authentication. | |
jbibe
Premium,MVM
join:2001-02-22
| Be careful with my original writeup. FreeRADIUS has been modified so that some of the information is outdated. For example, a portion of the radiusd.conf file has been extracted and placed in the eap.conf file.
For more information about building a FreeRADIUS server look at the following document which provides information about building a server for PEAP authentication:
»www.tldp.org/HOWTO/html_single/8021X-HOWTO/
Most of the recent Linux releases include a prepackaged FreeRADIUS server that can be installed with little or no trouble. The major tasks are configuring the server, and producing and installing the the required certificates.
Other members here use a FreeRADIUS server for authentication. If you get stuck, ask your question here or on the freeradius.org mail list.
I use WPA2 with a FreeRADIUS server. The server is normally configured for TLS. | |
Jason Cohen
join:2004-11-06
Waltham, MA
| reply to jbibe
said by jbibe :said by Jason Cohen :1) Is WPA/WPA2-Enterprise inherently more secure than WPA/WPA2-PSK? In most cases the answer is yes, the Enterprise mode is more secure than the PSK mode. Most access points use a single PSK when operating in the WPA-PSK or WPA2-PSK modes. Although the specification (802.11i) allows the use of multiple PSKs, most access points do not provide this feature. This means that cases where PSK is in use there is a single PMK, since the PMK=PSK. In the Enterprise mode, every station has a different PMK. During authentication, the RADIUS server produces a new Master Key (MK). The RADIUS server transfers the MK to the station. The RADIUS server and station then derive the PMK. Beyond producing a new PMK with during the initial connection, many access points require re-authentication at regular intervals, perhaps every 30 minutes. Each re-authentication produces a new PMK. What security risk is entailed by having a single PMK? I would think that the biggest risk of PSK mode is that any client on the wireless network can decrypt the traffic from any other client. | |
jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland
| reply to Jason Cohen
said by Jason Cohen :
...WPA/WPA2-PSK with an arbitrary passprhase. If his AP's signal is stronger than your own your system will automatically attempt to authenticate with his AP. This will fail, but in attempting to authenticate, you have allowed the attacker to log your passphrase.
Wrong. In TKIP and AES-CCMP the actual passphrase is never sent to recipient. The passphrase acts as a shared secret and remains secret, since the actual passphrase is not sent to the AP nor to the client, its simply used as one part of data used to create hash to create encryption/decryption keys.
--
My computer security & privacy related homepage »www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. | |
jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland | reply to Jason Cohen
Actually the best option is to use PEAP-TTLS, since it also provides encrypted tunnel for the data and authentication. | |
Jason Cohen
join:2004-11-06
Waltham, MA
| reply to Jason Cohen
I've installed Freeradius on my Debian Sarge server and set it up using a combination of jbibe's instructions and instructions found here: »www.linuxjournal.com/node/8151/print. I made changes where necessary- as configuration files were stored in different locations and all EAP related settings are now in eap.conf rather than radiusd.conf. Anyways, I believe I have everything setup properly but when I attempt to start freeradius I get this error:
"jasonsdesktop:/etc/freeradius# /usr/sbin/freeradius -x
Starting - reading configuration files ...
/etc/freeradius/eap.conf[336]: Unexpected end of file
Errors reading radiusd.conf"
I thought the problem might be due to a corrupt file so I downloaded another version off Freeradius's site but I still get the same error. Any idea what would cause this error? | |
Jason Cohen
join:2004-11-06
Waltham, MA
| Also, when I use the standard radiusd.conf file I receive the error:
jasonsdesktop:/etc/freeradius# freeradius -x
Starting - reading configuration files ...
/etc/freeradius/radiusd.conf[413]: Unable to open file "@raddbdir@/proxy.conf": No such file or directory
Errors reading radiusd.conf
I fixed this issue by manually specifying the location of the configuration directory.
confdir = ${raddbdir}
to
confdir = /etc/freeradius
Once I did that, I began receiving the "Unexpected End of File" error. | |
No_Strings
Premium,Mod
join:2001-11-22
The OC | Sounds like you have a typo in the config file - a missing curly bracket (or an extra one).
Double-check the changes you made to the config files for a syntax error. | |
Jason Cohen
join:2004-11-06
Waltham, MA
1 edit | I figured out that the problem was that I forgot to uncomment an "}" after the TLS section. Anyways, after that occurred I ran into tons of errors about missing libraries. I was about to give up until I decided to just compile freeradius from source (as I should have done the first time). The weird problems that I was getting before went away and I was greeted with this message:
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
This time I didn't have to make any configuration changes to radiusd.conf.
I just purchased a Buffalo WHR-G54S Wireless Router which I will be using to replace my crap Netgear WGR614 wireless router (drops connections, must be restarted every few days, overheats etc.) I'm planning to load DD-WRT v23sp2 on the router so I can use it with the RADIUS server I just created in EAP-TLS mode with WPA2. I guess I'll find out if it works tomorrow. | |
jasonwc
join:2006-08-24
East Brunswick, NJ
2 edits | reply to Jason Cohen
I still have a few questions. First, jbibe's revised instructions say to do "openssl gendh >> dh" to generate a DH file. However, this by default creates 512 bit safe primes. I thought the size of the primes was supposed to match the public key. So, for example, in OpenVPN, if you create 2048 bit public keys, the DH file creates a 2048 bit safe prime. Is this necessary or advantageous? Will any harm come from simply using my OpenVPN DH file?
Secondly, what is the difference between an exportable and a non-exportable certificate? If the private key isn't encrypted (which seems impossible to do with Windows Zero Configuration tool), then how exactly does Windows stop you from exporting the certificate. If you can locate the private key in the registry, can't you just recreate the key without exporting it?
Also, how would one create a non-exportable client certificate in OpenSSL?
Edit: Ignore my last question. I now realize that you select the option to make a certificate non-exportable in Windows. | |
Jason Cohen
join:2004-11-06
Waltham, MA
| reply to Jason Cohen
I received my new Bufalo WHR-G54S today and set it up in WPA2 RADIUS mode with AES encryption. My RADIUS server seems to be working perfectly. I watched the log as it authenticated clients (which occurs nearly instantaneously) and I receive a "Auth: Login OK" message as I should. I even setup a Certificate Revocation List so I can revoke clients if I need to.
Despite my apparent success, I'm seeing some error messages before the login. The errors don't seem to cause any problems. Should I be worried?
Tue Sep 19 15:39:25 2006 : Info: Ready to process requests.
Tue Sep 19 15:39:34 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue Sep 19 15:39:34 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Tue Sep 19 15:39:34 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Tue Sep 19 15:39:34 2006 : Auth: Login OK: [Jason Wittlin-Cohen] (from client WLAN port 8 cli 00095b93459e)
In addition, does anyone know if FreeRadius allows multiple users to authenticate with the same certificate? If possible, I would like to require that a certificate can not be used by multiple clients (no simultaneous connections by the same cert). This is the default policy in OpenVPN.
My school's WPA2 WLAN uses EAP-TLS on a computer cluster (it was an area which was difficult to wire). I noticed that every computer in the cluster uses the same client certificate. This seems like bad security practice and just plain stupid. It seems that the whole point of EAP is to allow per-user authentication. If you're going to use the same certificate for every user, are you that much better off than simply using a PSK? | |
Jason Cohen
join:2004-11-06
Waltham, MA
1 edit | reply to Jason Cohen
I revoked a certificate I created with the Common Name "Rhaina", updated the CRL, reloaded freeradius and verified tha the certificate would no longer allow authentication. The freeradius log showed that the certificate failed due to the fact that it was revoked. Then I created a new certificate with the same Common Name, and again, I was unable to authenticate as it stated the certificate was revoked. Shouldn't I be able to create a new certificate with the same common name? I know that you can do so in OpenVPN. I'm not sure why it's saying this certificate is revoked as it's new and shows up in index.txt as a good cert. I even created a new CRL thinking that might be the issue, and reloaded freeradius but it still says the certificate has been revoked.
If I create a certificate with a different common name, "Rhaina Cohen", for example, it authenticates fine.
Edit: I figured out the problem. The certificate was corrupt . I was able to revoke another certificate, create a new certificate with the same common name, and authenticate with the new certificate after updating the CRL. | |
Jason Cohen
join:2004-11-06
Waltham, MA
| reply to jbibe
said by jbibe :said by Jason Cohen :1) Is WPA/WPA2-Enterprise inherently more secure than WPA/WPA2-PSK? In most cases the answer is yes, the Enterprise mode is more secure than the PSK mode. Most access points use a single PSK when operating in the WPA-PSK or WPA2-PSK modes. Although the specification (802.11i) allows the use of multiple PSKs, most access points do not provide this feature. This means that cases where PSK is in use there is a single PMK, since the PMK=PSK. In the Enterprise mode, every station has a different PMK. During authentication, the RADIUS server produces a new Master Key (MK). The RADIUS server transfers the MK to the station. The RADIUS server and station then derive the PMK. Beyond producing a new PMK with during the initial connection, many access points require re-authentication at regular intervals, perhaps every 30 minutes. Each re-authentication produces a new PMK. So, let me see if I understand you correctly. Since WPA/WPA2 PSK mode use the PSK as the PMK, and all clients share the same PSK, it should be fairly trivial to capture and decrypt traffic from other clients on the network. If you capture the EAPOL packets from the client's initial four-way handshake, then you have the SNonce, ANonce, STA and AP MACs as well as the PMK. Now, you just need to concotenate this information and put it through the HMAC-SHA1 one way hash function which gives you the Pairwise Transient Key (PTK) used by that client, and from that the TK (Temporal Key) used for data encryption/integrity can be derived. You now can decrypt any captured data packets sent by the client.
Also, as you noted since the PMK never changes, it's more open to attack whereas with 802.1x every client station has its own PMK, and a new PMK is created upon each authentication with the RADIUS server. Because each client has a unique PMK, no client can discover the PMK or PTK used by any other client. This seems to be a significant advantage over PSK mode in a business environment where you don't necessarily want clients to be able to snoop on eachother's communications, whereas in a home environment, it probably doesn't matter.
I have a question about your statement that "many access points require re-authentication at regular intervals, perhaps every 30 minutes. Each re-authentication produces a new PMK."
At least on the consumer level routers I've seen that support 802.1x authentication, the only option similar to what you are mentioning is "Key Renewal Timeout" period which is set to 1800 or 3600 seconds. However, I believe this just does a new four-way handshake, which would create a new PTK, and therefore a fresh TK to encrypt client traffic, but not a new PMK. I have my WHR-G54S set to timeout every 1800 seconds, but I only see successful logins in my freeradius log when I disconnect from the network and reconnect. Does DD-WRT simply not provide this feature to force re-authentication with the RADIUS server? I also thought this was a setting that you would create on the RADIUS server itself, rather than on the AP. | |
jbibe
Premium,MVM
join:2001-02-22
| The "Key Renewal Timeout" refers to the Group Transient Key, not the Pairwise Transient Key. Based on my limited tests with Linksys consumer grade devices, the Pairwise Transient Key is not changed. Some, but not all, ZyXEL consumer grade access points include two timeout periods, the Group Key Renewal Timeout and the Re-Authentication Timeout. Since you don't see a re-authentication in your logs, your access point does not include a re-authentication timeout control.
FreeRADIUS does not include any timers. The access point controls all of the timeout periods. | |
Jason Cohen
join:2004-11-06
Waltham, MA
1 edit | jbibe,
Thanks for the response. I also am wondering about the DH parameters that are created in the Freeradius setup. The howto I followed on Paranoid Penguin [»www.linuxjournal.com/article/8151] said to use the command "openssl dhparam -check -text -5 512 -out dh" which creates a DH parameter file with a 512 bit prime. You recommended that one use, "openssl gendh >> dh" which also creates a 512 bit prime. Isn't this insecure, as the current recommended minimum for DH/DSS public keys is 1024 bits. 512 bit keys have already been broken, and 768 bit keys are also considered insecure. Incidentally, the default setting in Freeradius is "dh_key_length = 512" so in addition to creating a DH parameter file with a larger prime, you also need to manually set the DH key length in eap.conf.
Also, when I used Etherreal to capture the EAP-TLS authentiation, I saw that the server cipher suite for TLS was set to "TLS_RSA_WITH_RC4_128_MD5". This is the default setting that Freeradius uses when no cipher suite is manually selected. I'm confused because this ciphersuite does not include support for DH, and Freeradius by default uses the "rsa_key_exchange = no" setting. So, if DH isn't being used, and RSA isn't being used, how is the Master Key created? It seems like DH is necessary because if "dh_file = ..." is commented out, freeradius fails to start. What is DH being used for in the TLS exchange, and is a large DH key necessary or beneficial? | |
Jason Cohen
join:2004-11-06
Waltham, MA
| I read the NIST " Guide to IEEE 802.11i: Robust Security Networks" yesterday [»csrc.nist.gov/publications/draft···p800-97]. I have read on various sites as well on this forum that both WPA and WPA2 use unique encryption keys for each frame. However, the NIST document states that "CCM uses a new Temporal Key every session—with every new STA-AP association. Unlike TKIP, the use of AES at the core of CCM obviates the need to have per-packet keys. As a result, the two-phase key mixing functions of TKIP encapsulation are not present in the CCMP encapsulation." Thus, the encryption key used in WPA2 remains the same until you re-authenticate with the RADIUS server which generates a fresh PMK whereas in TKIP "A two-phase cryptographic key-mixing process occurs to produce a new key for every frame that is transmitted. The process takes a session Temporal Key along with the dynamically changing TSC to create a dynamic WEP key."
So, is there any safe limit to the amount of data or the number of packets that is safe to encrypt with the same Temporal Key? I routinely stream TV shows from my MythTV server over the wireless network. The recordings are appx. 7 mbit/sec (as they're MPEG-2). This leads to massive amounts of data being transferred in the same session. So, for example, yesterday after watching two shows, Windows said that I had received 2 million packets, and sent 4 million- in a period of 2 hours. The total amount of data transferred was around 6 GB. Is this safe? I would think that as a single AES encryption key can be used to encrypt HDs with hundreds of GBs of data, this shouldn't be an issue, but I wanted to verify that it is in fact a safe practice. | |
jbibe
Premium,MVM
join:2001-02-22
| reply to Jason Cohen
said by Jason Cohen :I also am wondering about the DH parameters that are created in the Freeradius setup. The howto I followed on Paranoid Penguin [» www.linuxjournal.com/article/8151] said to use the command "openssl dhparam -check -text -5 512 -out dh" which creates a DH parameter file with a 512 bit prime. You recommended that one use, "openssl gendh >> dh" which also creates a 512 bit prime. I use "openssl dhparam -check -text -5 512 -out dh" for the generation of the DH parameters. OpenSSL has obsoleted "openssl gendh >> dh".
Isn't this insecure, as the current recommended minimum for DH/DSS public keys is 1024 bits. 512 bit keys have already been broken, and 768 bit keys are also considered insecure. Incidentally, the default setting in Freeradius is "dh_key_length = 512" so in addition to creating a DH parameter file with a larger prime, you also need to manually set the DH key length in eap.conf. I don't remember the dh_key_length setting. It may be one of the changes in the recent releases. I should download and review the latest server information.
Also, when I used Etherreal to capture the EAP-TLS authentiation, I saw that the server cipher suite for TLS was set to "TLS_RSA_WITH_RC4_128_MD5". This is the default setting that Freeradius uses when no cipher suite is manually selected. I'm confused because this ciphersuite does not include support for DH, and Freeradius by default uses the "rsa_key_exchange = no" setting. So, if DH isn't being used, and RSA isn't being used, how is the Master Key created? It seems like DH is necessary because if "dh_file = ..." is commented out, freeradius fails to start. What is DH being used for in the TLS exchange, and is a large DH key necessary or beneficial?
I looked at the packet exchange during an authentication about three years. If my memory is correct, the choice is negotiated during the exchange. I don't remember the exact sequence. I seem to remember the same choice was always used.
I don't remember the ability to select the cipher suite in FreeRADIUS. It may be one of the new features. The default cipher suite may be similar to MD5 authentication. MD5 is the default authentication method, even though the FreeRADIUS notes recommends against using MD5.
For my purposes, a large DH key is probably not necessary, but I am only protecting my home network. I never send anything important over the wireless network, and I only use the wireless network to beta test new wireless cards, access points and gateways. If I had more important wireless information to protect, I would probably increase the size of the key. At least, I would experiment with changing the key. | |
|
