What is the difference between WPA and WPA2? Introduction: Wi-Fi vulnerabilities

Wireless protocols and their encryption methods carry a number of serious risks, which is why wireless security protocols are carefully designed to minimize them. These protocols prevent unauthorized access to computers by encrypting the data transmitted over the wireless network.

Difference between WPA2, WPA, WEP Wi-Fi protocols

Most wireless access points let you enable one of three wireless encryption standards:

  1. WEP (Wired Equivalent Privacy)
  2. WPA (Wi-Fi Protected Access)
  3. WPA2

WEP or Wired Equivalent Privacy

The first wireless security protocol was WEP (Wired Equivalent Privacy). It started with 64-bit encryption (weak) and eventually went all the way to 256-bit encryption (strong); the most common implementation in routers is still 128-bit encryption (in between). It was considered an adequate solution until security researchers discovered several vulnerabilities in it that allow an attacker to recover the WEP key within minutes. For integrity it used a CRC (Cyclic Redundancy Check).

WPA or Wi-Fi Protected Access

To address the shortcomings of WEP, WPA was developed as a new security standard for wireless protocols. To ensure message integrity it uses TKIP (Temporal Key Integrity Protocol), whereas WEP used a CRC (Cyclic Redundancy Check); TKIP was considered much stronger than a CRC. Its use ensured that each data packet was transmitted with a unique encryption key. This key mixing made the keys harder to recover and thereby reduced the number of intrusions from outside. However, like WEP, WPA also had weaknesses, so WPA was extended into WPA2.

WPA2

WPA2 is currently recognized as the most secure of the three. One of the most important changes between WPA and WPA2 is the mandatory use of AES (Advanced Encryption Standard) and the introduction of CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) as a replacement for TKIP. CCM mode combines Counter Mode (CTR) for confidentiality with Cipher Block Chaining Message Authentication Code (CBC-MAC) for authentication. These modes have been widely studied and have well-understood cryptographic properties that, to date, provide good security and performance in both software and hardware.

Lately, many “exposing” publications have appeared about the hacking of some new protocol or technology that supposedly compromises the security of wireless networks. Is this really so, what should you be afraid of, and how can you make access to your network as secure as possible? Do the words WEP, WPA, 802.1x, EAP and PKI mean little to you? This short overview brings together all the encryption and radio-access authorization technologies in use. I will try to show that a properly configured wireless network is an insurmountable barrier for an attacker (up to a certain limit, of course).

Basics

Any interaction between an access point (network) and a wireless client is built on:
  • Authentication: how the client and the access point introduce themselves to each other and confirm that they have the right to communicate;
  • Encryption: which scrambling algorithm is applied to the transmitted data, how the encryption key is generated, and when it changes.

The parameters of a wireless network, primarily its name (SSID), are regularly advertised by the access point in broadcast beacon frames. In addition to the expected security settings, they carry QoS requirements, 802.11n parameters, supported rates, information about neighboring access points, and so on. Authentication determines how the client presents itself to the access point. The possible options are:

  • Open: a so-called open network, in which all connecting devices are authorized at once
  • Shared: the connecting device must prove its identity with a key/password
  • EAP: the connecting device must prove its identity using the EAP protocol against an external server

An open network does not mean that anyone can use it with impunity. To transmit data on such a network, the client's encryption algorithm must match the network's, and the encrypted connection must be correctly established. The encryption algorithms are:

  • None: no encryption, data is transmitted in clear text
  • WEP: a cipher based on the RC4 algorithm with static or dynamic keys of different lengths (64 or 128 bits)
  • CKIP: Cisco's proprietary replacement for WEP, an early version of TKIP
  • TKIP: an improved WEP replacement with additional checks and protection
  • AES/CCMP: the most advanced algorithm, based on AES256 with additional checks and protection

The combination Open Authentication, No Encryption is widely used in guest-access systems, such as Internet access in a cafe or hotel. To connect, you only need to know the name of the wireless network. This connection is often combined with an additional check by a Captive Portal, which redirects the user's HTTP request to a page that asks for confirmation (login and password, acceptance of the rules, etc.).

WEP encryption is compromised and cannot be used (even with dynamic keys).

The commonly encountered terms WPA and WPA2 in fact determine the encryption algorithm (TKIP or AES). Since client adapters have supported WPA2 (AES) for quite some time, there is no point in using TKIP encryption.

The difference between WPA2 Personal and WPA2 Enterprise is where the encryption keys used by the AES algorithm come from. For private (home, small-office) use, a static key (password, code word, PSK (Pre-Shared Key)) of at least 8 characters is used; it is set in the access point settings and is the same for all clients of the wireless network. Compromise of such a key (someone told a neighbor, an employee was fired, a laptop was stolen) requires an immediate password change for all remaining users, which is only realistic when there are few of them. For corporate use, as the name suggests, a dynamic key is used, individual for each currently connected client. This key can be periodically refreshed during operation without breaking the connection, and its generation is the responsibility of an additional component, an authorization server, which is almost always a RADIUS server.

All possible security parameters are summarized in this table:

| Property | Static WEP | Dynamic WEP | WPA | WPA2 (Enterprise) |
| --- | --- | --- | --- | --- |
| Identification | User, computer, WLAN card | User, computer | User, computer | User, computer |
| Authorization | Shared key | EAP | EAP or shared key | EAP or shared key |
| Integrity | 32-bit Integrity Check Value (ICV) | 32-bit ICV | 64-bit Message Integrity Code (MIC) | CTR/CBC-MAC (Counter mode with Cipher Block Chaining Auth Code, CCM), part of AES |
| Encryption | Static key | Session key | Per-packet key via TKIP | CCMP (AES) |
| Key distribution | One-time, manual | Pairwise Master Key (PMK) segment | Derived from PMK | Derived from PMK |
| Initialization vector | Text, 24 bits | Text, 24 bits | Advanced vector, 65 bit | 48-bit packet number (PN) |
| Algorithm | RC4 | RC4 | RC4 | AES |
| Key length, bits | 64/128 | 64/128 | 128 | up to 256 |
| Required infrastructure | No | RADIUS | RADIUS | RADIUS |

If WPA2 Personal (WPA2 PSK) is now clear, the enterprise solution requires further consideration.

WPA2 Enterprise



Here we are dealing with an additional set of protocols. On the client side there is a special software component, the supplicant (usually part of the OS), which interacts with the authorizing party, the AAA server. This example shows the operation of a unified radio network built on lightweight access points and a controller. If access points with “brains” (autonomous access points) are used, the whole role of intermediary between clients and server can be taken on by the access point itself. In this case, the client supplicant's data is transmitted over the radio framed in the 802.1x protocol (EAPOL), and on the controller side it is wrapped in RADIUS packets.

The use of the EAP authorization mechanism in your network means that after successful (almost certainly open) authentication of the client by the access point (together with the controller, if any), the latter asks the client to authorize (confirm its authority) with the infrastructure RADIUS server:

Using WPA2 Enterprise requires a RADIUS server on your network. At the moment, the most capable products are the following:

  • Microsoft Network Policy Server (NPS), formerly IAS: configured via MMC, free, but you need to buy Windows
  • Cisco Secure Access Control Server (ACS) 4.2, 5.3: configured via a web interface, rich in functionality, allows you to build distributed and fault-tolerant systems, expensive
  • FreeRADIUS: free, configured using text configs, not convenient to manage and monitor

In this case, the controller carefully monitors the ongoing exchange and waits for authorization to succeed or be refused. On success, the RADIUS server can pass additional parameters to the access point (for example, which VLAN to place the subscriber in, which IP address to assign, a QoS profile, etc.). At the end of the exchange, the RADIUS server allows the client and the access point to generate and exchange encryption keys (individual, valid only for this session):

EAP

The EAP protocol itself is a container, that is, the actual authorization mechanism is left to inner protocols. At the moment, the following have received any significant distribution:

  • EAP-FAST (Flexible Authentication via Secure Tunneling): developed by Cisco; allows authorization using a login and password transmitted within a TLS tunnel between the supplicant and the RADIUS server
  • EAP-TLS (Transport Layer Security): uses a public key infrastructure (PKI) to authorize the client and the server (supplicant and RADIUS server) through certificates issued by a trusted certification authority (CA). Requires issuing and installing client certificates on each wireless device, so it is only suitable for a managed corporate environment. The Windows Certificate Server has facilities that let a client generate its own certificate if it is a member of a domain. Blocking a client is easily done by revoking its certificate (or through accounts).
  • EAP-TTLS (Tunneled Transport Layer Security): similar to EAP-TLS, but does not require a client certificate to create the tunnel. Inside the tunnel, similar to a browser SSL connection, additional authorization is performed (using a password or something else).
  • PEAP-MSCHAPv2 (Protected EAP): similar to EAP-TTLS in the initial establishment of an encrypted TLS tunnel between client and server, requiring a server certificate. The tunnel is then used to authorize with the well-known MSCHAPv2 protocol.
  • PEAP-GTC (Generic Token Card): similar to the previous one, but requires one-time password cards (and the corresponding infrastructure)

All of these methods (except EAP-FAST) require a server certificate (on the RADIUS server) issued by a certification authority (CA). The CA certificate itself must be present on the client's device in the trusted group (which is easy to achieve with group policy on Windows). EAP-TLS additionally requires an individual client certificate. Client authentication is performed by digital signature and, optionally, by comparing the certificate presented by the client to the RADIUS server with the one the server retrieves from the PKI infrastructure (Active Directory).

Support for each EAP method must be provided by the client-side supplicant. The standard built-in supplicants in Windows XP/Vista/7, iOS and Android provide at least EAP-TLS and EAP-MSCHAPv2, which makes these methods popular. Intel client adapters for Windows ship with a ProSet utility that extends the available list. Cisco AnyConnect Client does the same.

How reliable is it?

After all, what does it take for an attacker to break into your network?

For Open Authentication, No Encryption: nothing. Connect to the network, and that's it. Since the radio medium is open and the signal travels in all directions, blocking it is not easy. With client adapters that can listen to the air, network traffic is visible just as if the attacker had connected to the wire, to a hub, or to the SPAN port of a switch.
WEP-based encryption requires only the time to brute-force the IV and one of many freely available scanning utilities.
For encryption based on TKIP or AES, direct decryption is possible in theory, but in practice there have been no cases of it being broken.

Of course, you can try to guess the PSK key or the password for one of the EAP methods. There are no known common attacks against these methods. You can try social engineering methods, or

WPA encryption means using a protected Wi-Fi network. WPA stands for Wi-Fi Protected Access, that is, protected access.

Most system administrators know how to configure this protocol and know quite a lot about it.

But ordinary people can also learn a lot about what WPA is, how to configure it and how to use it.

True, on the Internet you can find many articles on this subject from which it is impossible to understand anything. So today we will talk about difficult things in simple language.

A little theory

So, WPA is a protocol, a technology, a program that contains a set of certificates used during transmission.

To put it simply, this technology lets you use various methods to protect Wi-Fi networks.

This can be an electronic key, which is also a special certificate of the right to use this network (we'll talk about this later).

In general, with the help of this program only those who have the right to do so will be able to use the network, and that's all you need to know.

For reference: authentication is a security measure that establishes the identity of a person and their right to access the network by comparing the data they report with the expected data.

For example, a person can be authenticated when they place their finger on a scanner. If they simply enter a login and password, this is only authorization.

But a fingerprint lets you check whether this person is really the one logging in, and not someone who took their data and logged in with it.

Fig. 1. Fingerprint scanner on a smartphone

The diagram also contains a WLC, a wireless LAN controller. On the right is the authentication server.

All this is connected by an ordinary switch (a device that simply connects different network devices). The key is sent from the controller to the authentication server and stored there.

When a client tries to connect to the network, it must transmit to the LAP (lightweight access point) the key it knows. This key goes to the authentication server and is compared with the correct key.

If the keys match, the signal propagates freely to the client.

Fig. 2. Sample WPA scheme in Cisco Packet Tracer

Components of WPA

As we said above, WPA uses special keys that are generated every time you try to start transmitting, that is, every time you turn on Wi-Fi, and that also change each time.

WPA includes several technologies that help generate and transmit these keys.

The figure below shows the general formula, which includes all the components of the technology under consideration.

Fig. 3. Formula with WPA ingredients

Now let's look at each of these components separately:

  • 802.1X is the standard used to generate that same unique key, with the help of which authentication takes place later.
  • EAP is the Extensible Authentication Protocol. It is responsible for the format of the messages in which keys are transmitted.
  • TKIP is the protocol that made it possible to expand the key size to 128 bytes (previously, in WEP, it was only 40 bytes).
  • MIC is a mechanism for checking messages (in particular, checking their integrity). Messages that fail the check are sent back.

It is worth saying that WPA2 already exists; in addition to all of the above, it also uses CCMP and AES encryption.

We won't discuss what these are now, but WPA2 is more secure than WPA. That's all you really need to know.

One more time from the very beginning

So, you have . WPA technology is used on the network.

To connect to Wi-Fi, each device must present a user certificate or, more simply, a special key issued by the authentication server.

Only then will it be able to use the network. That's all!

Now you know what WPA is. Now let's talk about what is good and what is bad about this technology.

Advantages and disadvantages of WPA encryption

The advantages of this technology would include the following:

  1. Enhanced data transmission security (compared to its predecessor, WEP).
  2. Tighter Wi-Fi access control.
  3. Compatibility with a large number of devices used to build wireless networks.
  4. Centralized security management, the center being the authentication server. Because of this, attackers are unable to gain access to hidden data.
  5. Enterprises can use their own security policies.
  6. Easy to set up and keep using.

Of course, this technology also has disadvantages, and they are often quite significant. In particular, we are talking about the following:

  1. A TKIP key can be cracked in at most 15 minutes. This was stated by a group of specialists in 2008 at the PacSec conference.
  2. In 2009, specialists from Hiroshima University developed a method for breaking into any network that uses WPA in one minute.
  3. Using a vulnerability that experts call Hole196, you can use WPA2 with your own key rather than the one required by the authentication server.
  4. In most cases, any WPA can be cracked by simple enumeration of all possible options (brute force) or by a so-called dictionary attack. In the second case, the candidates are tried not in random order but according to a dictionary.

Of course, to take advantage of all these vulnerabilities and problems, you need special knowledge in the field of computer networks.

All this is out of reach for most ordinary users, so you don't have to worry too much about someone gaining access to your Wi-Fi.

Fig. 4. Burglar and computer

Good day, dear readers of the blog! Today we will talk about DIR-615 wireless security and about network security in general. I will explain the concept of WPA. Below are step-by-step instructions for setting up a wireless network using the wizard, covering automatic and manual assignment of the network key. Next we will show how to add a wireless device using the WPS wizard. Finally, I will describe the WPA-Personal (PSK) and WPA-Enterprise (RADIUS) configurations.

Network Security

In this article, as promised, I will write about the various security levels you can use to protect your data from intruders. The DIR-615 offers the following types of security:

What is WPA?

WPA (Wi-Fi Protected Access) is a Wi-Fi standard that was designed to improve on the security capabilities of WEP.

It has two major improvements over WEP:

  • Improved data encryption via TKIP. TKIP mixes the keys using a hashing algorithm and adds an integrity check, thereby ensuring that the keys cannot be tampered with. WPA2 is based on 802.11i and uses AES instead of TKIP.
  • User authentication, which is generally absent in WEP, through EAP. WEP regulates access to a wireless network based on a computer's hardware MAC address, which is relatively easy to discover and spoof. EAP is built on a more secure public-key encryption system to ensure that only authorized network users can access the network.

WPA-PSK/WPA2-PSK uses a passphrase or key to authenticate your wireless connection. This key is an alphanumeric password between 8 and 63 characters long. The password can include symbols (!?*&_) and spaces. It must be exactly the same key that is entered on your wireless router or access point.

WPA/WPA2 enables user authentication via EAP. EAP is built on a more secure public-key encryption system to ensure that only authorized network users can access the network.

Wireless Setup Wizard

To launch the security wizard, open the Setup page and click the Wireless Network Setup Wizard button.

Automatic Network Key Assignment

Once this screen appears, the setup is complete. You will be shown a detailed report of your network security settings.
Click Save to continue.

Manual Network Key Assignment

Choose a wireless security password. It must be exactly 5 or 13 characters long, or exactly 10 or 26 characters using 0-9 and A-F.
Click to continue.

Setup is complete. You will be shown a detailed report of your wireless security settings. Click Save to finish the Security Wizard.

Add a Wireless Device using the WPS Wizard

PBC: select this option to use the PBC (push-button) method to add a wireless client. Click Connect.

WPA-Personal (PSK) Configuration

It is recommended that you enable encryption on your wireless router before turning on your wireless network adapters. Establish wireless connectivity before enabling encryption. Your wireless signal may degrade when encryption is enabled because of the additional overhead.


WPA-Enterprise (RADIUS) Configuration

It is recommended that you enable encryption on your wireless router before turning on your wireless network adapters. Please establish wireless connectivity before enabling encryption. Your wireless signal may degrade when you enable encryption due to additional overhead.

  1. Log in to the web-based configuration utility by opening a web browser and entering the router's IP address (192.168.0.1). Click Setup, and then Wireless Settings on the left side.
  2. Under Security Mode, select WPA-Enterprise.
    Note: should be disabled

The WPA2 protocol is defined by the IEEE 802.11i standard, created in 2004 to replace . It implements CCMP and AES encryption, which make WPA2 more secure than its predecessor. Since 2006, WPA2 support has been a prerequisite for all certified devices.

Difference between WPA and WPA2

Finding the difference between WPA and WPA2 is not relevant for most users, since all wireless network security comes down to choosing a more or less complex access password. Today all devices operating in Wi-Fi networks are required to support WPA2, so choosing WPA can only be justified by non-standard situations. For example, operating systems older than Windows XP SP3 do not support WPA2 without patches, so machines and devices running such systems require a network administrator's attention. Even some modern smartphones may not support the newer encryption protocol; this mainly applies to off-brand Asian gadgets. On the other hand, some Windows versions older than XP do not support WPA2 at the GPO level, so in that case they require finer tuning of network connections.

The technical difference between WPA and WPA2 is the encryption technology, in particular the protocols used. WPA uses the TKIP protocol; WPA2 uses AES. In practice this means that the more modern WPA2 provides a higher level of network security. For example, the TKIP protocol allows an authentication key of up to 128 bits, AES up to 256 bits.

The difference between WPA2 and WPA is as follows:

  • WPA2 is an improvement over WPA.
  • WPA2 uses the AES protocol, WPA uses the TKIP protocol.
  • WPA2 is supported by all modern wireless devices.
  • WPA2 may not be supported by older operating systems.
  • WPA2 has a higher security level than WPA.

WPA2 Authentication

Both WPA and WPA2 operate in two authentication modes: Personal and Enterprise (corporate). In WPA2-Personal mode, a 256-bit key, sometimes called a pre-shared key, is generated from the passphrase entered in clear text. The PSK, together with the SSID and its length, forms the mathematical basis for the Pairwise Master Key (PMK), which is used to initialize the four-way handshake and to generate a temporary pairwise (session) key, the PTK (Pairwise Transient Key), for wireless communication between the user device and the access point. Like a static-key protocol, WPA2-Personal has problems with key distribution and maintenance, which makes it more suitable for small offices than for enterprises.

WPA2-Enterprise, however, successfully addresses the challenges of static key distribution and management, and its integration with most enterprise authentication services provides account-based access control. This mode requires credentials such as a user name and password, a security certificate, or a one-time password; authentication is carried out between the workstation and a central authentication server. The access point or wireless controller monitors the connection and forwards authentication packets to the appropriate authentication server, usually . WPA2-Enterprise mode is based on the 802.1X standard, which supports port-based user and machine authentication, suitable for both wired switches and wireless access points.
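As an added illustration (not code from any of the articles collected here), the PMK derivation this paragraph describes, in Go: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256 bits out. It shows why the same passphrase yields unrelated PMKs on two different SSIDs and where the 8..63 character limit on the passphrase comes from. The known-answer value used in the comments and test is the IEEE 802.11i annex test vector (passphrase "password", SSID "IEEE"); everything else, including the second SSID, is assumed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pbkdf2SHA1 implements PBKDF2 (RFC 2898) with HMAC-SHA1, the function that
// IEEE 802.11i specifies for turning a passphrase into the 256-bit PSK.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	out := make([]byte, 0, keyLen)
	mac := hmac.New(sha1.New, password)
	for block := uint32(1); len(out) < keyLen; block++ {
		// U1 = HMAC(password, salt || INT(block))
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		// Ui = HMAC(password, Ui-1); T = U1 XOR U2 XOR ... XOR Uc
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DerivePMK computes the WPA2-Personal Pairwise Master Key the way the
// standard does: 4096 rounds of PBKDF2-HMAC-SHA1 over the passphrase, salted
// with the SSID, producing 32 bytes (256 bits). The passphrase must be 8 to 63
// characters long, the range the standard allows.
func DerivePMK(passphrase, ssid string) ([]byte, error) {
	if l := len(passphrase); l < 8 || l > 63 {
		return nil, fmt.Errorf("passphrase must be 8..63 characters, got %d", l)
	}
	return pbkdf2SHA1([]byte(passphrase), []byte(ssid), 4096, 32), nil
}

func main() {
	// 802.11i annex known-answer vector: passphrase "password", SSID "IEEE"
	// gives f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e.
	pmk, err := DerivePMK("password", "IEEE")
	if err != nil {
		panic(err)
	}
	fmt.Println("PMK:", hex.EncodeToString(pmk))
	// The same passphrase on another (assumed) SSID gives an unrelated PMK, so a
	// PSK learned on one network does not carry over to another.
	other, _ := DerivePMK("password", "IEEE-guest")
	fmt.Println("PMK on another SSID:", hex.EncodeToString(other))
}
```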

WPA2 encryption

The WPA2 standard is based on AES encryption, which replaced the DES and 3DES standards as the de facto industry standard. Being computationally intensive, AES requires hardware support that is not always available in older WLAN equipment.

WPA2 uses the CBC-MAC (Cipher Block Chaining Message Authentication Code) protocol for authentication and data integrity, and Counter Mode (CTR) for encrypting the data and the MIC checksum. The WPA2 Message Integrity Code (MIC) is nothing more than a checksum and, unlike WPA, it also provides integrity for the immutable 802.11 header fields. This prevents packet replay attacks that attempt to decrypt packets or compromise cryptographic material.

A 128-bit initialization vector (IV) is used to calculate the MIC: the IV is encrypted with AES and the temporal key (TK), giving a 128-bit result. An exclusive OR is then performed between this result and the next 128 bits of data. That result is encrypted with AES and TK, and the output is again XORed with the next 128 bits of data. The procedure is repeated until the payload is exhausted. The first 64 bits of the result of the last step are used as the MIC value.

A counter-mode algorithm is used to encrypt the data and the MIC. As with the encryption of the MIC initialization vector, this algorithm begins with a preloaded 128-bit counter, where the counter field is set to one instead of the value corresponding to the data length. A different counter is thus used to encrypt each packet.

The preloaded counter is encrypted using AES and TK, and an exclusive OR between the 128-bit result and the first 128 bits of data produces the first 128-bit encrypted block. The preloaded counter value is then incremented and encrypted using AES and the data encryption key, and the result is XORed with the next 128 bits of data.

The procedure is repeated until all 128-bit data blocks are encrypted. The counter field is then reset to zero, the counter is encrypted with AES, and the result is XORed with the MIC. The result of this last operation is appended to the encrypted frame.

Once the MIC has been computed with CBC-MAC and the data and MIC have been encrypted, an 802.11 header and a CCMP packet number field are prepended, an 802.11 trailer is appended, and the whole frame is sent to the destination address.

Decryption is performed in the reverse order. The counter is derived with the same algorithm as on the encrypting side. The counter-mode decryption algorithm and the TK are used to decrypt the encrypted portion of the payload and the MIC. The result is the decrypted data and the MIC checksum. The MIC for the decrypted data is then recalculated with CBC-MAC. If the MIC values do not match, the packet is discarded. If they match, the decrypted data is passed to the network stack and on to the client.
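An added Go illustration (not the page's own code) of the CBC-MAC-then-CTR construction described in the last few paragraphs, including the MIC check that discards a tampered frame and a packet-number check that rejects a replayed one. It follows the text rather than the exact 802.11i CCMP frame format: the real nonce layout and the header fields authenticated as associated data are omitted, the flag bytes are constructed, and the temporal key, packet numbers and payload are made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// block128 builds a 128-bit AES input from a flag byte, the 48-bit packet number
// (PN) and a block counter; 0x01 is the CTR preload flag, 0x59 (constructed) the MIC IV flag.
func block128(flag byte, pn uint64, ctr uint16) []byte {
	b := make([]byte, 16)
	b[0] = flag
	binary.BigEndian.PutUint16(b[1:], uint16(pn>>32)) // PN high 16 bits
	binary.BigEndian.PutUint32(b[3:], uint32(pn))     // PN low 32 bits
	binary.BigEndian.PutUint16(b[14:], ctr)
	return b
}

// cbcMAC as the text describes: encrypt the IV, XOR in the next 128 bits of
// data, encrypt again, repeat; the first 64 bits of the last result are the MIC.
func cbcMAC(blk cipher.Block, pn uint64, data []byte) []byte {
	x := block128(0x59, pn, 0)
	blk.Encrypt(x, x)
	for off := 0; off < len(data); off += 16 {
		chunk := make([]byte, 16) // a short final block is zero-padded
		copy(chunk, data[off:])
		subtle.XORBytes(x, x, chunk)
		blk.Encrypt(x, x)
	}
	return x[:8]
}

// Seal: CTR-encrypt the payload starting at counter one, then XOR the MIC with
// the keystream block for counter zero and append it to the ciphertext.
func Seal(tk []byte, pn uint64, plaintext []byte) ([]byte, error) {
	blk, err := aes.NewCipher(tk)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext)+8)
	cipher.NewCTR(blk, block128(0x01, pn, 1)).XORKeyStream(out, plaintext)
	cipher.NewCTR(blk, block128(0x01, pn, 0)).XORKeyStream(out[len(plaintext):], cbcMAC(blk, pn, plaintext))
	return out, nil
}

// Receiver keeps the highest accepted PN so a captured frame cannot be replayed.
type Receiver struct {
	TK     []byte
	LastPN uint64 // packet numbers start at 1
}

// Open reverses Seal; a stale PN or a MIC mismatch discards the frame.
func (r *Receiver) Open(pn uint64, frame []byte) ([]byte, error) {
	if len(frame) < 8 || pn <= r.LastPN {
		return nil, errors.New("frame discarded: too short or replayed PN")
	}
	blk, err := aes.NewCipher(r.TK)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(frame)-8)
	cipher.NewCTR(blk, block128(0x01, pn, 1)).XORKeyStream(plain, frame[:len(plain)])
	mic := make([]byte, 8)
	cipher.NewCTR(blk, block128(0x01, pn, 0)).XORKeyStream(mic, frame[len(plain):])
	if subtle.ConstantTimeCompare(mic, cbcMAC(blk, pn, plain)) != 1 {
		return nil, errors.New("frame discarded: MIC mismatch")
	}
	r.LastPN = pn
	return plain, nil
}

func main() {
	tk := []byte("0123456789abcdef") // constructed 128-bit temporal key
	frame, _ := Seal(tk, 1, []byte("constructed payload"))
	r := &Receiver{TK: tk}
	_, first := r.Open(1, frame)
	_, replay := r.Open(1, frame) // the same frame delivered again
	fmt.Println("first delivery:", first, "replay:", replay)
}
```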