WLAN Security Describing EAP Authentications
Symmetric Keys
Asymmetric Keys
Digital Signature
Trusted Third Party
Certificates
PKI
EAP-TLS <ul><ul><li>Client support </li></ul></ul><ul><ul><li>Windows 2000, XP, Vista and Windows CE (natively supported) ...
EAP-TLS (Cont.)
EAP-FAST <ul><li>Considered in three phases: </li></ul><ul><ul><li>Protected Access Credentials (PAC) is generated in phas...
PAC Creation <ul><li>PAC consists of </li></ul><ul><ul><li>PAC-Key </li></ul></ul><ul><ul><li>PAC-Opaque </li></ul></ul><u...
PAC Exchange
EAP-FAST Authentication
PEAP <ul><ul><li>Hybrid authentication method </li></ul></ul><ul><ul><ul><li>Server side authentication with TLS </li></ul...
PEAP Authentication
LEAP <ul><ul><li>Cisco WLAN security solution </li></ul></ul><ul><ul><li>User authentication via user ID and password </li...
LEAP Authentication
Summary <ul><ul><li>Certificates are public keys; they allow both authentication and encryption. </li></ul></ul><ul><ul><l...
 
Upcoming SlideShare
Loading in...5
×

Iuwne10 S04 L04

408

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
408
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
44
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Iuwne10 S04 L04"

  1. 1. WLAN Security Describing EAP Authentications
  2. 2. Symmetric Keys
  3. 3. Asymmetric Keys
  4. 4. Digital Signature
  5. 5. Trusted Third Party
  6. 6. Certificates
  7. 7. PKI
  8. 8. EAP-TLS <ul><ul><li>Client support </li></ul></ul><ul><ul><li>Windows 2000, XP, Vista and Windows CE (natively supported) </li></ul></ul><ul><ul><li>Linux, Mac AirPort Extreme </li></ul></ul><ul><ul><li>Each client requires a user certificate </li></ul></ul><ul><ul><li>Infrastructure requirements </li></ul></ul><ul><ul><li>EAP-TLS-supported RADIUS server </li></ul></ul><ul><ul><li>RADIUS server requires a server certificate </li></ul></ul><ul><ul><li>Certificate Authority server (PKI Infrastructure) </li></ul></ul><ul><ul><li>Certificate management </li></ul></ul><ul><ul><li>Both client and RADIUS server certificates to be managed </li></ul></ul>
  9. 9. EAP-TLS (Cont.)
  10. 10. EAP-FAST <ul><li>Considered in three phases: </li></ul><ul><ul><li>Protected Access Credentials (PAC) is generated in phase zero (Dynamic PAC provisioning) </li></ul></ul><ul><ul><ul><li>Unique shared credential used to mutually authenticate client and server </li></ul></ul></ul><ul><ul><ul><li>Associated with a specific user-ID and an Authority ID </li></ul></ul></ul><ul><ul><ul><li>Removes the need for PKI </li></ul></ul></ul><ul><ul><li>A secure tunnel is established in phase one </li></ul></ul><ul><ul><li>Client is authenticated via the secure tunnel in phase two </li></ul></ul>
  11. 11. PAC Creation <ul><li>PAC consists of </li></ul><ul><ul><li>PAC-Key </li></ul></ul><ul><ul><li>PAC-Opaque </li></ul></ul><ul><ul><li>PAC-Info </li></ul></ul><ul><li>Server Generates a PAC-Key </li></ul><ul><li>PAC-Opaque and PAC-Info </li></ul><ul><li>The PAC-Opaque contains </li></ul><ul><ul><li>PAC-Key </li></ul></ul><ul><ul><li>Client user identity (I-ID) </li></ul></ul><ul><ul><li>Key lifetime </li></ul></ul><ul><li>PAC-Opaque is encrypted </li></ul><ul><li>with Master-Key </li></ul><ul><li>PAC-Info contains </li></ul><ul><li>the Authority Identity (A-ID) </li></ul>
  12. 12. PAC Exchange
  13. 13. EAP-FAST Authentication
  14. 14. PEAP <ul><ul><li>Hybrid authentication method </li></ul></ul><ul><ul><ul><li>Server side authentication with TLS </li></ul></ul></ul><ul><ul><ul><li>Client side authentication with EAP authentication types </li></ul></ul></ul><ul><ul><ul><ul><li>EAP-GTC </li></ul></ul></ul></ul><ul><ul><ul><ul><li>EAP-MSCHAPv2 </li></ul></ul></ul></ul><ul><ul><li>Clients do not require certificates </li></ul></ul><ul><ul><li>RADIUS server requires a server certificate </li></ul></ul><ul><ul><ul><li>RADIUS server self-issuing certificate capability </li></ul></ul></ul><ul><ul><ul><li>Purchase a server certificate per-server from public PKI entity </li></ul></ul></ul><ul><ul><ul><li>Setup a simple PKI server to issue server certificates </li></ul></ul></ul><ul><ul><li>Allows for one-way authentication types to be used </li></ul></ul><ul><ul><ul><li>One-time passwords </li></ul></ul></ul><ul><ul><ul><li>Proxy to LDAP, Unix, Microsoft NT and Active Directory, Kerberos </li></ul></ul></ul>
  15. 15. PEAP Authentication
  16. 16. LEAP <ul><ul><li>Cisco WLAN security solution </li></ul></ul><ul><ul><li>User authentication via user ID and password </li></ul></ul><ul><ul><li>Single login using Windows NT/2000 Active Directory </li></ul></ul><ul><ul><li>Dynamic WEP keys and mutual authentication </li></ul></ul><ul><ul><ul><li>Key integrity protocol/message integrity recommended </li></ul></ul></ul><ul><ul><li>Simplified deployment and administration </li></ul></ul><ul><ul><li>Supports multiple operating systems </li></ul></ul><ul><ul><ul><li>Windows, Mac OS, Windows CE, DOS, and Linux </li></ul></ul></ul><ul><ul><li>Strong password policy recommended </li></ul></ul>
  17. 17. LEAP Authentication
  18. 18. Summary <ul><ul><li>Certificates are public keys; they allow both authentication and encryption. </li></ul></ul><ul><ul><li>EAP-TLS is an authentication mechanism built upon certificate exchange. </li></ul></ul><ul><ul><li>EAP-FAST aims at providing the same level of security without certificates. </li></ul></ul><ul><ul><li>PEAP requires a certificate on the server but not on the client. </li></ul></ul><ul><ul><li>There are many other EAP types, such as Cisco LEAP. </li></ul></ul>
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×