Wednesday, October 9, 2019



When deploying a wireless LAN, it is very important to use secure methods for authentication and encryption so that the network can only be used by individuals and devices that are validated and authorized. In this series of articles on WLAN security, we will talk about the different types of authentication and encryption that are commonly used in Wi-Fi networks. Below is an overview of the methods that we will talk about:

WLAN Authentication Methods:

Open System
Open System authentication provides authentication without performing any type of user verification. It does not require any credentials and allows any device to connect to the wireless network. Its advantage is simplicity. Although it is part of legacy WLAN security, 802.11 Open System authentication is still used prior to 802.1X/EAP authentication.

Shared Key
Another legacy authentication method from the original 802.11 standard. Shared Key authentication is based on a challenge-response protocol. It uses WEP mechanisms to authenticate client stations and requires that a static WEP key be configured on both the client station and the access point. Authentication will not work if the static WEP keys do not match. If Shared Key authentication is successful, the same static WEP key that was used during the authentication process is also used to encrypt the 802.11 data frames.

PSK (Pre-Shared Key)

PSK is the most widely used method of Wi-Fi authentication for SOHO wireless networks. The Wi-Fi Alliance name for PSK authentication is WPA-Personal or WPA2-Personal. It moves away from a static encryption key to dynamically generated keys, using a simple passphrase as a seed. WPA/WPA2-Personal allows an end user to enter a simple ASCII character string, dubbed a passphrase, anywhere from 8 to 63 characters in size. The ASCII passphrase is converted to the PSK by the passphrase-PSK mapping.

802.1X/EAP
802.1X/EAP is a highly secure authentication method. The 802.1X standard is actually a port-based access control standard that was originally developed for 802.3 Ethernet networks. It was later adopted to provide additional support for 802.11 wireless networks.

802.1X authentication involves three parties. The supplicant is the client device that wants to be authenticated and gain access to the network. The authenticator is a network device (usually either an AP or a WLAN controller) that blocks or allows traffic, restricting the supplicant's communication with the authentication server. The authentication server is typically a trusted server that receives and validates the credentials of the supplicant and responds to the request for network access.

Extensible Authentication Protocol (EAP) is a Layer 2 authentication protocol that operates over the data link layer. The supplicant and the authentication server use it to communicate during the authentication process.





SAE (Simultaneous Authentication of Equals)
SAE was originally implemented for use in mesh networking of 802.11 WLANs in IEEE 802.11s. It is based on the Dragonfly key exchange, a password-authenticated key exchange based on a zero-knowledge proof. SAE is a secure key establishment protocol between devices that provides stronger protection for users against password guessing attempts by third parties. It is more resistant to offline dictionary attacks because each instance of the authentication exchange only allows both parties to guess the password once. The Wi-Fi Alliance announced WPA3 in 2018 to replace PSK authentication with SAE.

  

WLAN Encryption Methods:

WEP
Wired Equivalent Privacy (WEP) is a legacy encryption method. It is a Layer 2 encryption method that uses the ARC4 stream cipher. Two methods of authentication can be used with WEP: Open System authentication and Shared Key authentication. WEP is considered vulnerable to being hacked; the encryption key can be derived by an eavesdropper who sees enough traffic.

TKIP
Temporal Key Integrity Protocol (TKIP) is a security protocol that was created to replace WEP. It also uses the ARC4 cipher, just as WEP encryption does, but TKIP uses dynamically created encryption keys as opposed to static keys. All TKIP encryption keys are dynamically generated as a final result of the 4-Way Handshake, which is designed to defeat social engineering attacks.

CCMP
Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) is an encryption protocol defined under the 802.11i amendment. This encryption method uses the Advanced Encryption Standard (AES) algorithm. Unlike ARC4, which is a stream cipher, AES is a block cipher. A block cipher converts plaintext into ciphertext one block at a time, while a stream cipher converts plaintext into ciphertext 1 byte at a time. CCMP based on AES is considered much more secure than WEP and TKIP. In addition, all CCMP encryption keys are dynamically generated as a final result of the 4-Way Handshake.

GCMP
Galois/Counter Mode Protocol (GCMP) is standardized in 802.11ad-2012. This encryption method also uses AES cryptography, but unlike CCMP, which uses a 128-bit AES key, GCMP can use either a 128-bit or a 256-bit AES key. The Wi-Fi Alliance added 256-bit Galois/Counter Mode Protocol (GCMP-256) for authenticated encryption in WPA3-Enterprise.

Reference:
- CWSP Certified Wireless Security Professional Official Study Guide