
CTS 135: Authentication and Encryption Types

There are authentication and encryption types any Wi-Fi professional should know about.

Meet Dave Benham

Dave is a sharp Wireless Network Engineer and a great guy. He’s very knowledgeable in everything Wi-Fi and is cool to hang out with. This is one of the reasons we wanted to ask him some questions! Also, he has a great beard. Hear him on the episode!

Dave Benham and Cisco Live.

802.11 Authentication and Encryption Types

When it comes to Wi-Fi security, many people take a relaxed perspective. We wanted to help inform you on what is used in today’s networks with a little information on what’s to come in the future. Listen to the episode for the full discussion. Below is a short outline of what we talk about.

Wi-Fi Authentication

Open SSIDs

Commonly used in public areas like coffee shops, airports, malls, restaurants, hotels, etc. It’s also used as a guest network at many businesses. With an open SSID, the device selects the network and just joins without any type of user authentication. You’re on the network! The problem with an open SSID is that it is highly insecure.

Pre-Shared Key (PSK)

The PSK is the most widely used method of Wi-Fi Authentication. A password is configured for the SSID and each device wanting to connect must input the correct password. PSK is used everywhere from homes to even business networks. The biggest management overhead of a PSK is changing it when an employee leaves or a device is lost. When this happens, and the PSK needs to change, it must be changed on every single device using that Wi-Fi network. For this reason, many people don’t change their PSK often.

802.1X (WPA2-Enterprise)

A way to keep your Wi-Fi network highly secure is to authenticate users and devices using 802.1X. It can be viewed as more complex to set up, but nowadays there are services making it easier than ever to configure secure authentication. 802.1X is mainly used in the enterprise and is otherwise known as WPA2-Enterprise. Certificates may be needed on the authentication server side, on the client side, or both.

Simultaneous Authentication of Equals (SAE)

An improvement coming to Wi-Fi authentication is SAE. It strengthens the 4-way handshake, which was shown to be insecure through a couple of methods revealed in 2018. It’s meant to protect PSK networks from offline dictionary attacks. Ask your vendor to implement this as soon as possible!

Device Provisioning Protocol (DPP)

DPP is the next iteration of WPS, which is a highly insecure method of connecting devices to the Wi-Fi network. DPP is aimed at IoT devices and other devices that don’t have a screen. It allows devices to be connected to a Wi-Fi network using a QR code or NFC in a more secure manner.

Wi-Fi Encryption

None

Obviously the most insecure method. It’s used with open SSIDs. A new method for protecting open SSIDs with no security will be Open Wireless Encryption (OWE). Bug your vendor to implement it ASAP!

TKIP (WPA)

A deprecated encryption method, but still used in many environments. It’s a legacy encryption method used when devices do not support CCMP. Temporal Key Integrity Protocol (TKIP) uses the RC4 cipher (Rivest Cipher 4). It’s also limited to 54 Mbps.

CCMP-AES (WPA2)

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) using the AES (Advanced Encryption Standard) cipher. Implemented in WPA2 to improve on the weaker security methods that came before CCMP-AES. Used most of the time on modern Wi-Fi networks, whether authenticated via PSK or 802.1X.

Links & Resources

CTS 015: Authentication and Association

In This Episode

Ep. 15 will be a solo show this week. I’m going to go a little technical and discuss how wireless devices connect to a wireless network through authentication and association.

Authentication and association proceed through three states:

  1. Unauthenticated and unassociated
  2. Authenticated and unassociated
  3. Authenticated and associated

This is the 802.11 state machine. Authentication must occur before association. A device can never be unauthenticated and associated.
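To make the ordering rule concrete, here is an added example (not code from the show or its guest) that models the three-state 802.11 client state machine in Python. The frame labels, the `step` and `run` helpers, and the sample frame sequence are constructed for this illustration; the model is simplified and only accepts the transitions it lists.

```python
from enum import Enum


class State(Enum):
    """The three client states from the 802.11 state machine."""
    UNAUTH_UNASSOC = 1   # state 1: unauthenticated and unassociated
    AUTH_UNASSOC = 2     # state 2: authenticated and unassociated
    AUTH_ASSOC = 3       # state 3: authenticated and associated


# Allowed transitions: (current state, frame type) -> next state.
# Frame names are constructed labels for this example, not real frame encodings.
# There is deliberately no entry that associates an unauthenticated station.
TRANSITIONS = {
    (State.UNAUTH_UNASSOC, "authentication"): State.AUTH_UNASSOC,
    (State.AUTH_UNASSOC, "association"): State.AUTH_ASSOC,
    (State.AUTH_ASSOC, "disassociation"): State.AUTH_UNASSOC,
    (State.AUTH_UNASSOC, "deauthentication"): State.UNAUTH_UNASSOC,
    (State.AUTH_ASSOC, "deauthentication"): State.UNAUTH_UNASSOC,
}


def step(state, frame):
    """Apply one frame. Returns (accepted, new_state).

    A frame with no entry in TRANSITIONS is rejected and leaves the state
    unchanged, so "unauthenticated and associated" can never be reached."""
    nxt = TRANSITIONS.get((state, frame))
    if nxt is None:
        return False, state
    return True, nxt


def run(frames):
    """Feed a frame sequence starting from state 1.

    Returns (final_state, trace) where trace lists
    (frame, accepted, state after the frame) for each input frame."""
    state = State.UNAUTH_UNASSOC
    trace = []
    for frame in frames:
        accepted, state = step(state, frame)
        trace.append((frame, accepted, state))
    return state, trace


if __name__ == "__main__":
    # Constructed sample: the station tries to associate before authenticating,
    # then follows the correct order, then is deauthenticated by the AP.
    final, trace = run(["association", "authentication", "association", "deauthentication"])
    for frame, accepted, state in trace:
        print(f"{frame:16} {'accepted' if accepted else 'rejected'} -> {state.name}")
    print("final:", final.name)
```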

The authentication and association process

802.11 State Machine

Links and Resources