Wireless LAN – WLAN
BAT54-Rail/F.. Release 7.54 06/08
3.2 Development of WLAN security
39
The access point is thus a kind of middleman between client and server. It
does not have to inspect the contents of these EAP packets; it only has to
ensure that no other data traffic to or from the client passes until the
authentication has succeeded. Over this "tunnel" through the access point,
the client and server authenticate one another: the server checks the client's
right to access the network, and the client checks that it is talking to the
right network. "Rogue" access points set up by attackers can be recognized
in this way, provided the client actually validates the server's certificate
rather than accepting any certificate it is offered.
A whole series of authentication methods exist which can be used in this
tunnel. A current method (and one supported by Windows XP) is EAP-TLS, in
which server and client exchange certificates; another is EAP-TTLS, in which
only the server presents a certificate and the client is then authenticated
inside the tunnel using only a username and password.
After the authentication phase a secure tunnel exists, even without WEP
encryption, and the access point is brought into it in the next step. For
this, the RADIUS server sends the so-called 'Master Secret', a session key
derived during the negotiation, to the access point. The LAN behind the
access point is considered trusted in this scenario, so this transfer is not
protected by the EAP tunnel; it relies only on the RADIUS shared secret
between server and access point.
With this session key the access point now takes over the tunnel and can
use it to deliver the actual WEP key to the client. Depending on the
capabilities of the access point hardware, this can be a true session key
(that is, a WEP key used only for data packets between the access point and
precisely this client) or a so-called group key, which the access point uses
for communication with several clients. Classical WEP hardware can usually
handle only group keys, namely the four key slots mentioned in the chapter
on WEP.
The particular advantage of this procedure is that the access point can
regularly change the WEP key over the EAP tunnel, that is, it can perform
so-called rekeying. In this way a WEP key is replaced by a new one long
before enough traffic has been sent under it for IV collisions to put it at
risk of being cracked. A typical lifetime for such a WEP key is 5 minutes.
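The hand-off described above (master key from the RADIUS server to the access point, WEP keys from the access point to the client, then periodic rekeying), as an added example written for this page in Python; it is not Hirschmann code and not a complete 802.1X implementation. It assumes the key hiding of RFC 2548 MS-MPPE attributes for the RADIUS leg, and an EAPOL-Key frame loosely modelled on IEEE 802.1X-2001 (RC4 keyed with IV and key, first 256 keystream bytes discarded, HMAC-MD5 signature); the exact field layout, the split of a 64-byte master key into a Recv and a Send half, the shared secret and all key material are constructed sample values, not taken from the page.

```python
# Key hand-off after EAP authentication: RADIUS -> access point -> client.
# Illustration added for this page (not Hirschmann code, not a real 802.1X stack).
# Assumptions: the master key is hidden RADIUS->AP as RFC 2548 MS-MPPE attributes;
# the EAPOL-Key layout loosely follows IEEE 802.1X-2001 (RC4 with IV||key, first
# 256 keystream bytes dropped, HMAC-MD5 signature); all keys/secrets are sample values.
import hashlib, hmac, os, struct

def rc4_stream(key, n, skip=0):
    """n RC4 keystream bytes after discarding the first `skip`."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(skip + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out[skip:])

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mppe_hide(key, secret, authenticator, salt):
    """RFC 2548 2.4.2: P = len||key||pad; b1 = MD5(S||R||A), bi = MD5(S||c(i-1))."""
    p = bytes([len(key)]) + key
    p += b"\x00" * (-len(p) % 16)
    b, out = hashlib.md5(secret + authenticator + salt).digest(), b""
    for i in range(0, len(p), 16):
        out += xor(p[i:i + 16], b)
        b = hashlib.md5(secret + out[-16:]).digest()
    return salt + out

def mppe_reveal(blob, secret, authenticator):
    salt, c = blob[:2], blob[2:]
    b, p = hashlib.md5(secret + authenticator + salt).digest(), b""
    for i in range(0, len(c), 16):
        p += xor(c[i:i + 16], b)
        b = hashlib.md5(secret + c[i:i + 16]).digest()
    return p[1:1 + p[0]]

HDR = ">HQ16sB"  # key length, replay counter, key IV, key index (bit 7 = unicast)

class AccessPoint:
    def __init__(self, master_key):
        self.enc_key, self.sig_key = master_key[:32], master_key[32:64]  # Recv/Send halves
        self.replay = 0

    def eapol_key_frame(self, wep_key, index, unicast=True):
        """Deliver (or re-deliver, for rekeying) a WEP key to the client."""
        self.replay += 1
        iv = os.urandom(16)
        ct = xor(wep_key, rc4_stream(iv + self.enc_key, len(wep_key), skip=256))
        hdr = struct.pack(HDR, len(wep_key), self.replay, iv, index | (0x80 if unicast else 0))
        sig = hmac.new(self.sig_key, hdr + bytes(16) + ct, hashlib.md5).digest()
        return hdr + sig + ct

class Supplicant:
    def __init__(self, master_key):
        self.enc_key, self.sig_key = master_key[:32], master_key[32:64]
        self.last_replay, self.wep_keys = 0, {}

    def receive(self, frame):
        hdr, sig, ct = frame[:27], frame[27:43], frame[43:]
        klen, replay, iv, idx = struct.unpack(HDR, hdr)
        expect = hmac.new(self.sig_key, hdr + bytes(16) + ct, hashlib.md5).digest()
        if not hmac.compare_digest(sig, expect):
            raise ValueError("bad EAPOL-Key signature")
        if replay <= self.last_replay:
            raise ValueError("replayed EAPOL-Key frame")
        self.last_replay = replay
        key = xor(ct, rc4_stream(iv + self.enc_key, klen, skip=256))
        self.wep_keys[idx & 0x7F] = key   # slot 0-3, like the four WEP keys
        return key

def run_handoff(rekeys=3):
    """Whole sequence; returns (every key arrived intact, hidden blob != plain key)."""
    msk = os.urandom(64)                # master key both EAP peers derived
    secret = b"radius-shared-secret"    # constructed RADIUS shared secret
    authenticator = os.urandom(16)      # Request Authenticator of the Access-Request
    recv_blob = mppe_hide(msk[:32], secret, authenticator, b"\x80\x01")
    send_blob = mppe_hide(msk[32:], secret, authenticator, b"\x80\x02")
    ap = AccessPoint(mppe_reveal(recv_blob, secret, authenticator)
                     + mppe_reveal(send_blob, secret, authenticator))
    sta = Supplicant(msk)
    ok = True
    for n in range(rekeys):             # initial key, then periodic rekeys
        wep_key = os.urandom(13)        # fresh 104-bit WEP session key
        ok = ok and sta.receive(ap.eapol_key_frame(wep_key, index=n % 4)) == wep_key
    return ok, recv_blob[2:] != msk[:32]
```

The replay counter and signature check in `Supplicant.receive` are what stop an attacker on the air from re-injecting an old EAPOL-Key frame or substituting a key of their own; the RADIUS leg, by contrast, is only as strong as the shared secret and the trust placed in the wired LAN, which is the point the text makes.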
The disadvantage of the procedure is its complexity. Maintaining the central
RADIUS server and the certificates stored there is generally only feasible in
large installations with a separate IT department; it is less suitable for
use in the home or in smaller companies. These practical hurdles have so far
limited EAP/802.1X to professional use. The home user must simply make do
with WEPplus, or address the security problems at the application level.