CWNP CWSP – Module 06 – SOHO 802.11 Security Part 2

  1. Risks of WPA/WPA2

Now, all types of crypto systems have their own set of risks, and there are two of them with WPA and WPA2 Personal. Let me just tell you what they are. The first one is if you have a weak pre-shared key. I mean, let's just face it: if it's weak, it's easy for somebody to do either a dictionary or brute-force attack, like I said before, right? Dictionary attacks, rainbow tables, or brute force. I remember in the older days we had a hacking tool for wireless that was called Brutus, and I thought that was kind of a fun name.

Anyway, the other, of course, is social engineering. Social engineering is where you basically ask for the passphrase. Seriously, ask for it, or maybe even just watch somebody type it. In one of the demonstrations, I think I showed you the difference when you're connecting to a particular wireless network and you get this little box that pops open asking you to type in that passphrase.

And then there's usually a little checkbox right there that says, do you want to hide the characters? Some people don't like to, because it might be a complicated passphrase. But if you tick that little checkbox, then all anyone is going to see are these little dots. So unless they're watching you type on the keyboard, they're not going to be able to look over your shoulder and see what's on the screen. Now remember, Personal was designed for the SOHO.

So if you think about it, if you're a small office, home office, here's your house. You've got your wireless access point in here, and odds are there's a finite distance. Maybe your neighbors can barely pick up your Wi-Fi, right, if their house is close enough to be within range. But the hope is that Personal is fine because the people who could be listening aren't really hackers. I mean, I guess they could be, but that's what we're basically saying: it's safer because of where it's being used. Whereas if I was in a large enterprise, that might be a whole different story.

In fact, I remember back before 802.11i came out, I had a friend who got a job with a security company. He was doing sales for the security company, but they would actually have this little truck with all their electronic equipment in it, and they would drive through the city of Los Angeles, breaking into these wireless networks as they drove by and then taking a few documents. And then his job as a salesperson was that he'd have to go visit that company, like the next day, and say, look, this is what we found just by driving by, and we can offer services to help secure your network. And then after a while I think he got nervous, because if you ask me, I don't think that was completely legal. And eventually that company did go out of business, so maybe it wasn't completely legal.

Okay, so one more time: passphrases should also be complex. It increases this thought or idea of entropy, which is a measure of the uncertainty associated with a random variable, and I'll just leave it at that. A measure of uncertainty. That means that the more complex it is, the more uncertain people will be in trying to figure out what it is. If you think about it, if you had a quarter here, it has two sides, heads and tails. If you flip the coin, you know that the result will be either heads or tails.

So there's not very much entropy. There's not very much, I should say, uncertainty about what the result is going to be. But if you were rolling a die (dice, die, whatever it is; does that look like a die? A single one? I don't know how they do that), the entropy is a little higher, because now there are up to six possible results. So I think, I hope anyway, that kind of makes sense in what I'm trying to explain about what entropy is: the level of uncertainty in knowing the result, because the more complex it is, the harder it is eventually going to be to crack.
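The coin-and-die illustration above, carried through to passphrases as an added example. This is editor-supplied Python, not code from the course: the character-class rules used to size the alphabet, the sample wordlist and the guessing rate are assumptions for illustration, and the point it adds is that a passphrase found in a wordlist has only the wordlist's entropy, however long it is.

```python
import math
import string

# Constructed wordlist standing in for the dictionary an attacker would use.
SAMPLE_WORDLIST = ["password", "sunshine", "letmein", "qwerty123", "iloveyou",
                   "football", "welcome1", "monkey"]


def choice_entropy_bits(n_outcomes: int) -> float:
    """Entropy of one uniformly random choice among n outcomes: log2(n).
    A coin gives 1 bit, a six-sided die about 2.58 bits."""
    if n_outcomes < 1:
        raise ValueError("need at least one outcome")
    return math.log2(n_outcomes)


def effective_alphabet(passphrase: str) -> int:
    """Size of the symbol set the passphrase actually draws from, judged by
    the character classes present (assumed rule: lower 26, upper 26,
    digits 10, punctuation 32, space 1)."""
    size = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        size += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += 26
    if any(c in string.digits for c in passphrase):
        size += 10
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)
    if " " in passphrase:
        size += 1
    return size


def brute_force_bits(passphrase: str) -> float:
    """Uncertainty a brute-force attacker faces if the passphrase were chosen
    uniformly from its alphabet: length * log2(alphabet size)."""
    return len(passphrase) * choice_entropy_bits(effective_alphabet(passphrase))


def dictionary_bits(passphrase: str, wordlist=SAMPLE_WORDLIST):
    """If the passphrase is in the attacker's wordlist, its real uncertainty
    is only log2(len(wordlist)), however long it is. Returns None otherwise."""
    if passphrase in wordlist:
        return choice_entropy_bits(len(wordlist))
    return None


def estimated_bits(passphrase: str, wordlist=SAMPLE_WORDLIST) -> float:
    """Whichever attack is cheaper decides the effective strength."""
    dict_bits = dictionary_bits(passphrase, wordlist)
    brute = brute_force_bits(passphrase)
    return brute if dict_bits is None else min(dict_bits, brute)


def expected_seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the key at a given guess rate: half the space."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    print("coin:", choice_entropy_bits(2), "bits; die:",
          round(choice_entropy_bits(6), 2), "bits")
    for pw in ["sunshine", "Sunsh1ne!", "correct horse battery staple"]:
        b = estimated_bits(pw)
        # 1e9 guesses/s is an assumed rate for the printout, not a measured one.
        print(f"{pw!r}: {b:.1f} bits, ~{expected_seconds_to_crack(b, 1e9):.3g} s "
              "at 1e9 guesses/s")
```

"sunshine" is eight lowercase letters, so brute force would face about 37.6 bits, but because it sits in the constructed wordlist its effective strength is log2(8) = 3 bits; that is the gap the lecture's dictionary-versus-brute-force distinction is about.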

  1. Another Risk Factor of WPA/2

Another risk factor when it comes to either WPA or WPA2 (so I'm cheating when I type it out as slash two), and remember we're talking about SOHOs, is that the biggest problem is you may not have equipment that can support the Extensible Authentication Protocol, and that is because of cost. And when I say cost, it might not even be that your laptop or your mobile machines can't support it; it just might be that this access point you purchased from a local electronics store doesn't support it. What else did I say? We also needed hardware. Again, hardware; I'd put software in there as well.

That's different to me from firmware, because in order for us to get into 802.1X to do WPA Enterprise, as I said before, you'd have to have a number of servers, and most server software is not free. It's very expensive for licensing, and so we'd have to say no, we can't afford that. So again, it's a cost. Or, like I said, it could be the hardware and the firmware: even if at some point your access point could handle doing EAP, it would only be if you did a new upgrade and the company that supports that product provided one. Okay? So if you were doing WPA2 Personal and you were doing it at an enterprise, it does also leave you at risk because it's not as secure.

Remember, the problem that we had, as I said before, is that with social engineering, somebody could get your pre-shared key. And if this was a large enterprise at the company headquarters, that would certainly put you at risk, because then anybody could come into your network, some rogue machine, and be able to connect because they tricked somebody out of their pre-shared key. Whereas if we were doing the Enterprise level, that rogue machine wouldn't work, because they also have to do authentication. They have to have a valid user account. Now, there are some other proprietary solutions that might be able to help, especially with this idea of rogue machines.

And that is you could map the pre-shared key to the actual machine, which means that this rogue person wouldn't be able to get in, because they didn't have it mapped to the machine as was previously done. In other words, it's kind of like the machine is authenticating itself as well. And remember, proprietary solutions are not a bad thing. I prefer the open types of standards, because if you use a proprietary solution, you're kind of stuck with whoever that vendor is that made your equipment. You have to pretty much buy stuff only from them.

  1. Wi-Fi Protected Setup (WPS) Part 1

Another SOHO solution is this thing called Wi-Fi Protected Setup, or WPS. And what it was designed to do is to help those people who might not be tech savvy, to simplify and automate the setup of WPA2 for homes or, like I said, small businesses. And it is supported by the Wi-Fi Alliance. In fact, if you were to look at your access point, there's generally a little button that you can press that's called WPS. And as long as you have a machine that is able to support WPS, then they can discover each other and set up WPA2. Basically, the access point will find the enrollee, and the access point is usually the registrar. And the idea is that when these two are talking and doing those management frames, they discover each other. And because you pushed WPS, then we have WPA2 running, WPA2 Personal, and we have a connected device, and the person doing it doesn't have to know what really went on.

You just know that you fortunately have a secure connection, and you didn't have to have the techno-savvy knowledge to make that happen. Now, if you have a device that doesn't have that external button for WPS, then it's going to have what I think would generally be called a router PIN. And that's usually on a label that's stuck to the front or back or bottom of that access point. And you could just take that PIN, supply it to the client that's seeking to join, and because of the use of that PIN, you can still do WPS. I mean, that's just another option. It really does depend on the access point. And in a little more scaled-out solution, you could also have an external registrar instead of the access point being the registrar. A little more complicated, a little more cost, but the access point could use that external registrar to basically allow the enrollee to be a part of that connection.
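The PIN on the access point's label has a fixed shape, shown here as an added example (editor-supplied Python, not code from the course): WPS PINs are eight digits, and the eighth digit is a checksum over the first seven. The lecture does not describe this; the weighting below follows the Luhn-style rule in the WPS specification, and the sample PINs are constructed (12345670 is the widely quoted default example).

```python
def wps_pin_checksum(first_seven: int) -> int:
    """Check digit for a seven-digit WPS PIN prefix.

    Walking from the least significant digit, digits are weighted 3, 1, 3, 1,
    ... and the check digit brings the weighted sum to a multiple of 10
    (the Luhn-style scheme the WPS specification uses)."""
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("need a value of at most 7 digits")
    accum, pin = 0, first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def make_wps_pin(prefix: str) -> str:
    """Append the check digit to a seven-digit prefix (leading zeros kept)."""
    if len(prefix) != 7 or not prefix.isdigit():
        raise ValueError("prefix must be exactly 7 digits")
    return prefix + str(wps_pin_checksum(int(prefix)))


def wps_pin_is_valid(pin: str) -> bool:
    """True for an eight-digit PIN whose last digit is the right checksum.
    Anything that is not exactly eight decimal digits is rejected up front."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return pin[7] == str(wps_pin_checksum(int(pin[:7])))


if __name__ == "__main__":
    # Constructed samples: the well-known 12345670, a mistyped variant,
    # a too-short entry and an all-zero prefix.
    for candidate in ["12345670", "12345671", "1234567", "00000000"]:
        print(candidate, "->", wps_pin_is_valid(candidate))
    print("PIN for prefix 9876543:", make_wps_pin("9876543"))
```

A client that validates the checksum before sending anything catches the common case of a PIN mistyped off the label without a round trip to the registrar; a PIN that passes the checksum is still only as secret as the label it is printed on.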

  1. Wi-Fi Protected Setup (WPS) Part 2

So as I said, the two most common options for administrators to be able to use WPS are a PIN or push-button configuration, or both. I mean, you'll always have at least the PIN on an access point that supports WPS. Now, the registration protocol is what it goes through to make this connection, and the things it does for you: number one, I guess, troubleshooting basic connectivity. It certainly could be used to do that, because as part of the registration, if for whatever reason it's failing, it does have the ability to diagnose some of the basic connectivity problems with the wireless channel. The registration protocol could run in what we call in-band or out-of-band; I'm going to write OOB.

The difference is whether these communications are happening over the same network that we're sending data on, or whether there's another channel that we're using to make that happen. Anyway, it also provides a demonstrated identification of the enrollee to the registrar and of the registrar to the enrollee, and that's where we could do that on the out-of-band type of setup with the credentials. It does establish each device's role.

Like I said, you're either the AP or the registrar, or you're the enrollee. So this protocol figures out all of the different roles. And remember, the access point could also be the registrar. It also securely conveys the wireless LAN settings to the registrar and the enrollee (again, that would usually be the access point as the registrar), and eventually creates what we call an Extended Master Session Key, or EMSK. Now, one of the things we have to remember is that this process could be in-band, out-of-band, or both. But one of the things they have to do, between the client and, let's just say, our access point, which is both the access point and the registrar, is a key exchange. We're not using EAP. Remember, we said that one of the things about a small office, home office is that we probably don't have the Extensible Authentication Protocol. So they use this thing called Diffie-Hellman. And I think I talked about what Diffie-Hellman is before. It's a key exchange. Some people call it an encryption, but it's really not encryption.

It's just a mathematical trick, again, for two sides to exchange bits of information from which they then derive the same session key on both sides. So it's a way of exchanging a key without exchanging the key. And I know that sounds funny to say, but that's what they're doing. Now, if you think about all of the different parts of this registration protocol that we went through, there are actually two phases. I mean, we talked about what it accomplishes, but it really does this in two phases. So let's put this towards the top, all right? In the first phase, they are going to exchange public keys and the information about which device has which role. Remember, the roles are down here: registrar role and the rest of that. It also enables presence and feature discovery, but that's also part of the management frames that they send. And then, if the two devices decide that they liked what they heard, they can move on to phase two. And here there may be up to three round trips of sending information, like the authentication and credential provisioning. I just call it the auth or credential. Cred, whether or not you have cred. I guess that's what people say these days. And at that point, they also do mutual authentication.
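The two-phase exchange described above, as an added example. This is editor-supplied Python, not the course's or the Wi-Fi Alliance's code: phase 1 exchanges roles and Diffie-Hellman public values, both sides derive the same session key without ever sending a private exponent, and phase 2 confirms that key in both directions while proving knowledge of the device password (the PIN). The group parameters (the prime 2**127 - 1 with generator 5), the HMAC-SHA256 key derivation, the message layout and the PINs are assumptions for illustration; the real registration protocol uses a standardised 1536-bit MODP group and its own message formats and key derivation.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (an assumption for this example): the Mersenne
# prime 2**127 - 1 with generator 5. Real WPS uses a 1536-bit MODP group;
# the mechanics are the same.
P = (1 << 127) - 1
G = 5
INT_BYTES = 16  # every value mod P fits in 16 bytes


def to_bytes(value: int) -> bytes:
    return value.to_bytes(INT_BYTES, "big")


class Party:
    """One side of the registration: the enrollee or the registrar."""

    def __init__(self, role: str, device_password: str):
        self.role = role
        self.device_password = device_password.encode()
        self.private = secrets.randbelow(P - 2) + 1   # never leaves this object
        self.public = pow(G, self.private, P)         # sent in phase 1
        self.transcript = b""
        self.key = b""

    def phase1_message(self) -> dict:
        # Phase 1: announce the role and the public value.
        return {"role": self.role, "public": self.public}

    def derive_key(self, peer_msg: dict) -> bytes:
        # g^(ab) mod p is the same number on both sides, although only
        # g^a and g^b ever crossed the air.
        shared = pow(peer_msg["public"], self.private, P)
        if self.role == "enrollee":
            e_pub, r_pub = self.public, peer_msg["public"]
        else:
            e_pub, r_pub = peer_msg["public"], self.public
        self.transcript = b"enrollee" + to_bytes(e_pub) + b"registrar" + to_bytes(r_pub)
        # Assumed KDF: HMAC-SHA256 keyed by the phase-1 transcript over the secret.
        self.key = hmac.new(self.transcript, to_bytes(shared), hashlib.sha256).digest()
        return self.key

    def _authenticator(self, role: str) -> bytes:
        # Binds the derived key, the transcript and the PIN to one role.
        data = role.encode() + self.transcript + self.device_password
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def phase2_authenticator(self) -> bytes:
        # Phase 2: prove we hold the same key and the same device password.
        return self._authenticator(self.role)

    def verify_peer(self, peer_role: str, peer_auth: bytes) -> bool:
        return hmac.compare_digest(self._authenticator(peer_role), peer_auth)


def run_registration(enrollee_pin: str, registrar_pin: str,
                     on_path_attacker: bool = False) -> dict:
    """Run both phases and report what each side concluded."""
    enrollee = Party("enrollee", enrollee_pin)
    registrar = Party("registrar", registrar_pin)
    m_enrollee = enrollee.phase1_message()
    m_registrar = registrar.phase1_message()

    # The legitimate enrollee always derives from the registrar's real message.
    enrollee.derive_key(m_registrar)

    if on_path_attacker:
        # An on-path attacker who does not know the PIN substitutes their own
        # public value toward the registrar and completes phase 2 themselves.
        attacker = Party("enrollee", "00000000")
        attacker.derive_key(m_registrar)
        registrar.derive_key(attacker.phase1_message())
        e_auth = attacker.phase2_authenticator()
    else:
        registrar.derive_key(m_enrollee)
        e_auth = enrollee.phase2_authenticator()
    r_auth = registrar.phase2_authenticator()

    return {
        "keys_match": enrollee.key == registrar.key,
        "registrar_accepts_enrollee": registrar.verify_peer("enrollee", e_auth),
        "enrollee_accepts_registrar": enrollee.verify_peer("registrar", r_auth),
    }


if __name__ == "__main__":
    # PINs are constructed sample values.
    print("matching PINs:     ", run_registration("12345670", "12345670"))
    print("enrollee wrong PIN:", run_registration("12345678", "12345670"))
    print("on-path attacker:  ", run_registration("12345670", "12345670", True))
```

Plain Diffie-Hellman on its own only defeats a passive eavesdropper, who sees both public values and still cannot compute the shared secret; it says nothing about who is on the other end. That is why phase 2 binds the derived key to the device password: in the on_path_attacker case the attacker does share a key with the registrar, but without the PIN cannot produce an authenticator the registrar accepts, and the enrollee in turn rejects the registrar's authenticator because its own key is different.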
