802.11/Wi-Fi® Security
802.11 security frameworks are only concerned with over-the-air security (i.e., station to AP).
For station-to-station (end-to-end) security, an application-layer solution such as SSL/TLS needs to be used.
Goals
What are the goals of any security framework?
- Communicate sensitive data (Goal: Data Privacy/Confidentiality)
  - Address snooping or eavesdropping
- Guarantee data is unmodified (Goal: Data Integrity)
  - Address tampering (man-in-the-middle attacks)
- Assure source of data (Goal: Data Authenticity)
  - Address redirection (man-in-the-middle attacks)
Available Frameworks
Options: WEP40/104, WPA-PSK (Preshared Key), WPA/2-PSK, WPA/2-EAP (Extensible Authentication Protocol).
- WEP involves entering a phrase or its hex equivalent (5 bytes for WEP40 or 13 bytes for WEP104):
  - Not very secure, easily broken
  - Best case for ad-hoc networks
- WPA-PSK uses TKIP:
  - Not very secure, easily broken
- WPA/2-PSK uses 802.1x AES:
  - Involves a changing key pair; it starts from a key calculated from the SSID and the phrase
- WPA/2-EAP covers a number of different authentication methods.
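The starting key mentioned above for WPA/2-PSK is the Pairwise Master Key, which 802.11i derives from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 iterations. The following is an added example (not from the original page) that performs that derivation with Python's standard library and enforces the standard's 8-63 printable-ASCII passphrase range; the SSID "HomeNet" is a constructed sample value.

```python
import hashlib

# WPA/WPA2-Personal (PSK) master key derivation per IEEE 802.11i:
# PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dkLen=32 bytes).
PSK_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit Pairwise Master Key for a WPA/WPA2-PSK network.

    The passphrase must be 8 to 63 printable ASCII characters (the range
    the standard allows). The SSID is the PBKDF2 salt, so the same
    passphrase yields a different PMK on every SSID.
    """
    if not (8 <= len(passphrase) <= 63):
        raise ValueError("WPA passphrase must be 8-63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PSK_ITERATIONS,
        dklen=PMK_LEN,
    )


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PMK (the 64-hex-digit PSK value most APs accept directly)."""
    return derive_pmk(passphrase, ssid).hex()


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(pmk_hex("password", "IEEE"))
    # Same passphrase on a different (constructed) SSID gives a different PMK.
    print(pmk_hex("password", "HomeNet"))
```

The 4096 iterations are what make each passphrase guess costly; the per-SSID salt prevents one precomputed table from serving every network, which is why a unique SSID and a long passphrase both matter in PSK mode.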
Best Practices
- Use WEP, WPA?
  - Both deprecated by Wi-Fi.org.
- WPA/2 is the current standard Wi-Fi®-certified security framework.
  - PSK (Personal) Mode:
    - Small (Residential/SOHO) or transient network
    - Supported by most Wi-Fi® solutions today
  - EAP (Enterprise) Mode:
    - Large, permanent network
    - EAP protocol processing capability is becoming available to stations