192 Chapter 4 • Communication Security: Wireless
■ TLS Requires that the server supply a certificate and establish that it has
possession of the private key.
■ IKE Requires that the server show possession of a preshared key or
private key (this can be considered certificate authentication).
■ GSS_API (Kerberos) Requires that the server can demonstrate
knowledge of the session key.
Per-Packet Authentication
EAP can support per-packet authentication and integrity protection, but this
protection does not extend to all types of EAP messages. For example, negative
acknowledgment (NACK) and notification messages cannot use per-packet
authentication and integrity. Per-packet authentication and integrity protection
work for the following (the packet is encrypted unless otherwise noted):
■ TLS and IKE session key derivation
■ TLS ciphersuite negotiations (not encrypted)
■ IKE ciphersuite negotiations
■ Kerberos tickets
■ Success and failure messages that use a derived session key (through WEP)
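The receiver-side consequence of the list above, as an added example that is not from the book: packets covered by the derived session key are verified, while NACK and notification messages can only be treated as unauthenticated. The HMAC-SHA256 trailer, the function names, and the sample key are assumptions for illustration; the EAP code and type numbers follow RFC 3748.

```python
import hashlib
import hmac
import struct

# EAP codes and types as assigned in RFC 3748
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
NOTIFICATION, NAK = 2, 3
MIC_LEN = 32  # assumption: HMAC-SHA256 tag appended to protected packets


def build(code, ident, eap_type=None, data=b"", key=None):
    """Serialize an EAP packet; append a MIC when a session key is given."""
    body = (bytes([eap_type]) if eap_type is not None else b"") + data
    length = 4 + len(body) + (MIC_LEN if key else 0)
    pkt = struct.pack("!BBH", code, ident, length) + body
    if key:
        pkt += hmac.new(key, pkt, hashlib.sha256).digest()
    return pkt


def classify(pkt, key):
    """Return 'authenticated', 'unauthenticated' or 'rejected' for one packet."""
    if len(pkt) < 4:
        return "rejected"
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return "rejected"
    # NACK and notification messages carry no per-packet protection, so the
    # caller must not base any security decision on their content.
    if code in (REQUEST, RESPONSE) and len(pkt) > 4 and pkt[4] in (NOTIFICATION, NAK):
        return "unauthenticated"
    if len(pkt) < 4 + MIC_LEN:
        return "rejected"  # e.g. a bare Success with no MIC at all
    expected = hmac.new(key, pkt[:-MIC_LEN], hashlib.sha256).digest()
    ok = hmac.compare_digest(expected, pkt[-MIC_LEN:])
    return "authenticated" if ok else "rejected"


def demo():
    key = hashlib.sha256(b"constructed demo session key").digest()  # constructed
    good = build(SUCCESS, 7, key=key)
    forged = build(SUCCESS, 7)                # Success sent without a MIC
    tampered = good[:1] + b"\x08" + good[2:]  # identifier altered in transit
    nak = build(RESPONSE, 7, NAK, b"\x0d")    # NACK proposing type 13 (EAP-TLS)
    return [classify(p, key) for p in (good, forged, tampered, nak)]


if __name__ == "__main__":
    print(demo())
```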
NOTE
EAP was designed to support extended authentication. When implementing
EAP, dictionary attacks can be avoided by using non-password-based
schemes such as biometrics, certificates, OTP, smart cards, and
token cards. Using a password-based scheme should require the use of
some form of mutual authentication so that the authentication process
is protected against dictionary attacks.
TEST DAY TIP
It is helpful to write out a table showing the various authentication
methods used in 802.11 networks (for example, open authentication,
shared-key authentication, and 802.1x authentication) with the various
properties each of these authentication methods requires. This will help
keep them straight in your mind when taking the test.
www.syngress.com