10. The server returns a pass or fail. If it’s a pass, the user can send traffic.

LEAP

Lightweight Extensible Authentication Protocol (LEAP) gets honorable mention here mainly because it is a Cisco EAP method that is still seen in 802.11b networks. LEAP is vulnerable to an offline exploit, and you should avoid it if possible. LEAP uses a proprietary algorithm to create the initial session key.

Authentication and Encryption

Now that you understand some of the methods used to authenticate users, it’s time to explore some encryption methods. The beginning of this chapter discussed WEP. The problem with WEP is that it can be broken easily. Therefore, other methods have been established in an effort to provide more strength in encryption. In the following sections, you will learn about Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2).

WPA Overview

WPA was introduced in 2003 by the Wi-Fi Alliance as a replacement for WEP. WPA uses Temporal Key Integrity Protocol (TKIP) to automatically change the keys. TKIP still uses RC4; it just improves how it’s done. This is a major improvement over static WEP. WPA can optionally support Advanced Encryption Standard (AES), but it’s not mandatory.

WPA is based on 802.11i draft version 3. WEP uses RC4 encryption, which is very weak. The better alternative was to use AES encryption, but that would have required an equipment upgrade. To avoid an equipment upgrade, WPA was developed to use TKIP and a larger IV than WEP. This would make it more difficult to guess the keys while not requiring new hardware. Instead, you could simply perform a firmware upgrade in most cases.

WPA offers two authentication modes:

Enterprise mode: Enterprise mode WPA requires an authentication server. RADIUS is used for authentication and key distribution, and TKIP is used with the option of AES available as well.

Personal mode: Personal mode WPA uses preshared keys, making it the weaker option, but the one that is most likely to be seen in a home environment.

Figure 17-15 shows the process of WPA authentication.

[Figure 17-15: WPA authentication. Participants: Client, Authenticator, Authentication Server. Step label: Security Capability Discovery.]
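
The mode (Enterprise or Personal) and the cipher (TKIP or AES) are advertised by the access point in the WPA information element of its beacons and probe responses, which is what a client reads during security capability discovery. The following is an added example, not code from the book: it parses that element and flags the weaker options this section names. The element layout and suite numbers follow the WPA specification rather than this page, the function names are illustrative, and the two sample elements are constructed.

```python
import struct

WPA_OUI = b"\x00\x50\xf2"  # OUI that prefixes WPA v1 suite selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "AES-CCMP", 5: "WEP-104"}
AKMS = {1: "Enterprise (802.1X/RADIUS)", 2: "Personal (PSK)"}

def _name(selector, table):  # 4-byte selector = 3-byte OUI + 1-byte type
    if selector[:3] != WPA_OUI:
        return "vendor-specific"
    return table.get(selector[3], f"unknown({selector[3]})")

def _suites(buf, off, table):
    """Read a little-endian count, then that many 4-byte selectors."""
    if off + 2 > len(buf):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", buf, off)
    end = off + 2 + 4 * count
    if end > len(buf):
        raise ValueError("truncated suite list")
    sels = [buf[i:i + 4] for i in range(off + 2, end, 4)]
    return [_name(s, table) for s in sels], end

def parse_wpa_ie(ie):
    """Parse one vendor-specific element (ID 221) carrying a WPA v1 body."""
    if len(ie) < 2 or ie[0] != 0xDD or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed vendor-specific element")
    body = ie[2:]
    if len(body) < 10 or body[:4] != WPA_OUI + b"\x01":
        raise ValueError("not a WPA element")
    (version,) = struct.unpack_from("<H", body, 4)
    pairwise, off = _suites(body, 10, CIPHERS)
    modes, _ = _suites(body, off, AKMS)
    return {"version": version, "group": _name(body[6:10], CIPHERS),
            "pairwise": pairwise, "modes": modes}

def findings(info):
    """Flag the weaker options this section describes."""
    out = []
    if "TKIP" in info["pairwise"] + [info["group"]]:
        out.append("TKIP (RC4-based) offered; AES is the stronger cipher")
    if "Personal (PSK)" in info["modes"]:
        out.append("Personal mode: preshared key, no authentication server")
    return out

# Constructed sample elements (not captured traffic).
HOME_AP = bytes.fromhex("dd160050f20101000050f20201000050f20201000050f202")
CORP_AP = bytes.fromhex("dd160050f20101000050f20401000050f20401000050f201")
for label, ie in (("home", HOME_AP), ("corp", CORP_AP)):
    print(label, parse_wpa_ie(ie), findings(parse_wpa_ie(ie)))
```

Running it prints the parsed capabilities for each sample: the home element yields both findings, the corporate one yields none.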