2.3 - CompTIA A+ Core 2

2.3a - Wireless Encryption: Professor Messer

Protocols and encryption

  • Criteria for wireless network security: Proper authentication, robust encryption, and wireless integrity.

  • Wireless authentication: Controls who gets access to a wireless network - uses usernames, passwords, or multi-factor authentication (MFA).

  • Wireless encryption: Ensures all wireless communication is protected from eavesdropping by converting it into an unreadable format.

  • Wireless integrity: Ensures that the wireless data received is identical to the data that was sent - message integrity checks (MICs) provide this guarantee.
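The integrity check and replay protection described above, as an added example that is not from the Professor Messer course notes. It uses HMAC-SHA256 as a stand-in for the Wi-Fi-specific MIC algorithms, a constructed 8-byte sequence counter and 16-byte tag, and a constructed shared key; it shows only the integrity side, not encryption:

```python
import hashlib
import hmac
import struct

# Constructed demo parameters: an 8-byte sequence counter and a 16-byte tag.
SEQ_LEN = 8
TAG_LEN = 16


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = seq || payload || MIC, where the MIC covers seq and payload."""
    header = struct.pack("!Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Receiver side: verifies the MIC and rejects replayed or out-of-order frames."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, otherwise None."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None  # too short to carry a header and a tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(expected, tag):
            return None  # modified in transit, or produced with a different key
        seq = struct.unpack("!Q", body[:SEQ_LEN])[0]
        if seq <= self.last_seq:
            return None  # replay of an already-accepted frame
        self.last_seq = seq
        return body[SEQ_LEN:]


def demo() -> dict:
    """Run the sender/receiver exchange on constructed frames and report each outcome."""
    key = bytes(range(32))  # constructed 256-bit integrity key shared by both sides
    rx = Receiver(key)
    good = protect(key, 1, b"GET /status")
    tampered = bytearray(good)
    tampered[SEQ_LEN] ^= 0x01  # flip one bit of the payload
    return {
        "valid": rx.accept(good),                              # accepted
        "replayed": rx.accept(good),                           # same frame again: rejected
        "tampered": rx.accept(bytes(tampered)),                # MIC mismatch: rejected
        "wrong_key": Receiver(b"\x00" * 32).accept(good),      # different key: rejected
        "next": rx.accept(protect(key, 2, b"OK")),             # fresh frame: accepted
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>9}: {result!r}")
```

The receiver checks the tag before it looks at the sequence number, so a frame that was altered in transit never influences the replay window.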

Wi-Fi Protected Access (WPA)

  • Wi-Fi Protected Access (WPA): A security protocol designed as a temporary replacement for WEP (Wired Equivalent Privacy), which had significant cryptographic weaknesses. Used Temporal Key Integrity Protocol (TKIP) for encryption and ran on existing hardware.

Wi-Fi Protected Access 2 (WPA2)

  • Wi-Fi Protected Access 2 (WPA2): A security protocol designed to be a long-term replacement for WEP/WPA. Uses AES (Advanced Encryption Standard) for encryption. Required an upgrade of physical wireless access points, because AES needs more CPU/processing power than TKIP.

Wi-Fi Protected Access 3 (WPA3)

  • Wi-Fi Protected Access 3 (WPA3): Upgrade to the WPA2 protocol - increases AES cryptographic strength options and security for initial key exchange, and provides encryption for open wireless networks.

Temporal Key Integrity Protocol (TKIP)

  • Temporal Key Integrity Protocol (TKIP): Encryption standard used for WPA - functions by providing a new encryption key for every sent Wi-Fi packet.

Advanced Encryption Standard (AES)

  • Advanced Encryption Standard (AES): Encryption standard used for WPA2/3 - functions by encrypting data in blocks of 128 bits, using sophisticated algorithms for improved security.

2.3b - Authentication Methods: Professor Messer

Authentication

  • Authentication process (overview): Client device attempts to connect to an access point over the Internet. An authentication server checks the client device’s credentials, approves the credentials, and then allows access to the internal file server/internal network.

  • Open system: Wireless network that requires no password to authenticate (e.g., coffee shop Wi-Fi).

  • WPA2/3-Personal (WPA2/3-PSK): Uses WPA2 or WPA3 with a 256-bit pre-shared key (i.e., a password). Everyone on the network uses the same PSK.

  • WPA2/3-Enterprise (WPA2/3-802.1X): Authenticates users individually with an authentication server (e.g., RADIUS).
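How the 256-bit pre-shared key of WPA2/3-Personal relates to the password, as an added example that is not from the course notes. It relies on the 802.11 definition of WPA-Personal key derivation (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output) and the standard's rule that a configured key is either an 8-63 character passphrase or a 64-hex-digit raw PSK; the "password"/"IEEE" vector is the standard's published test case, and the other passphrases and SSIDs are constructed:

```python
import hashlib
import re

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11 standard for WPA-Personal
PSK_LEN = 32               # 256-bit key


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=PSK_LEN,
    )


def parse_wpa_key(configured: str, ssid: str) -> bytes:
    """Accept either form a network configuration allows: a 64-hex-digit raw PSK,
    or an 8-63 character passphrase that is stretched into the PSK."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", configured):
        return bytes.fromhex(configured)
    if 8 <= len(configured) <= 63:
        return derive_psk(configured, ssid)
    raise ValueError("passphrase must be 8-63 characters, or a 64-hex-digit PSK")


def demo() -> dict:
    """Show that the PSK depends on both the passphrase and the SSID."""
    return {
        # published 802.11i test vector
        "ieee_vector": derive_psk("password", "IEEE").hex(),
        # constructed: same passphrase, two SSIDs -> two different keys
        "HomeNet": derive_psk("correct horse battery", "HomeNet").hex(),
        "HomeNet-5G": derive_psk("correct horse battery", "HomeNet-5G").hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because every station runs the same derivation with the same inputs, every station holds the same 256-bit key; the "everyone uses the same PSK" point in the notes is a direct consequence, and changing the passphrase (or the SSID) is what rotates that key for all of them.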

Remote Authentication Dial-in User Service (RADIUS)

  • Remote Authentication Dial-in User Service (RADIUS): Provides centralized authentication for the users of network devices and services, including routers, firewalls, servers, and remote-access VPNs. Widely available on server OSs.
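A minimal RADIUS Access-Request / Access-Accept exchange between a network device and an authentication server, as an added example that is not from the course notes. It follows the RFC 2865 packet layout (Code, Identifier, Length, 16-byte Authenticator, then attributes), the User-Password hiding scheme (MD5 of the shared secret and Request Authenticator, XORed in 16-byte blocks) and the Response Authenticator check MD5(Code + ID + Length + RequestAuth + Attributes + Secret). The shared secret, user name, password and user database are constructed for the demo:

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte) | Length including the 2-byte header | Value."""
    return bytes([attr_type, len(value) + 2]) + value


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide the password: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same scheme; strips the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """Client (e.g. an access point or VPN gateway) builds an Access-Request."""
    request_auth = request_auth or os.urandom(16)  # fresh random Request Authenticator
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_respond(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server checks the credentials and signs the reply with the Response Authenticator."""
    _code, identifier, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    username = attrs.get(ATTR_USER_NAME, b"")
    password = decode_user_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    resp_attrs = b""  # no reply attributes in this demo
    header = struct.pack("!BBH", code, identifier, 20 + len(resp_attrs))
    response_auth = hashlib.md5(header + request_auth + resp_attrs + secret).digest()
    return header + response_auth + resp_attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client accepts a reply only if the identifier matches and the Response Authenticator
    was computed with the shared secret over this request's Request Authenticator."""
    if len(response) < 20 or request[1] != response[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Without the shared secret a third party can neither recover the hidden password nor forge a valid Access-Accept, which is why the secret is treated as a credential. This is the original RFC 2865 design; current deployments add the Message-Authenticator attribute (RFC 2869) and often carry RADIUS over TLS, but the check above is the one every RADIUS client still performs.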

Terminal Access Controller Access-Control System (TACACS+)

  • Terminal Access Controller Access-Control System (TACACS): Remote authentication protocol - originally created for ARPANET/dial-up access control. Pronounced "tack-axe".

  • Terminal Access Controller Access-Control System (TACACS+): The latest version of TACACS - provides more authentication requests and response codes. Released in 1993 as an open standard. Widely used for Cisco switches/networking hardware.

Kerberos

  • Kerberos: Network authentication protocol that allows a client to authenticate once, and gain system access for a limited time period (no need to re-authenticate to every service). Operates by issuing a ticket for the session, which is validated by an application server to gain access to the system.

Multi-factor authentication (MFA)

  • Multi-factor authentication (MFA): Authentication that uses more than one factor to verify a user’s identity.