- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
Network World - Enterprise Wi-Fi networks can keep using WPA2 security safely, despite a recent Defcon exploit that has been widely, but wrongly, interpreted as rendering it useless.
The exploit successfully compromised a legacy authentication protocol, MS-CHAPv2, which was created by Microsoft years ago. But the vulnerabilities of this protocol (and other similar ones) are well known, and Wi-Fi Protected Access 2 makes use of additional mechanisms to protect them. That protection is still in force, according to both the Wi-Fi Alliance and a wireless architect, who blogged in depth on this issue after the Defcon exploit was reported.
In the wake of the Defcon demonstration, enterprises were being urged by some to abandon MS-CHAP, the Protected Extensible Authentication Protocol (PEAP), WPA2 or all of the above. None of that is necessary.
“The Wi-Fi Alliance has reviewed the chapcrack tool and cloudcracker service announced last week at Defcon 20 and these tools do not present an exploitable vulnerability in Wi-Fi CERTIFIED products,” according to statement issued by the Wi-Fi Alliance, via Kelly Davis-Felner, the WFA marketing director. “These tools exploit previously-documented weaknesses in the use of Microsoft CHAP (MS-CHAP). All uses of MS-CHAP in WPA2 are protected by the Transport Layer Security (TLS) protocol. TLS is the same strong cryptographic technology that protects all online e-commerce transactions. TLS prevents interception of the MS-CHAP messages used in WPA2 Enterprise and effectively protects against attacks using chapcrack or cloudcracker.”
That’s a bare bones, but accurate description of why the exploit can’t affect a properly set up enterprise WLAN. Andew vonNagy, senior Wi-Fi architect at Aerohive Networks, fleshed out the description in a post on his personal blog, Revolution Wi-Fi.
As with almost everything in wireless security, there are conditions and qualifications. But for Wi-Fi networks that are properly using 802.1X authentication, and that have transport layer security properly implemented, then “the impact [of this exploit] is essentially zero,” vonNagy says.
The reason for that is because enterprise Wi-Fi security is a two-step process, first creating a secure encrypted tunnel, using the aforementioned Transport Layer Security, between the wireless client and a RADIUS server (authenticating the server) and only then using MS-CHAP to authenticate the client. If the first step is properly implemented, and MS-CHAP protected, the Defcon tools are helpless to attack it, according to vonNagy.
The argument he advances in his blog post even assumes that the tools demonstrated at Defcon can in fact crack MS-CHAP completely. His point: It doesn’t matter.
As Microsoft’s own webpage makes clear, PEAP is one member of a family of Extensible Authentication Protocol (EAP) protocols. It relies on Transport Layer Security (TLS) to create an encrypted channel between an authenticating PEAP client, for example a laptop or tablet, and a PEAP authenticator, in this case an enterprise Remote Authentication Dial-In User Service (RADIUS) server. PEAP can work with a variety of EAP authentication methods, one of them being EAP-MS-CHAPv2, which work inside the encrypted tunnel.