RE: 802.1x and PEAP

From: Rosenhan, David (David.Rosenhan_at_swiftbrands.com)
Date: 03/04/04

    Date: Thu, 4 Mar 2004 13:18:02 -0700
    To: "Camillo Bucciarelli" <camillobucciarelli@yahoo.it>
    
    

    Camillo,

    Broadcast key rotation can only be done with an authentication server.

    TKIP and MIC are Cisco proprietary. If you have an AP running VxWorks
    and not IOS, then you won't get a different vendor's card other than a 340
    or 350 card to work with TKIP and MIC, period. Even if you upgrade to
    IOS, a different vendor's card will not work with TKIP and MIC, but there
    are other options with IOS.

    If you upgrade to IOS on your AP (1200s and 350 APs are upgradable to
    IOS) then you have some new options: you can now use new IEEE standards
    like WPA; the problem is the manufacturer's card has to support it. WPA
    is really new; even with Cisco 340 and 350 cards you have to use a
    separate piece of software (like the Funk Odyssey client) to use WPA
    pre-shared keys. IEEE also included TKIP with WPA and you don't need a
    server to use it with the new IOS software on the 1200 and 350 APs.
    Plus there are options for EAP with WPA and broadcast key rotation with
    authentication to a RADIUS server (Cisco has docs that talk about how
    the ACS server works with all of this on their website).

    Thanks!

    David Rosenhan, CCNP
    Information Technology

    -----Original Message-----
    From: Camillo Bucciarelli [mailto:camillobucciarelli@yahoo.it]
    Sent: Thursday, March 04, 2004 8:43 AM
    To: shankarnarayan.d@netsol.co.in
    Cc: security-basics@securityfocus.com
    Subject: RE: 802.1x and PEAP

    Can I use these features (Enhanced MIC verification
    for WEP, Temporal Key Integrity Protocol, Broadcast
    WEP Key rotation) with a non-Cisco wireless adapter?
    Such as a 3Com wireless PCMCIA?
    Actually I've tried a Cisco Aironet 340 wireless card.

    Regards,
    Camillo Bucciarelli

    --- shankarnarayan.d@netsol.co.in wrote:
    > This can be done best on the wireless networks
    > having AP's from Cisco. The
    > others are still in the process of accomplishing the
    > same on their Access
    > Points (most have done it, some are yet to
    > accomplish the same). The
    > broadcast key is negotiated for the first time and
    > then the same is changed
    > at periodic intervals (configurable by an
    > administrator). The old broadcast
    > key is used to encrypt the new key and the same is
    > broadcast out to all the
    > clients on the access point at the expiry of the
    > administrator defined time
    > limit. On a Cisco you would use the following
    > commands on the Aironet 1100/
    > 1200 (with IOS) in order
    >
    > configure terminal
    > interface dot11radio { 0 | 1 }
    > broadcast-key change seconds
    > end
    > copy running-config startup-config
    >
    > Rgds,
    > Shankar
    >
    >
    >
    > -----Original Message-----
    > From: Camillo Bucciarelli
    > [mailto:camillobucciarelli@yahoo.it]
    > Sent: Wednesday, March 03, 2004 3:03 PM
    > To: shankarnarayan.d@netsol.co.in
    > Subject: RE: 802.1x and PEAP
    >
    > Thanks,
    > this is what I need to know.
    >
    > I have another question: do I need to use 802.1x in
    > order to enable the
    > "broadcast key rotation"?
    >
    > Camillo
    >
    > shankarnarayan.d@netsol.co.in wrote:
    > The Lines below have been pulled straight from the
    > PEAP working draft. This
    > clearly defines that the initial negotiation of the
    > PEAP is as in the TLS -
    > thus providing the necessary security.
    > Hope this answers your question OR have I got it
    > wrong - If you believe this
    > is not the information that you were looking for
    > request you to please
    > rephrase your question
    >
    > Shankar
    >
    > Protected EAP (PEAP) Version 2 is comprised of a
    > two-part
    > conversation:
    >
    > [1] In Part 1, a TLS session is negotiated, with
    > server authenticating
    > to the client and optionally the client to the
    > server. The
    > negotiated key is then used to encrypt the rest of
    > the
    > conversation.
    >
    > [2] In Part 2, within the TLS session, zero or more
    > EAP methods are
    > carried out. Part 2 completes with a success/failure
    > indication
    > protected by the TLS session or a protected error
    > (TLS alert).
    >
    > The PEAP conversation typically begins with an
    > optional identity
    > exchange. The initial identity exchange is used
    > primarily to route the
    > EAP
    > conversation to the EAP server. Since the initial
    > identity exchange
    > is in the clear, the peer MAY decide to place a
    > routing realm instead
    > of its real name in the EAP-Response/Identity.
    >
    > In short, the first exchange is based on TLS where
    > certificates are used
    > much in the same way as that used in the EAP-TLS.
    > The remaining information
    > of identity etc is then pumped through the TLS
    > tunnel. Hence, EAP-TLS may be
    > one of the methods (actually the most common method)
    > used to establish the
    > tunnel (using certificates)
    >
    > Shankar
    >
    > -----Original Message-----
    > From: Camillo Bucciarelli
    > [mailto:camillobucciarelli@yahoo.it]
    > Sent: Tuesday, March 02, 2004 3:46 PM
    > To: security-basics@securityfocus.com
    > Subject: 802.1x and PEAP
    >
    > Good morning,
    > I'm looking for detailed information about the
    > Protected EAP. I can't understand what the
    > supplicant
    > and Access Server use to establish the TLS tunnel.
    > Here's an example:
    >
    > Authenticating Peer                 Authenticator
    > -------------------                 -------------
    >                                     <- EAP-Request/
    >                                        Identity
    > EAP-Response/
    > Identity (MyID) ->
    >                                     <- EAP-Request/
    >                                        EAP-Type=PEAP, V=0
    >                                        (PEAP Start, S bit set)
    >
    > EAP-Response/
    > EAP-Type=PEAP, V=0
    > (TLS client_hello) ->
    >                                     <- EAP-Request/
    >                                        EAP-Type=PEAP, V=0
    >                                        (TLS server_hello,
    >                                         TLS certificate,
    >                                        [TLS server_key_exchange,]
    >                                        [TLS certificate_request,]
    >                                         TLS server_hello_done)
    > EAP-Response/
    > EAP-Type=PEAP, V=0
    > ([TLS certificate,]
    >  TLS client_key_exchange,
    >  [TLS certificate_verify,]
    >  TLS change_cipher_spec,
    >  TLS finished) ->
    >                                     <- EAP-Request/
    >                                        EAP-Type=PEAP, V=0
    >                                        (TLS change_cipher_spec,
    >                                         TLS finished)
    > EAP-Response/
    > EAP-Type=PEAP ->
    >
    > TLS channel established
    > (messages sent within the TLS channel)
    >
    > They exchange a server_key_exchange and a
    > client_key_exchange used to derive the session key.
    >
    >
    > It seems to me that the key exchange between the
    > client and the server is done in clear text, but this
    > means that I can actually sniff this exchange. Now,
    > this seems not logical to me. Does anyone here have any
    > idea about "where" I am wrong? Do the two elements
    > hash the keys in some way? Or, another possibility,
    > do we actually have the client key encrypted with the
    > public key that belongs to the server - that is of
    > course available - and we have the server key *only*
    > that is transmitted in clear text? In the TLS
    > protocol of course the two keys are encrypted with the
    > public key of the "other end". But in PEAP?
    >
    > Thanks in advance,
    > Camillo
    >
    > =====
    > Camillo Bucciarelli
    >
    >
    >
    >
    >
    > ______________________________________________________________________
    > Yahoo! Mail: 6MB of free space, 30MB for your attachments,
    > antivirus, anti-spam filter
    > http://it.yahoo.com/mail_it/foot/?http://it.mail.yahoo.com/
    >
    > ---------------------------------------------------------------------------
    > Free 30-day trial: firewall with virus/spam
    > protection, URL filtering, VPN,
    > wireless security
    > 
    > Protect your network against hackers, viruses, spam
    > and other risks with
    > Astaro
    > Security Linux, the comprehensive security solution
    > that combines six
    > 
    === message truncated === 
    =====
    Camillo Bucciarelli
     
    ______________________________________________________________________
    Yahoo! Mail: 6MB of free space, 30MB for your attachments,
    antivirus, anti-spam filter
    http://it.yahoo.com/mail_it/foot/?http://it.mail.yahoo.com/
    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------
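Camillo's original question in the thread above, whether the PEAP key exchange can be sniffed, comes down to what TLS actually puts on the wire. The client_hello and server_hello randoms are sent in the clear, but with the RSA key exchange the pre_master_secret inside client_key_exchange is encrypted under the public key from the server's certificate (a server_key_exchange message only appears for ephemeral Diffie-Hellman or export RSA suites), and every later key, including the EAP keying material that the authentication server hands to the access point for unicast and broadcast key handling, is derived from that secret plus the two randoms. The Python below is an added example, not code from this thread, from Cisco, or from any PEAP implementation: it implements the TLS 1.0 PRF from RFC 2246, derives the master_secret, then derives the 64-byte MSK the way EAP-TLS and PEAPv0 do (PRF label "client EAP encryption"; PEAPv2, the draft quoted above, additionally mixes in inner-method keys, which is not shown). The handshake randoms and the pre_master_secret are constructed, fixed values so the run is reproducible; a real client draws all three from a CSPRNG.

```python
import hmac
import os


def p_hash(hash_name, secret, seed, length):
    """TLS 1.0 P_hash (RFC 2246, section 5): HMAC output chained over
    A(i) = HMAC(secret, A(i-1)), A(0) = seed, until `length` bytes exist."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XORed with
    P_SHA1 over the second half; the halves share one byte when the
    secret length is odd."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def master_secret(pre_master_secret, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random)[0..47]  (RFC 2246, 8.1)."""
    return tls10_prf(pre_master_secret, b"master secret",
                     client_random + server_random, 48)


def peap_msk(master, client_random, server_random):
    """EAP-TLS / PEAPv0 keying material: 128 bytes from the PRF with the
    label "client EAP encryption". The first 64 bytes are the MSK that the
    RADIUS server sends to the AP, from which the per-session unicast key
    is taken and under which the AP pushes the (rotating) broadcast key."""
    key_block = tls10_prf(master, b"client EAP encryption",
                          client_random + server_random, 128)
    return key_block[:64]


# Constructed handshake values (hypothetical, fixed so the run is
# reproducible; a real client draws all three from a CSPRNG). The two
# randoms travel in the clear in client_hello / server_hello. The
# pre_master_secret (2-byte client version 0x0301 followed by 46 random
# bytes) travels only inside client_key_exchange, RSA-encrypted to the
# public key in the server's certificate, so a sniffer never sees it.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER_SECRET = b"\x03\x01" + bytes(range(46))


def derive_session_keys(pre_master_secret=PRE_MASTER_SECRET,
                        client_random=CLIENT_RANDOM,
                        server_random=SERVER_RANDOM):
    """Return (master_secret, msk) for one handshake."""
    ms = master_secret(pre_master_secret, client_random, server_random)
    return ms, peap_msk(ms, client_random, server_random)


def eavesdropper_attempt(client_random=CLIENT_RANDOM,
                         server_random=SERVER_RANDOM):
    """What someone holding only the sniffable fields can do: supply a
    pre_master_secret of their own and run the same derivation. Without
    the real secret the result does not match the peers' keys."""
    guess = b"\x03\x01" + os.urandom(46)
    return derive_session_keys(guess, client_random, server_random)


if __name__ == "__main__":
    ms, msk = derive_session_keys()
    print("master_secret:", ms.hex())
    print("PEAP MSK     :", msk.hex())
    _, sniffed = eavesdropper_attempt()
    print("eavesdropper's MSK matches:", sniffed == msk)
```

The randoms are inputs to the PRF, not secrets, which is why sending them in the clear costs nothing; the whole security of the outer tunnel rests on the pre_master_secret, and that is exactly the field Camillo suspected was exposed but which the RSA encryption in client_key_exchange protects. The same derivation is what lets the RADIUS server and the supplicant end up with a matching MSK without the access point ever seeing the TLS handshake secrets.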
    

