Home page logo
/

basics logo Security Basics mailing list archives

RE: 802.1x and PEAP
From: shankarnarayan.d () netsol co in
Date: Fri, 5 Mar 2004 15:57:36 +0530


The algorithms used on the "Cisco Access Points" for TKIP & MIC are
proprietary to Cisco - pre-standard implementations (to put it in Cisco
Terminology). The word standard here refers to the proposed 802.11i (now in
draft).  As all the vendors have not accepted MIC and TKIP, in effect the
use of TKIP and MIC on Cisco Access Points would remain NOT Inter-operable. 

As the mail below rightly points out, WPA is an alternative, but vendors
have to support it. 

Just to add, WPA which can be called an interim fix-up uses two approaches -
the pre-shared key (between the AP and the Client) approach and the RADIUS
approach. The RADIUS approach is more for an Organization, whereas the
Pre-shared key approach is used for the home gateway users, given home users
cannot afford a RADIUS server.

Shankar




-----Original Message-----
From: Rosenhan, David [mailto:David.Rosenhan () swiftbrands com] 
Sent: Friday, March 05, 2004 1:48 AM
To: Camillo Bucciarelli
Cc: security-basics () securityfocus com; shankarnarayan.d () netsol co in
Subject: RE: 802.1x and PEAP

Camillo,

Broadcast key rotation can only be done with an authentication server. 

TKIP and MIC are Cisco proprietary, if you have an AP running VXWorks
and not IOS they you won't get a different vendors card other then a 340
or 350 card to work with TKIP and MIC, period, even if you upgrade to
IOS a different vendors card will not work with TKIP and MIC, but there
are other options with IOS.

If you upgrade to IOS on your AP (1200's and 350 AP's are up-gradable to
IOS) then you have some new options, you can now use new IEEE standards
like WPA, the problem is the manufacturers card has to support it.  WPA
is really new, even with Cisco 340 and 350 cards you have to use a
separate piece of software (Like the Funk Odyssey client) to use WPA
pre-shared keys.  IEEE also included TKIP with WPA and you don't need a
server to use it with the new IOS software on the 1200 and 350 AP's.
Plus there are options for EAP with WPA and broadcast key rotation with
authentication to a RADIUS server (Cisco has doc's that talk about how
the ACS server works with all of this on their website).

Thanks!

David Rosenhan, CCNP
Information Technology


-----Original Message-----
From: Camillo Bucciarelli [mailto:camillobucciarelli () yahoo it] 
Sent: Thursday, March 04, 2004 8:43 AM
To: shankarnarayan.d () netsol co in
Cc: security-basics () securityfocus com
Subject: RE: 802.1x and PEAP

Can I  use these features(Enhanced MIC verification
for WEP, Temporal Key Integrity Protocol, Broadcast
WEP Key rotation) with a non-cisco wireless adatpter?
Such as a 3com wireless PCMCIA? 
Actually I've tried a cisco aironet 340 wireless card.

Regards,
Camillo Bucciarelli

 --- shankarnarayan.d () netsol co in ha scritto: > This
can be done best on the wireless networks
having AP's from Cisco. The
others are still in the process of accomplishing the
same on their Access
Points (most have done it, some are yet to
accomplish the same). The
broadcast key is negotiated for the first time and
then the same is changed
at periodic intervals (configurable by an
administrator). The old broadcast
key is used to encrypt the new key and the same is
broadcast out to all the
clients on the access point at the expiry of the
administrator defined time
limit. On a Cisco you would use the following
commands on the Aironet 1100/
1200 (with IOS) in order
 
BM_1036542configure terminal
BM_1036548 
interface dot11radio { 0 | 1 }
 
broadcast-key change seconds
BM_1036574 
end
BM_1036580 
copy running-config startup-config
 
Rgds,
Shankar
 
 
 
-----Original Message-----
From: Camillo Bucciarelli
[mailto:camillobucciarelli () yahoo it] 
Sent: Wednesday, March 03, 2004 3:03 PM
To: shankarnarayan.d () netsol co in
Subject: RE: 802.1x and PEAP
 
Thanks,
this is what I need to know.
 
I have another question: I need to use 802.1x in
order to enable the
"broadcast key rotation"?
 
Camillo

shankarnarayan.d () netsol co in wrote:
The Lines below have been pulled straight from the
PEAP working draft. This
clearly defines that the initial negotiation of the
PEAP is as in the TLS -
thus providing the necessary security.
Hope this answers your question OR have I got it
wrong - If you believe this
is not the information that you were looking for
request you to please
rephrase your question

Shankar

Protected EAP (PEAP) Version 2 is comprised of a
two-part
conversation:

[1] In Part 1, a TLS session is negotiated, with
server authenticating
to the client and optionally the client to the
server. The
negotiated key is then used to encrypt the rest of
the
conversation.

[2] In Part 2, within the TLS session, zero or more
EAP methods are
carried out. Part 2 completes with a success/failure
indication
protected by the TLS session or a protected error
(TLS alert).

The PEAP conversation typically begins with an
optional identity
exchange. The initial identity exchange is used
primarily to route the
EAP
conversation to the EAP server. Since the initial
identity exchange
is in the clear, the peer MAY decide to place a
routing realm instead
of its real name in the EAP-Response/Identity.

In short, the first exchange is based on TLS where
certificates are used
much in the same way as that used in the EAP-TLS.
The remaining information
of identity etc is then pumped through the TLS
tunnel. Hence, EAP-TLS may be
one of the methods (actually the most common method)
used to establish the
tunnel (using certificates)

Shankar

-----Original Message-----
From: Camillo Bucciarelli
[mailto:camillobucciarelli () yahoo it] 
Sent: Tuesday, March 02, 2004 3:46 PM
To: security-basics () securityfocus com
Subject: 802.1x and PEAP

Good morning,
I'm looking for detailed information about the
Protected EAP. I can't understand what the
supplicant
and Access Server use to establish the TLS tunnel.
Here's an example:

Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID) ->
<- EAP-Request/
EAP-Type=PEAP, V=0
(PEAP Start, S bit set)

EAP-Response/
EAP-Type=PEAP, V=0
(TLS client_hello)->
<- EAP-Request/
EAP-Type=PEAP, V=0
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=PEAP, V=0
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=PEAP, V=0
(TLS change_cipher_spec,
TLS finished)
EAP-Response/
EAP-Type=PEAP ->

TLS channel established
(messages sent within the TLS channel)

They exchange a server_key_exchange and a
client_key_exchange used to derive the session key. 


It seems to me that the key exchange between the
client and the server is done in clear text, but
this
means that I can actually sniff this exchange. Now,
this seems not logical to me. Anyone here has any
idea about "where" I am wrong ? Do the two elements
hash in some way the keys ? Or, another possibility,
do we actually have the client key encrypted with
the
public key that belongs to the server - that is of
course available - and we have the server key *only*
that is transmitted in clear text ? In the TLS
protocol of course the two key are encrypted with
the
ublic key of the "other end". But in PEAP ?

Thanks in advance,
Camillo

=====
Camillo Bucciarelli





______________________________________________________________________
Yahoo! Mail: 6MB di spazio gratuito, 30MB per i tuoi
allegati, l'antivirus,
il filtro Anti-spam

http://it.yahoo.com/mail_it/foot/?http://it.mail.yahoo.com/


------------------------------------------------------------------------
---
Free 30-day trial: firewall with virus/spam
protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam
and other risks with
Astaro
Security Linux, the comprehensive security solution
that combines six

=== message truncated === 

=====
Camillo Bucciarelli
 



______________________________________________________________________
Yahoo! Mail: 6MB di spazio gratuito, 30MB per i tuoi allegati,
l'antivirus, il filtro Anti-spam
http://it.yahoo.com/mail_it/foot/?http://it.mail.yahoo.com/

------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off 
any course! All of our class sizes are guaranteed to be 10 students or
less 
to facilitate one-on-one interaction with one of our expert instructors.

Attend a course taught by an expert instructor with years of
in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization.

Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault