CompTIA Security+ 501

CompTIA Security+ SY0-501
Instructor: Ron Woerner, CISSP, CISM

CompTIA Security+ Domain 6 – Cryptography & PKI
6.3 Given a scenario, install and configure wireless security settings

Cybrary - Ron Woerner

6.3 Wireless Security

● Methods
  ○ PSK vs. Enterprise vs. Open
  ○ WPS
  ○ Captive portals
● Cryptographic protocols
  ○ WPA
  ○ WPA2
  ○ CCMP
  ○ TKIP
● Authentication protocols
  ○ EAP
  ○ PEAP
  ○ EAP-FAST
  ○ EAP-TLS
  ○ EAP-TTLS
  ○ IEEE 802.1x
  ○ RADIUS Federation

Wireless Access Methods

● Open authentication – only need to know the network name / SSID
  ○ Captive portal - web page that is launched first when connecting through a network
● Shared Authentication
  ○ The client and the wireless access point must negotiate and share a key prior to initiating communications
  ○ Pre-shared key (PSK): each user uses the same key to connect to the Wi-Fi network.
● Enterprise
  ○ A server handles distribution of cryptographic keys and/or digital certificates
  ○ Extensible Authentication Protocol (EAP)

Wi-Fi Protected Setup (WPS)

● Standard to simplify Wireless Access Point (AP) set-up for home users

Three modes:
● PIN entry
● Push-button configuration (PBC)
● Near Field Communication (NFC)

Wireless Cryptographic Protocols

● Wired Equivalent Privacy (WEP): This original wireless encryption standard should not be used today
● Wi-Fi Protected Access (WPA): WPA was developed in response to security concerns over WEP
● Wi-Fi Protected Access Version 2 (WPA2)
  ○ Required for Wi-Fi certified devices
  ○ Uses AES for encryption
  ○ Based on the IEEE 802.11i standard

Wi-Fi Protected Access

● WPA-Personal (WPA-PSK)
  ○ Uses a pre-shared key to authenticate and validate users on a wireless LAN (WLAN) or Wi-Fi connection
● WPA-Enterprise (WPA-802.1X)
  ○ Increased security for larger organizations
  ○ Requires RADIUS authentication server
● Temporal Key Integrity Protocol (TKIP)
  ○ Based on RC4
  ○ Uses a unique key with each packet
  ○ Considered deprecated

Wi-Fi Protected Access 2 (WPA2)

● Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
  ○ Replaced TKIP
  ○ Based on AES encryption cipher
  ○ CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity
● Fully implements the IEEE 802.11i-2004 Wi-Fi security standards

Authentication protocols

● EAP
  ○ Requires an authentication server
  ○ Allows authentication methods beyond username/password
  ○ Provides support for public certificates
  ○ Four modes
    ■ PEAP – Protected EAP
    ■ EAP-TLS – EAP-Transport Layer Security
    ■ EAP-TTLS – EAP Tunneled Transport Layer Security
    ■ EAP-FAST – EAP Flexible Authentication via Secure Tunneling

Extensible Authentication Protocol (EAP)

● PEAP
● EAP-FAST
● EAP-TLS
● EAP-TTLS

Authentication protocols

● IEEE 802.1x
  ○ The IEEE standard for port-based network access control.
● RADIUS Federation
  ○ Using RADIUS to authenticate between entities.
  ○ As part of PEAP negotiation, client establishes a TLS session with a RADIUS server
  ○ Client authenticates with RADIUS server

Exam Preparation

Also known as WPA-Personal, this is a security mechanism used to authenticate and validate users on a wireless LAN (WLAN) or Wi-Fi connection?

A. WPA-PSK
B. PEAP
C. WPA-TKIP
D. WPA-CCMP

Exam Preparation

This network authentication protocol uses digital certificate-based mutual authentication, which occurs automatically with no intervention by the user.

A. PEAP
B. EAP-FAST
C. EAP-TLS
D. EAP-TTLS