Page 794 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 794

(Key Reinstallation AttaCKs) was disclosed that is able to corrupt the
               initial four-way handshake between a client and WAP into reusing a

               previously used key and in some cases use a key composed of only
               zeros. Most vulnerable wireless devices have been updated or an
               update is available to resolve this issue. For more information, see
               https://www.krackattacks.com/.


               802.1X/EAP

               Both WPA and WPA2 support the enterprise authentication known as
               802.1X/EAP, a standard port-based network access control that

               ensures that clients cannot communicate with a resource until proper
               authentication has taken place. Effectively, 802.1X is a hand-off
               system that allows the wireless network to leverage the existing
               network infrastructure’s authentication services. Through the use of
               802.1X, other techniques and solutions such as Remote
               Authentication Dial-In User Service (RADIUS), Terminal Access
               Controller Access Control System (TACACS), certificates, smart cards,

               token devices, and biometrics can be integrated into wireless networks
               providing techniques for both mutual and multifactor authentication.

               Extensible Authentication Protocol (EAP) is not a specific mechanism
               of authentication; rather it is an authentication framework. Effectively,
               EAP allows for new authentication technologies to be compatible with
               existing wireless or point-to-point connection technologies. More than
               40 different EAP methods of authentication are widely supported.

               These include the wireless methods of LEAP, EAP-TLS, EAP-SIM,
               EAP-AKA, and EAP-TTLS. Not all EAP methods are secure. For
               example, EAP-MD5 and a pre-release EAP known as LEAP are also
               crackable.


               PEAP

               Protected Extensible Authentication Protocol (PEAP) encapsulates
               EAP methods within a TLS tunnel that provides authentication and
               potentially encryption. Since EAP was originally designed for use over

               physically isolated channels and hence assumed secured pathways,
               EAP is usually not encrypted. So PEAP can provide encryption for EAP
               methods.
   789   790   791   792   793   794   795   796   797   798   799