Page 795 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 795
LEAP
Lightweight Extensible Authentication Protocol (LEAP) is a Cisco
proprietary alternative to TKIP for WPA. This was developed to
address deficiencies in TKIP before the 802.11i/WPA2 system was
ratified as a standard. An attack tool known as Asleap was released in
2004 that could exploit the ultimately weak protection provided by
LEAP. LEAP should be avoided when possible; use of EAP-TLS as an
alternative is recommended, but if LEAP is used, a complex password
is strongly recommended.
MAC Filter
A MAC filter is a list of authorized wireless client interface MAC
addresses that is used by a wireless access point to block access to all
nonauthorized devices. While a useful feature to implement, it can be
difficult to manage and tends to be used only in small, static
environments. Additionally, a hacker with basic wireless hacking tools
can discover the MAC address of a valid client and then spoof that
address onto their attack wireless client.
TKIP
Temporal Key Integrity Protocol (TKIP) was designed as the
replacement for WEP without requiring replacement of legacy wireless
hardware. TKIP was implemented into 802.11 wireless networking
under the name WPA (Wi-Fi Protected Access). TKIP improvements
include a key-mixing function that combines the initialization vector
(IV) (i.e., a random number) with the secret root key before using that
key with RC4 to perform encryption; a sequence counter is used to
prevent packet replay attacks; and a strong integrity check named
Michael is used.
TKIP and WPA were officially replaced by WPA2 in 2004.
Additionally, attacks specific to WPA and TKIP (i.e., coWPAtty and a
GPU-based cracking tool) have rendered WPA’s security unreliable.
CCMP
CCMP (Counter Mode with Cipher Block Chaining Message
