User's Manual

USER GUIDE
TTLS: Tunneled TLS uses a TLS tunnel to create a secure connection between the device and
the AP before user credentials are exchanged. The TLS tunnel is created using a server-based
certificate only. Once the TLS tunnel exists, the supplicant authenticates with the server using
CHAP or MSCHAP. The credentials can even be sent in clear text because the traffic inside the
tunnel is protected. Advantages: easy to manage (one server certificate, no client certificate),
very strong security because of mutual authentication, uses legacy CHAP or most other protocols
for client authentication, the user is authenticated rather than the device. Disadvantages: not
an industry standard, not universally supported by all clients.
PEAP: Protected EAP is nearly identical to TTLS in its authentication mechanism. Advantages:
see TTLS; IETF standard (soon). Disadvantages: doesn't support legacy CHAP procedures.
ENCRYPTION
Encryption requires a cipher and a key. The cipher is the algorithm used to modify clear text
based on the key. Two ciphers used in the wireless world are Wired Equivalent Privacy (WEP)
and Advanced Encryption Standard (AES). The security of the cipher is greatly affected by the
size of the key and how often it's changed. A cipher is either stream based or block based, and
both fall under the category of Electronic Code Book (ECB) encryption. In general, the clear
text is XORed with the key stream to produce the encrypted text. Since it would be extremely
easy to crack an encryption key if it were NEVER changed, the concept of a rolling initialization
vector (IV) was introduced; the IV is combined with the key so the same clear text isn't sent out
with the same encryption every time. The size of the IV is relatively small (24 bits), which
introduces the issue of IV reuse and only slightly prolongs how long the network stays secure. An
even more robust method of encryption uses the concept of feedback to remember the current
encrypted packet as the next key, thus creating a chain of dependent frames referred to as Cipher
Block Chaining (CBC).
WEP: WEP is based on the RC4 cipher, which has been around for quite some time. It is a
stream cipher with a key length of 64, 128 or 152 bits and a 24-bit IV. Since it doesn't have a
feedback mechanism like Cipher Block Chaining (CBC), it is not computationally intense.
AES: AES is a standard designed to replace the current DES scheme and uses a minimum of 152 bits.
There are two prevailing schemes (of about 20 total) using the AES cipher: Offset Code Book
(OCB) and Cipher Block Chaining with Counter Mode (CCM). Both are extremely secure; CCM
was chosen as the mandatory scheme for 802.11i.
Static Default Key Operation: The Access Point and the device both maintain a table of four
available key slots while using static keys. Each key slot is assigned a number (0-3), and one slot
is selected as the default transmit key slot. Every encrypted packet includes the key slot number
used to encrypt the data so the receiver can decrypt it. This requires each station and the Access
Point to have identical keys configured in identical slots. The default transmit key slot can be
different on the device and the AP, allowing the use of a different key in each direction of
transmission. The static session key has a security risk in that the same key is used for all
transmissions, making it more vulnerable to long-term attacks. Additional static key security is
available with a unique key.
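As an added illustration of the per-frame IV and static default key operation described above (this is not the device firmware or any code from this manual), the following toy Python model prepends a 24-bit IV to a 104-bit slot key (the "128-bit" WEP key size), XORs an RC4 keystream onto the payload, and keeps the four-slot key table with a separate default transmit slot on each side. The frame layout, keys, IVs and payloads are constructed for the demonstration; the integrity check value and real 802.11 framing are omitted. It also shows why the 24-bit IV "only slightly prolongs" security: with randomly chosen IVs the first repeat is expected after only about 5,100 frames.

```python
"""Toy model of the static default key operation and per-frame IV described in
this manual. Added illustration only: not the device firmware and not WEP as
specified (no ICV/CRC, no 802.11 header). Keys, IVs and payloads are constructed."""
import math
import os
from typing import List, Optional

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 distinct IVs
KEY_BYTES = 13                   # 104-bit key + 24-bit IV = the "128-bit" WEP key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling, then `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, slot: int, iv: bytes, payload: bytes) -> bytes:
    """Frame layout used here (constructed): 3-byte IV || 1-byte key slot id || ciphertext.
    Keystream = RC4(IV || key), so a fresh IV yields a fresh keystream for the same key."""
    if slot not in range(4):
        raise ValueError("key slot id must be 0-3")
    if len(iv) != IV_BITS // 8:
        raise ValueError("IV must be 24 bits")
    ks = rc4_keystream(iv + key, len(payload))
    return iv + bytes([slot]) + bytes(p ^ k for p, k in zip(payload, ks))


class Station:
    """One side of the link: four static key slots plus its own default transmit slot."""

    def __init__(self, keys: List[Optional[bytes]], default_tx_slot: int):
        if len(keys) != 4:
            raise ValueError("exactly four key slots")
        self.keys = list(keys)
        self.default_tx_slot = default_tx_slot

    def send(self, payload: bytes, iv: Optional[bytes] = None) -> bytes:
        key = self.keys[self.default_tx_slot]
        if key is None:
            raise ValueError(f"no key in default transmit slot {self.default_tx_slot}")
        return wep_encrypt(key, self.default_tx_slot, os.urandom(3) if iv is None else iv, payload)

    def receive(self, frame: bytes) -> bytes:
        """Select the key by the slot id carried in the frame; if that slot holds a
        different key than the sender's, the XOR simply yields garbage."""
        iv, slot, body = frame[:3], frame[3], frame[4:]
        key = self.keys[slot]
        if key is None:
            raise ValueError(f"no key configured in slot {slot}")
        ks = rc4_keystream(iv + key, len(body))
        return bytes(c ^ k for c, k in zip(body, ks))


def iv_effect(key: bytes, payload: bytes) -> dict:
    """Same key and IV -> identical ciphertext; fresh IV -> different ciphertext."""
    a = wep_encrypt(key, 0, b"\x00\x00\x01", payload)[4:]
    b = wep_encrypt(key, 0, b"\x00\x00\x01", payload)[4:]
    c = wep_encrypt(key, 0, b"\x00\x00\x02", payload)[4:]
    return {"same_iv_same_ct": a == b, "fresh_iv_new_ct": a != c}


def expected_frames_until_iv_repeat() -> float:
    """Birthday estimate for randomly chosen 24-bit IVs: sqrt(pi/2 * 2^24), about 5,134 frames."""
    return math.sqrt(math.pi / 2 * IV_SPACE)


def demo() -> dict:
    """AP transmits on slot 1, station replies on slot 3 (different default slot per direction);
    a station whose slot 1 holds a different key cannot recover the AP's payload."""
    keys = [bytes([b]) * KEY_BYTES for b in (0x11, 0x22, 0x33, 0x44)]   # constructed keys
    ap = Station(keys, default_tx_slot=1)
    sta = Station(keys, default_tx_slot=3)
    misconfigured = Station([keys[0], bytes(KEY_BYTES), keys[2], keys[3]], default_tx_slot=3)
    down = ap.send(b"hello station", iv=b"\x00\x00\x01")
    up = sta.send(b"hello ap", iv=b"\x00\x00\x02")
    return {
        "down_slot": down[3],
        "up_slot": up[3],
        "down_ok": sta.receive(down) == b"hello station",
        "up_ok": ap.receive(up) == b"hello ap",
        "mismatch_ok": misconfigured.receive(down) == b"hello station",
    }


if __name__ == "__main__":
    print(demo())
    print(iv_effect(bytes(KEY_BYTES), b"constructed payload"))
    print(f"IV space {IV_SPACE:,}; expected frames before a repeat ~{expected_frames_until_iv_repeat():.0f}")
```

The slot id travels in the clear in every frame, which is exactly what lets the two sides use different default transmit slots; what it does not do is detect a mismatched key, so a station with the wrong key in the named slot just produces garbage rather than an error.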