Appendix B Wireless LANs
EMG6726/8726-B10A User’s Guide
292
EAP-MD5 (Message-Digest Algorithm 5)
MD5 authentication is the simplest one-way authentication method. The authentication server sends a
challenge to the wireless client. The wireless client ‘proves’ that it knows the password by encrypting the
password with the challenge and sends back the information. Password is not sent in plain text.
However, MD5 authentication has some weaknesses. Since the authentication server needs to get the
plaintext passwords, the passwords must be stored. Thus someone other than the authentication server
may access the password file. In addition, it is possible to impersonate an authentication server as MD5
authentication method does not perform mutual authentication. Finally, MD5 authentication method
does not support data encryption with dynamic session key.
EAP-TLS (Transport Layer Security)
With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual
authentication. The server presents a certificate to the client. After validating the identity of the server,
the client sends a different certificate to the server. The exchange of certificates is done in the open
before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital
certificate is an electronic ID card that authenticates the sender’s identity. However, to implement EAP-
TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management
overhead.
EAP-TTLS (Tunneled Transport Layer Service)
EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side
authentications to establish a secure connection. Client authentication is then done by sending
username and password through the secure connection, thus client identity is protected. For client
authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP,
MS-CHAP and MS-CHAP v2.
PEAP (Protected EAP)
Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use
simple username and password methods through the secured connection to authenticate the clients,
thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2
and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by
Cisco.
Encryption
AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm
called Rijndael. AES includes a per-packet key mixing function, a Message Integrity Check (MIC) named
Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.
The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy
and management system, using the PMK to dynamically generate unique data encryption keys to
encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This
all happens in the background automatically.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets,
altering them and resending them. The MIC provides a strong mathematical function in which the
receiver and the transmitter each compute and then compare the MIC. If they do not match, it is
assumed that the data has been tampered with and the packet is dropped.