This chapter gives examples of connecting wireless computers to the SISO router using secure communications. The chapter first explains WEP based encryption. It then quickly moves on to more secure methods such as WPA and RSN. It describes how to generate X.509 certificates, and continues with configuration examples for the access point and Linux and Windows/XP wireless hosts.
This chapter is a part of the "Secure Internet Appliance for Small Office / Home Office HOWTO". It relies on the environment variables listed in Section 2.1, “Environment Variables”.
Wireless connections require authentication, confidentiality and integrity. This will use the following definitions:
SUPPLICANT is the daemon running on the wireless host.
AUTHENTICATOR is the daemon running on the wireless access point.
AUTHENTICATION SERVER is the daemon that is responsible for the actual authentication, authorization and accounting.
The initial IEEE 802.11 WiFi standard introduced Wired Equivalent Privacy (WEP) as a scheme used to secure wireless networks. Example F.1, “/etc/sysconfig/network/ath0.conf” shows an example configuration to enables WEP on the SISO router. Cryptographers soon identified several serious weaknesses. Automated tools to eavesdropping on the network can easily reveal the single shared key .
In 2003, WEP was superseded by WiFi Protected Access (WPA), and then by the full IEEE 802.11i standard (also known as RSN or WPA2) in 2004 . The difference between the WPA and RSN can be summarized as:
802.11i Transition Security Network (TSN) = WPA = 802.1x + TKPI
802.11i Robust Secure Network (RSN) = WPA2 = 802.1x + CCMP
The list below shows the connection phases for 802.11i. A more detailed description can be found in "IEEE 802.11i Overview" .
DISCOVERY. The supplicant probes the authenticator, which replies with its station identifier and a list of supported authentication and cipher suites. The supplicant then replies with the authentication and cipher suite of its choosing.
AUTHENTICATION. The supplicant and the authentication server authenticate using any of the mechanism supported by the Extensible Authentication Protocol (EAP) transport. Examples are X.509 certificates and CHAP. The conversation is most often carried over an encrypted tunnel (TLS) over 802.1X.
The authenticator translates between the 802.1X protocol used by the supplicant and the RADIUS protocol used by the authentication server. After a successful authentication the (Layer 2) port is opened for the supplicant.
CONFIDENTIALITY AND INTEGRITY. Two key management methods exist:
Temporary Key Integrity Protocol (TKIP) uses the RC4 cryptographic algorithm. This is a smarter use of the same algorithm as used by WEP and is supported by older WiFi cards. A supplicant supporting 802.1X and TKIP is often available as a firmware upgrade for older WiFi cards.
Counter Mode with CBC-MAC Protocol (CCMP) uses the more CPU-intensive AES cryptographic algorithm. Newer WiFi cards implement this algorithm in hardware. For older cards the device driver may implement it.
DATA PROTECTION. The above steps results in a secure wireless communication channel.