1 00:00:01,040 --> 00:00:04,970 Let's now take a look at Wi-Fi network authentication methods.
2 00:00:04,970 --> 00:00:11,630 There are three authentication options. Access points might perform authentication without verifying
3 00:00:11,630 --> 00:00:13,830 user identity.
4 00:00:14,000 --> 00:00:22,080 If that's the case, anybody can connect to the wireless LAN. User identity can be verified through checking
5 00:00:22,080 --> 00:00:28,680 if they know a shared secret, usually submitted while the client is trying to connect to the protected
6 00:00:28,680 --> 00:00:30,450 network.
7 00:00:30,460 --> 00:00:34,420 It's crucial that you understand that these two are completely different technologies.
8 00:00:35,660 --> 00:00:37,520 One is used for authentication.
9 00:00:37,640 --> 00:00:39,360 We're talking about that now.
10 00:00:40,080 --> 00:00:44,380 The other ensures the confidentiality of data. We'll cover this in a moment.
11 00:00:46,210 --> 00:00:53,970 The third wireless authentication method involves the use of a RADIUS server and the 802.1X protocols.
12 00:00:54,110 --> 00:01:01,170 We've already talked about this set of protocols. To quickly remind you, in this case an access point
13 00:01:01,170 --> 00:01:08,530 is configured as a RADIUS server client. Using the EAP protocol, the RADIUS server forwards the client-
14 00:01:08,530 --> 00:01:10,420 submitted authentication credentials,
15 00:01:13,250 --> 00:01:16,320 and the server verifies the user's identity.
16 00:01:16,320 --> 00:01:24,010 If you use a RADIUS server and the 802.1X protocol, shared secrets are not used. Each user has
17 00:01:24,010 --> 00:01:25,150 his own password.
18 00:01:26,760 --> 00:01:29,910 The user logs on to his account and his identity is verified.
19 00:01:31,670 --> 00:01:34,860 The solution is both more secure and more functional.
20 00:01:37,640 --> 00:01:42,750 The three authentication methods can be used together with various encryption methods.
21 00:01:42,750 --> 00:01:44,950 Not all combinations will be a good fit.
22 00:01:45,000 --> 00:01:46,440 You can try several of them.
23 00:01:49,710 --> 00:01:55,670 We've already mentioned open system networks that don't perform user verification.
24 00:01:55,680 --> 00:01:59,970 This is a part of the 802.11 standard.
25 00:02:00,030 --> 00:02:03,220 It's enough to submit the name of an open network and connect to it.
26 00:02:04,940 --> 00:02:12,580 A network name field can also be referred to as an SSID or a network identifier; they signify the same
27 00:02:12,580 --> 00:02:15,360 thing.
28 00:02:15,420 --> 00:02:20,530 The legality of connecting to other people's open wireless networks varies depending on the country.
29 00:02:22,210 --> 00:02:27,250 In the Netherlands, for example, an active intrusion into an unprotected wireless network is not considered
30 00:02:27,250 --> 00:02:28,080 a crime.
31 00:02:29,310 --> 00:02:33,870 It's similar in Germany: while it is a crime there,
32 00:02:34,000 --> 00:02:38,460 it's seen as the fault of the wireless service providers who jeopardize the safety of their customers
33 00:02:38,640 --> 00:02:41,260 by providing them with insufficient protection.
34 00:02:43,040 --> 00:02:47,530 In the majority of countries, however, it's the attacker who will be held responsible for the acts.
35 00:02:51,880 --> 00:02:53,800 In the case of open networks,
36 00:02:53,800 --> 00:02:58,970 the identities of users and computers are verified against the MAC addresses of the network cards.
37 00:03:00,110 --> 00:03:03,900 An open wireless network can also use encryption for transmitted data.
38 00:03:07,640 --> 00:03:14,730 What security is used for this purpose? Open system authentication with WEP key encryption means the
39 00:03:14,730 --> 00:03:21,460 validity of the WEP keys will not be verified, since frames are encrypted with this key and the access point
40 00:03:21,460 --> 00:03:23,780 will reject the frames that can't be decrypted.
41 00:03:27,150 --> 00:03:30,820 The second protection measure is using a pre-shared key.
42 00:03:30,870 --> 00:03:38,210 It's a hugely popular authentication method in home LANs. Before I move on to describe how clients
43 00:03:38,210 --> 00:03:39,800 are authenticated,
44 00:03:39,870 --> 00:03:46,880 we'll talk a bit about the drawbacks of this solution. If more than two persons share a secret,
45 00:03:46,880 --> 00:03:53,600 it's no longer a secret. The key must be submitted on all computers that want to establish a connection
46 00:03:53,600 --> 00:04:02,570 with a given wireless LAN. There's no mechanism for that, so we do it manually. That's why we will probably
47 00:04:02,570 --> 00:04:04,160 never change a set key.
48 00:04:05,770 --> 00:04:08,800 A shared secret which is not a secret and is never changed
49 00:04:08,800 --> 00:04:13,230 doesn't guarantee any security. We'll discover this
50 00:04:13,240 --> 00:04:20,900 in the second part of our module. Leaving aside the questions of authentication effectiveness, let's now
51 00:04:20,930 --> 00:04:27,270 see how this process looks.
52 00:04:27,290 --> 00:04:31,190 The technique makes use of the challenge-response mechanism we already know.
53 00:04:32,780 --> 00:04:35,580 A client attempts to contact a selected wireless LAN.
54 00:04:38,530 --> 00:04:42,750 An access point generates a pseudo-random challenge message and sends it to the client.
55 00:04:45,190 --> 00:04:49,050 The client then has to encrypt the received challenge with the pre-shared key,
56 00:04:49,060 --> 00:04:58,910 the PSK, and send the encrypted response to the access point.
57 00:04:59,040 --> 00:05:05,030 Next, the AP decrypts the ciphertext and compares it against the challenge sent earlier. If
58 00:05:05,030 --> 00:05:05,990 the results match,
59 00:05:05,990 --> 00:05:10,580 this means that the same key was used to encrypt and decrypt the message, implying that the client was
60 00:05:10,580 --> 00:05:17,590 in possession of the key and was authorized to connect to the WLAN.
61 00:05:17,720 --> 00:05:23,680 The system for sending challenge and response messages is not protected in any way.
62 00:05:23,680 --> 00:05:26,880 Note that the key itself is not transmitted over the network.
63 00:05:28,450 --> 00:05:32,140 Only the data encrypted with the key is transmitted.
64 00:05:32,370 --> 00:05:38,280 When we examine threats related to Wi-Fi security, it will turn out that the process can be reversed.
65 00:05:39,310 --> 00:05:41,980 By intercepting the challenge and response messages,
66 00:05:42,100 --> 00:05:43,730 we can extract the PSK.
67 00:05:47,080 --> 00:05:48,920 Since all users share the key,
68 00:05:49,030 --> 00:05:56,260 all users also share medium access. In those WLANs that use PSK user authentication,
69 00:05:56,270 --> 00:06:00,380 all users have access to the same medium.
70 00:06:00,380 --> 00:06:08,500 This is like being in a local area network connected with hubs: packets are received by all clients.
71 00:06:08,500 --> 00:06:13,000 It depends on the mode used by the receiver's network card whether to reject the packets that aren't addressed
72 00:06:13,000 --> 00:06:20,970 to it or to choose to intercept and modify them.
73 00:06:20,980 --> 00:06:27,300 The only secure method for verifying wireless network user identity is provided by the use of the
74 00:06:27,300 --> 00:06:31,320 802.1X standard.
75 00:06:31,430 --> 00:06:38,090 If you configure an access point as a RADIUS server client, you will need to submit a shared secret.
76 00:06:38,120 --> 00:06:43,730 In this case the secret will be shared by the access point and the RADIUS server, and not by the wireless network
77 00:06:43,780 --> 00:06:44,580 users.
78 00:06:48,030 --> 00:06:53,290 This will allow the AP to check the identity of users who want to establish a connection.
79 00:06:53,340 --> 00:06:56,130 Each person will have their own identity.
80 00:06:56,130 --> 00:06:58,910 Each person will have their own secret.
81 00:06:58,930 --> 00:07:04,690 For example, the passwords stored in Active Directory.
82 00:07:04,720 --> 00:07:09,840 This means that the RADIUS server will be an Active Directory server client.
83 00:07:09,980 --> 00:07:16,740 It will forward questions, usually according to this pattern: first it will ask whether the user who claims
84 00:07:16,740 --> 00:07:23,100 to be Bob has already submitted a correct password; the next request will ask for proof that a given
85 00:07:23,100 --> 00:07:26,670 user is authorized to connect to an office WLAN using Wi-Fi.
86 00:07:32,310 --> 00:07:39,040 A more secure version of this mechanism verifies the identity of users or computers against their certificates.
87 00:07:39,040 --> 00:07:40,930 This does seem very complicated.
88 00:07:48,100 --> 00:07:53,230 Other than an access point, you need a computer used as a RADIUS server and also a domain controller
89 00:07:53,230 --> 00:08:00,470 for this. As you see, the infrastructure is extensive.
90 00:08:00,470 --> 00:08:07,810 This is why this solution is not generally deployed in home LANs. While it does bring a lot more security,
91 00:08:07,820 --> 00:08:12,520 it's excessive if there are only three or four users in a home network.
92 00:08:12,530 --> 00:08:18,090 As for business LANs with 5 or more users, however, I'd strongly recommend configuring a computer as
93 00:08:18,090 --> 00:08:25,600 the domain controller or as a RADIUS server. We'll see that this solution will secure a network against
94 00:08:25,630 --> 00:08:26,810 all known attacks.