Chapter 8
Review Questions
1. A wireless LAN requires that the _____ must be authenticated first.
a. supplicant
b. authenticator
c. authentication server
d. user
Answer: a. supplicant
2. Each of the following is one of the AAA elements in network security except
a. determining user need (analyzing)
b. controlling access to network resources (authentication)
c. enforcing security policies (authorization)
d. auditing usage (accounting)
Answer: a. determining user need (analyzing)
3. Each of the following is a category of credentials used to verify authentication except
a. something the user knows
b. something the user purchases
c. something the user is
d. something the user has
Answer: b. something the user purchases
4. Each of the following human characteristics can be used for biometric identification except
a. fingerprint
b. face
c. iris
d. weight
Answer: d. weight
5. Asymmetric encryption uses _____ keys.
a. two
b. three
c. four
d. five
Answer: a. two (a public key and a private key)
6. Digital signatures are electronic files that are used to uniquely identify users and resources over networks. True or False? False. That statement describes digital certificates; a digital signature is a hash of a message encrypted with the signer's private key.
7. Some organizations set up a subordinate server, called a registration authority (RA), to handle some certification authority (CA) tasks such as processing certificate requests and authenticating users. True or False? True.
8. The most common type of server used with IEEE 802.1x is a RADIUS server. True or False? True.
9. A directory service is a database stored on the network itself and contains all the information about users and network devices. True or False? True.
10. A disadvantage of the Lightweight Directory Access Protocol (LDAP) is that it can only be used on Windows-based computers. True or False? False. LDAP is an open, vendor-neutral protocol that is implemented on Windows, Linux, UNIX and other systems.
11. A(n) _____ uses local authentication with one or more RADIUS servers at each site, yet the authentication database is replicated from one central site to each local site. distributed autonomous site deployment
12. The _____ is an "envelope" that can carry many different kinds of exchange data used for authentication, such as a challenge/response, one-time passwords, and digital certificates. Extensible Authentication Protocol (EAP)
13. _____ is considered an acceptable protocol for use in a wired network but not for a WLAN because outsiders can easily determine the identities of wireless devices by sniffing packets and password hashes. Extensible Authentication Protocol–Message Digest 5 (EAP-MD5). The user identity travels in the clear, the MD5 challenge/response can be attacked offline with a dictionary, the server is never authenticated to the client, and the method produces no keying material, so it cannot seed the WPA2 key hierarchy.
14. _____ requires that the wireless device and the RADIUS server both prove their identities to each other by using public key cryptography such as digital certificates. EAP with Transport Layer Security (EAP-TLS)
15. Instead of issuing digital certificates to all users, _____ and PEAP use Windows logins and passwords. EAP with Tunneled TLS (EAP-TTLS). Only the server presents a certificate; the user's login and password are sent inside the TLS tunnel that the server certificate establishes.
16. Explain how a pairwise master key is created in an access point and wireless device in a WPA2 Enterprise security model network.
During IEEE 802.1X/EAP authentication, the wireless device (supplicant) and the authentication server (usually a RADIUS server) each derive the same master key (MK), from which all other keys are formed, as a by-product of the EAP method (for example the TLS exchange in EAP-TLS or PEAP); the MK itself is never transmitted. The access point (authenticator) only relays the EAP packets between the two and cannot see the key material they protect. Both the device and the authentication server then derive the pairwise master key (PMK) from the MK. The device keeps its copy locally. The authentication server sends its copy to the access point in the RADIUS Access-Accept packet that ends the authentication session, protected by the shared secret between the RADIUS server and the access point. The PMK is tied to that one authentication session, and it is the starting point from which the pairwise transient key is derived in the four-way handshake.
17. What are the three keys that make up the pairwise transient key (PTK)?
The PTK is itself divided into three keys. The first key is the key confirmation key (KCK), which the EAPOL-Key exchanges (the four-way handshake and the group key handshake) use to compute the message integrity code that provides data origin authenticity. The second key is the key encryption key (KEK), which the EAPOL-Key exchanges use to encrypt key material, such as the group temporal key carried in the handshake, to provide confidentiality. The third key is the temporal key (TK), which the data-confidentiality protocol (CCMP with AES in WPA2) uses to protect unicast data frames. With CCMP the PTK is 384 bits long: 128 bits for each of the KCK, KEK, and TK.
18. What is the difference between group keys (GK) and master keys (MK)?
The MK and the keys derived from it (the PMK and the PTK) belong to one wireless device and are used for access point to wireless device transmissions, or unicast transmissions. When an AP sends the same packet to all wireless devices, known as a broadcast (or multicast), the per-device keys cannot be used because every receiver would need the same key. Instead, group keys (GK) are used. The starting point of the group key hierarchy is the group master key (GMK), which is simply a random number generated by the AP. A pseudorandom function uses the GMK, the authenticator's MAC address, and a nonce from the authenticator (the GNonce) to create a group temporal key (GTK). The AP delivers the GTK to each device during that device's four-way handshake, encrypted with the device's KEK, and the GTK is the value that every wireless device uses to decrypt broadcast and multicast messages from the AP. Because the GTK is shared by all devices, the AP should generate and distribute a new one through the group key handshake when a device leaves the network, since the departing device still knows the old GTK.
19. Describe the four-way handshake.
The four-way handshake is the EAPOL-Key exchange in which the wireless device (supplicant) and the AP (authenticator) prove to each other that they hold the same PMK, derive a fresh PTK from it, and deliver the GTK; the PMK itself is never sent. In the first message, the authenticator sends the supplicant a random value called a nonce (known as the ANonce). The supplicant then creates its own nonce (the SNonce). At this point the supplicant holds the PMK, both nonces and both MAC addresses, so it can calculate the PTK. In the second message, the supplicant sends the SNonce to the authenticator along with its security parameters (RSN information element), protected by a message integrity code (MIC) computed with the KCK; the authenticator can now calculate the same PTK and verify the MIC, which proves that the supplicant holds the PMK. In the third message, the authenticator sends the ANonce again, the security parameters that it advertises in its beacons and probe responses, and the GTK encrypted with the KEK, all protected by a MIC. A valid MIC proves to the supplicant that the authenticator holds the PMK, and the supplicant checks that the security parameters match what it saw in the beacon so that a downgrade attack is detected. In the fourth message, the supplicant sends a MIC-protected confirmation, after which both sides install the temporal key for unicast traffic and the GTK for broadcast and multicast traffic.
20. How does authorization differ from authentication?
Before users can be given access to a computer and its data, they must in some way prove that they are who they claim to be. That is, users must give proof that they are "genuine" or authentic. This process of providing proof is known as authentication. Authorization is the process that then determines whether the authenticated user has the authority to carry out a given task. Authorization is often defined as the process of enforcing policies; that is, it determines what types or qualities of activities, resources, or services a user is permitted. Authorization controls access per user after the user has authenticated.
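The weakness behind question 13 can be shown directly. The following is an added example, not code from the textbook: it builds the three EAP frames of an EAP-MD5 exchange exactly as an outsider would capture them on the air (the cleartext Identity response, the MD5-Challenge request, and the MD5-Challenge response computed as MD5(Identifier || password || Challenge) per RFC 3748 and RFC 1994), then recovers the identity and password from those frames alone with an offline dictionary attack. The identity, password, challenge bytes and wordlist are constructed for the demonstration.

```python
import hashlib
import struct

# EAP codes and types from RFC 3748.
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def eap_md5_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (CHAP) response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_eap(code: int, identifier: int, eap_type: int, data: bytes) -> bytes:
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data


def parse_eap(pkt: bytes):
    """Decode an EAP packet into (code, identifier, type, type-data)."""
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    return code, identifier, eap_type, pkt[5:length]


def md5_challenge_exchange(identity: bytes, password: bytes, identifier: int, challenge: bytes):
    """Return the three frames an eavesdropper sees: nothing here is encrypted."""
    # Response/Identity: the user name crosses the air in the clear.
    identity_resp = build_eap(EAP_RESPONSE, identifier - 1, EAP_TYPE_IDENTITY, identity)
    # Request/MD5-Challenge type-data: Value-Size(1) Value Name.
    request = build_eap(EAP_REQUEST, identifier, EAP_TYPE_MD5,
                        bytes([len(challenge)]) + challenge + b"RADIUS")
    # Response/MD5-Challenge: the hash an attacker can test guesses against.
    value = eap_md5_hash(identifier, password, challenge)
    response = build_eap(EAP_RESPONSE, identifier, EAP_TYPE_MD5,
                         bytes([len(value)]) + value + identity)
    return identity_resp, request, response


def recover_password(frames, wordlist):
    """Offline dictionary attack using only the captured frames.

    Returns (identity, password); password is None if no word matched or a frame was missing.
    """
    identity = challenge = response_value = req_id = None
    for pkt in frames:
        code, identifier, eap_type, data = parse_eap(pkt)
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
            identity = data
        elif code == EAP_REQUEST and eap_type == EAP_TYPE_MD5:
            size = data[0]
            challenge, req_id = data[1:1 + size], identifier
        elif code == EAP_RESPONSE and eap_type == EAP_TYPE_MD5:
            size = data[0]
            response_value = data[1:1 + size]
    if identity is None or challenge is None or response_value is None:
        return identity, None
    for word in wordlist:
        if eap_md5_hash(req_id, word, challenge) == response_value:
            return identity, word
    return identity, None


if __name__ == "__main__":
    # Constructed capture: one user authenticating with a weak password.
    captured = md5_challenge_exchange(b"alice@example.com", b"Winter2024!", 7, bytes(range(16)))
    print(recover_password(captured, [b"password", b"letmein", b"Winter2024!"]))
```

Nothing in the capture is needed beyond the three frames; no interaction with the RADIUS server takes place, so the attack is invisible to the network. The same frames also show that the client never receives anything it could use to authenticate the server, which is why the answer to question 13 rules EAP-MD5 out for WLANs even when passwords are strong.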
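Questions 16 through 19 describe one key hierarchy and one exchange, so a single added example serves all four. This is illustration code, not the textbook's and not any vendor's implementation: it implements the IEEE 802.11i PRF (HMAC-SHA1 based), derives the PTK from a PMK and splits it into KCK, KEK and TK (question 17), derives a GTK from a GMK (question 18), and runs both sides of the four-way handshake in one process, with each side using only its own PMK (question 19). The PMK is supplied as a constructed 32-byte value standing in for the key each side would derive from the EAP exchange (question 16); the RSN information element, MAC addresses and nonces are likewise constructed. AES Key Wrap of the GTK under the KEK is noted but not performed, since the standard library has no AES, so the GTK appears in clear in message 3 of this simulation.

```python
import hashlib
import hmac
import os

# Constructed RSN IE: the security parameters the authenticator advertises in beacons and
# probe responses and repeats in message 3 (CCMP group and pairwise cipher, 802.1X AKM).
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020c00")


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)),
    split into the three keys used with CCMP: KCK (16 B), KEK (16 B), TK (16 B)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def derive_gtk(gmk: bytes, aa: bytes, gnonce: bytes) -> bytes:
    """GTK = PRF-128(GMK, "Group key expansion", AA || GNonce)."""
    return prf(gmk, b"Group key expansion", aa + gnonce, 16)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC for CCMP networks: HMAC-SHA1 under the KCK, truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk_supplicant, pmk_authenticator, aa, spa, gmk,
                       anonce=None, snonce=None, gnonce=None) -> dict:
    """Run both sides of the handshake. The result records where it stops if the PMKs differ."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    gnonce = gnonce or os.urandom(32)

    # Message 1 (authenticator -> supplicant): ANonce, no MIC; neither side has a PTK yet.
    # The supplicant picks its SNonce and can now derive the PTK.
    s_ptk = derive_ptk(pmk_supplicant, aa, spa, anonce, snonce)

    # Message 2 (supplicant -> authenticator): SNonce + supplicant RSN IE, MIC under the KCK.
    msg2 = snonce + RSN_IE
    msg2_mic = eapol_mic(s_ptk["kck"], msg2)

    # The authenticator now holds both nonces, derives its PTK and checks the MIC,
    # which proves the supplicant holds the same PMK.
    a_ptk = derive_ptk(pmk_authenticator, aa, spa, anonce, snonce)
    if not hmac.compare_digest(eapol_mic(a_ptk["kck"], msg2), msg2_mic):
        return {"ok": False, "failed_at": "msg2"}

    # Message 3 (authenticator -> supplicant): ANonce again, the advertised RSN IE and the GTK.
    # A real frame carries the GTK AES-Key-Wrapped under the KEK; that wrap is left out here.
    gtk = derive_gtk(gmk, aa, gnonce)
    msg3 = anonce + RSN_IE + gtk
    msg3_mic = eapol_mic(a_ptk["kck"], msg3)

    # The supplicant's MIC check proves the authenticator holds the PMK; the RSN IE must
    # match what it saw in the beacon, otherwise a downgrade is assumed and it aborts.
    if not hmac.compare_digest(eapol_mic(s_ptk["kck"], msg3), msg3_mic):
        return {"ok": False, "failed_at": "msg3"}
    if msg3[32:32 + len(RSN_IE)] != RSN_IE:
        return {"ok": False, "failed_at": "rsn_ie"}
    s_gtk = msg3[32 + len(RSN_IE):]

    # Message 4 (supplicant -> authenticator): confirmation MIC over an empty key-data field.
    msg4_mic = eapol_mic(s_ptk["kck"], b"")
    if not hmac.compare_digest(eapol_mic(a_ptk["kck"], b""), msg4_mic):
        return {"ok": False, "failed_at": "msg4"}

    # Both sides install TK for unicast and the GTK for broadcast/multicast.
    return {"ok": True, "ptk_supplicant": s_ptk, "ptk_authenticator": a_ptk,
            "gtk_supplicant": s_gtk, "gtk_authenticator": gtk}


if __name__ == "__main__":
    pmk = os.urandom(32)  # stands in for the PMK both sides derived from the EAP exchange
    result = four_way_handshake(pmk, pmk, bytes.fromhex("001122334455"),
                                bytes.fromhex("66778899aabb"), os.urandom(32))
    print(result["ok"], result["ptk_supplicant"]["tk"].hex())
```

Two properties worth noticing when running it: the PMK is never placed in any message, yet a mismatched PMK is caught at message 2 because the MIC fails; and the Min/Max ordering of addresses and nonces in the PTK derivation means the two sides get the same PTK regardless of which side computes it first. Changing either nonce changes every key in the PTK, which is why a replayed handshake yields nothing useful.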