Chapter 9: Implementing Wireless LAN Security

TRUE/FALSE

1. WEP2 attempted to overcome the limitations of WEP by adding two new security enhancements.
ANS: T REF: 293

2. The block cipher used in 802.11i is the Data Encryption Standard (DES).
ANS: F REF: 295

3. WPA authentication can be accomplished by using either IEEE 802.1x or pre-shared key (PSK) technology.
ANS: T REF: 299

4. Pre-shared key (PSK) authentication uses a passphrase that is automatically generated to generate the encryption key.
ANS: F REF: 304

5. A virtual private network (VPN) uses a public, unsecured network as if it were a private, secured network.
ANS: T REF: 312

MULTIPLE CHOICE

1. What authentication system did the proposed WEP2 standard use?
a. Kerberos
b. AES-CCMP
c. dynamic WEP
d. key caching
ANS: A REF: 293


2. In dynamic WEP, the ____ key is changed every time the user roams to a new AP or logs out and logs back in.
a. broadcast
b. unicast
c. passphrase
d. ticket
ANS: B REF: 294

3. The 802.11i standard addresses both ____.
a. encryption and confidentiality
b. integrity and confidentiality
c. authentication and direction
d. encryption and authentication
ANS: D REF: 295

4. Within Step 2 of Advanced Encryption Standard (AES), multiple iterations (called rounds) are performed depending upon the key size: a 128-bit key performs 9 full rounds before the final round, a 192-bit key performs 11, and a 256-bit key uses ____.
a. 13
b. 15
c. 17
d. 19
ANS: A REF: 295

5. Within the IEEE 802.1x standard, ____ ensures that a device (wired or wireless) that requests access to the network is prevented from receiving any traffic until its identity can be verified.
a. an access control list
b. port security
c. port scanning
d. port blocking
ANS: B REF: 296

6. What feature of IEEE 802.11i allows a device to become authenticated to an AP before moving to it?
a. key caching
b. port security
c. pre-authentication
d. message passing
ANS: C REF: 296

7. How long is the per-packet key used in TKIP?
a. 40 bits
b. 64 bits
c. 128 bits
d. 256 bits
ANS: C REF: 297

8. ____ replaces CRC in WPA.
a. MIC
b. MRC
c. CMR
d. CMC
ANS: A REF: 298

9. ____ was designed to address WEP vulnerabilities with a minimum of inconvenience.
a. IEEE 802.11i
b. TGi
c. dynamic WEP
d. WPA
ANS: D REF: 299

10. What security technology was most recently introduced?
a. WPA
b. WPA2
c. WEP2
d. Dynamic WEP
ANS: B REF: 300

11. The ____ wireless security standard provides a low level of security.
a. Dynamic WEP
b. WEP
c. WEP2
d. All of the above
ANS: D REF: 300

12. When implementing an interim security model, most vendors have the option of a 128-bit WEP key, which can be created by entering 16 ____ characters. This provides the most secure option.
a. ASCII
b. ciphered
c. hexadecimal
d. plaintext
ANS: A REF: 302

13. What is the first step in implementing an interim security model?
a. shared key authentication
b. port security
c. turning off SSID beaconing
d. MAC address filtering
ANS: C REF: 303

14. The personal security model is intended for settings in which a(n) ____ is unavailable.
a. wired network
b. authentication server
c. AP
d. intermediate security model
ANS: B REF: 304

15. The ____ method of encryption is used in a personal security model.
a. PSK
b. WEP
c. TKIP
d. MAC
ANS: C REF: 304

16. What is the name of the 128-bit key used in TKIP?
a. temporal key
b. IV
c. XOR
d. TKIP
ANS: A REF: 305

17. ____ is considered to be the "heart and soul" of WPA security.
a. PSK
b. TKIP
c. MIC
d. All of the above
ANS: D REF: 306

18. Encryption under the WPA2 personal security model is accomplished by using the block cipher ____.
a. TKIP
b. AES
c. PSK
d. CBC
ANS: B REF: 307

19. ____ authentication is used in the enterprise security model using WPA and WPA2.
a. AES
b. MIC
c. IEEE 802.1x
d. PRNG
ANS: C REF: 308

20. A ____ VPN is a user-to-LAN connection used by remote users.
a. remote-access
b. site-to-site
c. peer-to-peer
d. remote-to-LAN
ANS: A REF: 312

21. At the heart of a WIDS are ____.
a. captive portals
b. VPNs
c. firewalls
d. wireless sensors
ANS: D REF: 314

COMPLETION

1. ____________________ was developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of network users.
ANS: Kerberos REF: 293

2. In WPA, ____________________ encryption replaces WEP's small 40-bit encryption key that must be manually entered on wireless APs and devices and does not change.
ANS: Temporal Key Integrity Protocol (TKIP)
Temporal Key Integrity Protocol
TKIP
REF: 297

3. The ____________________ security model is designed for single users or small office home office (SOHO) settings of generally 10 or fewer wireless devices.
ANS: personal REF: 304

4. The ____________________ security model is designed for medium to large-size organizations such as businesses, government agencies, and universities.
ANS: enterprise REF: 308

5. Most consumer access points are in reality wireless ____________________, because they combine the functions of an access point, router, network address translator, firewall, and switch.
ANS: gateways REF: 313

MATCHING

Match each term with the correct statement below.
a. pre-shared key authentication
b. dynamic WEP
c. AES-CCMP
d. Advanced Encryption Standard
e. 802.11i
f. supplicant
g. key caching
h. broadcast
i. Message Integrity Check

1. stores information from a device on the network so if a user roams away from an AP and later returns, she does not need to re-enter all of the credentials
ANS: G REF: 296

2. robust security network
ANS: E REF: 295

3. designed to prevent an attacker from capturing, altering, and resending data packets
ANS: I REF: 298

4. solves the weak IV problem by rotating the keys frequently
ANS: B REF: 293

5. encryption protocol in the 802.11i standard
ANS: C REF: 307

6. uses a passphrase that is manually entered to generate the encryption key
ANS: A REF: 304

7. traffic sent to all users on the network
ANS: H REF: 294

8. performs three steps on every block (128 bits) of plaintext
ANS: D REF: 295

9. wireless device that requires secure network access
ANS: F REF: 309

SHORT ANSWER

1. Describe Kerberos.
ANS: Kerberos is typically used when someone on a network attempts to use a network service, and the service wants assurance that the user is who he says he is. The user is provided a ticket that is issued by the Kerberos server, much as a driver's license is issued by the DMV. This ticket contains information linking it to the user. The user presents this ticket to the network for a service. The service then examines the ticket to verify the identity of the user. If all checks out, the user is accepted. Kerberos tickets share some of the same characteristics as a driver's license: tickets are difficult to copy (because they are encrypted), they contain specific user information, they restrict what a user can do, and they expire after a few hours or a day.
REF: 293

2. Describe the 802.1x authentication procedure.
ANS: Step 1: The wireless device requests permission from the access point to join the wireless LAN. Step 2: The access point asks the device to verify its identity. Step 3: The device sends identity information to the access point, which passes it on to an authentication server whose only job is to verify the authentication of devices. The credentials are sent in protected form inside the EAP method in use (the bare identity exchange that precedes it is not encrypted). Step 4: The authentication server verifies or rejects the client's identity and returns the result to the access point. Step 5: An approved client can now join the network and transmit data.
REF: 296

3. Describe the Temporal Key Integrity Protocol used by Wi-Fi Protected Access (WPA).
ANS: TKIP uses a longer, 128-bit temporal key and derives a different per-packet key from it, so it dynamically generates a new key for each packet and prevents the key and IV collisions that weakened WEP. After accepting a device's credentials, the authentication server can use 802.1x to produce a unique master key for that user session. TKIP distributes the key to the client and AP, setting up an automated key hierarchy and management system. TKIP then dynamically generates unique keys to encrypt every data packet that is wirelessly communicated during a session.
REF: 297

4. What should a business do if the best possible security model cannot be implemented?
ANS: The answer may be to implement the highest level of security based upon the current equipment in use. Sometimes called the transitional security model, it should only be implemented as a temporary solution. Although this is not the optimal solution, it is better than doing nothing at all. It should, however, be recognized that this should only be considered a transitional phase until migration to stronger wireless security is possible. A plan for the purchase and installation of new security equipment should be outlined before the transitional security model is implemented to ensure that upgrading is not put off until it is too late.
REF: 301

5. Describe pre-shared key authentication.
ANS: Pre-shared key (PSK) authentication uses a passphrase (the PSK) that is manually entered to generate the encryption key. A key must be created and entered in the wireless access point and also on any wireless device ("shared") prior to ("pre") the devices communicating with the AP. Unlike WEP, the PSK is not used for encryption. Instead, it only serves as the starting seed value for mathematically generating the encryption keys themselves. However, one of the disadvantages with PSK involves initial key management: the same secret sits on every device and must be changed everywhere whenever it is compromised.
REF: 304

6. Temporal Key Integrity Protocol (TKIP) has three major components to address vulnerabilities. Identify and describe each one.
ANS: MIC: The Message Integrity Check protects against forgeries by ensuring that the message has not been tampered with, which CRC under WEP could not do. IV sequence: TKIP reuses the WEP IV field as a sequence number for each packet. Both the transmitter and receiver initialize the packet sequence space to zero whenever new TKIP keys are set, and the transmitter increments the sequence number with each packet it sends; the receiver discards any packet whose sequence number does not advance past the last one it accepted. This ensures that an attacker cannot record a valid packet and then retransmit it. Also, the length of the sequence number (IV) has been doubled, from 24 bits to 48 bits. TKIP key mixing: WEP constructs a per-packet RC4 key by concatenating a key and the packet IV; the original WEP design used a 24-bit initialization vector (IV) along with a secret key to generate a keystream. The new per-packet key construction, called the TKIP key mixing function, substitutes a temporary (temporal) key for the WEP base key and constructs a per-packet key that changes with each packet. Temporal keys have a fixed lifetime and are replaced frequently, and TKIP creates a different key for each packet.
REF: 306
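The forgery that SHORT ANSWER 6 says CRC could not stop, and the two TKIP defences against it (the keyed MIC and the 48-bit sequence counter) together with the per-packet key of SHORT ANSWER 3, shown as an added example. This is not code from the textbook: the RC4 keystream, the TKIP key-mixing function and the Michael MIC are replaced by SHA-256/HMAC stand-ins so the logic stays short, and the keys, addresses and payload are constructed sample values. The attack on the WEP-style frame is genuine, because CRC-32 really is affine.

```python
"""WEP's CRC-32 integrity check versus TKIP's MIC and sequence counter (TSC).

Added example, not code from the textbook. Simplified model: HMAC/SHA-256 stand
in for the real TKIP key-mixing function, RC4 and the Michael MIC. The forgery
against the WEP-style frame is genuine: CRC-32 is affine, so for equal lengths
crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros).
"""
import hashlib
import hmac
import struct
import zlib

WEP_KEY = b"\x01\x02\x03\x04\x05"       # constructed 40-bit WEP key
TEMPORAL_KEY = bytes(range(16))         # constructed 128-bit TKIP temporal key
MIC_KEY = bytes(range(8))               # constructed 64-bit MIC key
TA = bytes.fromhex("001122334455")      # constructed transmitter address


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream from a key (stand-in for RC4)."""
    out, i = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">I", i)).digest()
        i += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: a plain, unkeyed CRC-32."""
    return struct.pack("<I", zlib.crc32(data))


def forge_with_crc_fix(ciphertext: bytes, delta: bytes) -> bytes:
    """Flip plaintext bits through the ciphertext and repair the encrypted ICV.
    Needs no key: XORing delta into the message changes its CRC-32 by exactly
    crc(delta) ^ crc(zeros), so the same patch is XORed into the encrypted ICV."""
    n = len(ciphertext) - 4                    # bytes covered by the ICV
    d = delta + bytes(n - len(delta))
    crc_delta = zlib.crc32(d) ^ zlib.crc32(bytes(n))
    return xor(ciphertext, d + struct.pack("<I", crc_delta))


# WEP: per-packet RC4 key is IV || key; the ICV is CRC-32 of the plaintext.
def wep_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    body = msg + icv(msg)
    return iv + xor(body, keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, keystream(iv + key, len(ct)))
    return icv(body[:-4]) == body[-4:], body[:-4]


# TKIP-style: key mixed from TK, TA and a 48-bit TSC; keyed MIC; replay check.
def packet_key(tk: bytes, ta: bytes, tsc: int) -> bytes:
    return hmac.new(tk, ta + tsc.to_bytes(6, "big"), hashlib.sha256).digest()


def mic(mic_key: bytes, ta: bytes, msg: bytes) -> bytes:
    return hmac.new(mic_key, ta + msg, hashlib.sha256).digest()[:8]


class TkipSender:
    def __init__(self, tk, mic_key, ta):
        self.tk, self.mic_key, self.ta, self.tsc = tk, mic_key, ta, 0   # TSC reset with new keys

    def send(self, msg: bytes) -> bytes:
        self.tsc += 1                               # incremented for every frame
        data = msg + mic(self.mic_key, self.ta, msg)
        body = data + icv(data)                     # the WEP ICV still follows
        ks = keystream(packet_key(self.tk, self.ta, self.tsc), len(body))
        return self.tsc.to_bytes(6, "big") + xor(body, ks)


class TkipReceiver:
    def __init__(self, tk, mic_key, ta):
        self.tk, self.mic_key, self.ta, self.last_tsc = tk, mic_key, ta, 0

    def receive(self, frame: bytes):
        tsc = int.from_bytes(frame[:6], "big")
        if tsc <= self.last_tsc:                    # TSC must strictly increase
            return "replay", None
        body = xor(frame[6:], keystream(packet_key(self.tk, self.ta, tsc), len(frame) - 6))
        data, tail = body[:-4], body[-4:]
        if icv(data) != tail:
            return "icv", None
        msg, tag = data[:-8], data[-8:]
        if not hmac.compare_digest(tag, mic(self.mic_key, self.ta, msg)):
            return "mic", None                      # forgery caught by the MIC
        self.last_tsc = tsc
        return "ok", msg


def demo():
    """Same bit flip against both designs, then a replay against TKIP."""
    msg = b"PAY alice 0010 USD"
    delta = xor(msg, b"PAY alice 9999 USD")         # flips only the amount digits

    frame = wep_encrypt(WEP_KEY, b"\x00\x00\x01", msg)
    ok, plain = wep_decrypt(WEP_KEY, frame[:3] + forge_with_crc_fix(frame[3:], delta))
    wep_forgery_accepted = ok and plain == b"PAY alice 9999 USD"

    tx, rx = TkipSender(TEMPORAL_KEY, MIC_KEY, TA), TkipReceiver(TEMPORAL_KEY, MIC_KEY, TA)
    frame = tx.send(msg)
    forged = rx.receive(frame[:6] + forge_with_crc_fix(frame[6:], delta))[0]
    genuine = rx.receive(frame)[0]
    replayed = rx.receive(frame)[0]                 # same TSC a second time
    return wep_forgery_accepted, forged, genuine, replayed
```

demo() returns (True, "mic", "ok", "replay"): the altered WEP frame decrypts to the attacker's amount and still passes the CRC check, while the same edit against the TKIP-style frame is rejected by the MIC even though its ICV was repaired, and the genuine frame delivered a second time is rejected by the sequence counter. Note that the TKIP receiver keeps the WEP ICV check only because the real protocol does; the keyed MIC is what provides the integrity.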

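How the PSK described in SHORT ANSWER 5 becomes the per-session key hierarchy of SHORT ANSWER 3, as an added example that is not code from the textbook. psk_to_pmk() is the derivation IEEE 802.11i specifies for WPA/WPA2-Personal (PBKDF2-HMAC-SHA1, 4096 iterations, the SSID as salt) and derive_ptk() is the 802.11i PRF-512 expansion performed during the 4-way handshake; under the enterprise model the PMK comes out of the 802.1x/EAP exchange instead, but the expansion is the same. The addresses AA and SPA and the nonces are constructed sample values.

```python
"""From a pre-shared key to per-session keys: passphrase -> PMK -> PTK.

Added example, not code from the textbook. psk_to_pmk() is the IEEE 802.11i
PBKDF2 derivation used by WPA/WPA2-Personal; derive_ptk() is the 802.11i
PRF-512 expansion run in the 4-way handshake. AA, SPA and the nonces are
constructed sample values.
"""
import hashlib
import hmac
import os

AA = bytes.fromhex("001122334455")     # constructed AP (authenticator) address
SPA = bytes.fromhex("66778899aabb")    # constructed station (supplicant) address


def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """The passphrase is only a seed; 4096 PBKDF2 rounds yield the 256-bit PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise transient key for one association (TKIP layout, 512 bits).

    Sorting the addresses and nonces lets AP and station compute the same
    value from the two nonces they exchanged in the clear during the handshake.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {
        "kck": ptk[0:16],      # key confirmation key: MICs the handshake itself
        "kek": ptk[16:32],     # key encryption key: wraps the group key
        "tk": ptk[32:48],      # 128-bit temporal key that TKIP mixes per packet
        "mic_tx": ptk[48:56],  # Michael MIC keys, one per direction
        "mic_rx": ptk[56:64],
    }


def session_keys(passphrase: str, ssid: str) -> dict:
    """One association: fresh nonces from both sides, then the PTK from the PMK."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    return derive_ptk(psk_to_pmk(passphrase, ssid), AA, SPA, anonce, snonce)


def compare_sessions(passphrase: str = "password", ssid: str = "IEEE"):
    """Same PSK twice: the PMK is identical each time, the temporal keys are not."""
    first, second = session_keys(passphrase, ssid), session_keys(passphrase, ssid)
    return psk_to_pmk(passphrase, ssid).hex(), first["tk"] != second["tk"]
```

The passphrase "password" with SSID "IEEE" is the test vector from the 802.11i standard and yields the PMK f42c6fc5...a12e. The point for key management is visible in derive_ptk(): the PMK is the same for every device on a personal-model network, so anyone holding the passphrase who observes the two nonces of another station's handshake can compute that station's PTK with the same function. That is why the enterprise model derives a separate PMK per user through 802.1x.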
7. A network supporting the 802.1x standard consists of three elements. List and describe them.
ANS: The supplicant is the wireless device which requires secure network access. The supplicant sends its request to an authenticator, which serves as an intermediary device; an authenticator can be an access point on a wireless network or a switch on a wired network. The authenticator sends the request from the supplicant to the authentication server. The authentication server in an 802.1x configuration stores the list of the names and credentials of authorized users in order to verify their authenticity; typically a Remote Authentication Dial-In User Service (RADIUS) server is used. When a user wants to connect to the wireless network, the request is first sent to the authenticator, which relays the information, such as the username and password, type of connection, and other information, to the RADIUS server. The authentication server accepts or rejects the supplicant's request and sends that decision back to the authenticator, which in turn grants or denies access to the supplicant. One of the strengths of the 802.1x protocol is that the supplicant never has direct communication with the authentication server. This minimizes the risk of attack on the authentication server, which contains valuable logon data for all users.
REF: 309

8. Describe Advanced Encryption Standard (AES).
ANS: AES is a block cipher that uses the same key for both encryption and decryption. With AES, bits are encrypted in fixed-size blocks of plaintext that are each run through the cipher, rather than a keystream acting across a plaintext data input stream. AES has a block size of 128 bits with three possible key lengths: 128, 192, and 256 bits as specified in the AES standard. AES encryption includes four stages that make up one round, and 10, 12, or 14 rounds are performed depending upon the key size. For the WPA2/802.11i implementation of AES, a 128-bit key length is used, so 10 rounds are performed.
REF: 311-312

9. What is a wireless gateway?
ANS: Equipping an access point with additional functionality can create a device known as a wireless gateway. Most consumer access points are in reality wireless gateways, because they combine the functions of an access point, router, network address translator, firewall, and switch. On the enterprise level a wireless gateway may combine the functionality of a VPN and an authentication server. Wireless gateways can also be used to provide enhanced security to access points that are connected to them.
REF: 313

10. What are the ways in which captive portals are used?
ANS: Captive portals are used to notify users of the wireless policies and rules, which they have to agree to before they are granted access to the Internet. Captive portals can advertise to users specific services or products. Captive portals can also be used to authenticate users against a RADIUS server before they are granted Internet access.
REF: 314
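The five-step exchange of SHORT ANSWER 2 and the three elements of SHORT ANSWER 7, as an added example that is not code from the textbook. It models the one property the answers emphasise: the supplicant only ever talks to the authenticator, the authenticator relays the request to a RADIUS-style server, and the station's controlled port stays closed until the server returns Access-Accept. Message names follow EAPOL/EAP and RADIUS, but the EAP method is compressed into a single identity-plus-credential message (a real deployment runs EAP-TLS, PEAP or similar after the identity exchange), and the user database, SSID and MAC addresses are constructed values.

```python
"""IEEE 802.1x port-based access control: supplicant, authenticator, server.

Added example, not code from the textbook. The EAP method is compressed into
one identity-plus-credential message; USERS, SSID and the MAC addresses are
constructed values, and the server's PMK is a stand-in for the key material a
real EAP method exports on success.
"""
import hashlib
import hmac

USERS = {"alice": "correct horse battery staple"}   # constructed credential store
SSID = "corp-wlan"                                   # constructed


class AuthenticationServer:
    """RADIUS-style server: the only element that holds the credential list."""

    def __init__(self, users: dict):
        self.users = users
        self.peers = set()                # who sent us Access-Requests

    def access_request(self, nas_id: str, identity: str, credential: str):
        self.peers.add(nas_id)
        if self.users.get(identity) != credential:
            return "Access-Reject", None
        # Stand-in for the master key a real EAP method exports on success.
        pmk = hmac.new(credential.encode(), (identity + SSID).encode(), hashlib.sha256).digest()
        return "Access-Accept", pmk


class Authenticator:
    """Access point: owns each station's controlled port and relays EAP."""

    def __init__(self, nas_id: str, server: AuthenticationServer):
        self.nas_id, self.server = nas_id, server
        self.authorized = {}              # station MAC -> PMK once the port is open
        self.log = []                     # message transcript, both directions

    def handle_data(self, mac: str, payload: bytes) -> bool:
        """Controlled port: data from an unauthenticated station is dropped."""
        allowed = mac in self.authorized
        self.log.append((mac, "data", "forwarded" if allowed else "dropped"))
        return allowed

    def handle_eapol(self, mac: str, msg: tuple) -> tuple:
        """Uncontrolled port: only EAPOL passes before authentication."""
        self.log.append((mac, self.nas_id, msg[0]))
        if msg[0] == "EAPOL-Start":                       # step 1: asks to join
            self.log.append((self.nas_id, mac, "EAP-Request/Identity"))   # step 2
            return ("EAP-Request/Identity",)
        if msg[0] == "EAP-Response/Identity":             # step 3: identity + credential
            _, identity, credential = msg
            self.log.append((self.nas_id, "server", "Access-Request", identity))
            verdict, pmk = self.server.access_request(self.nas_id, identity, credential)
            self.log.append(("server", self.nas_id, verdict))               # step 4
            if verdict == "Access-Accept":
                self.authorized[mac] = pmk                # step 5: port authorized
                self.log.append((self.nas_id, mac, "EAP-Success"))
                return ("EAP-Success", pmk)
            self.log.append((self.nas_id, mac, "EAP-Failure"))
            return ("EAP-Failure",)
        raise ValueError(f"unexpected EAPOL message {msg[0]!r}")


class Supplicant:
    """Wireless station: never addresses the authentication server directly."""

    def __init__(self, mac: str, identity: str, credential: str):
        self.mac, self.identity, self.credential, self.pmk = mac, identity, credential, None

    def connect(self, ap: Authenticator) -> str:
        reply = ap.handle_eapol(self.mac, ("EAPOL-Start",))
        if reply[0] != "EAP-Request/Identity":
            return "protocol-error"
        reply = ap.handle_eapol(self.mac, ("EAP-Response/Identity", self.identity, self.credential))
        if reply[0] == "EAP-Success":
            self.pmk = reply[1]
        return reply[0]


def run() -> dict:
    """Good credentials open the port, bad ones do not; the server sees only the AP."""
    server = AuthenticationServer(USERS)
    ap = Authenticator("ap-1", server)
    alice = Supplicant("02:00:00:00:00:01", "alice", "correct horse battery staple")
    mallory = Supplicant("02:00:00:00:00:02", "alice", "guess")
    return {
        "data_before_auth": ap.handle_data(alice.mac, b"ping"),
        "alice": alice.connect(ap),
        "data_after_auth": ap.handle_data(alice.mac, b"ping"),
        "mallory": mallory.connect(ap),
        "mallory_data": ap.handle_data(mallory.mac, b"ping"),
        "server_peers": server.peers,
        "alice_has_pmk": alice.pmk is not None,
    }
```

run() shows the frame sent before authentication being dropped at the controlled port, the same station forwarded after EAP-Success, a wrong credential ending in EAP-Failure with the port still closed, and server.peers containing only the authenticator's identifier: no station ever reaches the server, which is the design property the text describes. The transcript in ap.log is the two-hop message flow in order.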