Introduction to Wireless Security

This topic is to discuss the following lesson:

Hi, I really enjoy the lessons.

I have two related questions, please.

In the lesson, you said

“The wireless client can use this to verify that it’s communicating with a legitimate AP.”

  1. So does that mean the attacker can't make a certificate for its rogue AP? Or is it possible but difficult to make?

  2. Who originates these certificates? Is it the 802.11 standard or the manufacturer of the AP? In other words, where do these certificates come from?

I appreciate your effort.

Hello Ameen

Certificates are a widely used method for authentication in a very broad area of application. Some examples include:

A certificate, or digital certificate, or more correctly referred to as a public key certificate, is a method used to prove the ownership of a public key. A digital certificate includes information about the key, information about the identity of its owner, as well as the digital signature of the entity that has verified the certificate’s contents. This entity is known as the issuer. If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate’s owner.

In this case, the wireless host examines the digital certificate of the AP, and if the signature is valid, it has been proven that the AP is indeed legitimate.

Now it is possible to issue your own certificate. This can be done as shown in the lessons I have linked above. However, the most secure way to validate digital certificates is to use a Certificate Authority (CA) as the issuer. This is an entity that issues digital certificates. The CA acts as a trusted 3rd party that is trusted by both the host and the AP.

Some examples of CAs include Amazon Web Services, Cloudflare, Google Cloud Platform, and others.

So to answer your questions directly, it is not possible for an attacker to make a “fake” certificate, especially if you use a 3rd party as the CA. The certificates can be made by you, or by the manufacturer of the AP, but such certificates can be compromised if the CA is not secure (i.e. an employee from the manufacturer leaked the certificate, or the certificate you created was somehow compromised). It is best to purchase such a service from a publicly trusted CA.

For more examples of how certificates are used, take a look at these NetworkLessons Notes:
https://notes.networklessons.com/notes/Why+do+we+trust+a+website+certificate
https://notes.networklessons.com/notes/Certificate+Authority+Structure

I hope this has been helpful!

Laz


Thanks a lot, Mr. Lazaros.


Guys, the lesson is great, but I would like to suggest two improvements:

1 - Add the “full wireless handshake”

In this image here, you share the phases “Authentication” and “Association”. But I think you should introduce the “Beacon” and “Probe” phases as well, and quickly introduce them, just like here. I’m following the CCNA 200-301 course and, at this point, beacons and probes were not introduced yet. Adding all the phases will make it easier for the student to understand exactly where/when the authentication phase occurs.

2 - Improve wording

What happens when someone steals one of the wireless clients? That’s a problem because of two main reasons:

- The attacker has access to your pre-shared key and can now connect to the wireless network from any device.
- You need to configure a new pre-shared key on the AP and all wireless clients.

There are stronger authentication options where we ask users for a username and password instead. This helps. When a device is stolen, at least you can pinpoint which username was compromised and reset the password for that username. You don’t have to reset the pre-shared key and configure it on all wireless clients.

What about the AP? If you are at a hotel and see a wireless network with the name “guest,” you assume that this is the hotel’s wireless network. Anyone can configure an AP and use the SSID “guest,” though. How do you know that this is a legitimate AP, owned and operated by the hotel?

A wireless client saves a profile for all wireless networks it has connected to. When it sees the “guest” network again, it will attempt to authenticate and associate with it.

Some wireless attacks use a fake AP, called a rogue AP. The rogue AP acts just like a regular AP; it transmits beacons, answers probes, and associates clients. When a client associates with the rogue AP, the attacker sits in between the wireless and wired traffic and can intercept all traffic, just like the real AP.

To prevent this type of man-in-the-middle attack, the client should authenticate the AP before the client authenticates itself to the AP.
  1. In addition to the bullet point “The attacker has access to your pre-shared key and can now connect to the wireless network from any device”, I think you should add a new bullet point “Now it’s possible for the attacker to decrypt and then read traffic from other stations connected to the same AP”, just to make clear the limitations of this authentication method.
  2. When you say “To prevent this type of man-in-the-middle attack, the client should authenticate the AP before the client authenticates itself to the AP”, you do not make clear if this is valid for WPA Enterprise mode, WPA Personal mode or both.
    • My understanding is that this is only valid for WPA Enterprise mode. For Personal mode, if the attacker somehow gets access to the PSK and configures a fake/rogue AP with the same PSK, there is not much the client can do. So for WPA Personal mode, it’s really necessary to protect the PSK, and in a hotel, if WPA PSK is used and the PSK is shared with everyone, someone creating a rogue AP is a real possibility/vulnerability to consider.
    • If my understanding is correct, I would suggest you edit the lesson to make clear that “server certificate validation” only applies to WPA Enterprise mode.
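
As an added illustration, not code from either poster, the lesson, or any real 802.1X/EAP implementation: a toy RSA certificate model in Python showing the issuer-and-signature check Laz describes, which is the check a WPA Enterprise client can perform on the server certificate. The CA name HotelCA, the server name radius.hotel.example and the tiny Mersenne-prime keys are all constructed for the example; a rogue AP that copies the name, or even the issuer string, still fails because it cannot produce the trusted CA's signature.

```python
import hashlib
from collections import namedtuple

# Toy RSA over known Mersenne primes; constructed for illustration only,
# far too small and simplified to serve as a real PKI.
def rsa_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)
def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

# A minimal certificate: the name the AP claims, its public key,
# the issuer it claims, and the issuer's signature over name + key.
Cert = namedtuple("Cert", "subject pubkey issuer signature")

def to_be_signed(subject, pubkey):
    return f"{subject}|{pubkey[0]}|{pubkey[1]}".encode()

def issue(issuer_name, signer_priv, subject, subject_pub):
    sig = sign(signer_priv, to_be_signed(subject, subject_pub))
    return Cert(subject, subject_pub, issuer_name, sig)

def client_accepts(cert, trusted_cas, expected_subject):
    """The client's check: trusted issuer, valid signature, expected name."""
    ca_pub = trusted_cas.get(cert.issuer)
    if ca_pub is None or cert.subject != expected_subject:
        return False
    return verify(ca_pub, to_be_signed(cert.subject, cert.pubkey), cert.signature)

def demo(name="radius.hotel.example"):
    ca_pub, ca_priv = rsa_keypair(2**127 - 1, 2**89 - 1)
    ap_pub, _ = rsa_keypair(2**107 - 1, 2**61 - 1)
    rogue_pub, rogue_priv = rsa_keypair(2**521 - 1, 2**31 - 1)
    trusted = {"HotelCA": ca_pub}                 # the client's trust store
    legit = issue("HotelCA", ca_priv, name, ap_pub)
    # Rogue AP copies the name and issuer string but can only sign with its own key...
    forged = issue("HotelCA", rogue_priv, name, rogue_pub)
    # ...or presents a cert from its own CA, which the client has never heard of.
    self_signed = issue("RogueCA", rogue_priv, name, rogue_pub)
    return {"legit": client_accepts(legit, trusted, name),
            "forged": client_accepts(forged, trusted, name),
            "self_signed": client_accepts(self_signed, trusted, name)}
```

In WPA Personal mode there is no server certificate in the exchange at all, so none of this check is available to the client; only the shared PSK is.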

Hello Rarylson

Thanks for your feedback! I’ll let @ReneMolenaar know to take a look and consider your suggestions.

Laz