Personal PSKs (Wi-Fi Masterminds)
This is the second in a series of posts that I am dubbing “Wi-Fi Masterminds” (TM). I will ask questions to a series of panelists and they will answer in round-robin fashion, where they can answer the question as well as respond to others.
If you have ever seen the show “Around the Horn” on ESPN, that is the type of interaction I am looking for.
I am planning on a pool of 6-8 masterminds, but will limit each question to a panel of three members. I will try to minimize my own involvement in the questions to only provide structure where needed or correct any factual errors.
Here are today’s panelists:
Keith Parsons CWNE#3 : @keithparsons http://wlaniconoclast.blogspot.com A gifted presenter, Keith is known for his wit and broad technical expertise. He holds over 50 technical certifications and has earned an MBA from the Marriott School of Management. He is author (or editor) of a dozen technical publications and has developed seven technical certification programs. He travels throughout North America, Europe, Africa, Asia and Australia in behalf of a wide variety of IT vendors, explaining networking technology to industry professionals.
Bruce Hubbert : Bruce, a veteran of the security industry since 1993, currently functions as the Principal Systems Engineer for AirMagnet. Bruce is the primary pre-sales technical expert for this market-leading and award-winning wireless analysis and WLAN security systems manufacturer. Bruce has represented AirMagnet to the media and has been featured in the Washington Post, New York Times, Wireless Week, The IEEE, EE Times, Information Week, Techworld Japan (in English Here) and on television on the History Channel’s “Tactical to Practical” and ABC News “Business Now”. You can read Bruce’s wireless blog, “Freakquency” at http://www.hubbert.org/
Ken Hall, CWSP, RFID+ : As a Senior Technology Solutions Consultant with over 20 years in IT, Ken has designed and/or deployed approximately 100 wireless networks; including the design and initial deployment of the Air Force’s 2nd Generation Wireless LAN. His background includes security, routing, and switching with a smattering of everything else in between. Ken enjoys consulting due to the constant change in architectures and the possibility of helping customers resolve complex networking issues.
Today, the panelists are tackling questions related to the use of Personal Pre-shared Keys (PPSK):
Several WLAN companies have recently developed alternatives to 802.1X networks that include a per-user pre-shared key (PSK). What role do you see this technology playing in the enterprise? What are its advantages? What are the disadvantages?
Keith: Traditionally, we have had in the WiFi industry three common ways to access a WiFi network.
1 – Open Authentication
- Great for Hotspots
- Easy to set up and use
- Hand-held devices and VoIP handsets easy to configure
- All traffic sent in the clear
- No control or QoS
2 – Pre-Shared Key (SoHo)
- Single authentication key for SSID
- Everyone shares the same key
- Encryption keys are based from this key
- Traffic sent encrypted
- Easy to implement
3 – 802.1X or 802.11i with a Radius Server
- Authenticates Users with a variety of methods
- Each user gets unique encryption keys
- Hard to set up and configure
- May be more costly depending…
But now a couple of vendors are entering the fray with an additional access method. One that has the ease of use of Pre-Shared Keys, but with the per-individual ability of 802.1X!
These PPSK systems offer an alternative to an 802.1X implementation. Guests can be given unique credentials that can be easily revoked, or based on time duration. This makes the management of WiFi encryption much much easier. Client devices also can be more easily configured and can roam quicker using the PSK method.
Depending on the size and security policies of your enterprise, this might be a great new service to speed and maintain security for your now-open WiFi network. I look forward to more vendors opting for this easy, simple solution.
Bruce: I remember a while back that T-Mobile allowed its subscribers to utilize 802.1x with EAP-TTLS and PAP via their hotspots (http://www.hubbert.org/2006/12/t-mobile-wpa-without-nasty-client-sw.html) and I used that method all the time. It was fast and secure. I wish more Hotspot providers would do that. It just used your standard login as a T-Mobile subscriber.
There is also the company DeviceScape, which has a method to pre-authenticate you to a hotspot without the nasty splash page, which is handy. Neither of these systems, however, can assist you if you are rolling out to an Enterprise or SOHO. There you are stuck with 802.1x and WPA/WPA2-PSK.
I am not a big fan of Proprietary systems and I think most IT administrators agree. It can lead one down a long road to a possible dead end with a large amount of time and effort wasted. If you are Ruckus or Aerohive or Aruba and your system is a good one, then why not pony it up to the IEEE for consideration? I really do like the idea of per-user PSKs, however, so I am hoping that these vendors do the right thing and present it as a new task group. Pre-Shared Keys, especially ones with a real world association (think “a real English word or phrase”) have serious issues. With only one key used to authenticate, the hacker need only crack it to get in. Per-user PSKs would theoretically allow you a much higher degree of control as you might be able to limit access to subnets on a per-user basis.
I was at ShmooCon in Washington DC in 2006 when RenderMan released the Church of WiFi Rainbow Tables (http://www.renderlab.net/projects/WPA-tables/) which made it quick and trivial to crack pre-shared keys for both WPA and WPA2. The solution? On his website, RenderMan puts it this way:
“The fact that we found a way to speed up WPA-PSK cracking does not mean that it is broken. Far from it. The exploit used by coWPAtty and other similar tools is one of dumb passphrases. The minimum number of characters for a WPA-PSK passphrase is 8. The maximum is 63. Very few users actually use more than about 20 characters. As well, they also choose known words and phrases, likely to be in a dictionary. This allows us to leverage a human element in obtaining the key.
To get decent protection from WPA-PSK, you should use a very long, very random, alphanumeric string longer than 20 characters. To protect yourself further, particularly against the WPA-PSK hashtables, you should use a SSID not on the top 1000 list. This will force the attacker to compute their own list, rather than use one of the CoWF tables.
All that said; you should be using WPA2 with a radius server to get more reliable protection.”
I think time will tell, through testing, debate and consensus building which method is best but I am resisting any method not adopted by the industry as a whole.
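The passphrase and SSID advice quoted above follows from how WPA/WPA2-PSK derives its master key: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, so a precomputed table only helps against the SSID it was built for. The sketch below is an added example, not part of the panel's answers or of any tool they mention; the SSID list, word list, sample network names and function names are constructed for illustration.

```python
import hashlib
import secrets
import string

# Constructed stand-ins: a real audit would load the published common-SSID
# list and a full dictionary instead of these few entries.
COMMON_SSIDS = {"linksys", "default", "NETGEAR", "home"}
WORDLIST = {"password", "sunshine", "welcome"}

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK master key.

    PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, so the same
    passphrase yields a different key on every differently named network.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def audit(passphrase: str, ssid: str) -> list[str]:
    """Return the quoted recommendations that this passphrase/SSID pair misses."""
    findings = []
    if len(passphrase) <= 20:
        findings.append("passphrase is not longer than 20 characters")
    lowered = passphrase.lower()
    if any(word in lowered for word in WORDLIST):
        findings.append("passphrase contains a dictionary word")
    if ssid in COMMON_SSIDS:
        findings.append("SSID is on the common-SSID list")
    return findings

def random_passphrase(length: int = 32) -> str:
    """Generate a random alphanumeric passphrase from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    # Same passphrase, two SSIDs: the derived keys share nothing.
    for ssid in ("linksys", "Plant7-Ops"):
        print(ssid, wpa_pmk("sunshine2009", ssid).hex())
    print(audit("sunshine2009", "linksys"))
    strong = random_passphrase()
    print(strong, audit(strong, "Plant7-Ops"))
```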
Ken: Maybe I’m old-fashioned, but I typically keep my employee access limited to PEAPv0 (EAP-MSCHAPv2) and guest access to open authentication/no encryption or a captive portal/walled garden. While a per-user PSK may be beneficial in some solutions, I believe it will prove to be a niche market. Most organizations want to decrease the amount of management required to implement a solution. With a typical, centrally-managed, overlay WLAN solution, once it’s initially configured, it doesn’t tend to need a great deal of extra management. All of the wireless users are already managed through other resources (e.g. AD, LDAP, etc.); and guest users are severely policy restricted and quite possibly on a physically separate network, so the typical recommendation would be for them to use a layer 3 method (e.g. VPN, etc.) for their encryption. The per-user PSK will increase the amount of “touch” required to manage those unique users/devices, but at the same time will provide a more secure, previously unavailable authentication/encryption mechanism. So, yes, I believe it is a feasible technology and there is certainly a case for it…but, I also believe that it will see more application-specific deployment than widespread adoption and use.
What do YOU think? Are Personal PSKs a legitimate form of WLAN security or just marketing fluff? Let our panelists know what you believe by submitting a comment!