Network Security
FW: [ISN] Cisco develops WLAN security protocol to defeat password attacks
- From: Howell, Paul
- Date: Sat Feb 14 08:16:18 2004
-----Original Message-----
From: owner-isn@attrition.org [mailto:owner-isn@attrition.org] On Behalf Of
InfoSec News
Sent: Friday, February 13, 2004 9:20 AM
To: isn@attrition.org
Subject: [ISN] Cisco develops WLAN security protocol to defeat password attacks
http://www.computerworld.com/securitytopics/security/story/0,10801,90163,00.html
By BOB BREWIN
FEBRUARY 12, 2004
Cisco Systems Inc. has developed a new wireless LAN security protocol
designed to defeat brute force dictionary attacks that capture a user's
passwords, and it submitted a draft of the protocol to the Internet
Engineering Task Force (IETF) on Monday.
Cisco developed the new WLAN Extensible Authentication Protocol-Flexible
Authentication via Secure Tunneling (EAP-FAST) to defeat dictionary attacks
against unencrypted passwords in its earlier, proprietary Lightweight
Extensible Authentication Protocol (LEAP). Cisco posted a security bulletin
last August warning users that LEAP is vulnerable to such attacks.
Ron Seide, WLAN product line manager at Cisco, said EAP-FAST protects
against dictionary attacks by sending password authentication between a WLAN
client and wireless LAN access points through a secure, encrypted tunnel.
Seide added that EAP-FAST also eliminates the need for enterprises to
install separate servers to handle the digital certificates used in another
WLAN security system, the Protected Extensible Authentication Protocol
(PEAP).
Seide said that Cisco believes that EAP-FAST complements PEAP as well as
LEAP, "bringing together some of the key advantages of LEAP's convenience
and flexibility with the password protection tunneling of PEAP".
According to Seide, Cisco submitted EAP-FAST to the IETF for inclusion in
the 802.1X wireless LAN security protocol that is under development and
expects to have it available for download for free from its Web site by the
end of March. Seide said Cisco doesn't intend EAP-FAST as a replacement for
LEAP but as an addition to its WLAN security suite of products, which
includes PEAP.
Cisco also intends to make EAP-FAST available to partners in its Cisco
Compatible Extensions (CCX) program, Seide said. Cisco's CCX wireless LAN
chip partners include Intel Corp. and Atheros Communications Inc. Hardware
manufacturers that are part of the CCX program include Dell Inc.,
Hewlett-Packard Co. and Toshiba Corp.
EAP-FAST will be available to CCX partners later this year, Seide said, but
he didn't specify an exact date.
Enterprise users of Cisco WLAN products contacted by Computerworld said they
have had little time to evaluate EAP-FAST since Cisco posted the draft just
this week. Mark Wiesenberg, director of network services at Sharp HealthCare
in San Diego, said his company "continues to study the area of wireless LAN
security and is fully committed to using standards-based solutions. We will
track how this proposal is received by the IETF and evaluate a position
based on industry acceptance."
Joshua Wright, a systems engineer and deputy director of training at the
SANS Institute in Bethesda, Md., called EAP-FAST an "excellent alternative"
to PEAP or EAP-Transport Layer Security (EAP-TLS), also supported by Cisco,
because it does not require the use of digital certificates.
"As is the case with many draft standards, the quality of the protocol is
often determined in implementation, which I haven't seen yet," said Wright,
who developed an automated dictionary attack tool against LEAP last year
while working at Johnson & Wales University in Providence, R.I.
He said he is a "little concerned" about accommodations in the protocol to
allow anonymous Diffie-Hellman exchanges that make EAP-FAST vulnerable to
the same dictionary attack flaws that plague LEAP. Diffie-Hellman is a
key-agreement scheme in which two parties derive a shared secret over an
open channel; in its anonymous form neither party proves its identity, so
an attacker positioned between them can negotiate a separate secret with
each side and read whatever passes through the resulting tunnel.
Wright acknowledged that the draft EAP-FAST specification doesn't recommend
the use of Diffie-Hellman in the protocol, but he said if it is used, it
could negate much of the security of EAP-FAST.
Cisco spokeswoman Linda Horiuchi said in a statement, "Anonymous DH is an
option for provisioning the credential to the client machine, not for
authenticating the user. If anonymous DH is used for credential
provisioning, it is likely to be used once, during initial provisioning, not
with every authentication. Further, a dictionary attack on anonymous DH
would have to be an active attack, not an offline attack.
"An organization that is concerned about a vulnerability during initial
credential provisioning should use a mechanism other than unauthenticated DH
for initial credential provisioning. However, many organizations may
consider the exposure window so small that unauthenticated DH is a prudent
choice."
Wright, who last year said he planned to publicly release his LEAP
dictionary attack tool this month, said Cisco asked him to delay that
release "a bit longer." Wright agreed to do so "as long as Cisco continues
to work toward providing a secure alternative to LEAP users."
Chris Kozup, an analyst at Meta Group Inc., said that EAP-FAST is a better
protocol than LEAP and that Cisco is opening it up to the IETF.
Kozup said he expects other vendors to adopt the protocol quickly.
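The two points the article turns on, the offline dictionary attack on a cleartext challenge/response (the LEAP weakness described at the top) and Cisco's distinction between a passive and an active attack on anonymous DH credential provisioning, modelled in Python. This is an added example, not code from the article, from Cisco or from the EAP-FAST draft, and it uses stand-ins: HMAC-SHA256 replaces LEAP's MS-CHAP/DES response, and the DH group (p = 2**127 - 1, g = 3) and the XOR-keystream tunnel are toys chosen so the script runs on the standard library alone. The wordlist and passwords are constructed for the demonstration.

```python
"""Added illustration (not from the article, Cisco or the EAP-FAST draft).

Three situations:
  1. LEAP-style challenge/response in the clear: a passive sniffer captures
     one exchange and tests password guesses offline.
  2. The same exchange inside a tunnel keyed by anonymous DH: the sniffer
     holds only ciphertext, which is useless for a dictionary attack.
  3. An active man-in-the-middle on the anonymous DH: nothing binds the
     public values to either party, so the attacker substitutes its own,
     decrypts the tunnel, and is back to case 1.
Stand-ins (assumptions, not how LEAP or EAP-FAST are built): HMAC-SHA256
for the MS-CHAP/DES response, a toy DH group, a SHA-256 XOR keystream.
"""
import hashlib
import hmac
import os
import secrets

# Constructed wordlist; a real attacker would use a large dictionary.
WORDLIST = ["password", "letmein", "Summer2004", "cisco123", "wireless"]

# Toy DH parameters (assumption; a real deployment uses a standardised group).
P = 2 ** 127 - 1
G = 3


def password_hash(password: str) -> bytes:
    """Stand-in for the NT hash (MD4 of the UTF-16LE password)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Stand-in for the DES-based MS-CHAP response: a fixed function of the
    password hash and the challenge, so holding both lets anyone test
    guesses offline."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


def leap_exchange(password: str):
    """Cleartext LEAP-style exchange; returns what a passive sniffer sees."""
    chal = os.urandom(8)
    return chal, challenge_response(password_hash(password), chal)


def offline_dictionary_attack(chal: bytes, resp: bytes, wordlist):
    """Try each candidate against a captured (challenge, response) pair.
    Nothing touches the network: purely offline."""
    for cand in wordlist:
        if hmac.compare_digest(challenge_response(password_hash(cand), chal), resp):
            return cand
    return None


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """Tunnel key derived from the DH shared secret (fits in 16 bytes as P < 2**127)."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks; same call
    encrypts and decrypts."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def tunneled_exchange(password: str, mitm: bool):
    """Anonymous DH, then challenge/response inside the resulting tunnel.
    Returns the two messages as the attacker ends up holding them."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    if mitm:
        # Unauthenticated public values: the attacker hands each side its own
        # and so shares one key with the client and another with the server.
        m_priv, m_pub = dh_keypair()
        k_client, k_server = dh_shared(c_priv, m_pub), dh_shared(s_priv, m_pub)
        k_m_client, k_m_server = dh_shared(m_priv, c_pub), dh_shared(m_priv, s_pub)
    else:
        k_client, k_server = dh_shared(c_priv, s_pub), dh_shared(s_priv, c_pub)

    chal = os.urandom(8)
    wire_chal = xor_stream(k_server, chal)             # server -> client
    if mitm:
        seen_chal = xor_stream(k_m_server, wire_chal)  # attacker decrypts ...
        wire_chal = xor_stream(k_m_client, seen_chal)  # ... and re-encrypts
    resp = challenge_response(password_hash(password), xor_stream(k_client, wire_chal))
    wire_resp = xor_stream(k_client, resp)             # client -> server
    if mitm:
        return seen_chal, xor_stream(k_m_client, wire_resp)  # plaintext pair
    return wire_chal, wire_resp                               # ciphertext only


def crack_cleartext(password: str, wordlist=WORDLIST):
    return offline_dictionary_attack(*leap_exchange(password), wordlist)


def crack_tunneled(password: str, mitm: bool, wordlist=WORDLIST):
    return offline_dictionary_attack(*tunneled_exchange(password, mitm), wordlist)


if __name__ == "__main__":
    print("cleartext LEAP-style:     ", crack_cleartext("Summer2004"))
    print("tunneled, passive sniffer:", crack_tunneled("Summer2004", mitm=False))
    print("tunneled, active MITM:    ", crack_tunneled("Summer2004", mitm=True))
```

Run it and the three lines show the password recovered from the cleartext exchange, nothing recovered from the tunneled exchange by a passive sniffer, and the password recovered again once an attacker actively substitutes its own DH values. The last case is what Cisco's statement means by "an active attack, not an offline attack": the attacker must be on the path during the one provisioning exchange rather than replaying a capture at leisure, which is also why the statement points organisations that cannot accept that window toward a mechanism other than unauthenticated DH.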
-
ISN is currently hosted by Attrition.org