5

I would like to know whether using certificate-based authentication instead of a WPA2 password in a WiFi network would be secure or insecure, in terms of whether it is breakable or not.

Since WPA2 can be dictionary-guessed or brute-forced, how does it look when using certificates?

Bob Ortiz
Honeypot2k

3 Answers

5

A certificate is always a better solution than a username/password or pre-shared key. But if you use multifactor authentication (i.e. username + password + RSA token/Google Authenticator/SMS/whatever), I would say it is secure enough against such types of attacks. Even a strong password and following the recommended password change policies is fine.

Fis
  • 1
    Certificate is NOT always better. Certificates require an investment in endpoint protection, in order to secure the certificate. – Jesse K May 31 '17 at 14:20
  • 2
    I have problems with absolute statements like this. In general I would agree in that certificate-based authentication is more secure (ephemeral keys, limited lifetime, revocation, selective cut-off, etc.), but this requires some knowledge and experience as an operator. Passwords are easy to handle (e.g. everybody should know that they are sensitive), but with certificates and private keys and all of the various file formats, etc., it is much more complicated and people will make configuration and/or usage errors. – Karol Babioch May 31 '17 at 14:21
  • Agree with both of you. Certificates are better from a security perspective, but some secure infrastructure is required for them and, in general, they are more difficult to handle. Regarding passwords... if you push people to remember strong passwords and push them to change these passwords at regular intervals, do you think the error rate will be lower? :) Or do you think they will like you more? :) – Fis May 31 '17 at 14:29
0

A certificate with a 2048-bit public key is weaker than a SecurePassword™ 513 hexadecimal characters long.

Note I said 513. And nobody is realistically willing to type 513 strokes on a keyboard.

It is worth noting that certificate authentication is stronger when using smart cards, because the private key virtually can't be compromised without physical access to the smart card. E.g. a keylogger cannot violate a private key.

Note: SecurePassword™ is not a brand or product; it is one of my jokes about the strength of passwords.

usr-local-ΕΨΗΕΛΩΝ
  • A SecurePassword™ made of 65 truly random characters from the Unicode space (mostly impossible to type at first shot and in less than 2 minutes) is more secure than a 2048-bit pubkey – usr-local-ΕΨΗΕΛΩΝ May 31 '17 at 17:34
  • 1
    If you use a PSK and have more than one client then all clients have the same password; for Enterprise-WPA2 or certificates you would have individual pairings. – eckes Jun 02 '17 at 19:08
0

It is more secure if it means you don't use a PSK, and instead use asymmetrical encryption with a private key that never leaves a smartcard. It also means you would have to register a smartcard for every user you want to connect, and they have to be unique.

John Keates
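
The difference the answers above discuss, shown as client configuration. This is an added example, not part of any answer on this page; it assumes a Linux client running wpa_supplicant and, for the last block, an OpenSSL PKCS#11 engine. The SSID, identity, file paths, key IDs and PIN are placeholders, and a real file would keep only one of the three network blocks.

```conf
# Added illustration: SSID, identity, paths, IDs and PIN are placeholders.

# 1) Pre-shared key: every client holds the same passphrase, so one leaked
#    or guessed passphrase exposes the whole network.
network={
    ssid="example-net"
    key_mgmt=WPA-PSK
    psk="one passphrase shared by all clients"
}

# 2) WPA2-Enterprise with EAP-TLS: each client has its own certificate and
#    private key, which can be revoked individually.
network={
    ssid="example-net"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.org"
    # Pin the CA and server name of the RADIUS server; without these the
    # client will authenticate to any access point using the same SSID.
    ca_cert="/etc/wpa_supplicant/ca.pem"
    domain_suffix_match="radius.example.org"
    client_cert="/etc/wpa_supplicant/alice.pem"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="placeholder"
}

# 3) Same as 2), but the private key stays on a smartcard and is used
#    through the PKCS#11 engine instead of being read from a file.
pkcs11_engine_path=/usr/lib/engines/pkcs11.so
pkcs11_module_path=/usr/lib/opensc-pkcs11.so
network={
    ssid="example-net"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.org"
    ca_cert="/etc/wpa_supplicant/ca.pem"
    domain_suffix_match="radius.example.org"
    engine=1
    engine_id="pkcs11"
    key_id="01"
    cert_id="01"
    pin="placeholder"
}
```

In block 2 the private key file is the asset to protect on the endpoint (file permissions, disk encryption), which is the cost the comments under the first answer point out.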