Encrypt WiFi connection per connected user

Question

One of the questions that comes on quite often is about WiFi encryption.

Now imagine that you have multiple users connecting to one AP. With a simple WPA2 protection setup they can still sniff each others traffic.

What technology would allow a different encryption key per user? So that when multiple users are on the same AP they would not be able to see each others plain traffic?

Does RADIUS implement this? How does the initial setup work?

Can this also be done with a simple home AP?

Edit

For the bounty I'd like to see some expansion in regard to EAP protocols.

Answer 1

I'm going to assume your goals are the following:

1. Prevent unauthorized access to the WiFi AP.
2. Maintain the confidentiality of traffic between WiFi clients and the AP.
3. Maintain the integrity of traffic between WiFi clients and the AP.
4. Allow multiple users to authenticate to the AP with different credentials.

RADIUS implements goals #1 and #4, but not in the way that you might expect. In traditional 802.11 authentication, the client sends an authentication key to the AP, which verifies it and, if correct, allows the client to connect. The actual key exchange is more complicated, and varies depending on what security protocol you're using (e.g. WEP, WPA, WPA2), but that's somewhat irrelevant to our scenario.

RADIUS sits on top of these protocols, acting as a credential provider. With RADIUS, the AP sends all authentication requests over to the RADIUS server (usually via wired ethernet) responsible for managing the AP. One of the major benefits of RADIUS is that different users can log in with different credentials, and all attempts can be logged and audited. Some configurations allow for client certificates as an authentication mechanism, which is much stronger than traditional passwords. However, the use of RADIUS does not solve #2 and #3, because the underlying security protocols (WPA / WPA2) are flawed, allowing traffic to be sniffed, decrypted and (in certain scenarios) modified by authenticated clients.

In order to fulfill goals #2 and #3, you need to implement IPsec on your network. IPsec acts as an end-to-end cryptography mechanism at the Internet layer (i.e. IP layer), providing confidentiality, integrity and authenticity. Authentication is part of IPsec, so it partially supercedes RADIUS in this purpose.

In any case, IPsec should act as a strong authentication mechanism, using client certificates. Further security via RADIUS is a good thing, because it allows the following benefits:

• Protection from standard WiFi cracking attempts.
• A credential store for VPNs, remote NAS, etc.
• Full audit / logging for device authentication on the AP.

In terms of your last question, "can I do this on a home AP?", it depends. Almost all will allow for RADIUS, but I'm not sure how many will support IPsec. RADIUS on its own will not prevent sniffing between legitimate clients, but it will provide a barrier to unauthenticated clients. You need IPsec to enforce confidentiality.

Answer 2

WiFi access point usually cannot use several encryption keys simultaneously. So no, they cannot do encryption which locks out connected clients from each other. WiFi protection aims at emulating the physical protection of an ethernet LAN: people who can connect get full access to the LAN (at the ethernet layer). Encryption is meant to prevent unauthorized access (yeah, it is a bit weird to use encryption for an authentication job, but such is WiFi).

If you want encryption for what it is meant (confidentiality of data transfer), then concentrating on the WiFi layer misses the point: the data does not cease to be confidential once it reaches the access point. Confidentiality is best addressed if ensured end-to-end, from sender to receiver. The access point is neither, so it should not be able to see the data. But with WPA2 and similar techniques, the access point performs the decryption and encryption, and has access to the clear data. Also, we call it an "access point" because it "gives access" to a larger network (up to an including the whole Internet), and the encryption services of the AP do not go beyond the AP itself.

Therefore, for confidentiality, you should use data encryption systems which operate at upper levels. That's what happens when you access a HTTPS Web site: encryption from your browser to the distant site, regardless of the access points and networks which are used in between. More comprehensive solutions include various Virtual Private Network technologies, and, ultimately, opportunistic encryption with IPsec (IPsec is often used as a basis for a VPN, but, theoretically, it could be active transparently for every connection over the Internet -- the standards are done, the implementations are widespread, it "just" needs everybody to take a bold step into the future, simultaneously).

Answer 3

Different Encryption Key Per User

It is important to start by clarifying your question since terminology is important when discussing encryption: I think a more pointed question in pursuit of your goal is "What technology would allow a sufficiently different encryption key per user, so that when multiple users are on the same AP it would be very difficult to see each others' plain traffic?"

The WPA2 system (currently the standard-and relatively secure-solution to over the air confidentiality and integrity) uses individual keys for each client (called Pairwise Keys) which are based on either a Preshared Key (where the same simple key is given to each user) or a random initialization (for 802.1x backed authentication).

When using a PSK, there is a four-way handshake (good discussion of 4-way process here: How exactly does 4-way handshake cracking work?) that starts with the PSK on the client and AP, and a zero-knowledge proof is used to verify that the other really knows the right PSK without divulging what it is before proceeding (to prevent giving the key away to a rogue). The end result is a seeded encryption session based on the PSK, but using newly generated information. (Great answer about keying here: WPA2 Enterprise AES encryption key size?) This means that, if starting with just the PSK and observing another user's session already in progress, you will not be able to easily decrypt the data since you don't know the random nonce. You need to have recorded the 4-way handshake to know the nonce, AND posses the PSK, to easily decrypt a WPA2 session in progress.

Does Radius Implement This

The 802.1x protocol is port-based authentication backed by some sort of AAA server (commonly Radius). 802.1x does not form the encryption session, it only sets the stage for it. Upon successful authentication of the username and password (done in an encrypted tunnel) the AP starts a WPA2-encrypted session with a seed sufficiently secret and random that guessing by other users authenticated to the same AP is sufficiently hard (see discussion: https://superuser.com/questions/373453/802-1x-what-exactly-is-it-regarding-wpa-and-eap and real world product: http://freeradius.org/enterprise-wifi.html).

Can this also be done with a simple home AP

As of 2015, off the shelf APs in the very low end (under $50 MSRP) can be found with support for WPA2-Enterprise which implements 802.1x based on a Radius server. Most, however, do not also include the Radius server so it is not a self-contained solution. You will need to have or implement a Radius server on your network (Free and commercial packages are available), or subscribe to a service like AuthenticateMyWifi (http://www.nowiressecurity.com/#!hosted-cloud-radius-8021x-service/c1739). See http://www.ciscopress.com/articles/printerfriendly/1576225 for additional information about the pieces involved in 802.1x implementation.