I recently learned about how WPA-PSK works. If I understand correctly, the 4-way handshake enables the protocol to ensure mutual possession of the PMK (and therefore, the PSK) without sending the PMK/PSK over. This way it's not susceptible to a man-in-the-middle attack.
My question is, how is mutual authentication ensured in case of WPA-Enterprise? I'm running 802.1x with FreeRadius and PEAP at my home network (just as a hobby project) and it works, but I'm not sure if I understand how it works.
I'm using PEAP, so clients are authenticated with usernames and passwords. But do clients make sure that the WiFi network they're talking to is not a man-in-the-middle? The authentication server has an SSL/TLS certificate, but it is self-signed. Shouldn't the root CA certificate used to sign the server certificate be installed on the clients for this to work? This is not the case in my setup, but all my Android clients connect just fine.
If my aforementioned understanding is correct, that would mean WPA-Enterprise with PEAP is less secure than WPA-PSK because a man-in-the-middle attack is possible to intercept the passwords. This seems weird to me. Is there a flaw in my understanding?
EDIT:
I found a partial answer in this article. However, I still have questions unanswered.
- Does this really mean that my WPA2-Enterprise PEAP setup is less secure than plain WPA2-PSK? Seems really counter-intuitive because WPA2-PSK is so much simpler and only requires one shared secret. How is it possible that WPA2-PSK is able to ensure mutual authentication with just a shared secret while WPA2-Enterprise is not?
- Should I be worried about it (and proceed to improve/secure my setup) or is it not likely that this can be exploited?
- How can I make the clients validate the server's certificate? Is the only way to install the certificates manually on all the clients? (In that case, if I need to distribute certificates anyway, I can better switch to EAP-TLS)
- Or is it possible to use a public certificate just like with HTTPS? How would that work? With HTTPS, your certificate is 'anchored' to your domain, which you've proven to the CA that is yours. How does this work with RADIUS servers?
EDIT:
Found more answers.
EAP-MS-CHAP-V2 (Microsoft Challenge-Handshake Authentication Protocol version 2) is a mutual authentication method that supports password-based user or computer authentication. During the EAP-MS-CHAP v2 authentication process, both the client and the RADIUS server must prove that they have knowledge of the user's password for authentication to succeed. Mutual authentication is provided by including an authenticator packet returned to the client after a successful server authentication.
(I can't post more than 2 links, so I won't be able to provide a source for this quote)
Here it is explained that the second stage / inner authentication protocol, MS-CHAPv2, is a mutual authentication protocol too. It makes sense now.
However, this article suggests that MS-CHAPv2 isn't safe anymore. Since I rely on MS-CHAPv2's mutual authentication properties in my WPA2-Enterprise setup, are there any alternatives to MS-CHAPv2 that are more secure?
EDIT:
I just found out about EAP-PWD, a new single-stage EAP authentication protocol which is supposed to be stronger than PEAPv0/EAP-MSCHAPv2, provides mutual authentication, and doesn't need SSL/TLS certificates at all.
EAP-PWD is highly secure (the password is never transmitted, even in encrypted form), and does not require PKI certificates, and also requires only 3 authentication round-trips. So it is considered efficient to roll out in eg Eduroam and other environments. Requires that the Radiator user database has access to the correct plaintext password.
The only problem seems to be that it isn't widely adopted yet. Android (> 4.0) does support it however, which is nice. But I still couldn't find much information about it and by the looks of it, Windows doesn't support it.