Aruba Networks FIPS 140-2 manual WPA2-PSK

Page 25

Authentication Mechanism: Wireless Client WPA2-PSK (Wireless Client Role)

Mechanism Strength: For WPA2-PSK there are at least 95^16 (=4.4 x 10^31) possible combinations. In order to test a guessed key, the attacker must complete the 4-way handshake with the AP. Prior to completing the 4-way handshake, the attacker must complete the 802.11 association process. That process involves the following packet exchange:

∙ Attacker sends Authentication request (at least 34 bytes)
∙ AP sends Authentication response (at least 34 bytes)
∙ Attacker sends Associate Request (at least 36 bytes)
∙ AP sends Associate Response (at least 36 bytes)

Total bytes sent: at least 140. Note that since we do not include the actual 4-way handshake, this is less than half the bytes that would actually be sent, so the numbers we derive will absolutely bound the answer.

The theoretical bandwidth limit for IEEE 802.11n is 300Mbit, which is 37,500,000 bytes/sec. In the real world, actual throughput is significantly less than this, but we will use this idealized number to ensure that our estimate is very conservative.

This means that the maximum number of associations (assume no delays, no inter-frame gaps) that could be completed is less than 37,500,000/214 = 267,857 per second, or 16,071,429 associations per minute. This means that an attacker could certainly not try more than this many keys per second (it would actually be MUCH less, due to the added overhead of the 4-way handshake in each case), and the probability of a successful attack in any 60 second interval MUST be less than 16,071,429/(4.4 x 10^31), or roughly 1 in 10^25, which is much less than 1 in 10^5.

Authentication Mechanism: Mesh AP WPA2-PSK (User role)

Mechanism Strength: Same as Wireless Client WPA2-PSK above.

Authentication Mechanism: Certificate based authentication – RSA key pair (CO role)

Mechanism Strength: The module supports RSA 2048-bit keys, which has at least 112-bits of equivalent strength. The probability of a successful random attempt is 1/(2^112), which is less than 1/1,000,000. The probability of a success with multiple consecutive attempts in a one-minute period is 5.6e7/(2^112), which is less than 1/100,000.
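The strength argument above, carried through in exact integer arithmetic as an added example (not part of the Aruba policy), so that both FIPS 140-2 thresholds can be checked for any keyspace and attempt budget rather than read off a single case. Function and parameter names are my own; the WPA2-PSK guess rate is bounded by summing the four association frame sizes listed above (140 bytes) against the idealized 300 Mbit/s link.

```python
from dataclasses import dataclass
from fractions import Fraction

# FIPS 140-2 limits the policy tests each mechanism against:
# a single random attempt must succeed with probability < 1/1,000,000 and
# one minute of consecutive attempts with probability < 1/100,000.
SINGLE_ATTEMPT_LIMIT = Fraction(1, 1_000_000)
PER_MINUTE_LIMIT = Fraction(1, 100_000)


@dataclass(frozen=True)
class MechanismStrength:
    """Keyspace size and the attacker's attempt budget for one minute."""
    keyspace: int
    attempts_per_minute: int

    @property
    def single_attempt(self) -> Fraction:
        return Fraction(1, self.keyspace)

    @property
    def per_minute(self) -> Fraction:
        # Union bound: P(any of n guesses hits) <= n / keyspace
        return Fraction(self.attempts_per_minute, self.keyspace)

    def meets_fips_140_2(self) -> bool:
        return (self.single_attempt < SINGLE_ATTEMPT_LIMIT
                and self.per_minute < PER_MINUTE_LIMIT)


def wpa2_psk_bound(alphabet=95, length=16, link_bits_per_sec=300_000_000,
                   assoc_frame_bytes=(34, 34, 36, 36)) -> MechanismStrength:
    """Bound the guess rate by the bytes one 802.11 association costs on an
    idealized 802.11n link (no inter-frame gaps, 4-way handshake not counted)."""
    keyspace = alphabet ** length                 # exact 95**16, not 4.4e31
    bytes_per_sec = link_bits_per_sec // 8        # 37,500,000
    per_association = sum(assoc_frame_bytes)      # 140 bytes for the four frames
    associations_per_sec = bytes_per_sec // per_association   # 267,857
    return MechanismStrength(keyspace, associations_per_sec * 60)


def rsa_bound(security_bits=112, attempts_per_minute=56_000_000) -> MechanismStrength:
    """RSA-2048 ~ 112 bits of strength; one-minute budget as the policy states (5.6e7)."""
    return MechanismStrength(2 ** security_bits, attempts_per_minute)


if __name__ == "__main__":
    for name, m in (("WPA2-PSK", wpa2_psk_bound()), ("RSA key pair", rsa_bound())):
        print(f"{name}: per-attempt {float(m.single_attempt):.2e}, "
              f"per-minute {float(m.per_minute):.2e}, FIPS ok: {m.meets_fips_140_2()}")
```

Shortening the PSK to four characters keeps the single-attempt bound under 1/1,000,000 but fails the per-minute bound, which is why the policy evaluates both.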
