ZyWALL 5/35/70 Series User’s Guide

Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

Table 269 Comparison of EAP Authentication Types

 

EAP-MD5

EAP-TLS

EAP-TTLS

PEAP

LEAP

 

 

 

 

 

 

Mutual Authentication

No

Yes

Yes

Yes

Yes

 

 

 

 

 

 

Certificate – Client

No

Yes

Optional

Optional

No

 

 

 

 

 

 

Certificate – Server

No

Yes

Yes

Yes

No

 

 

 

 

 

 

Dynamic Key Exchange

No

Yes

Yes

Yes

Yes

 

 

 

 

 

 

Credential Integrity

None

Strong

Strong

Strong

Moderate

 

 

 

 

 

 

Deployment Difficulty

Easy

Hard

Moderate

Moderate

Moderate

 

 

 

 

 

 

Client Identity Protection

No

No

Yes

Yes

No

 

 

 

 

 

 

WPA

User Authentication

WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless stations using an external RADIUS database.

Encryption

WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES), Message Integrity Check (MIC) and IEEE 802.1x.

TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.

TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice.

The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless stations. This all happens in the background automatically.

AES (Advanced Encryption Standard) also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data.

Appendix H Wireless LANs

714