T 2.119 Inappropriate selection of WLAN authentication methods

The selection of the authentication methods to be used must be based on the protection requirements of the data to be transported in the WLAN. Note that WEP must be considered insecure and offers a number of possibilities for attack, for example the ability to extract the keys from the data packets. These could then be used to successfully gain access to the WLAN.

If the key material used for authentication or encryption in the WLAN is not distributed with care or stored securely enough, then any method which relies on these keys to attain a certain security level may be completely worthless. Passwords that are too simple, and certificates that are inadequately protected, can give an attacker valid access to a WLAN. In a WLAN secured using WPA, the pre-shared keys represent a security gap if they are selected inappropriately, i.e. when they are not complex enough.
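To make the point about pre-shared keys concrete, the following added example (not part of the catalogue entry) derives the WPA/WPA2-Personal PSK exactly as IEEE 802.11i specifies it, PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, and applies a simple acceptance check to candidate passphrases. Because the SSID is broadcast in clear and the derivation is deterministic, the PSK is only as hard to guess as the passphrase; the check therefore estimates passphrase entropy and rejects passphrases on a small denylist or containing the SSID. The SSID, the passphrases and the denylist are constructed sample values, and the 80-bit minimum is an assumed policy threshold, not a figure from the catalogue.

```python
import hashlib
import math
import string

# Constructed sample data for this example (not taken from the catalogue entry).
SAMPLE_SSID = "example-wlan"
# Small constructed denylist standing in for a real common-passphrase list.
COMMON_PASSPHRASES = {"password", "12345678", "qwertyuiop", "letmein123"}


def derive_wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-Personal PSK from a passphrase.

    IEEE 802.11i defines the PSK as PBKDF2-HMAC-SHA1 over the passphrase with
    the SSID as salt, 4096 iterations, 32 bytes of output. The derivation is
    deterministic and the SSID is public, so the PSK is exactly as hard to
    guess as the passphrase itself.
    """
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def estimate_entropy_bits(passphrase: str) -> float:
    """Upper-bound estimate of passphrase entropy: length * log2(character pool).

    Assumes characters were chosen uniformly from the classes present; real
    passphrases built from dictionary words score far lower, so treat this as
    a ceiling, not a guarantee.
    """
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        pool += len(string.punctuation) + 1
    return len(passphrase) * math.log2(pool) if pool else 0.0


def check_passphrase(passphrase: str, ssid: str, min_bits: float = 80.0) -> list:
    """Return a list of findings; an empty list means no obvious weakness.

    min_bits is an assumed policy threshold for this example.
    """
    findings = []
    lowered = passphrase.lower()
    if lowered in COMMON_PASSPHRASES:
        findings.append("passphrase is on the common-passphrase denylist")
    if ssid.lower() in lowered:
        findings.append("passphrase contains the SSID, which is broadcast in clear")
    bits = estimate_entropy_bits(passphrase)
    if bits < min_bits:
        findings.append(
            f"estimated entropy {bits:.1f} bits is below the {min_bits:.0f}-bit minimum"
        )
    return findings


if __name__ == "__main__":
    for candidate in ("password", "Kp3!vR9#wL2$qZ8m"):
        psk = derive_wpa_psk(candidate, SAMPLE_SSID)
        verdict = check_passphrase(candidate, SAMPLE_SSID) or ["ok"]
        print(f"{candidate!r}: PSK={psk.hex()}")
        for line in verdict:
            print("   ", line)
```

The first candidate is the kind of passphrase the entry warns about: it derives a perfectly valid PSK, yet every guess at it costs an attacker only one PBKDF2 computation, so the derivation adds work but no secrecy. The check can be dropped into a provisioning script so that such passphrases are refused before they reach an access point.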

There are also EAP methods, though, that pose a threat due to a number of vulnerabilities. For example, EAP-MD5 uses CHAP as its authentication method, which, among other things, requires both sides to know the password in clear text. Furthermore, EAP-MD5 does not support the generation of keys and therefore cannot be used directly in conjunction with IEEE 802.11i. Moreover, cryptographic weaknesses have been discovered recently in the MD5 hash method, so this hash method can no longer be considered secure.

The problem with EAP-PEAP from a cryptographic point of view is that the outer TLS tunnel which PEAP establishes authenticates only the server, not the client; client authentication happens solely inside the tunnel.

Some EAP methods also contain vulnerabilities in their own right. For example, the proprietary EAP-LEAP from Cisco is susceptible to dictionary attacks, and tools are already available that exploit precisely this vulnerability and render even strong passwords ineffective.

Likewise, another disadvantage of EAP-LEAP is that it must be supported explicitly by all WLAN components and that there is no interoperability between EAP-LEAP and other EAP methods, contrary to the requirements of IEEE 802.1X.