A security administrator must implement a network authentication solution which will ensure encryption of user credentials when users enter their username and password to authenticate to the network. Which of the following should the administrator implement?
A. WPA2 over EAP-TTLS
B. WPA-PSK
C. WPA2 with WPS
D. WEP over EAP-PEAP
Explanation:
D: Wired Equivalent Privacy (WEP) is designed to provide security equivalent to that of a wired network.
WEP has vulnerabilities and isn’t considered highly secure. Extensible Authentication Protocol (EAP)
provides a framework for authentication that is often used with wireless networks. Among the five EAP
types adopted by the WPA/WPA2 standard are EAP-TLS, EAP-PSK, EAP-MD5, as well as LEAP and PEAP.
PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS
tunnel to protect user authentication, and uses server-side public key certificates to authenticate the
server. It then creates an encrypted TLS tunnel between the client and the authentication server. In most
configurations, the keys for this encryption are transported using the server’s public key. The ensuing
exchange of authentication information inside the tunnel to authenticate the client is then encrypted and
user credentials are safe from eavesdropping.
Incorrect Answers:
A: WPA2 is a more recent version of WEP. Although many consider PEAP and EAP-TTLS to be similar
options, PEAP is more secure because it establishes an encrypted channel between the server and the
client. EAP-Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLS. With EAP-TTLS the client can, but does not have to, be authenticated to the server via a CA-signed PKI certificate.
B: WPA is basically a version of WEP. EAP-PSK, defined in RFC 4764, is an EAP method for mutual
authentication and session key derivation using a Pre-Shared Key (PSK). EAP-PSK is documented in an
experimental RFC that provides a lightweight and extensible EAP method that does not require any
public-key cryptography. The EAP method protocol exchange is done in a minimum of four messages.
C: WPA2 is a more recent version of WEP but does not ensure encryption of user credentials when they
enter their usernames and passwords to authenticate to the network.
Reference: Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 171, 181.