LEAP (Lightweight Extensible Authentication Protocol) is a communications protocol that was developed by Cisco for use in point-to-point connections and wireless networks. However, its security flaws became obvious and people quickly came to prefer alternatives.
In this article, we take a look at how this protocol works, the commonly-known issues with it, how it contrasts with other authentication protocols, and what you must consider for the security of your organization’s authentication protocols.
Wireless Security and Network Management
Today’s advancements in technology have led to a decrease in electronic device sizes. These smaller devices are now portable and need to remain connected online for users on the move. This has introduced the need for secure authentication protocols that can enable employees to sign into their workplaces remotely and securely.
Today’s wireless security protocols are quite secure. However, there are some ancient ones that have long been known to be vulnerable yet are still in use. In this section, we’ll discuss network management, access controls, and some commonly-used protocols.
What Is Wireless Network Management?
Wireless network management allows your organization to continue running as it scales upwards without choking the information technology infrastructure. In fact, there are already various discussions on what the next generation of wireless security will likely look like. Third parties have even come up with solutions that assist in managing your network by providing the following:
Cisco has developed a solution that can offer you this kind of service, known as Cisco Prime Infrastructure.
What Is Network Access Control?
Network access control allows you to have network visibility of your organization as well as define policies that determine how you can perform access management of users and devices accessing your network.
A Background on Some Wireless Protocols
Over the years, there have been various protocols implemented for wireless communication security. Even though a number of them have been phased out due to their security issues, there is still a huge chance that some organizations still have one or two implementations of these. Some of the well-known protocols include:
Password Authentication Protocol (PAP)
PAP operates by the client repeatedly sending an authentication packet (which is the username and password) to the server until it receives an acknowledgment. The main problem with this is that the authentication packet is completely sent in cleartext and can thus be intercepted by a man-in-the-middle (or sniffing) attack.
Challenge-Handshake Authentication Protocol (CHAP)
CHAP operates by letting the server initiate the authentication request. The server sends the client a random string, which the client then uses together with the password as parameters for an MD5 hash function. The result is sent to the server along with the username in plaintext. The server uses the username and same string it initially sent the client to compute its hash, then compares the two hashes in order to determine a successful or unsuccessful authentication.
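The exchange described above, as an added example that is not part of the original article. It follows the RFC 1994 construction, where the hash input is the one-byte packet identifier, the shared secret and the challenge; the class and function names and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapServer:
    """Hypothetical authenticator holding the shared secrets."""
    def __init__(self, users):
        self.users = users      # username -> shared secret (constructed sample data)
        self.pending = {}       # identifier -> outstanding challenge

    def new_challenge(self):
        identifier = os.urandom(1)[0]
        challenge = os.urandom(16)          # fresh random string per attempt
        self.pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier, username, response):
        # Consume the challenge so a captured response cannot be replayed.
        challenge = self.pending.pop(identifier, None)
        secret = self.users.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare

def run_exchange(server, username, password):
    """Client side: answer the server's challenge, return (result, on-wire fields)."""
    identifier, challenge = server.new_challenge()
    response = chap_response(identifier, password, challenge)
    # Everything below crosses the link unencrypted; the password itself does not.
    on_wire = {"identifier": identifier, "challenge": challenge,
               "name": username, "response": response}
    return server.verify(identifier, username, response), on_wire
```

The `on_wire` dictionary shows what a passive observer sees: the username, the challenge and a hash derived from the password, which is why the protection CHAP offers rests entirely on the strength of the shared secret.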
Lightweight Extensible Authentication Protocol (LEAP)
LEAP was introduced by Cisco Systems back in the year 2000. The aim of this was to counter some of the earlier vulnerabilities suffered by previous authentication technologies (CHAP and PAP). Even though attacks against the LEAP protocol were previously known, Cisco maintained for a long time that the protocol was secure if users could implement complex passwords. However, much safer protocols were introduced that included EAP-TLS, EAP-TTLS, and PEAP.
Extensible Authentication Protocol (EAP)
This is an authentication framework that is widely used in point-to-point and wireless networks. EAP defines message formats that protocols use. In Wi-Fi networks, for instance, the WPA and WPA2 standards have implemented about one hundred EAP types as being the official authentication mechanisms.
Security-wise, basic EAP was built with the assumption that the communication channel implementing it would be secure — an assumption that time proved wrong. Since there were no facilities in place to safeguard EAP conversations, the Protected Extensible Authentication Protocol (PEAP) was developed.
There are three subtypes of EAP that are more secure than basic EAP. They are:
EAP-TLS (Transport Layer Security) works in such a way that it does not rely on user passwords and is thus entirely password-cracking-resistant. Instead, EAP-TLS works by having digital certificates on BOTH the server and client for secure key exchange and authentication.
EAP-TTLS (Tunneled Transport Layer Security) works in a similar way as EAP-TLS, except that it does away with requiring the installation of digital certificates on the client’s end.
Protected Extensible Authentication Protocol (PEAP)
PEAP was developed jointly by Cisco, Microsoft, and RSA Security, and works mainly by encapsulating EAP within a Transport Layer Security (TLS) tunnel. It is very similar to EAP-TTLS and also only requires the addition of a server-side PKI certificate for use during authentication and server-side public key certificates for server authentication. There are two subtypes of PEAP:
PEAPv0 and PEAPv1 handle outer authentication (used during the creation of the secure TLS tunnel), while EAP-MSCHAPv2 and EAP-GTC handle inner authentication (used for user and device authentication).
Understanding How LEAP Works and Its Importance
How does LEAP work?
LEAP works by implementing security techniques such as dynamic WEP keys. This allows the client to authenticate multiple times to a RADIUS server. This is done to prevent an attacker from cracking the security key and using it long-term. The authentication (challenge/response) is done in a modified version of MS-CHAPv2, but this transaction transmits the username in cleartext, and an attacker is able to obtain it. Some third parties used to be able to support LEAP via what was known as the Cisco Compatible Extensions Program.
Why should you use LEAP?
One of the main reasons that organizations resorted to using LEAP was that there was no need to install or set up digital certificates. Since LEAP uses mutual authentication, man-in-the-middle attacks were mitigated. A major shortcoming of LEAP, though, was that it implemented MS-CHAPv2; that means that it inherited the security issues that MS-CHAPv2 had, including the major issue of transmission of data in cleartext.
What was LEAP made for?
LEAP was made by Cisco as a proprietary solution to be implemented in Access Points. At that time, it was Cisco’s intention to dominate much of the access point market share, so they worked on EAP and closed it down, naming it Cisco EAP or LEAP. LEAP’s mutual authentication capabilities also meant that it was a more secure alternative to previous security protocols.
How does LEAP compare to PEAP?
Remember, LEAP allowed its mutual authentication transactions to be sent out in the clear and not in any encrypted form. PEAP was supposed to address this issue. Basically, PEAP encapsulates its EAP communication within a TLS tunnel and requires a certificate to be installed only on the authentication server for encryption.
Strengthening Your Authentication Protocols
Wireless technologies have gone through massive security changes over the years in the quest for both the most efficient security algorithms and the most secure transmission channels. You need to make sure that your organization’s authentication protocols are properly secured in order to keep away unauthorized individuals.
What are authentication protocols?
Basically, authentication protocols are communication or cryptographic protocols whose main job is to transfer authentication data between two entities. This is the most important layer when it comes to network communication, as it requires authentication to the network. Authentication protocols allow the proper syntax and information to be exchanged between the two parties.
Why should you strengthen your authentication protocols?
Stealing someone’s identity on the Internet today is unimaginably easy. Authentication protocols need to be strengthened in order to secure how users authenticate to your organization and prevent unauthorized individuals from gaining unauthorized access to data and information. Authentication servers should also be considered while settling on the protocol to use.
What is the best authentication protocol for enterprise use?
Deciding on the best authentication protocol for enterprise use can be a very tricky affair. There are a number of things that should be considered. First of all, as has been seen above, insecure protocols such as LEAP and EAP-MD5 must be avoided due to their vulnerabilities. How, then, do we decide what to implement from the remaining protocols? It comes down to the following two major points:
Client compatibility: Some operating systems might not be able to make use of certain protocols, so you need to make sure that no challenges will be encountered once you decide to go with an authentication protocol.
Authentication server compatibility: The same is true here. For instance, PEAPv0 only authenticates users with MS-CHAPv2, while EAP-TLS entirely depends on client-side digital certificates for authentication.
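One way to check client configurations for the protocols this section says to avoid, as an added example that is not from the original article. It assumes the clients use wpa_supplicant.conf syntax; the sample file, the function names and the extra check for a missing server CA on tunnelled methods are assumptions added here.

```python
import re

AVOID = {"LEAP", "MD5"}                      # methods the article says to avoid
NEEDS_SERVER_CERT = {"PEAP", "TTLS", "TLS"}  # methods that rely on a server certificate
# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """
network={
    ssid="legacy-lab"
    key_mgmt=IEEE8021X
    eap=LEAP
}
network={
    ssid="corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-cert"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/ssl/corp-ca.pem"
}
"""

def parse_networks(text):
    """Return one dict of key/value fields per network={...} block."""
    networks = []
    for block in re.findall(r"network=\{(.*?)\}", text, flags=re.S):
        fields = {}
        for line in block.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks

def audit(text):
    """Return (ssid, finding) tuples for weak or unvalidated EAP settings."""
    findings = []
    for net in parse_networks(text):
        ssid = net.get("ssid", "<unnamed>")
        methods = set(net.get("eap", "").upper().split())
        for m in sorted(methods & AVOID):
            findings.append((ssid, f"eap={m} is a method to avoid"))
        if methods & NEEDS_SERVER_CERT and not (net.get("ca_cert") or net.get("ca_path")):
            findings.append((ssid, "no ca_cert/ca_path: server certificate is not validated"))
    return findings
```

Run over the sample, `audit(SAMPLE_CONF)` reports the LEAP network and the PEAP network that never validates the server certificate, and passes the EAP-TLS network.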