Login Authentication - Password article

Login Authentication

User Authentication

The task of user authentication is performed by your server. In a typical network login, a user will identify herself to the Elektron server by providing a username nd password. Elektron will then verify that the username exists, and if so, that the password provided matches the password associated with the username in Elektron's database. If both conditions are met, the user is granted access to the network

A risk in using password-based authentication is that during the login process the user must send to the server their username and password before the secure wireless channel has been established. This would leave the login prone to passive eavesdropping by an attacker. Secure Wi-Fi logins avoid this problem by establishing a encrypted channel that is used only for the login process prior to sending usernames and passwords. Once the user's identity has been established and access to the Wi-Fi network has been granted, the encrypted login channel is torn down and all wireless communications between the access point and the client are encrypted using a dynamic encryption key separate from that used during the login

Server Authentication

While server is responsible for verifying the identity of users attempting to login to your network, users have the responsibility to verify the identity of the Elektron server. This is an important and sometimes overlooked aspect of network security. It is arguably the more difficult of the two authentications performed for Wi-Fi network access, as it requires configuration of each client machine that will be accessing the network

Unlike users, which typically identify themselves using a username and password, server proves its identity using a digital certificate. Validating the server's digital certificate can appen automatically within the user's wireless networking client software, provided the client software has been pre-configured to recognize the certificate authority that issued the server's certificate. server makes it easy to configure client certificate verification, creating double-clickable installers for both the Mac OS X and Windows XP platforms

In order to verify the server's identity, users must perform digital certificate chain validation. If the digital certificate validation fails, then the server's identity could not be verified and the Wi-Fi network access attempt should be terminated by the user. Such a failure can be indicative of a attacker attempting to lure a legitimate user into logging into fake network, thus fooling the user into giving up their username and password. Once armed with the user's credentials, the attacker can then use them to login to the legitimate corporate network.