Open main menu

Linux and Unix Users Group at Virginia Teck Wiki β

Changes

Virginia Tech Wifi

122 bytes removed, 21:49, 2 February 2015
Move the MSCHAPv2 stuff into the Cert Pinning section
====Certificate pinning====
 
Due to vulnerabilities in the MSCHAPv2 protocol that allow the protocol to be cracked quickly with a 100% success rate<ref>[https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/]</ref>, it is ''absolutely critical'' that the RADIUS server certificate be validated properly before attempting authentication. Unfortunately, VT is in the process of deprecating a much stronger authentication method, [[EAP-TLS]], and as such, network certificates will no longer be an option.
Where possible, we opt for the highest level of verification of the certificate: manually pinning the hash of the certificate we expect to be presented. The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of the certificate.
For general tips on improving your security while using the network, consider reading reading the EFF's [https://ssd.eff.org/ Surveillance Self-Defense] tips and/or contacting the [https://security.vt.edu/ Virginia Tech Information Security Office].
 
==A word of caution on MSCHAPv2==
Warning: Use of PEAP-MSCHAPv2 to connect to the Virginia Tech network is strongly discouraged by the Linux and Unix Users Group due to attacks that can allow all traffic to be decrypted with a 100% success rate. Unfortunately, VT has deprecated its use so users will soon lose the choice to use certificates.
 
At DefCon 20 in July 2012, an attack was announced for MSCHAPv2 that allows the protocol to be cracked quickly with a 100% success rate.<ref>[https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/]</ref> '''Use of MSCHAPv2 is strongly discouraged.'''
 
==Set your remote access (network) passphrase==
Anonymous user