Legacy Authentication

The CWSP exam is based on 802.11-2012. There are some legacy security authentication and encryption that we should never use those days. Some of those legacy mechanisms are deprecated in 802.11-2016 that came out mid 2017.

Legacy authentication

Open System Authentication
Open System Authentication (OSA) is not deprecated. Though it is not deprecated, it is still considered a legacy authentication mechanism. OSA is not considered secure since it doesn’t use any authentication. OSA is mostly used in combination with authentication methods WPA or WPA2. OSA uses two frames for authentication. The client transmits a request to authenticate and the access point replies with a success or deny frame. After authentication, there will be two association frames as well. WEP is a possibility for encryption, but WEP is also legacy (we will talk about this later). WEP is optional within OSA, but WEP is mandatory in Shared Key Authentication (SKA).

Shared Key Authentication
As mentioned above, Shared Key Authentication (SKA) uses WEP for authentication. Since OSA doesn’t use any authentication security, SKA looks more secure, since some security (even if it is deprecated) is better than none. That is true, but OSA makes use of WPA or WPA2 as authentication mechanism and that makes OSA more secure than SKA with WEP. About WEP, I will go in to more details later in another blog. SKA uses four frames for authentication, and after that association frames will follow. OSA used two frames for authentication and two frames for association. The client sends an authentication request, the access point replies, in clear text, a challenge. With the WEP key, that needs to be the same at the client and the access point, the client encrypts the clear text challenge. The client sends the encrypted challenge back to the access point. The access point decrypts the challenge with his WEP key and compares the received challenge with the challenge that the access point transmitted. After this, the access points reply with a success or deny frame. If the challenges are the same, it will be success. When there is a mismatch in the challenge or the access point cannot decrypt the text, it will reply with a failure.