Wireless Authentication and Key Generation

Captions
Okay, in this video we're going to discuss how a wireless client accesses the wireless network. We're going to start out with open system authentication and discuss the four frames there, and we'll move on to WPA and WPA2 pre-shared key authentication. From there we'll take a look at 802.1X authentication, and we're also going to compare the pairwise master key that is derived in both pre-shared key and 802.1X authentication and compare the security in both of them. We'll also take a look at the four-way handshake and how our encryption keys are derived.

So we're going to start out with open system authentication. In open system authentication, think about it: if you walk into a restaurant and you see a sign on the door that says "free Wi-Fi here," you pull out your device and you see this list of networks that you can access. That is the SSID being broadcast from the access point, and you can click on that and it begins the open system authentication. In open system authentication, the first thing that takes place is your client device will send an authentication request frame over to the access point. The access point will then send an authentication response back to the client device. Your client device will then request an association with an association request frame, and the AP will respond back to that request with an association response frame. At this point in time open system authentication has completed, and it's pretty much that simple. In an unsecured network that's pretty much all it takes to get on the network.

I will give you a scenario in a wired network to help explain it. If you have a desktop computer with a network interface card on the back of it, and you plug an Ethernet cable into that port and the other end of that cable into a switch port on the network, and you see a green light come on, that is basically telling you you have good connectivity between the two devices. That's exactly what's happening with open system authentication, and if there's no security on either the wired or the wireless network, you have access to start using the network. Now at this point in time, after these four frames take place, you basically can be surfing the web, with one exception I'll mention here: there might be a captive portal where the people who own the hotspot want to post a disclaimer and get you to agree to certain terms or rules for using their network.

But now I want to talk about how we get secure data exchange, and that starts out in the way we authenticate to the network. But we have to bring keys into the picture, and our security is in the keys. So when we start taking a look at WPA and WPA2, we first need to understand the keys. If you are the type of person who has email, online banking, cloud computing, some sort of access credentials to a network, web browsing, secure personal files, what have you, you understand that your digital world is vulnerable when it comes to accessing your data, and the last thing you want is to be hacked. That's never a pretty picture. Every part of our daily lives and data processing, emailing, texting, etc., has the potential to be hacked and our information compromised, thus the need for keys.

So what are keys? Imagine again, let's put you in a scenario: you went off to the movies, and when you come back home you approach your front door. It's locked and secured just the way you left it, and you pull out your key ring, and on that key ring there is one unique key that fits the slot in that door lock, that will turn that bolt and get you back into the house. That's not really what we're talking about here, but it is the idea, because here's what we're really talking about when we talk about keys to the network: numbers, letters, strings of characters, what have you. They're sometimes longer, but that's what we're talking about when we talk about keys for our network. And if we want secure data exchange, we have to understand which keys are best for us to use. So the key again allows or disallows connections and data access; it does encryption and decryption. And if you're going to think about a key, I'd like for you to try to think of it like this first in order to understand it: I've strung out the key variable across the top of the physical key so you can understand that that string of characters is what locks and unlocks, or encrypts or decrypts.

So we're going to take a look at WPA and WPA2 pre-shared key, and this is actually what the scenario would look like. I'm going to introduce the pairwise master key, and every client in WPA and WPA2 pre-shared key gets the same PMK. Here's how that happens: in WPA and WPA2 pre-shared key there is a pre-shared key value and an SSID value configured in that network. Every client that logs onto that SSID uses this same pre-shared key. Now you have a pre-shared key value and you have your SSID value; these two values are hashed together to get your pairwise master key. Now that pairwise master key is used later on during a four-way handshake to create our encryption keys for passing secure data. In this scenario with pre-shared key, every station, every client that logs on to this network gets the same pairwise master key. That does pose kind of a security risk, and so if we are really concerned about our data we may want to look into a more secure way of getting our pairwise master key and a more secure way of securing our data, and that's where we get to 802.1X authentication.

I'm going to take you back for a minute to the first frames we had, where those four frames were passing between the client and the access point, and we need to realize that we need open system authentication here to take place to put an authenticator into play. Open system authentication is required to get this access point here to become an authenticator. 802.1X has three elements: the supplicant, the authenticator and the RADIUS server. So our supplicant software is on our client device, and it's important to understand that if you are using autonomous access points, they have the potential to be both the authenticator and the RADIUS server. Our wireless LAN controller, if you're using lightweight access points, also has the capability of being both authenticator and RADIUS server.

So let's explore 802.1X authentication. You have your supplicant, your authenticator and your RADIUS server, and I'm going to bring in one more piece of the puzzle: you have authorized users in your corporate environment, and somewhere there's a database that keeps track of all those authorized users, and that is your Active Directory. Now in 802.1X authentication in most environments, the corporate environment, this is exactly what you're going to see. And I want to reiterate right here one more time: 802.1X authentication goes hand in hand with open system authentication, because that open system authentication process has to take place first to put our authenticator into play. With that being done, we are ready to begin the 802.1X process.

So if you look here in the upper left-hand corner, we're assuming open system authentication has taken place. You see your access point, your authenticator, and this big red stop sign here with the words "controlled and uncontrolled ports are blocked." Those are virtual ports on the access point that are used to protect the network from unauthorized traffic. Now we're going to put those ports in play and explain those ports here in just a minute, but we're going to start out first with our very first frame, and that is an EAPOL-Start frame. Now this is an optional frame; you don't always see it, but it's basically a frame that comes from the client device telling the authenticator, "I would like to start the 802.1X authentication process." The authenticator then requests an identity from the client. The client sends that identity over to the access point, and at this point the access point will open up its uncontrolled port and allow EAP traffic only to pass through it. That's important to know: the uncontrolled port only allows EAP traffic for authentication; it doesn't allow anything else.

So when it opens that port, it sends a RADIUS Access-Request over to the RADIUS server. The RADIUS server then checks the database to make sure that's a legitimate, authorized identity, and the database will validate that identity. The RADIUS server will then send an Access-Challenge. Now, for the sake of understanding in this particular video, we're going to call this Access-Challenge a password. There are lots of flavors of EAP out there that have tokens, certificates, things like that, PACs; we're going to call this a password just to understand what we're looking for right now. So our authenticator forwards that EAP challenge request, asking "is there a password that goes along with this identity?" Our client device will send that response back to the access point, and the access point will forward it through its own control port as a RADIUS Access-Request. The database will be queried again with that response, and if it matches up, the RADIUS server will then send a RADIUS Access-Accept frame over to our authenticator, and it will in turn forward that success frame, in an EAP-Success frame, over to our client device, and 802.1X authentication has been successful.

Now it's important to lay out right here: we are going to introduce a new key, and it's called a master session key. Once this authentication process has been successful, a master session key is generated on both the client device and the RADIUS server. It's important to know that it's generated on both sides; it is not passed across the airwaves. This master key is shared only between this client and this server, very different from WPA and WPA2 pre-shared key. Now this master session key is used to derive a pairwise master key. We saw the pairwise master key earlier in the pre-shared key explanation, but now this master session key is used to derive a pairwise master key, and this pairwise master key is derived only on the client device and the RADIUS server, and the RADIUS server will move its pairwise master key over to the access point. Now this pairwise master key is not shared between all the other clients on the network; it is only shared between this client and this access point for this client session alone. That's very unique compared with what you saw earlier on pre-shared key.

So we're not done yet. We're going to look now at the four-way handshake and how these pairwise master keys are used. Introducing the four-way handshake: think back again that our open system authentication has completed, our EAP authentication has completed, and we have generated this pairwise master key. Now we introduce something called EAPOL-Key frames. There are four of these key frame exchanges, and the first one comes from our access point to the client device. Our access point will send an ANonce over to the client device, our supplicant, and the supplicant will check the replay counter to make sure no replay attacks have been performed against this nonce, and it will use this nonce and its pairwise master key to generate what is called a pairwise transient key. Now this pairwise transient key is used to encrypt and decrypt unicast traffic for this session only. When I say this session, it's between this one particular client and the access point; it's not shared anywhere else. Once this pairwise transient key is generated on the client, the client sends frame number two over to the access point, and it's also a nonce, but it's called the SNonce. This nonce is protected by a message integrity check so that the integrity is not messed with over the airwaves, and when this nonce gets to the access point, that very same pairwise transient key that is over on the client device is now calculated and generated over on our access point. Now the two devices share the same pairwise transient key to encrypt and decrypt unicast traffic between the two, and it never passed across the airwaves. This is very important to understand: this key was not sent through the airwaves to be tampered with; it was generated on both sides.

Now frame number three is basically a verification of the Robust Secure Network information element, and it's also protected with a MIC. But before we go any further, I'd like to bring in what is called a group master key. The group master key is generated on the access point. This group master key is important because it generates a key called the group temporal key. Now this group temporal key is needed when there is broadcast or multicast traffic going out from this access point to multiple clients. If this GTK is needed, it is sent over to the client on the third frame in the four-way handshake, so that's important to know as well. Once the supplicant receives this frame and has verified it's talking with a trusted AP, no replay attacks have taken place, and it shares the same keys on both sides, it will send frame number four, and that's basically just an acknowledgement that we share the same keys, no attacks have been performed, this process has been secure and we can close this process. Now that is a lot of information to take in, and it can make your head hurt, but the point to remember, where we're at right now, is that the controlled port on the access point, the authenticator, has now opened, and we are ready to start sending and receiving secure data packets.

Now just to make sure we got all that correct, we're going to review back over it. We start out with open system authentication. In open system authentication we have these four frames that take place: authentication request, authentication response, association request, association response. Then we are ready to see the optional frame, the EAPOL-Start frame. It is an optional frame; we don't always see it, but it basically starts this process. You see the EAP Request-Identity from the access point, the EAP response, the RADIUS Access-Request forwarded through the uncontrolled port. The Active Directory checks for the credentials to make sure they're there and validates the credentials. The RADIUS server will send an Access-Challenge; the access point will forward that challenge to the client; the client will respond; the RADIUS Access-Request is then queried over to the database again to make sure it's the correct response. The RADIUS server will then send an Access-Accept frame over to the access point, and our access point will then send an EAP-Success frame to our client. At this point in time our master session key is generated on the RADIUS server and our client device, our supplicant. That master session key is unique for this session only; it's not shared with any other client. Each client creates its own unique session key. This master session key is used to derive a pairwise master key on both the client and the RADIUS server, and then the RADIUS server moves that pairwise master key over to the authenticator, the access point, and we're ready to start the four-way handshake.

The four-way handshake starts at the access point with an ANonce being sent to the client. The client gets it, checks for replay attacks, uses the pairwise master key and the nonce, and generates a pairwise transient key for unicast traffic. It then sends a nonce over to the authenticator, and the authenticator generates that same exact pairwise transient key to encrypt and decrypt that unicast traffic in this unique session between this client and itself. It then sends a validation frame for the Robust Secure Network information element and sends that generated group temporal key on frame three, if needed, over to the client device. The client device then verifies that everything's been safely transmitted and they both have the same keys, and it sends an acknowledgment frame; the process closes and our controlled port then opens. That's a lot of information taking place during an authentication, but it is definitely needed when secure data access and secure data transmissions are needed.

So we're going to take another look here at 802.1X authentication to reiterate that each session gets a new, unique master session key, used to create in place a pairwise master key on the authenticator and supplicant only. So that master session key is unique per client; that pairwise master key is unique per client. If another supplicant logs on, a new master session key is created; that master session key is used to derive a new pairwise master key that is moved over to the authenticator and the client, and that is unique for that supplicant only. So the difference here between WPA and WPA2 pre-shared key and 802.1X authentication is that pairwise master key per session: no matter who logs on, they all get a unique pairwise master key, whereas WPA and WPA2 pre-shared key shares the same pairwise master key with everybody that logs on to the network. In this scenario our uniqueness starts out with the session key, this unique master session key that does not exist over on pre-shared key authentication. Once 802.1X authentication has been completed, a unique master session key, and the key word here is "session," is generated to generate a unique pairwise master key per session. That is the big difference between WPA and WPA2 pre-shared key authentication and 802.1X authentication. From those keys we derive our encryption keys, the pairwise transient key for unicast, and that creates our secure connections for each individual session.

So going back and looking at 802.1X authentication, the key to having secure connections: we found out that our security is not just in the key, because we can have open system authentication, which has no keys; we can have WEP, which is a very dated method and very insecure, and can be hacked in any way, shape and fashion nowadays; but we also have the pre-shared key that we looked at, that is not near as secure as 802.1X authentication. So the key to having a secure connection is not just in the key; we've explained that and proven that it's actually in how you get the key that is important. So 802.1X authentication should be your chosen method for your enterprise in order to secure your network and your network data. And that concludes our video. I hope you've enjoyed it, hope you've got something out of it. Share it with your friends and play it over and over. I've enjoyed creating it.
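The following is an added worked example, not code from the video or its author, that carries the key derivations in the transcript through in Python with only the standard library: the WPA/WPA2-PSK pairwise master key from passphrase and SSID, the PMK taken from an 802.1X master session key, the pairwise transient key (PTK, what the transcript calls the pairwise transit key) that both the supplicant and the access point compute on their own from the ANonce and SNonce, and the MIC and replay-counter checks on the EAPOL-Key frames. The MAC addresses, nonces and MSK bytes are constructed sample values; the passphrase "password" with SSID "IEEE" is the PBKDF2 test vector from the IEEE 802.11 standard. Message 3 and message 4 of the handshake are only described in comments.

```python
import hashlib
import hmac
import os

# Added example: PMK and PTK derivation as described in the video, standard
# library only. MACs, nonces and the MSK are constructed sample values.


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    Every station configured with the same passphrase and SSID computes this
    same PMK, which is the shared-PMK weakness the video points out."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def pmk_from_msk(msk: bytes) -> bytes:
    """802.1X/EAP: the PMK is the first 256 bits of the Master Session Key that
    the EAP method produced independently on supplicant and RADIUS server."""
    return msk[:32]


def prf(key: bytes, label: str, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for
    i = 0, 1, ... concatenated and truncated to nbytes."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label.encode("ascii") + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK for CCMP (PRF-384) split into KCK | KEK | TK. Both sides feed in the
    same inputs, so both compute the same PTK without it ever being sent."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, "Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (AKM 00-0F-AC:2) EAPOL-Key MIC: HMAC-SHA1 over the frame with the
    MIC field zeroed, truncated to 128 bits. WPA/TKIP used HMAC-MD5 instead."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def replay_counter_ok(last_seen: int, received: int) -> bool:
    """A supplicant accepts an EAPOL-Key frame only if its replay counter is
    larger than the last one it processed; a repeated counter is a replay."""
    return received > last_seen


def four_way_handshake(pmk, aa, spa, anonce=None, snonce=None):
    """Simulates messages 1-4 between the AP (authenticator, MAC aa) and the
    station (supplicant, MAC spa). Returns what each side derived and whether
    the replay-counter and MIC checks passed."""
    anonce = os.urandom(32) if anonce is None else anonce
    snonce = os.urandom(32) if snonce is None else snonce
    sta_last_counter = 0
    # Message 1 (AP -> STA): ANonce + replay counter. No MIC is possible yet,
    # because the station has no PTK until it has seen the ANonce.
    msg1_counter = 1
    replay_ok = replay_counter_ok(sta_last_counter, msg1_counter)
    if not replay_ok:
        return {"replay_ok": False}
    sta_last_counter = msg1_counter
    sta_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    # Message 2 (STA -> AP): SNonce, MIC'd with the station's KCK. The MIC is
    # computed over the frame with the MIC field zeroed (modelled as omitted).
    msg2 = b"EAPOL-Key msg2" + msg1_counter.to_bytes(8, "big") + snonce
    msg2_mic = eapol_mic(sta_ptk["kck"], msg2)
    # AP side: it now holds both nonces, derives the same PTK and checks the MIC.
    ap_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    mic_ok = hmac.compare_digest(msg2_mic, eapol_mic(ap_ptk["kck"], msg2))
    # Message 3 (AP -> STA) carries the RSN IE and the GTK wrapped under the KEK,
    # and message 4 (STA -> AP) is the acknowledgement; both are MIC'd with the
    # KCK exactly like message 2 and are not modelled further here.
    return {"sta_ptk": sta_ptk, "ap_ptk": ap_ptk,
            "replay_ok": replay_ok, "mic_ok": mic_ok}


if __name__ == "__main__":
    # Constructed sample MACs; the PMK input is the IEEE 802.11 Annex J vector.
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    psk_pmk = derive_pmk("password", "IEEE")
    print("PSK PMK:", psk_pmk.hex())
    s1 = four_way_handshake(psk_pmk, aa, spa)
    s2 = four_way_handshake(psk_pmk, aa, spa)
    print("same PMK, different PTK per session:", s1["sta_ptk"] != s2["sta_ptk"])
    # With 802.1X each EAP run yields a fresh MSK, hence a fresh PMK per session.
    print("802.1X PMKs differ:", pmk_from_msk(os.urandom(64)) != pmk_from_msk(os.urandom(64)))
```

Running it shows the point the video makes in both directions: with PSK the PMK is the same for every station and only the per-session nonces separate one PTK from another, while with 802.1X the PMK itself is already unique per session because it comes from that session's MSK. Note that the PTK never appears in any message; only the nonces and the MIC do.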
Info
Channel: Brett Hill
Views: 66,760
Rating: 4.9084668 out of 5
Keywords: Wireless Authentication, 802.1X explained, Wireless Security, learn 802.1X
Id: ntGA6V5EciE
Length: 23min 37sec (1417 seconds)
Published: Sat Jul 19 2014