5. Wifi Protected Access (WPA and WPA2) Flashcards
What does unicast transmission mean?
Unicast data transfer or transmission is data transfer between the access point and ONE TRUSTED client.
What type of authentication does WPA use?
WPA uses PSK (Pre-Shared Key) authentication, with a 256-bit key.
Encryption is RC4 with TKIP.
What encryption and authentication does WPA2 use?
WPA2 also uses PSK (Pre-Shared Key) authentication, with a 256-bit key.
Encryption is AES (Advanced Encryption Standard), which replaced RC4.
What authentication and encryption does WPA Enterprise have?
Encryption is TKIP.
Authentication is 802.1X / EAP.
What authentication and encryption does WPA2 Enterprise have?
Encryption is AES with CCMP.
Authentication is the enterprise authentication protocol 802.1X with EAP / PEAP,
meaning each user has an individual login and password to access the LAN.
In the authentication process what is the mobile device trying to connect known as?
The supplicant (which is actually the part of the device's software that helps it connect).
In authentication processes, what is the router / access point referred to as?
The authenticator.
In WPA / WPA2 PERSONAL, how does WPA authentication occur?
It uses Extensible Authentication Protocol over LAN (EAPOL).
A Four-Way Handshake takes place between the device and the access point (before data is sent), described below.
Initially both the device and the router generate a Master Key using the Password & Network Identity (SSID).
Each device (access point and the connecting device) generates a Pairwise Master Key (PMK) and also a randomly generated number (Nonce). The PMK is 256 bits long. They send their nonces to each other.
The access point sends the ANonce to the connecting device.
The connecting device sends the SNonce back to the access point, together with a MIC (Message Integrity Code) computed using the PTK (Pairwise Transient Key).
4 EAPOL packets are sent as part of the authentication process (referred to as the 4-way handshake). This handshake process is used to generate the encryption keys.
- Session key generated
- Client creates a checksum based on the session key and sends a group session key
- Checksum confirmed by the access point
- Session key installed
Describe the PMK (Pairwise Master Key) process
The Pairwise Master Key (PMK):
- created using a password that is 8 to 63 characters long along with the SSID.
- The PMK is known by both the supplicant and the authenticator.
- The PMK is never sent over the network.
- The PMK is not used to encrypt packets.
- It is used to generate the PTK (Pairwise Transient Key).
- It is derived using PBKDF2 (Password-Based Key Derivation Function 2).
What is the PTK (Pairwise Transient Key)?
The PTK is a unique encryption key generated for each wireless client device (supplicant) connected to the network. It is used to encrypt and decrypt data between a specific client device and the wireless access point (router).
How is the PTK (Pairwise Transient Key) generated?
The PTK is derived from four components:
Pairwise Master Key (PMK): A shared secret key preconfigured on both the wireless access point and the client devices. It serves as the initial key for generating the PTK.
ANonce (Access Point Nonce): A random number generated by the access point to ensure each PTK is unique.
SNonce (Supplicant Nonce): A random number generated by the client device, also used to ensure uniqueness.
MAC Addresses: The MAC addresses of both the access point and the client device are used as additional inputs in the key generation process.
By combining these components and running them through a cryptographic algorithm, the PTK is generated.
What are some of the issues in generating hash values for passwords?
You can generate a simple hash value by taking the input and running it through a simple hash algorithm (e.g. SHA-256) to create a unique digest.
BUT this is vulnerable to dictionary attacks.
To overcome this vulnerability we can add a SALT to the password.
The SALT can be a random number of bytes. The salt and the password are then run through the hash algorithm, and yet another salt can be added. This is STILL vulnerable to dictionary and brute-force attacks because the SHA-256 hash algorithm is widely known. It can be made more secure by using HMAC to iterate the salt-and-hash process thousands of times. HOWEVER, modern processors are so fast that this is still not secure, so a better hashing method was needed: PBKDF2. See next.
What is the PBKDF2 (Password Based Key Derivation Function2)?
An algorithm used to generate a binary key on a WPA network. It makes passwords more secure by making them less vulnerable to brute-force attacks, adding computational work to the password hashing process.
Defined by RFC 2898.
Here's how it works:
- Password and SSID (primary input)
- Salt: A unique, random value added to the password before hashing to ensure uniqueness
- Hash Function: A cryptographic hash function (e.g., SHA-256) is used in the process.
- Iteration Count: A specified number of iterations to perform, adding computational complexity. In WPA this is 4096 iterations.
- Output Length: The desired length of the derived key. In WPA this is 256 bits.
Process:
1. Combine Password and Salt: The password is combined with the salt.
2. Hashing with Iterations: The combined value is hashed repeatedly for the specified number of iterations.
3. Derive Key: The final hashed value is taken after the specified iterations, producing a secure key.
What 5 inputs are required for the 4-way handshake in WPA authentication?
- Pairwise Master Key (PMK). Used to generate the PTK
- Authenticator Nonce (ANonce)
- Supplicant Nonce (SNonce)
- Authenticator Address (AA). MAC address of access point
- Supplicant Address (SA). MAC address of client.
At the start of the 4 way handshake, the supplicant (client) has the PMK, the SNonce and both MAC addresses. Once the Authenticator (access point) has sent the ANonce to the supplicant, the supplicant has all the required info to create the encryption keys (the PTK).
Summarise what the PTKs (Pairwise Transient Keys) are and how they work.
The PTK is a set of encryption keys used for different functions. A different PTK is used for each session and device.
The PTK contains either 3 (CCMP) or 4 (TKIP) 128-bit keys, used for encryption and authentication in the 4-way handshake and also for data transfer.
It is generated by the supplicant.
- The KCK (Key Confirmation Key) is used to generate MICs (Message Integrity Codes) as part of the handshake.
- The KEK (Key Encryption Key) is used to ensure data confidentiality during the handshake process, by encrypting the only key sent from the authenticator to the supplicant.
- The remaining keys are used for unicast data transfer and are known as the TEK (Temporal Encryption Key).
- The Temporary MIC Key (TMK) is only used for data authentication with TKIP. It is not used for CCMP.
What is the GTK (Group Temporal Key)?
- GTK is actually the ONLY key transmitted between authenticator and supplicant during the handshake
- GTK = Random Number Generated by Authenticator
- GTK encrypts Broadcast/Multicast Data between Authenticator & Supplicant
- Often Derived from Group Master Key (GMK) on a multicast system
Describe the detailed steps of the 4-way handshake between supplicant & authenticator
At the start of the 4-way handshake, the supplicant (client) has the PMK, the SNonce and both MAC addresses. It needs the ANonce.
1. The ANonce is sent to the supplicant by the authenticator.
- The supplicant now has what it needs to generate the PTK.
2. With the PTK the supplicant can protect the SNonce with a MIC, which it sends to the authenticator (sends SNonce + MIC).
- The authenticator can then derive the PTK AND check whether the message has been tampered with in transit.
3. The authenticator responds by sending the GTK (Group Temporal Key) to the client, with the frame protected by a MIC (sends GTK + MIC).
4. The supplicant now has the PMK, the PTK and the GTK, so it sends an acknowledgement to the authenticator to confirm that the key frames have been received and the keys installed, and that data can now be sent (sends Acknowledgement + MIC).
Other general points about the 4-way handshake
Some or all steps in the 4-way handshake may need repeating if the communication fails or drops during the process.
In WPA and WPA2 Personal, the 4-way handshake happens RIGHT AFTER the system authentication.
In Enterprise networks with 802.1X, it happens AFTER the full 802.11 EAP authentication.
If you want to view the 4-way handshake in Wireshark, what filter do you use?
eapol
WPA / WPA2 Personal wifi can also be known as what?
WPA and WPA2 Personal can also be known as PSK mode, or Pre-Shared Key mode.
There are other means of communication & authentication on Wi-Fi networks. Name some.
- WPS (WiFi Protected Setup)
Also known as WiFi Simple Config. A protocol released in 2006 by the Wi-Fi Alliance. Allows quick and easy setup of a Wi-Fi connection for home users, particularly helpful for non-tech-savvy users. However, it has many vulnerabilities.
- WPA/WPA2 Enterprise
Multicast wireless networks (multi-user networks) where users have individual logins & passwords.
Users are authenticated by a RADIUS (Remote Authentication Dial In User Service) server.
Does not use the regular key exchange because each user is authenticated by their unique username and password. A master key is then exchanged.
Allows the administrator to have control over access.
Found in large organisations where many users connect to a wireless network.
Describe the authentication process for WPA ENTERPRISE
Authentication Process in WPA Enterprise:
1. Client Association: The client (supplicant) sends an association request to the authenticator.
2. Authentication Request: The authenticator responds by requesting that the supplicant supplies its credentials. The supplicant's credentials are supplied to the authenticator (by the supplicant).
3. EAP Exchange: The Extensible Authentication Protocol (EAP) is used to facilitate the exchange of authentication information. Different EAP types (e.g., EAP-TLS, PEAP) can be used depending on the network setup.
4. Identity Verification: The authenticator relays the supplicant's credentials to the RADIUS SERVER for verification. The RADIUS server verifies the client's identity using the provided credentials (e.g., username and password, digital certificates).
5. Access Approval: If the RADIUS server approves the client's authentication, it sends an access approval message to the access point. If successful, there may be additional messages sent between the supplicant and the RADIUS server for further authentication.
6. Four-Way Handshake: The access point and client complete a four-way handshake to ensure the secure exchange of the Pairwise Transient Key (PTK) and Group Temporal Key (GTK). This handshake ensures mutual authentication and key agreement. There are numerous authentication protocols that can be used with EAP (Extensible Authentication Protocol).
What are the benefits of WPA Enterprise?
Benefits of WPA Enterprise:
Centralized Authentication: The use of a RADIUS server allows for centralized control and management of user credentials.
Enhanced Security: Dynamic key generation and mutual authentication provide a higher level of security.
Scalability: Suitable for larger networks with multiple users and access points.
Some helpful summaries of the key terms learnt in this lecture
TKIP – designed as a software patch to upgrade WEP in already deployed equipment
WEP – the original 802.11i security protocol
PMK – Pairwise Master Key = session authorization token
KCK – Key Confirmation Key = session “authentication” key
KEK – Key Encryption Key = session key for encrypting keys
TK – Temporal Key = session “encryption” key
4-Way Handshake – 802.11i key management protocol
WPA2 Summary.
WPA2:
Introduced in 2004
Designed to Replace WEP & WPA
AES Standard
CCMP Replaced TKIP
Mandates SUPPORT of protected management frames