https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075908#M140346 <HTML><HEAD></HEAD><BODY><P>thanks</P><P></P><P>with&nbsp; WPA2 PSK how is the authentication part encrypted?</P></BODY></HTML> Wed, 07 Nov 2012 15:23:11 GMT Jacob Berger 2012-11-07T15:23:11Z https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075904#M140342 <P style="text-align: left; unicode-bidi: embed; direction: ltr;">If I understand correctly</P><P style="text-align: left; unicode-bidi: embed; direction: ltr;">WPA2 has two parts</P><P style="text-align: left; unicode-bidi: embed; direction: ltr;">Authentication and encryption</P><P style="text-align: left; unicode-bidi: embed; direction: ltr;">If I use WPA2 enterprise with RADIUS server and certificates</P><P style="text-align: left; unicode-bidi: embed; direction: ltr;">The authentication part would take place within an encrypted (TLS or other) session</P><P style="text-align: left; unicode-bidi: embed; direction: ltr;">And data session will be encrypted with say AES.</P><P style="text-align: left; unicode-bidi: embed; direction: ltr;"></P><P style="text-align: left; unicode-bidi: embed; direction: ltr;">Questions</P><P style="text-align: left; unicode-bidi: embed; direction: ltr;"></P><UL><LI>•1. Is the above correct?<BR /></LI><LI>•2. Is the whole session between wireless device and AP encrypted and unhackable?<BR /></LI><LI>•3. When using WPA2 personal (PSK), is the session also encrypted with AES?<BR /></LI></UL> Sun, 04 Jul 2021 05:59:43 GMT https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075904#M140342 Jacob Berger 2021-07-04T05:59:43Z https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075905#M140343 <HTML><HEAD></HEAD><BODY><P>Jacob,</P><P></P><P>Great questions! Always nice to see people deep dive this subject. I like you had all those questions as well. </P><P></P><P>Yes, Yes and Yes.. </P><P></P><P></P><P>There are 2 very distinct authentications 802.1X and PSK. Both are part of the 802.11-2007 Standard. If you use radius &lt;802.1X&gt; a EAP type is used for authentication. Each EAP type has its own way of authenticating. Some are a dual authentication like PEAP, while others are not like LEAP. </P><P></P><P>PEAP for example uses MSCHAP V2 and TLS to send the login in a secure manner. Again, picking on LEAP uses MSCHAPV2 only, which is breakable and less secure. </P><P></P><P>After authentication. Then encryption is negoisated during the 4 WAY handshake. ONLY EAPs thats have dual authentication can do AES and TKIP due to the need for dyamic seeding material. </P><P></P><P>I blogged about a lot of this at my site </P><P><A class="jive-link-external-small" href="http://www.my80211.com/8021x/">http://www.my80211.com/8021x/</A></P><P></P><P>Hope this helps </P><P></P><P></P><P></P><P></P><P></P><P>__________________________________________________________________________________________ <BR />"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin <BR />__________________________________________________________________________________________ <BR />‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."</P></BODY></HTML> Wed, 07 Nov 2012 14:29:02 GMT https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075905#M140343 George Stefanick 2012-11-07T14:29:02Z https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075906#M140344 <HTML><HEAD></HEAD><BODY><P>&nbsp; Thanks</P><P></P><P>Just to clarify</P><P>a plain old home user laptop session on a home wirless router with WPA2 PSK setup, is encrypted for whole length of session?</P><P>no option of wireshark or anything to sniff around?</P></BODY></HTML> Wed, 07 Nov 2012 14:58:23 GMT https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075906#M140344 Jacob Berger 2012-11-07T14:58:23Z https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075907#M140345 <HTML><HEAD></HEAD><BODY><P>Correct. And each time you logon you will create new seeding material as well <NEW keys="">. You dont get the same KEY each time. </NEW></P><P></P><P>__________________________________________________________________________________________ <BR />"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin <BR />__________________________________________________________________________________________ <BR />‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."</P></BODY></HTML> Wed, 07 Nov 2012 15:09:53 GMT https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075907#M140345 George Stefanick 2012-11-07T15:09:53Z https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075908#M140346 <HTML><HEAD></HEAD><BODY><P>thanks</P><P></P><P>with&nbsp; WPA2 PSK how is the authentication part encrypted?</P></BODY></HTML> Wed, 07 Nov 2012 15:23:11 GMT https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075908#M140346 Jacob Berger 2012-11-07T15:23:11Z https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075909#M140347 <HTML><HEAD></HEAD><BODY><P>Good question .. </P><P></P><P>The PSK authentication is open to a hack if you capture 2 parts of the 4 way handshake. But this will not expose your traffic, rather it will expose your PSK key. Look up cow-patty hack. </P><P></P><P>As for the key encryption. During this process KEK,KCK keys are used to protect the keying process. </P><P></P><P>Read this ..</P><P></P><P></P><P><A class="jive-link-external-small" href="http://www.my80211.com/8021x/2010/10/3/george-stefanick-cwsp-journey-chapter-5-4-way-handshake-post.html" rel="nofollow">http://www.my80211.com/8021x/2010/10/3/george-stefanick-cwsp-journey-chapter-5-4-way-handshake-post.html</A></P><P></P><P></P><P>__________________________________________________________________________________________ <BR />"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin <BR />__________________________________________________________________________________________ <BR />‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."</P></BODY></HTML> Wed, 07 Nov 2012 15:56:33 GMT https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075909#M140347 George Stefanick 2012-11-07T15:56:33Z https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075910#M140348 <HTML><HEAD></HEAD><BODY><P> Thanks </P><P>Ur the King</P></BODY></HTML> Thu, 08 Nov 2012 15:32:54 GMT https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075910#M140348 Jacob Berger 2012-11-08T15:32:54Z https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075911#M140349 <HTML><HEAD></HEAD><BODY><P>No worries. I hope this helps. Stop back if you have issues. </P><P></P><P></P><P>__________________________________________________________________________________________ <BR />"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin <BR />__________________________________________________________________________________________ <BR />‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."</P></BODY></HTML> Thu, 08 Nov 2012 15:55:24 GMT https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075911#M140349 George Stefanick 2012-11-08T15:55:24Z https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075912#M140350 <HTML><HEAD></HEAD><BODY><P>George </P><P></P><P>Sorry for opening this thread again</P><P></P><P></P><P>above you state</P><P></P><P>"The PSK authentication is open to a hack if you capture 2 parts of the 4 way handshake. But this will not expose your traffic, rather it will expose your PSK key. Look up cow-patty hack."</P><P></P><P></P><P></P><P>here:</P><P></P><P><A href="http://serverfault.com/questions/149888/wep-wpa-wpa2-and-wifi-sniffing">http://serverfault.com/questions/149888/wep-wpa-wpa2-and-wifi-sniffing</A></P><P></P><P>i understand that if my PSK or CERT is compromised , the traffic encryption is very much in danger.</P><P></P><P>(also authorized users who know the PSK can sniff other users packets)</P></BODY></HTML> Mon, 17 Dec 2012 14:59:59 GMT https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075912#M140350 Jacob Berger 2012-12-17T14:59:59Z https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075913#M140351 <HTML><HEAD></HEAD><BODY><P>Jacob<BR /><BR />No worries<BR /><BR />The 2 part hack is to get the key. At that point you can't see the traffic.<BR /><BR />After you have a valid key and you capture a users authentication you could in theory see that users traffic. Your sniffer would have to allow you to decrypt the packets captured. I've never tried it personally with psk. I have with wep.<BR /><BR />As for the cert I've never heard anyone actually breaking wireless in that manner. Not to say it can't happen. But that could take forever to do. You might have a better chance hitting the lottery.<BR /><BR /><BR /><BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Mon, 17 Dec 2012 16:00:17 GMT https://community.cisco.com/t5/wireless/question-about-authentication-and-encryption/m-p/2075913#M140351 George Stefanick 2012-12-17T16:00:17Z