cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
942
Views
5
Helpful
9
Replies

Question About Authentication And Encryption

Jacob Berger
Level 2
Level 2

If I understand correctly

WPA2 has two parts

Authentication and encryption

If I use WPA2 enterprise with RADIUS server and certificates

The authentication part would take place within an encrypted (TLS or other) session

And data session will be encrypted with say AES.

Questions

  • •1. Is the above correct?
  • •2. Is the whole session between wireless device and AP encrypted and unhackable?
  • •3. When using WPA2 personal (PSK), is the session also encrypted with AES?
2 Accepted Solutions

Accepted Solutions

George Stefanick
VIP Alumni
VIP Alumni

Jacob,

Great questions! Always nice to see people deep dive this subject. I like you had all those questions as well.

Yes, Yes and Yes..

There are 2 very distinct authentications 802.1X and PSK. Both are part of the 802.11-2007 Standard. If you use radius <802.1X> a EAP type is used for authentication. Each EAP type has its own way of authenticating. Some are a dual authentication like PEAP, while others are not like LEAP.

PEAP for example uses MSCHAP V2 and TLS to send the login in a secure manner. Again, picking on LEAP uses MSCHAPV2 only, which is breakable and less secure.

After authentication. Then encryption is negoisated during the 4 WAY handshake. ONLY EAPs thats have dual authentication can do AES and TKIP due to the need for dyamic seeding material.

I blogged about a lot of this at my site

http://www.my80211.com/8021x/

Hope this helps

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

Jacob

No worries

The 2 part hack is to get the key. At that point you can't see the traffic.

After you have a valid key and you capture a users authentication you could in theory see that users traffic. Your sniffer would have to allow you to decrypt the packets captured. I've never tried it personally with psk. I have with wep.

As for the cert I've never heard anyone actually breaking wireless in that manner. Not to say it can't happen. But that could take forever to do. You might have a better chance hitting the lottery.




Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

9 Replies 9

George Stefanick
VIP Alumni
VIP Alumni

Jacob,

Great questions! Always nice to see people deep dive this subject. I like you had all those questions as well.

Yes, Yes and Yes..

There are 2 very distinct authentications 802.1X and PSK. Both are part of the 802.11-2007 Standard. If you use radius <802.1X> a EAP type is used for authentication. Each EAP type has its own way of authenticating. Some are a dual authentication like PEAP, while others are not like LEAP.

PEAP for example uses MSCHAP V2 and TLS to send the login in a secure manner. Again, picking on LEAP uses MSCHAPV2 only, which is breakable and less secure.

After authentication. Then encryption is negoisated during the 4 WAY handshake. ONLY EAPs thats have dual authentication can do AES and TKIP due to the need for dyamic seeding material.

I blogged about a lot of this at my site

http://www.my80211.com/8021x/

Hope this helps

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

  Thanks

Just to clarify

a plain old home user laptop session on a home wirless router with WPA2 PSK setup, is encrypted for whole length of session?

no option of wireshark or anything to sniff around?

Correct. And each time you logon you will create new seeding material as well . You dont get the same KEY each time.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

thanks

with  WPA2 PSK how is the authentication part encrypted?

Good question ..

The PSK authentication is open to a hack if you capture 2 parts of the 4 way handshake. But this will not expose your traffic, rather it will expose your PSK key. Look up cow-patty hack.

As for the key encryption. During this process KEK,KCK keys are used to protect the keying process.

Read this ..

http://www.my80211.com/8021x/2010/10/3/george-stefanick-cwsp-journey-chapter-5-4-way-handshake-post.html

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Thanks

Ur the King

No worries. I hope this helps. Stop back if you have issues.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George

Sorry for opening this thread again

above you state

"The PSK authentication is open to a hack if you capture 2 parts of the 4 way handshake. But this will not expose your traffic, rather it will expose your PSK key. Look up cow-patty hack."

here:

http://serverfault.com/questions/149888/wep-wpa-wpa2-and-wifi-sniffing

i understand that if my PSK or CERT is compromised , the traffic encryption is very much in danger.

(also authorized users who know the PSK can sniff other users packets)

Jacob

No worries

The 2 part hack is to get the key. At that point you can't see the traffic.

After you have a valid key and you capture a users authentication you could in theory see that users traffic. Your sniffer would have to allow you to decrypt the packets captured. I've never tried it personally with psk. I have with wep.

As for the cert I've never heard anyone actually breaking wireless in that manner. Not to say it can't happen. But that could take forever to do. You might have a better chance hitting the lottery.




Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: