cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

492
Views
5
Helpful
9
Replies
Beginner

Question About Authentication And Encryption

If I understand correctly

WPA2 has two parts

Authentication and encryption

If I use WPA2 enterprise with RADIUS server and certificates

The authentication part would take place within an encrypted (TLS or other) session

And data session will be encrypted with say AES.

Questions

  • •1. Is the above correct?
  • •2. Is the whole session between wireless device and AP encrypted and unhackable?
  • •3. When using WPA2 personal (PSK), is the session also encrypted with AES?
Everyone's tags (4)
2 ACCEPTED SOLUTIONS

Accepted Solutions

Question About Authentication And Encryption

Jacob,

Great questions! Always nice to see people deep dive this subject. I like you had all those questions as well.

Yes, Yes and Yes..

There are 2 very distinct authentications 802.1X and PSK. Both are part of the 802.11-2007 Standard. If you use radius <802.1X> a EAP type is used for authentication. Each EAP type has its own way of authenticating. Some are a dual authentication like PEAP, while others are not like LEAP.

PEAP for example uses MSCHAP V2 and TLS to send the login in a secure manner. Again, picking on LEAP uses MSCHAPV2 only, which is breakable and less secure.

After authentication. Then encryption is negoisated during the 4 WAY handshake. ONLY EAPs thats have dual authentication can do AES and TKIP due to the need for dyamic seeding material.

I blogged about a lot of this at my site

http://www.my80211.com/8021x/

Hope this helps

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

Highlighted

Re: Question About Authentication And Encryption

Jacob

No worries

The 2 part hack is to get the key. At that point you can't see the traffic.

After you have a valid key and you capture a users authentication you could in theory see that users traffic. Your sniffer would have to allow you to decrypt the packets captured. I've never tried it personally with psk. I have with wep.

As for the cert I've never heard anyone actually breaking wireless in that manner. Not to say it can't happen. But that could take forever to do. You might have a better chance hitting the lottery.




Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

9 REPLIES 9

Question About Authentication And Encryption

Jacob,

Great questions! Always nice to see people deep dive this subject. I like you had all those questions as well.

Yes, Yes and Yes..

There are 2 very distinct authentications 802.1X and PSK. Both are part of the 802.11-2007 Standard. If you use radius <802.1X> a EAP type is used for authentication. Each EAP type has its own way of authenticating. Some are a dual authentication like PEAP, while others are not like LEAP.

PEAP for example uses MSCHAP V2 and TLS to send the login in a secure manner. Again, picking on LEAP uses MSCHAPV2 only, which is breakable and less secure.

After authentication. Then encryption is negoisated during the 4 WAY handshake. ONLY EAPs thats have dual authentication can do AES and TKIP due to the need for dyamic seeding material.

I blogged about a lot of this at my site

http://www.my80211.com/8021x/

Hope this helps

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

Beginner

Question About Authentication And Encryption

  Thanks

Just to clarify

a plain old home user laptop session on a home wirless router with WPA2 PSK setup, is encrypted for whole length of session?

no option of wireshark or anything to sniff around?

Question About Authentication And Encryption

Correct. And each time you logon you will create new seeding material as well . You dont get the same KEY each time.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
Beginner

Question About Authentication And Encryption

thanks

with  WPA2 PSK how is the authentication part encrypted?

Re: Question About Authentication And Encryption

Good question ..

The PSK authentication is open to a hack if you capture 2 parts of the 4 way handshake. But this will not expose your traffic, rather it will expose your PSK key. Look up cow-patty hack.

As for the key encryption. During this process KEK,KCK keys are used to protect the keying process.

Read this ..

http://www.my80211.com/8021x/2010/10/3/george-stefanick-cwsp-journey-chapter-5-4-way-handshake-post.html

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
Beginner

Question About Authentication And Encryption

Thanks

Ur the King

Question About Authentication And Encryption

No worries. I hope this helps. Stop back if you have issues.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
Beginner

Question About Authentication And Encryption

George

Sorry for opening this thread again

above you state

"The PSK authentication is open to a hack if you capture 2 parts of the 4 way handshake. But this will not expose your traffic, rather it will expose your PSK key. Look up cow-patty hack."

here:

http://serverfault.com/questions/149888/wep-wpa-wpa2-and-wifi-sniffing

i understand that if my PSK or CERT is compromised , the traffic encryption is very much in danger.

(also authorized users who know the PSK can sniff other users packets)

Highlighted

Re: Question About Authentication And Encryption

Jacob

No worries

The 2 part hack is to get the key. At that point you can't see the traffic.

After you have a valid key and you capture a users authentication you could in theory see that users traffic. Your sniffer would have to allow you to decrypt the packets captured. I've never tried it personally with psk. I have with wep.

As for the cert I've never heard anyone actually breaking wireless in that manner. Not to say it can't happen. But that could take forever to do. You might have a better chance hitting the lottery.




Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

CreatePlease to create content
Content for Community-Ad

August's Community Spotlight Awards