11-07-2012 05:39 AM - edited 07-03-2021 10:59 PM
If I understand correctly
WPA2 has two parts
Authentication and encryption
If I use WPA2 enterprise with RADIUS server and certificates
The authentication part would take place within an encrypted (TLS or other) session
And the data session will be encrypted with, say, AES.
Questions
11-07-2012 06:29 AM
Jacob,
Great questions! Always nice to see people deep dive this subject. I, like you, had all those questions as well.
Yes, Yes and Yes..
There are 2 very distinct authentications, 802.1X and PSK. Both are part of the 802.11-2007 standard. If you use RADIUS (802.1X), an EAP type is used for authentication. Each EAP type has its own way of authenticating. Some are a dual authentication, like PEAP, while others are not, like LEAP.
PEAP, for example, uses MSCHAPv2 and TLS to send the login in a secure manner. Again, picking on LEAP, it uses MSCHAPv2 only, which is breakable and less secure.
After authentication, encryption is then negotiated during the 4-way handshake. ONLY EAPs that have dual authentication can do AES and TKIP, due to the need for dynamic seeding material.
I blogged about a lot of this at my site
Hope this helps
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
11-07-2012 06:58 AM
Thanks
Just to clarify
A plain old home-user laptop session on a home wireless router with a WPA2 PSK setup is encrypted for the whole length of the session?
No option of Wireshark or anything to sniff around?
11-07-2012 07:09 AM
Correct. And each time you log on you will create new seeding material as well.
11-07-2012 07:23 AM
Thanks
With WPA2 PSK, how is the authentication part encrypted?
11-07-2012 07:56 AM
Good question ..
The PSK authentication is open to a hack if you capture 2 parts of the 4-way handshake. But this will not expose your traffic; rather, it will expose your PSK key. Look up the coWPAtty hack.
As for the key encryption: during this process, KEK and KCK keys are used to protect the keying process.
Read this ..
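The two answers above (the one on 802.1X/EAP versus PSK and the 4-way handshake, and the one on KEK/KCK protecting the keying process) both come down to the WPA2 key hierarchy. The Python below is an added example, not code from this thread or from Cisco: it derives the PMK from a passphrase and SSID with PBKDF2 (with 802.1X the same 256-bit PMK is instead taken from the EAP MSK that RADIUS hands to the AP), expands it into KCK, KEK and TK with the 802.11 PRF using the two handshake nonces, and computes the KCK-keyed MIC that lets each side reject an altered EAPOL-Key frame. The MAC addresses, nonces, credentials and the simplified message-2 layout are constructed for the demo; the PRF, PBKDF2 parameters and MIC construction follow IEEE 802.11-2007.

```python
import hashlib
import hmac
import os

# --- Key hierarchy -----------------------------------------------------------

def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    With 802.1X/EAP the PMK comes from the EAP MSK instead, so it is fresh per login."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """PRF-n from IEEE 802.11-2007 8.5.1.1: HMAC-SHA1(key, label || 0x00 || data || i)
    concatenated for i = 0, 1, ... and truncated to the requested length."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise key expansion (8.5.1.2). AA/SPA are the AP and station MACs; ANonce and
    SNonce are the 'seeding material' exchanged in handshake messages 1 and 2.
    For CCMP the PTK is 384 bits: KCK (MIC key) | KEK (key-wrap key) | TK (data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


# --- EAPOL-Key integrity: what the KCK is for --------------------------------

def eapol_key_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/AES-CCMP): HMAC-SHA1 over the EAPOL-Key frame with
    its MIC field zeroed, truncated to 128 bits."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def verify_mic(kck: bytes, frame_with_zeroed_mic: bytes, mic: bytes) -> bool:
    return hmac.compare_digest(eapol_key_mic(kck, frame_with_zeroed_mic), mic)


def build_msg2(snonce: bytes, rsn_ie: bytes) -> bytes:
    """Constructed, simplified stand-in for handshake message 2 with the MIC field zeroed.
    A real EAPOL-Key frame carries more header fields; the MIC computation is the same."""
    key_info = b"\x01\x0a"  # descriptor version 2, pairwise, MIC bit set
    return key_info + snonce + b"\x00" * 16 + rsn_ie


def simulate_handshake(passphrase, ssid, aa, spa, anonce, snonce, tamper=False) -> dict:
    """Both ends derive the PTK independently; only the nonces cross the air."""
    pmk = pmk_from_psk(passphrase, ssid)
    sta = derive_ptk(pmk, aa, spa, anonce, snonce)
    ap = derive_ptk(pmk, aa, spa, anonce, snonce)
    rsn_ie = b"\x30\x14\x01\x00\x00\x0f\xac\x04"  # constructed RSN IE fragment (CCMP)
    msg2 = build_msg2(snonce, rsn_ie)
    mic = eapol_key_mic(sta["KCK"], msg2)
    if tamper:  # frame altered in transit (cipher suite changed): AP must reject it
        msg2 = msg2.replace(b"\x00\x0f\xac\x04", b"\x00\x0f\xac\x02")
    return {"mic_ok": verify_mic(ap["KCK"], msg2, mic), "TK": sta["TK"]}


def demo() -> dict:
    aa = bytes.fromhex("001122334455")   # constructed AP MAC
    spa = bytes.fromhex("66778899aabb")  # constructed station MAC
    pw, ssid = "correct horse battery", "HomeNet"  # constructed credentials
    n1, n2 = os.urandom(32), os.urandom(32)
    good = simulate_handshake(pw, ssid, aa, spa, n1, n2)
    bad = simulate_handshake(pw, ssid, aa, spa, n1, n2, tamper=True)
    # Same PSK, new nonces on the next logon: a different TK protects the next session.
    again = simulate_handshake(pw, ssid, aa, spa, os.urandom(32), os.urandom(32))
    return {"mic_ok": good["mic_ok"], "tampered_ok": bad["mic_ok"],
            "fresh_tk": good["TK"] != again["TK"]}


if __name__ == "__main__":
    print(demo())
```

Because the PSK, not the per-session keys, is the only long-lived secret in the PSK case, a weak passphrase is the thing to fix; the per-session TK changes with every handshake regardless.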
11-08-2012 07:32 AM
Thanks
You're the King
11-08-2012 07:55 AM
No worries. I hope this helps. Stop back if you have issues.
12-17-2012 06:59 AM
George
Sorry for opening this thread again.
Above you state:
"The PSK authentication is open to a hack if you capture 2 parts of the 4 way handshake. But this will not expose your traffic, rather it will expose your PSK key. Look up cow-patty hack."
Here:
http://serverfault.com/questions/149888/wep-wpa-wpa2-and-wifi-sniffing
I understand that if my PSK or cert is compromised, the traffic encryption is very much in danger.
(also authorized users who know the PSK can sniff other users packets)
12-17-2012 08:00 AM
Jacob
No worries
The 2 part hack is to get the key. At that point you can't see the traffic.
After you have a valid key and you capture a user's authentication, you could in theory see that user's traffic. Your sniffer would have to allow you to decrypt the packets captured. I've never tried it personally with PSK. I have with WEP.
As for the cert, I've never heard of anyone actually breaking wireless in that manner. Not to say it can't happen. But that could take forever to do. You might have a better chance hitting the lottery.