When the network is part of the air itself, it can be challenging to provide the right type of security. In this video, you’ll learn about WPA2, WPA3, SAE, and how to configure these settings on an access point.
One of the challenges we have with wireless networks is maintaining the confidentiality of the data that’s sent over the air. We have to make sure the people joining this wireless network are the ones authorized to see any of this data. This means before someone can connect to the wireless network, they need to authenticate and this would probably involve a username, a password, and perhaps multi-factor authentication.
Once we start sending information across the wireless network, we also have to encrypt everything because someone could listen in to the packets going over the air and begin gathering information without properly authenticating. And we need to make sure that the information we’ve received on the wireless network is exactly the same information that was originally sent. Our wireless network communication commonly includes a message integrity check, or MIC, to ensure that all of the data is sent across the network without any changes.
The root challenge, of course, is that anything we send over this wireless network is going into the air and anyone nearby is able to listen in on the signal and potentially grab information that we’re sending between stations. The obvious solution then is to encrypt all of this data that’s being sent over the wireless network so that if someone does grab these packets they wouldn’t recognize any of the data that’s inside.
On today’s wireless networks, we tend to use one of two different types of wireless encryption either WPA2 or WPA3. We introduced Wi-Fi Protected Access version 2 in 2004. We often abbreviate this as WPA2. WPA2 uses what’s known as a block cipher mode, which means it takes a block of data and encrypts all of that data and it sends the entire block across the network to the other side. WPA2 uses a block cipher mode called CCMP.
The full name of this is actually counter mode with Cipher Block Chaining message authentication code protocol or counter CBC Mac protocol. All you really need to remember is that this is the CCMP block cipher mode it provides data confidentiality using APIs for encryption and it adds a message integrity check that uses CBC-MAC to provide that verification.
As time went on and technology improved, we realized we needed an even stronger type of encryption on our wireless networks. So we introduced the new version of WPA2 called WPA3. This was introduced in 2018 and it introduced a new type of block cipher mode called GCMP. This is called Galois/Counter Mode Protocol and it’s a stronger and more powerful encryption than WPA2.
Similar to WPA2, we are still using AES for the encryption and the message integrity check is now using the Galois message authentication code or GMAC. If you’re using wireless networks at work, you’re probably not all sharing the same pre-shared key or PSK. Instead, you’re using a separate username and password to log in with 802.1X authentication. But at home, we often use shared pass phrases and there may be times in your office where shared pass phrases makes more sense than having 802.1X.
However with WPA2, there’s a significant security issue associated with pre-shared keys. That’s because there’s a four way handshake that takes place when you’re connecting to a WPA2 network. And if someone is listening in to this conversation, they can capture the hash that is used during this handshake process. Once the attacker has the hash, they can take that hash offline and begin performing brute force attacks to try to determine what that pre-shared key happens to be.
Once they’ve completed this brute force and they’ve discovered your pre-shared key, they can now return and now gain access to your wireless network. This was difficult and time consuming in 2002. But as our technology has improved, it’s become faster and faster to be able to perform this brute force attack. With the advent of the speeds that we can get from our graphics cards or the cloud based password cracking that we have, you can determine a pre-shared key on WPA2 in just a few days.
We knew that we would need to change this process to remove any possibility of an attacker gaining access to the hash and performing a brute force attack. To provide this additional security, WPA3 uses a completely different method for authenticating with pre-shared keys. This uses a mutual authentication method. So not only does the access point know that you’re the proper user for this network with a pre-shared key, but you know that you’re talking to the correct access point.
We’re now able to create session keys for our wireless networks without actually sending any of the key information across the network. This means we don’t have any four way handshakes, there’s no hash going across the network. Therefore, nobody can capture the hash and there’s no brute force attacks. This new method of authenticating with pre-shared keys is called SAE or the Simultaneous Authentication of Equals.
If you’ve done any work with the security certification or you’ve studied up on the key exchange process, you’ve probably run across the Diffie-Hellman method of key exchange. This allows two devices to derive a shared key without actually sending that key across the network. We use the same type of method to be able to create a session key on a WPA3 network. Using this method, everyone is using a different session key for their conversations, even though they’re all using the same pre-shared key.
This key exchange method was built into the WPA3 standard, and you’ll sometimes hear it referred to as the dragonfly handshake. When you’re setting up your access point, you want to be sure to choose the right method for authentication on your wireless network. You’ll have a number of options available. One of them is an open system where there’s no authentication required.
If you go to a coffee shop or you’re at an open public area, you’re probably using an open system. You might also see the option for WPA2- or WPA3-Personal. This could also be written as WPA2 or WPA3-PSK, or pre-shared key. This is where you would provide one single key and anyone who wants to connect to the wireless network would use that key to connect. And as we mentioned earlier, if you’re connecting to a wireless network at work you’re probably not using a pre-shared key that everyone uses.
You’re simply logging in with your normal username and password and you gain access to the wireless network. We refer to that as the enterprise or 802.1X connectivity, and it uses a back end authentication server such as a RADIUS server to centralize all of the logins and authentication for everyone in your organization.