There are many different aspects to encryption over a wireless network. In this video, you’ll learn about WPA2, WPA3, pre-shared keys, SAE, and more.
If you’re using a wireless network in your company, then you’re probably sending sensitive information over that network all the time. This means that we need to limit the people who might have access to that wireless network to provide the confidentiality we need to secure all of our data. This means that we’ll need to authenticate users before granting them access to the wireless network.
This usually involves assigning a username, a password, and there’s very often even multifactor authentication we might add to that. And you have to provide all of that information before you get access to the wireless network. This ensures that everything sent across the network is only sent to people who are authorized to be on the wireless network. And it ensures that everything we’re sending over that wireless network is encrypted and protected.
And there’s also a mechanism within the wireless network that ensures the data that was sent is what is being properly received on the other side. This is commonly referred to as a Message Integrity Check, or an MIC.
One type of encryption you might find on a legacy wireless device is WPA. This is WPA without a number after it. This was the original version of Wi-Fi Protected Access. And it was introduced in 2002 as a replacement for WEB, or Wired Equivalent Privacy. We found significant cryptographic vulnerabilities in the WEB. We immediately removed it from our networks. And we replaced it with WPA.
But we knew that WPA would not be the final version of a protected protocol on our wireless networks. But we needed something in the short term that would be able to use the same hardware that we were using with the Wired Equivalent Privacy encryption. This means that we created WPA using an encryption cipher of RC4, along with a Temporal Key Integrity Protocol, or TKIP. This included a larger Initialization Vector, or IV. And it encrypted the hash communication being sent across the wireless network. Every packet sent across the wireless network had its own encryption key, which resolved some of the problems we had with the older WEB protocol.
The problem with wireless networks, of course, is that this is information that’s going over the air. If you happen to know what frequencies are in use and you have the proper equipment, you can grab that information from the air and look at it.
This means that if you want to send something that’s private or personal over this wireless network, you need to encrypt the data so that if someone does intercept that information going over the air, they wouldn’t be able to read anything that they’ve received. You have to have the right encryption key to be able to send and receive information over this wireless network. And we commonly see this implemented on today’s wireless networks using WPA2 and WPA3.
WPA2 is Wi-Fi Protected Access version II. The certification for this began in 2004. And it uses a block mode of encryption called CCMP. CCMP stands for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. You might also see this referred to as Counter/CBC-MAC Protocol.
This isn’t just one technology that’s used to protect the data. It’s a combination of technologies. And CCMP uses the AES encryption mechanism for data confidentiality. And it uses CBC-MAC as the Message Integrity Check, or MIC.
In 2018, an updated version of WPA was introduced. This is Wi-FI Protected Access 3, or WPA3. Instead of using CCMP, WPA3 uses GCMP. This is the Galois/Counter Mode Protocol, which is considered to be a stronger encryption method than the older WPA2. This allows us to encrypt data using AES. It includes a message integrity check. But it includes this with a Galois Message Authentication Code, or GMAC.
To date, we have not had any significant cryptographic vulnerabilities associated with WPA2. But there are some shortcomings with WPA2 that could allow someone to perform a brute force attack on a hashed password.
There’s a handshake method that occurs between the client and the access point when connecting to a WPA2 network. If you’re using a pre-shared key or shared password that’s used for the entire wireless network, there are ways to derive the hash that is sent across that wireless network.
Now, with the hash itself, you’re not able to gain access to the network. But if you’re able to take that hash and perform a brute force, you could eventually determine what that pre-shared key happens to be.
One constant challenge as we’re trying to protect against brute force is keeping up with the technology and the changes in speed that we have with our systems. If you’re using a short pre-shared key or you’re using a name that’s very common from the dictionary, those would be very easy to brute force. But we’ve also been able to increase the speed of our brute force attacks by including graphics processing units or cloud-based password cracking. If someone is able to capture the hash, brute force the hash, and ultimately determine the pre-shared key, then they would, effectively, have access to the rest of the wireless network data.
If you’re using pre-shared keys with WPA3, then the handshaking process has changed to prevent this from occurring. This uses something called mutual authentication, where you are not only authenticating to the access point, the access point is also authenticating to you.
With WPA3, both devices can create a shared session key without having to send that session key across the network. This means that we don’t have to perform a handshake. We’re not sending a hash across the network. So there’s no opportunity for someone to grab that hash and perform a brute force attack.
This also incorporates perfect forward secrecy. That means even if the key was somehow acquired by a hacker, they still couldn’t gain access to the information transferred in the wireless communication because each communication is using its own separate session key.
This method of creating a shared session key without ever sending that key across the network is called a Simultaneous Authentication of Equals, or SAE. If you know anything about key exchange, then you may have heard the term Diffie-Hellman. And this method of key exchange is very similar to the Diffie-Hellman method. It’s simply adding on an authentication component between the two devices. Every user is going to have a different session key, even if everybody is using exactly the same pre-shared key.
This Simultaneous Authentication of Equals is built into the IEEE standard. And you may see it referred to as the “dragonfly handshake.”
So now we need to configure our access point with the appropriate security for our network. If you go to your access point, you may find there are a number of options available for configuring an access point or a wireless router with the appropriate security levels.
One configuration may be to configure it as an open system. There’s no encryption on the wireless network. There’s no authentication required. You simply connect to that particular wireless access point, and you’re able to communicate over the wireless network.
In our homes, we commonly use a pre-shared key. And we use that same shared key across all of our devices. This is sometimes called a WPA2 or WPA3 personal connection. You might also see it referred to as a WPA2 or WPA3 PSK, which refers to the pre-shared key.
If you configure this setting in your access point, then everyone on the network would use the same key. And anyone who’s new to the network would have to be given that pre-shared key to gain access.
On an enterprise or corporate network, however, we don’t want to use pre-shared keys that can be easily lost or given to someone else. Instead, we would use individual usernames and passwords for every single user.
If you look at the configurations on your access point, this is probably called WPA2 or WPA3 Enterprise. You might also see it referred to as WPA2 or WPA3 802.1X.
This usually takes advantage of an authentication server that’s on the back end so that all of your users would use their normal username and password. And those authentication details are checked against an Active Directory server, a RADIUS server, or some other type of authentication service.