Wireless Cryptography – SY0-601 CompTIA Security+ : 3.4

Wireless networks wouldn’t be a very useful networking medium without cryptography. In this video, you’ll learn about wireless encryption, WPA2, WPA3, SAE, and more.

When we’re using our wired networks, we don’t have to worry so much about other people listening in to what we’re doing. But on wireless networks, anyone nearby is able to pull our traffic right out of the air and listen in to whatever it happens to be going across the network. That means we need additional security controls whenever we’re using these wireless networks. For example, before anyone can gain access to the wireless network they need to properly authenticate, and that authentication can take a number of different forms. That might be a username, a password, there might be multifactor authentication, you might be using 802.1X, or smartcards, or some other method to help authenticate a user on to that wireless network.

We also want to be sure that all of the traffic that we’re sending across this wireless network is encrypted. If someone was to grab this information out of the air and look into the data of the packets, they would have no idea the information that was being sent because everything is sent over an encrypted channel. And it would be useful if there was integrity built into the communication as well. That way we can be assured the information we’re receiving from a third party is the information that was originally sent, and we can be assured that nothing was changed along the way. You’ll sometimes see this integrity check referred to as a Message Integrity Check, or an MIC. We’ve relied on wireless encryption since the advent of 802.11 wireless networking. That’s because anyone who’s around can effectively hear all of the conversations occurring over the network, and if we were sending this information without any encryption, it would be very, very easy for an attacker to gather these packets and see exactly what was being sent back and forth.

This means if you’re on a wireless network and you want that information to remain private, then you need to enable encryption on that wireless access point. This means that everyone using the network will have an encryption key that’s used to send and receive all of the data sent across this wireless network. If you don’t have the encryption key, then you won’t be able to understand any of the information that’s being sent between the stations on this wireless network. So if you’re using WPA2 or WPA3 encryption, then all of this information is protected over the wireless network.

WPA2 is a security type on our wireless networks that’s been around for a very long time. This is called Wi-Fi Protected Access 2, or WPA2 and this began certification in 2004. This uses an encryption called CCMP block cipher mode. This stands for Counter mode with Cipher block chaining Message authentication code Protocol, or Counter/CBC-MAC protocol. That’s a very long name that effectively means you’re using CCMP over WPA2. CCMP uses a number of different protocols to provide the security we need for our wireless networks. For example, the confidentiality of the data is encrypting with the AES protocol and the integrity that we’re using on the network, for the message integrity check or the MIC, uses CBC-MAC.

The update to WPA2 security is WPA3. This is version 3 of the WPA protocol that was introduced in 2018. It changes the encryption just a bit. It uses a different block cipher mode called GCMP. This is your Galois Counter Mode Protocol and it is an update to the encryption method used with WPA2 in an effort to make this just a bit stronger encryption than the older WPA2 protocol. The methods used for encryption and integrity are similar in many ways to WPA2, the confidentiality of the data still uses AES, but the message integrity check has changed to Galois message authentication code or GMAC. One of the significant security updates to WPA3 addressed a number of challenges with keeping WPA2 secure.

One of these is the pre-shared key issue associated with WPA2. Although the WPA2 protocol is not insecure, it still is subject to brute force attacks if somebody has the hash that is used for the pre-shared key. Obtaining the hash then, is an important first step for an attacker if they’d like to perform a brute force attack to find that key. Obtaining the hash can be done with WPA2 by listening in on the four way handshake that occurs initially when someone is connecting to the WPA2 network. And there are a number of methods where an attacker could get their hands on this hash without actually listening to the handshake. Once attackers have captured that hash information, they can begin the brute force process to try to determine what that pre-shared key might be.

As security professionals, we know that as time goes on, it becomes easier and easier to perform a brute force on these keys. Part of the reason for that is that our graphical processing units, our GPUs, are primarily used for decryption and brute force functionality and those particular processes are becoming faster and faster. We’ve also found ways to use the cloud in order to perform this password cracking, and we can use many hundreds or thousands of systems to be able to work on this brute force simultaneously. With all of that computing power behind you, it becomes easier and easier to perform the brute force. And once you have found that pre-shared key, you now effectively have access to all of the data that was sent over that wireless communication.

With WPA3, we’ve changed the authentication process to avoid this hashing problem. Instead, we’ve added additional security features such as mutual authentication so that not only are you authenticating to the access point, the access point could also authenticate with you. We’re also changing the way that the key exchange operates. Instead of sending a hash over the network, we create a shared session key without having to send that key across the network. There’s no more handshaking, there’s no more hashes that are sent, and no one is able to gain access to the hash and then perform some type of brute force attack.

We also have the advantage of perfect forward secrecy in WPA3, which means that the session key that we’re using can change often, and everyone is using a different session key. WPA3 also includes perfect forward secrecy, which means that the session keys are created whenever we’re performing the sessions, and once the session is over, the key is thrown away. We use a completely different key if we start a new session. This means that WPA3 no longer has those problems associated with WPA2. We no longer have a hash, therefore we no longer have to worry about brute forces associated with these pre-shared keys.

So how do we create a session key that’s used on both sides of the conversation without actually sending that session key across the network? To be able to do this, we use a method called Simultaneous Authentication of Equals, or SAE. If you’re familiar with Diffie-Hellman key exchange, you may find that SAE sounds a little familiar, that’s because it is derived from that Diffie-Hellman process. We add some additional capabilities though, that go a little bit farther than Diffie-Hellman so that we can add some authentication components to the conversation. And of course, everyone on the network is generating a different session key even if everybody is using exactly the same pre-shared key to connect to the wireless network. This was added to the IEEE 802.11 standard, and you’ll sometimes hear this key exchange process referred to as the dragonfly handshake.