1
00:00:04,160 --> 00:00:09,080
 Hello and welcome to this video
 called the EAP framework.

2
00:00:09,080 --> 00:00:12,180
 Now you might be wondering, what is EAP?

3
00:00:12,180 --> 00:00:14,540
 Is that like the sound a little
 frightened mouse makes?

4
00:00:14,540 --> 00:00:16,100
 As it's running away from the cheese?

5
00:00:16,100 --> 00:00:18,380
 No, that's not what we're
 talking about with EAP.

6
00:00:18,380 --> 00:00:22,720
 So EAP stands for the extensible
 authentication protocol.

7
00:00:22,720 --> 00:00:27,860
 Now EAP was not created expressly
 for wireless networks.

8
00:00:27,860 --> 00:00:34,620
 EAP is actually sort of the idea behind
 EAP was that this is another framework.

9
00:00:34,620 --> 00:00:36,860
 So remember when we're talking about
 frameworks, we're talking about sort

10
00:00:36,860 --> 00:00:40,700
 of like a blueprint or scaffolding for
 how to make, how to meet a general

11
00:00:40,700 --> 00:00:46,900
 objective. And the general objective
 of the EAP framework was how do we

12
00:00:46,900 --> 00:00:53,380
 create like a blueprint of how people
 can securely authenticate people

13
00:00:53,380 --> 00:00:56,920
 and devices connecting to networks.

14
00:00:56,920 --> 00:00:58,720
 That's sort of the general framework.

15
00:00:58,720 --> 00:01:00,980
 And there's a variety of
 ways that we can do that.

16
00:01:00,980 --> 00:01:04,820
 Now when you think about authenticating
 something, there's a variety of

17
00:01:04,820 --> 00:01:05,820
 ways you can do that, right?

18
00:01:05,820 --> 00:01:09,360
 Something could be authenticated purely
 based on the MAC address it has.

19
00:01:09,360 --> 00:01:12,260
 A person could be authenticated based
 on their credentials like their

20
00:01:12,260 --> 00:01:13,820
 username or password.

21
00:01:13,820 --> 00:01:16,780
 Maybe somebody could use some sort
 of facial recognition or a digital

22
00:01:16,780 --> 00:01:19,460
 certificate to do some authentication.

23
00:01:19,460 --> 00:01:20,260
 There's all sorts of ways.

24
00:01:20,260 --> 00:01:24,480
 So the reason why EAP is called the
 extensible authentication protocol

25
00:01:24,480 --> 00:01:29,200
 is because when EAP was first developed,
 it said, well, we're going to

26
00:01:29,200 --> 00:01:33,180
 define things like, you know, how are
 the authentication messages passed

27
00:01:33,180 --> 00:01:38,320
 back and forth between the person or devices
 authenticating and who they're

28
00:01:38,320 --> 00:01:39,240
 authenticating against.

29
00:01:39,240 --> 00:01:41,760
 What's the structure of
 that going to look like?

30
00:01:41,760 --> 00:01:46,500
 You know, what's the role of each device
 and the network going to be that

31
00:01:46,500 --> 00:01:48,360
 plays part in this?

32
00:01:48,360 --> 00:01:52,520
 They also said, let's develop these
 things called EAP methods.

33
00:01:52,520 --> 00:01:56,760
 And each EAP method defines how exactly
 is something going to authenticate

34
00:01:56,760 --> 00:02:00,880
 itself. For example, an EAP method might
 say, hey, just provide your username

35
00:02:00,880 --> 00:02:04,620
 and password. And then if you provide
 it correctly, you're good.

36
00:02:04,620 --> 00:02:08,300
 Another EAP method might be, well, we
 need to exchange digital certificates

37
00:02:08,300 --> 00:02:11,740
 in order to provide authentication.

38
00:02:11,740 --> 00:02:16,680
 So EAP methods, each EAP method specifically
 defines the mechanisms to

39
00:02:16,680 --> 00:02:20,940
 authenticate between the end user and whoever
 they're authenticating against.

40
00:02:20,940 --> 00:02:24,700
 And the reason why it's called extensible
 is because EAP was developed

41
00:02:24,700 --> 00:02:29,100
 in such a way that it wasn't really
 rigid so that in the future, people

42
00:02:29,100 --> 00:02:32,440
 could come up with other
 additional EAP methods.

43
00:02:32,440 --> 00:02:36,080
 So if you want to come up with
 your own EAP method, go for it.

44
00:02:36,080 --> 00:02:37,060
 You could do that.

45
00:02:37,060 --> 00:02:43,780
 Okay, so within the framework of EAP,
 the framework says, well, we can

46
00:02:43,780 --> 00:02:50,760
 have three different roles participating in
 this whole authentication thing.

47
00:02:50,760 --> 00:02:55,060
 So the EAP framework defined the three
 roles of supplicant, authenticator

48
00:02:55,060 --> 00:02:57,280
 and authentication server.

49
00:02:57,280 --> 00:03:02,640
 So the supplicant is the end device, like your
 laptop, your tablet, your smartphone,

50
00:03:02,640 --> 00:03:05,420
 the thing that's trying to
 gain access to the network.

51
00:03:05,420 --> 00:03:07,180
 That's called the supplicant.

52
00:03:07,180 --> 00:03:12,000
 The authenticator is the device
 that says, hold on a second.

53
00:03:12,000 --> 00:03:15,900
 Before I give you network access,
 you have to prove yourself to me.

54
00:03:15,900 --> 00:03:19,200
 So in the context of wireless, the
 authenticator would be your access

55
00:03:19,200 --> 00:03:21,520
 point. That would be the authenticator.

56
00:03:21,520 --> 00:03:23,860
 EAP can also be used in wired networks.

57
00:03:23,860 --> 00:03:26,660
 So the authenticator might be the network
 switch that you're connecting

58
00:03:26,660 --> 00:03:30,020
 to. If you're connecting directly to
 a router, the router could be the

59
00:03:30,020 --> 00:03:35,840
 supplicant. And then the third device,
 or the third role is who is actually

60
00:03:35,840 --> 00:03:41,920
 storing those network credentials and
 validating what the supplicant is

61
00:03:41,920 --> 00:03:45,500
 providing and maybe challenging the
 supplicant by saying, well, thank

62
00:03:45,500 --> 00:03:47,240
 you for that. But I need
 a little bit more.

63
00:03:47,240 --> 00:03:48,820
 I need a little bit more
 information from you.

64
00:03:48,820 --> 00:03:52,500
 And this is what I'm looking for. That
 device, which a lot of times is

65
00:03:52,500 --> 00:03:56,800
 a back-end server, is called
 an authentication server.

66
00:03:56,800 --> 00:04:03,940
 So when EAP is involved, the layer two
 frame, whether it be a Wi-Fi frame

67
00:04:03,940 --> 00:04:09,600
 is defined by an 802.11 frame type or
 a wired frame like a regular Ethernet

68
00:04:09,600 --> 00:04:15,860
 frame. The type value, like the EtherType,
 will be specific to 0x

69
00:04:15,860 --> 00:04:16,960
 888E.

70
00:04:16,960 --> 00:04:21,300
 So if you ever see a wireless frame
 or a wired Ethernet frame and the

71
00:04:21,300 --> 00:04:24,360
 EtherType or the type value is
 0x888E, that means

72
00:04:24,360 --> 00:04:28,760
 that is carrying EAP in the
 payload of that frame.

73
00:04:28,760 --> 00:04:32,200
 And there's authentication taking
 place right then and there.

74
00:04:32,200 --> 00:04:37,860
 Okay, so within the EtherType value of
 0x888E,

75
00:04:37,860 --> 00:04:40,600
 which is sort of generic
 for EAP over LAN.

76
00:04:40,600 --> 00:04:44,660
 EAPOL, that's EAP over LAN, the extensible
 authentication protocol over

77
00:04:44,660 --> 00:04:49,480
 LAN. There are different types of
 EAP packets, depending on what you're

78
00:04:49,480 --> 00:04:50,780
 trying to do.

79
00:04:50,780 --> 00:04:54,960
 For example, a supplicant, like your
 smartphone, your tablet, the very

80
00:04:54,960 --> 00:04:58,900
 first one they might send might be an
 EAP over LAN start message, meaning,

81
00:04:58,900 --> 00:05:03,280
 okay, I would like to start the whole
 process of doing authentication.

82
00:05:03,280 --> 00:05:07,440
 Then there might be what's called EAP
 over LAN packet frames, which have

83
00:05:07,440 --> 00:05:10,940
 the methods inside them like here's
 my username and password.

84
00:05:10,940 --> 00:05:12,620
 Here's my digital certificate.

85
00:05:12,620 --> 00:05:15,580
 Maybe the authentication server
 saying, I need more from you.

86
00:05:15,580 --> 00:05:16,660
 Give me some additional data.

87
00:05:16,660 --> 00:05:20,460
 That would also be contained within
 an EAP over LAN packet frame.

88
00:05:20,460 --> 00:05:24,360
 And there's also EAP over LAN key
 frames and there's others as well.

89
00:05:24,360 --> 00:05:29,740
 But all of those are carried at layer
 two with a frame type of 0x

90
00:05:29,740 --> 00:05:31,980
 888E.

91
00:05:31,980 --> 00:05:37,880
 Now, in Wi-Fi, the robust
 security network

92
00:05:37,880 --> 00:05:41,220
 said, we're going to use this thing
 called EAP that somebody's already

93
00:05:41,220 --> 00:05:42,580
 developed. We like it.

94
00:05:42,580 --> 00:05:43,780
 It works for us.

95
00:05:43,780 --> 00:05:45,460
 Let's go ahead and use it.

96
00:05:45,460 --> 00:05:47,480
 And so in the world of Wi-Fi.

97
00:05:47,480 --> 00:05:53,660
 So, um, the 802.11i Wi-Fi,
 they said, well, first of

98
00:05:53,660 --> 00:06:07,680
 all, we're going to divide.

99
00:06:07,680 --> 00:06:17,980
 So, you're going to have your
 application on the right.

100
00:06:17,980 --> 00:06:23,480
 And we say this uses 802.1X
 to do all of this.

101
00:06:23,480 --> 00:06:29,280
 Now, 802.1X is another protocol,
 but 802.1X also uses EAP.

102
00:06:29,280 --> 00:06:30,580
 So if you're looking at the, you're
 going to have your authentication

103
00:06:30,580 --> 00:06:31,660
 server on the right.

104
00:06:31,660 --> 00:06:35,040
 So, we're going to use it as a way of
 using EAP to do our authentication

105
00:06:35,040 --> 00:06:36,180
 methods. All right.

106
00:06:36,180 --> 00:06:40,240
 So it all comes back to the extensible
 authentication protocol.

107
00:06:40,240 --> 00:06:46,580
 Now in WPA enterprise, you've got these
 three device roles and everything

108
00:06:46,580 --> 00:06:51,620
 that EAP does from the EAP over LAN
 start message to the EAP over LAN

109
00:06:51,620 --> 00:06:57,500
 packet exchanges to the EAP over LAN
 key messages, all takes place.

110
00:06:57,500 --> 00:07:01,920
 But we also know that in Wi-Fi,
 we have WPA personal, right?

111
00:07:01,920 --> 00:07:06,400
 In WPA2 personal, which means you're
 not using the backend server.

112
00:07:06,400 --> 00:07:09,680
 All you've got is the access
 point and the client.

113
00:07:09,680 --> 00:07:14,700
 So in that case, the client and the
 access point already know, already

114
00:07:14,700 --> 00:07:18,620
 has some shared set of authentication
 credentials, usually just like a

115
00:07:18,620 --> 00:07:23,560
 pre-shared key, like the key for this
 wireless LAN is coffee123 or I

116
00:07:23,560 --> 00:07:26,320
 and E 5567, something like that.

117
00:07:26,320 --> 00:07:31,620
 So when we start out at the very beginning
 with the assumption that the

118
00:07:31,620 --> 00:07:36,060
 client and the access point already
 have some shared credentials and the

119
00:07:36,060 --> 00:07:38,640
 goal is, let's just make
 sure that's true.

120
00:07:38,640 --> 00:07:41,320
 Let's make sure that you and I have
 the exact same set of credentials.

121
00:07:41,320 --> 00:07:47,200
 If that's true, you're in and we can move
 on and we can be done with authentication.

122
00:07:47,200 --> 00:07:48,520
 That's WPA personal.

123
00:07:48,520 --> 00:07:53,060
 In that particular case, the EAP over
 LAN start message, you won't see

124
00:07:53,060 --> 00:07:57,540
 that. And the EAP over LAN packet exchanges,
 you won't see that as well.

125
00:07:57,540 --> 00:08:00,420
 That's why the slide says the EAP over
 LAN start and EAP over LAN packet

126
00:08:00,420 --> 00:08:04,380
 is only required for WPA enterprise.

127
00:08:04,380 --> 00:08:08,260
 But what you will see are the EAP over
 LAN key messages and there's always

128
00:08:08,260 --> 00:08:13,000
 four of them. A lot of times this is
 called the EAP over LAN four-way

129
00:08:13,000 --> 00:08:15,800
 handshake because there's four messages
 that go back and forth.

130
00:08:15,800 --> 00:08:20,440
 So the main takeaway from this is that
 whether you're doing WPA enterprise

131
00:08:20,440 --> 00:08:27,560
 or WPA personal, you will always see
 the EAP over LAN four-way handshake,

132
00:08:27,560 --> 00:08:29,340
 the EAP over LAN key frames.

133
00:08:29,340 --> 00:08:34,660
 This other stuff, you will only see if you're
 doing a full 802.1X implementation

134
00:08:34,660 --> 00:08:37,720
 of WPA enterprise.

135
00:08:37,720 --> 00:08:41,760
 Now let's talk just a little bit more
 about that four-way handshake.

136
00:08:41,760 --> 00:08:47,840
 So the 802.11i standard mandates that you
 have to use that four-way handshake

137
00:08:47,840 --> 00:08:52,980
 after, notice this, after the pairwise
 master key has been established.

138
00:08:52,980 --> 00:08:56,940
 Now, I'm not sure where you're watching
 this video, or in the scheme of

139
00:08:56,940 --> 00:08:58,200
 the course of which it was created.

140
00:08:58,200 --> 00:09:00,200
 Maybe you're watching it just by itself.

141
00:09:00,200 --> 00:09:03,100
 So maybe you don't know what
 a pairwise master key is.

142
00:09:03,100 --> 00:09:07,360
 That's fine. I will just say without
 going too far down the road that

143
00:09:07,360 --> 00:09:12,520
 with Wi-Fi, a variety of keys have
 to be derived and it typically goes

144
00:09:12,520 --> 00:09:16,320
 in a particular order where one key
 is derived first and then other keys

145
00:09:16,320 --> 00:09:20,580
 are derived from that key using a variety
 of algorithms and formulas and

146
00:09:20,580 --> 00:09:26,560
 things. So the first key that is typically
 developed is this PMK, the pairwise

147
00:09:26,560 --> 00:09:30,620
 master key. So what this is saying here
 is that according to the 802.11i,

148
00:09:30,620 --> 00:09:32,680
 there's a couple of different ways

149
00:09:32,680 --> 00:09:36,120
 the pairwise master key can be derived.

150
00:09:36,120 --> 00:09:38,240
 And I'll talk about that
 in subsequent videos.

151
00:09:38,240 --> 00:09:42,660
 But the point is once that pairwise
 master key has been derived, then

152
00:09:42,660 --> 00:09:44,740
 we do the four-way EAPOL.

153
00:09:44,740 --> 00:09:51,140
 So that EAPOL is used for
 a variety of reasons.

154
00:09:51,140 --> 00:09:56,640
 Number one, to confirm that you, access
 point, and me, client, both have the

155
00:09:56,640 --> 00:09:58,540
 same shared pairwise master key.

156
00:09:58,540 --> 00:09:59,760
 Remember, that's for us.

157
00:09:59,760 --> 00:10:02,240
 It's a pair of people that's you
 and me access point client.

158
00:10:02,240 --> 00:10:03,920
 That's a single pair.

159
00:10:03,920 --> 00:10:07,540
 You and I are going to have a pairwise
 master key that's different than

160
00:10:07,540 --> 00:10:09,620
 you and Sally or you and Bob.

161
00:10:09,620 --> 00:10:14,400
 So we have to confirm that the PMK that
 I have and you have is the same.

162
00:10:14,400 --> 00:10:17,500
 That's going to be part of the purpose
 of the four-way EAP over LAN

163
00:10:17,500 --> 00:10:22,220
 handshake. And then we're going
 to derive other keys.

164
00:10:22,220 --> 00:10:26,140
 One of which will eventually be used
 to actually encrypt the data.

165
00:10:26,140 --> 00:10:28,580
 So eventually we're going to get to the
 point after the four way handshake

166
00:10:28,580 --> 00:10:33,000
 is done where I'm going to start sending
 you, like, HTTP frames for I and

167
00:10:33,000 --> 00:10:34,940
 E's website or telnet frames.

168
00:10:34,940 --> 00:10:37,540
 I'm trying to telnet into a server
 over there or something like that.

169
00:10:37,540 --> 00:10:40,140
 And all of that is going
 to have to be encrypted.

170
00:10:40,140 --> 00:10:43,640
 So we're going to derive a
 particular key to do that.

171
00:10:43,640 --> 00:10:47,580
 And the four-way handshake is going
 to help us to derive that key.

172
00:10:47,580 --> 00:10:52,480
 And also to transmit broadcast and
 multicast encryption keys from the

173
00:10:52,480 --> 00:10:54,200
 access point to the client.

174
00:10:54,200 --> 00:10:57,660
 So it's the EAP over LAN key frames
 that are used in this process.

175
00:10:57,660 --> 00:11:00,320
 So we just saw that just a moment ago.

176
00:11:00,320 --> 00:11:04,500
 And I'll show you that one more time.

177
00:11:04,500 --> 00:11:08,260
 So once again, just to serve
 as a recap here.

178
00:11:08,260 --> 00:11:12,340
 EAP over LAN packet frames may or
 may not be there just depending on

179
00:11:12,340 --> 00:11:15,200
 whether you're doing WPA
 enterprise or not.

180
00:11:15,200 --> 00:11:19,820
 If you're not doing WPA enterprise,
 if you're doing WPA personal, you're

181
00:11:19,820 --> 00:11:21,500
 not going to see these.

182
00:11:21,500 --> 00:11:25,460
 Either way, once the EAP over LAN, if, whether
 you've got EAPOL, if you,

183
00:11:25,460 --> 00:11:30,580
 if you're doing EAP over LAN packet
 frames, then the end result of that

184
00:11:30,580 --> 00:11:34,420
 is that a key called the master
 session key will be derived.

185
00:11:34,420 --> 00:11:41,220
 So it's actually in WPA enterprise that
 requires an authentication server.

186
00:11:41,220 --> 00:11:44,880
 It's actually the authentication
 server that creates this.

187
00:11:44,880 --> 00:11:47,660
 So the authentication server
 will say, you're good.

188
00:11:47,660 --> 00:11:49,260
 You've proven yourself to me.

189
00:11:49,260 --> 00:11:51,740
 I have a, I'm officially
 authenticating you.

190
00:11:51,740 --> 00:11:53,940
 And as a result, I'm going
 to give you a gift.

191
00:11:53,940 --> 00:11:56,880
 I'm going to give you
 a master session key.

192
00:11:56,880 --> 00:11:59,100
 So that will be derived.

193
00:11:59,100 --> 00:12:03,740
 And then in WPA enterprise, the master
 session key is then used to derive

194
00:12:03,740 --> 00:12:05,900
 the pairwise master key.

195
00:12:05,900 --> 00:12:08,700
 So this is actually mathematically
 derived from this.

196
00:12:08,700 --> 00:12:11,480
 And you'll see when we get into that,
 that it's actually pretty simple

197
00:12:11,480 --> 00:12:20,360
 how that works. Now, in WPA personal,
 we skip the EAP over LAN packet

198
00:12:20,360 --> 00:12:23,100
 frames. We don't have
 a master session key.

199
00:12:23,100 --> 00:12:27,820
 And instead, we just use that pre-shared
 key like coffee123,

200
00:12:27,820 --> 00:12:32,920
 or best Wi-Fi ever, whatever the pre-shared
 key is for the wireless LAN.

201
00:12:32,920 --> 00:12:38,060
 And we use that as a component of a
 formula to come up with the pairwise

202
00:12:38,060 --> 00:12:41,240
 master key. So you always have
 a pairwise master key.

203
00:12:41,240 --> 00:12:43,160
 The only question is where
 did it come from?

204
00:12:43,160 --> 00:12:48,240
 Did it come from the master session key
 or was it derived from the passphrase,

205
00:12:48,240 --> 00:12:49,560
 the pre-shared key?

206
00:12:49,560 --> 00:12:51,940
 Either way, you've got the
 pairwise master key.

207
00:12:51,940 --> 00:12:56,700
 Now, once you've got this, then the
 four-way handshake has to happen.

208
00:12:56,700 --> 00:12:59,340
 The EAP over LAN key frames
 have to be exchanged.

209
00:12:59,340 --> 00:13:04,340
 And that's what's used to derive
 these other keys down here.

210
00:13:04,340 --> 00:13:09,000
 And if you're doing a wireless sniffer capture,
 in, like, Wireshark or something,

211
00:13:09,000 --> 00:13:10,300
 this is what you'll see.

212
00:13:10,300 --> 00:13:15,900
 So this, for example, is a sniffer trace
 taken from a WPA personal association

213
00:13:15,900 --> 00:13:20,100
 because notice we don't see any EAP
 over LAN packet frames here.

214
00:13:20,100 --> 00:13:23,600
 We go directly from authentication
 to association.

215
00:13:23,600 --> 00:13:26,400
 And then we have the four-way
 EAP over LAN handshake.

216
00:13:26,400 --> 00:13:28,340
 And notice how it says key.

217
00:13:28,340 --> 00:13:31,280
 So these are EAP over LAN key messages.

218
00:13:31,280 --> 00:13:33,900
 And there's four of them: message
 one, two, three and four.

219
00:13:33,900 --> 00:13:37,720
 And subsequent videos will talk about
 specifically what information is

220
00:13:37,720 --> 00:13:41,960
 carried in each one of these messages.

221
00:13:41,960 --> 00:13:46,280
 But that concludes this introduction
 to the EAP over LAN framework.

222
00:13:46,280 --> 00:13:47,620
 Thank you so much for watching.

223
00:13:47,620 --> 00:13:49,320
 And I really hope it was helpful for you.
