1 00:00:04,100 --> 00:00:10,820 Hello and welcome to this video titled, Breaking Down the RSN Key Derivation. 2 00:00:10,820 --> 00:00:16,320 So in case you've forgotten, RSN stands for the robust security network, 3 00:00:16,320 --> 00:00:21,820 which was first defined in the 802.11i standard by the IEEE, which sort 4 00:00:21,820 --> 00:00:26,600 of defined all of how Wi -Fi security takes place. 5 00:00:26,600 --> 00:00:31,120 And within that robust security network, there is a series of keys. 6 00:00:31,120 --> 00:00:33,260 And here we see a review of that. 7 00:00:33,260 --> 00:00:39,700 And most keys are derived from other keys that were created beforehand. 8 00:00:39,700 --> 00:00:43,320 So we'll talk about each of these in this particular video, starting with 9 00:00:43,320 --> 00:00:46,660 the master session key, working our way down through the pairwise master 10 00:00:46,660 --> 00:00:48,520 key, and so on and so forth. 11 00:00:48,520 --> 00:00:51,400 And we'll also take a look at some of these keys on the right here, used 12 00:00:51,400 --> 00:00:53,880 for broadcast and multicast. 13 00:00:53,880 --> 00:01:00,620 So before we talk about what the master session key is and how it's used, 14 00:01:00,620 --> 00:01:05,340 let's just real quickly look at where it comes from and how you get it. 15 00:01:05,340 --> 00:01:11,820 So the master session key is only applicable when you're doing WPA enterprise. 16 00:01:11,820 --> 00:01:17,100 So we're talking about a full 802.1x implementation with an authentication 17 00:01:17,100 --> 00:01:20,760 server, typically doing radius on the back end. 18 00:01:20,760 --> 00:01:27,240 So if that's true, then the Wi-Fi supplicant, which is your laptop, your 19 00:01:27,240 --> 00:01:31,340 smartphone, whatever, will typically start the whole process with an EPU 20 00:01:31,340 --> 00:01:33,200 over land dash start message. 21 00:01:33,200 --> 00:01:36,680 Very simple message just basically saying, hey, I wanna gain access to 22 00:01:36,680 --> 00:01:41,780 the network. Then we'll have several back and forth exchanges of EPU over 23 00:01:41,780 --> 00:01:43,740 land dash packet messages. 24 00:01:43,740 --> 00:01:50,660 Now these are all carried with a layer two ether type value of 0x888E. 25 00:01:50,660 --> 00:01:53,420 So if you wanted to capture those in wire shark or something, that's what 26 00:01:53,420 --> 00:01:57,880 you'd wanna filter on, is that ether type value of 0x888E. 27 00:01:57,880 --> 00:02:00,380 But inside they have different EPU types. 28 00:02:00,380 --> 00:02:06,380 So how many EPU over land dash packet exchanges there are really is dependent 29 00:02:06,380 --> 00:02:09,360 on what EPU method you're using. 30 00:02:09,360 --> 00:02:14,340 Some EPU methods like EPU MD5, which is simply just an exchange of a username 31 00:02:14,340 --> 00:02:18,420 and password, don't have a whole lot of messages that go back and forth. 32 00:02:18,420 --> 00:02:21,980 Other EPU methods, which are much more complex, which use like digital 33 00:02:21,980 --> 00:02:26,280 certificates and things like EPU TLS, will have a lot more EPU over land 34 00:02:26,280 --> 00:02:27,540 packet messages. 35 00:02:27,540 --> 00:02:31,740 But the really thing we gotta focus on here is, are you going to authenticate 36 00:02:31,740 --> 00:02:35,280 or not? If you don't authenticate, then you're done and you don't get 37 00:02:35,280 --> 00:02:36,680 your network access. 38 00:02:36,680 --> 00:02:41,500 If you do authenticate, then the very last EPU over land dash packet message 39 00:02:41,500 --> 00:02:44,740 coming from that authentication server. 40 00:02:44,740 --> 00:02:49,040 So he'll say, great, you're authenticated, you've passed my tests, you've 41 00:02:49,040 --> 00:02:52,680 given me the credentials I need, so the very last EPU over land packet 42 00:02:52,680 --> 00:02:56,820 that he will send down to the access point, which will then be translated 43 00:02:56,820 --> 00:03:01,560 into a wired frame into a wireless frame and then sent to you wirelessly, 44 00:03:01,560 --> 00:03:07,000 will contain a special key that that radius server created called the 45 00:03:07,000 --> 00:03:08,600 master session key. 46 00:03:08,600 --> 00:03:11,940 Now I'm just giving a random example here, it's gonna be much, much longer 47 00:03:11,940 --> 00:03:16,120 than this, as we'll see in just a second, but there's really two main 48 00:03:16,120 --> 00:03:18,840 points here. Number one, actually three main points. 49 00:03:18,840 --> 00:03:23,360 Number one, this key, this master session key, only is created after a 50 00:03:23,360 --> 00:03:27,340 successful 802.1x authentication. 51 00:03:27,340 --> 00:03:29,560 So we're talking WPA enterprise here. 52 00:03:29,560 --> 00:03:34,980 All right, number two, it's created by the radius server and sent down 53 00:03:34,980 --> 00:03:39,660 to you in the very last EPU over land packet message and then number three, 54 00:03:39,660 --> 00:03:44,740 both your supplicant and the access point will need to have that. 55 00:03:44,740 --> 00:03:48,580 So in this case, most of these EPU over land packet messages that have 56 00:03:48,580 --> 00:03:52,880 gone back and forth, the authenticator, which is the access point, has 57 00:03:52,880 --> 00:03:55,040 just kind of transparently passed them back and forth. 58 00:03:55,040 --> 00:04:00,000 It's received them in as wireless frames, convert them into wired ethernet 59 00:04:00,000 --> 00:04:03,640 frames and then folded them on to the authentication server, putting them 60 00:04:03,640 --> 00:04:05,440 inside of radius packets. 61 00:04:05,440 --> 00:04:08,340 But other than that, it hasn't really paid much attention to the back 62 00:04:08,340 --> 00:04:11,340 and forth exchange between the two endpoints. 63 00:04:11,340 --> 00:04:16,160 Now with this very last message here, the actual message type will have 64 00:04:16,160 --> 00:04:20,600 a radius code, the radius is the protocol on the wired side and it will 65 00:04:20,600 --> 00:04:23,120 say access except. 66 00:04:23,120 --> 00:04:27,280 So he can now access the network, access except. 67 00:04:27,280 --> 00:04:30,780 When the authenticator, whether it be a wired switch or in this case an 68 00:04:30,780 --> 00:04:35,500 access point, when it sees that, it will pay attention to that message. 69 00:04:35,500 --> 00:04:39,540 Number one, it'll say, okay, now I know I can open up network access to 70 00:04:39,540 --> 00:04:44,940 this client. He's passed all the rules, all the requirements. 71 00:04:44,940 --> 00:04:48,120 The authenticator will also say, okay, let me look into that access except 72 00:04:48,120 --> 00:04:50,560 message and see if there's any instructions for me. 73 00:04:50,560 --> 00:04:53,440 Because maybe that access except message will also tell me to do things 74 00:04:53,440 --> 00:04:57,940 like, dynamically put this person into a VLAN, apply some dynamic QoS 75 00:04:57,940 --> 00:05:01,620 policies, there's a whole bunch of things that that authentication server 76 00:05:01,620 --> 00:05:05,520 could tell that authenticator to do. 77 00:05:05,520 --> 00:05:09,620 But if we're just thinking about things for real simply, the main thing 78 00:05:09,620 --> 00:05:13,440 that the access point that authenticator is gonna be looking for is that 79 00:05:13,440 --> 00:05:14,760 master session key. 80 00:05:14,760 --> 00:05:17,340 Now he's not gonna keep it from, he is gonna keep it for himself, but 81 00:05:17,340 --> 00:05:20,680 he's also gonna pass his whole message on to the supplicant. 82 00:05:20,680 --> 00:05:24,620 So both the supplicant and the authenticator need that master session 83 00:05:24,620 --> 00:05:27,200 key. Now, why do they need it? 84 00:05:27,200 --> 00:05:32,320 That takes us to our next message, our next slide here. 85 00:05:32,320 --> 00:05:37,280 So RC 5247, which defines all of these EAP processes, because remember 86 00:05:37,280 --> 00:05:42,800 EAP, the EAP framework was developed before Wi-Fi. 87 00:05:42,800 --> 00:05:46,920 So it was not developed for Wi-Fi, to sort of commandeered it and said, 88 00:05:46,920 --> 00:05:49,200 we can use that, but it's a standalone thing. 89 00:05:49,200 --> 00:05:51,820 There's a lot of other things that can use EAP as well, and it's defined 90 00:05:51,820 --> 00:05:55,540 in that particular RFC, if you ever wish to look at that. 91 00:05:55,540 --> 00:06:00,300 So RFC 5247 says, hey, look, if you're using the full 802.1x framework, 92 00:06:00,300 --> 00:06:03,700 with these devices and everything, then the end result of a successful 93 00:06:03,700 --> 00:06:09,400 EAP-Packet exchange, will be the creation of a master session key. 94 00:06:09,400 --> 00:06:12,240 It says it'll be created by the radius server, otherwise known as the 95 00:06:12,240 --> 00:06:13,800 EAP authentication server. 96 00:06:13,800 --> 00:06:17,740 It's gonna be pretty big, 512 bits in length. 97 00:06:17,740 --> 00:06:21,560 So 64 bytes, that's in length, and that's gonna be important here in just 98 00:06:21,560 --> 00:06:26,680 a second, when we look at the next key that's created, and it's sent to 99 00:06:26,680 --> 00:06:29,460 the sub-locate and the wireless LAN controller. 100 00:06:29,460 --> 00:06:33,060 Now, in this particular case, now I said how I mentioned wireless LAN 101 00:06:33,060 --> 00:06:34,120 controller here. 102 00:06:34,120 --> 00:06:38,320 So in the previous picture, we were kind of looking at an autonomous access 103 00:06:38,320 --> 00:06:40,700 point. There was no controller in that image. 104 00:06:40,700 --> 00:06:45,300 The access point absolutely has to have that master session key. 105 00:06:45,300 --> 00:06:48,020 So it's even though it's not mentioned here in this bullet point, the 106 00:06:48,020 --> 00:06:52,860 end user, tablet smartphone, and the access point have to have that master 107 00:06:52,860 --> 00:06:57,500 session key. Now, if there is a wireless LAN controller involved, if this 108 00:06:57,500 --> 00:07:01,640 is a managed wireless situation, the wireless LAN controller will also 109 00:07:01,640 --> 00:07:04,740 get a copy of that master session key. 110 00:07:04,740 --> 00:07:10,440 He will actually be the first one to get that access accept message in 111 00:07:10,440 --> 00:07:14,940 the EAP-PACKET message, because he's even before the access point on the 112 00:07:14,940 --> 00:07:19,020 wired side. So he will get directly from the radius server, he'll copy 113 00:07:19,020 --> 00:07:22,540 the master session key out of it, he'll forward to the access point, the 114 00:07:22,540 --> 00:07:26,160 access point will copy the master session key, he will then convert into 115 00:07:26,160 --> 00:07:30,400 a wifi frame, send it wirelessly to the sub-locate, and the sub-locate 116 00:07:30,400 --> 00:07:33,800 will capture the master session key. 117 00:07:33,800 --> 00:07:39,480 Okay, so when you're doing 802.1x, that is the very first key, right? 118 00:07:39,480 --> 00:07:41,920 That's the very first key, and you're only gonna get that if you successfully 119 00:07:41,920 --> 00:07:50,360 authenticate. Now, if you're doing WPA Personal, like WPA2 or WPA3, there 120 00:07:50,360 --> 00:07:53,940 is no master session key, and I talked about that in a previous video, 121 00:07:53,940 --> 00:07:59,760 how if we go back to this picture right here, when you're doing WPA Personal, 122 00:07:59,760 --> 00:08:04,300 these messages don't exist, there is no EAP-over-LAN start, there is no 123 00:08:04,300 --> 00:08:09,140 EAP-over-LAN packet exchanges, we just completely bypass that, we skip 124 00:08:09,140 --> 00:08:13,580 the whole master session key, and we go right to creating the next key 125 00:08:13,580 --> 00:08:18,080 in the chain, which is the pairwise master key. 126 00:08:18,080 --> 00:08:23,680 So, master session key, only gonna be there if there's 802.1x and WPA 127 00:08:23,680 --> 00:08:28,000 Enterprise, but the pairwise master key will always be there, whether 128 00:08:28,000 --> 00:08:32,580 you're an enterprise or personal, you have to have a pairwise master key. 129 00:08:32,580 --> 00:08:37,500 So, this was defined in the 802.11i specification, so the pairwise master 130 00:08:37,500 --> 00:08:43,020 key, how it can come into being, how it can be derived is three particular 131 00:08:43,020 --> 00:08:51,380 places. So, if you are doing WPA Enterprise, then it's actually very simply 132 00:08:51,380 --> 00:08:54,720 just the first half of that master session key. 133 00:08:54,720 --> 00:08:59,700 So, we take those 64 bytes of the master session key, cut it in half, 134 00:08:59,700 --> 00:09:04,460 and the first 32 bytes on the front end, we just repurpose that as the 135 00:09:04,460 --> 00:09:05,860 pairwise master key. 136 00:09:05,860 --> 00:09:08,200 Well, what if you're not doing WPA Enterprise? 137 00:09:08,200 --> 00:09:13,480 Well, if you're doing WPA2 personal or WPA3-SAE, which is another way 138 00:09:13,480 --> 00:09:17,920 of saying WPA3 personal, then how do we get those 32 bytes? 139 00:09:17,920 --> 00:09:24,140 Well, in that case, if it's WPA2 personal, WPA2, we take that pre-shared 140 00:09:24,140 --> 00:09:29,020 key like INE is great, or Cisco 123, or whatever your passphrase is for 141 00:09:29,020 --> 00:09:32,740 your wireless LAN, we run that through a very sort of simple formula, 142 00:09:32,740 --> 00:09:37,200 which I'll show you in a subsequent video, and then voila, we end up creating 143 00:09:37,200 --> 00:09:41,120 the pairwise master key as a result of that formula. 144 00:09:41,120 --> 00:09:46,040 If you're talking about WPA3, then there's a whole different process, 145 00:09:46,040 --> 00:09:50,300 a whole different much more complicated process, which is called the SAE 146 00:09:50,300 --> 00:09:54,240 handshake. We'll talk about that in a subsequent video, but the end result 147 00:09:54,240 --> 00:10:00,520 of the SAE handshake is that we now have our pairwise master key. 148 00:10:00,520 --> 00:10:04,300 So, you can come from three different places as you can see right there. 149 00:10:04,300 --> 00:10:09,220 So, just like the master session key was used if it existed between the 150 00:10:09,220 --> 00:10:12,380 access point and the client, and how is it used? 151 00:10:12,380 --> 00:10:15,900 Well, it's basically just used to take the first half of it and turn into 152 00:10:15,900 --> 00:10:17,200 the pairwise master key. 153 00:10:17,200 --> 00:10:18,820 That was pretty much all we did with it. 154 00:10:18,820 --> 00:10:21,560 That was the only purpose of the master session key. 155 00:10:21,560 --> 00:10:27,440 But once the pairwise master key is used, it is created, it is also used 156 00:10:27,440 --> 00:10:32,040 by the same two devices, the client and the access point, and guess what? 157 00:10:32,040 --> 00:10:36,840 If there's a wireless LAN controller involved, it will also create the 158 00:10:36,840 --> 00:10:38,500 same pairwise master key. 159 00:10:38,500 --> 00:10:42,560 And the reason why the wireless LAN controller needs to have that is for 160 00:10:42,560 --> 00:10:43,880 roaming purposes. 161 00:10:43,880 --> 00:10:47,240 Now, this whole course here does not deal with roaming. 162 00:10:47,240 --> 00:10:50,400 If you're interested in roaming, I'd check out the course I created before 163 00:10:50,400 --> 00:10:53,660 this, which is called getting there with wireless roaming, and I go into 164 00:10:53,660 --> 00:10:56,620 all the great details about how roaming works. 165 00:10:56,620 --> 00:11:01,120 But just as a little preview of that, if you roam from one access point 166 00:11:01,120 --> 00:11:05,900 to the other, you want that roaming to be as quick and seamless as possible. 167 00:11:05,900 --> 00:11:12,280 Now, if you're using 802.1x WPA Enterprise, normally that would mean when 168 00:11:12,280 --> 00:11:15,800 I move from one access point to the other and I roam, when I go to the 169 00:11:15,800 --> 00:11:20,160 new access point, I have to do that whole 802.1x exchange again, all those 170 00:11:20,160 --> 00:11:24,020 EAP Overland packet messages, which there could be a lot, depending on 171 00:11:24,020 --> 00:11:27,220 my EAP method, I have to do all that again with the backend server, get 172 00:11:27,220 --> 00:11:31,560 a whole new master session key and then derive a pairwise master key. 173 00:11:31,560 --> 00:11:36,440 Wouldn't it be nice if I could take the first pairwise master key that 174 00:11:36,440 --> 00:11:40,440 I derive from my first master session key and just sort of like carry 175 00:11:40,440 --> 00:11:43,920 that with me when I move on to the next access point? 176 00:11:43,920 --> 00:11:47,460 Well, the only way that can happen is if all the access points that you 177 00:11:47,460 --> 00:11:52,280 could associate to somehow learn or know about that pairwise master key 178 00:11:52,280 --> 00:11:55,860 that was developed the first time you connected that wireless LAN. 179 00:11:55,860 --> 00:11:59,600 And if the wireless LAN controller who's controlling all those access 180 00:11:59,600 --> 00:12:04,480 points has that pairwise master key, he can hand it off to other access 181 00:12:04,480 --> 00:12:09,040 points that you roam to, making the roaming process a lot faster. 182 00:12:09,040 --> 00:12:11,200 That's all I'm gonna say about that. 183 00:12:11,200 --> 00:12:15,240 Okay, so the pairwise master key, you might say, oh great, now that I've 184 00:12:15,240 --> 00:12:19,780 got that, that 32 byte key, I can start encrypting and decrypting things, 185 00:12:19,780 --> 00:12:22,280 right? No, it's not used for that. 186 00:12:22,280 --> 00:12:26,040 This is just another key that we're gonna run into another formula, we're 187 00:12:26,040 --> 00:12:28,840 gonna run it through another algorithm and we're gonna end up creating 188 00:12:28,840 --> 00:12:30,460 some other keys. 189 00:12:30,460 --> 00:12:34,000 So it's a root for the session key creation. 190 00:12:34,000 --> 00:12:37,840 So the pairwise master key and the master session key as it says here 191 00:12:37,840 --> 00:12:42,780 are very secret and thus they're kept hidden from any show commands. 192 00:12:42,780 --> 00:12:45,400 When I was first learning about this stuff, one of the first questions 193 00:12:45,400 --> 00:12:49,900 that came to my mind was, is there a way I can dig into my MacBook and 194 00:12:49,900 --> 00:12:55,620 actually see the pairwise master key or if I did 802.1x, the master session 195 00:12:55,620 --> 00:12:59,620 key stored in there somewhere from my wireless LAN that I'm connected 196 00:12:59,620 --> 00:13:03,860 to? Or could I get into the backend of my 9800 wireless LAN controller 197 00:13:03,860 --> 00:13:08,180 somehow and see the pairwise master key it has for all the wireless LAN 198 00:13:08,180 --> 00:13:09,640 clients are associated? 199 00:13:09,640 --> 00:13:14,020 Well, they are in there somewhere, but you can't get to them, you can't 200 00:13:14,020 --> 00:13:17,100 see them. There's no show commands or anything where you can see that 201 00:13:17,100 --> 00:13:21,340 stuff. They are really down, down deep and they're very hidden because 202 00:13:21,340 --> 00:13:25,900 of that. So before we move on here, one takeaway I want you to have from 203 00:13:25,900 --> 00:13:31,880 this is that the robust security network defined in 802.11i says that 204 00:13:31,880 --> 00:13:36,980 there's keys which will then derive other keys which will then derive 205 00:13:36,980 --> 00:13:41,720 other keys. So it's a multi-step process of deriving keys. 206 00:13:41,720 --> 00:13:45,160 And I talked in a previous video that the whole purpose of that is to 207 00:13:45,160 --> 00:13:48,800 make the keys as complex as possible so that malicious actors can't figure 208 00:13:48,800 --> 00:13:52,200 out what they are, hack them and replicate them. 209 00:13:52,200 --> 00:13:53,880 That's why we go through this. 210 00:13:53,880 --> 00:13:56,300 So we can think of it this way. 211 00:13:56,300 --> 00:14:01,660 There's really sort of in an 802.1x environment, the steps you would look 212 00:14:01,660 --> 00:14:05,120 at are, number one, get your master session key. 213 00:14:05,120 --> 00:14:06,320 That's step number one. 214 00:14:06,320 --> 00:14:10,480 Number two, cut it in half and take the first half and sort of rename 215 00:14:10,480 --> 00:14:12,760 that as the pairwise master key. 216 00:14:12,760 --> 00:14:14,380 That's step number two. 217 00:14:14,380 --> 00:14:18,800 And step number three is we have to then take that pairwise master key 218 00:14:18,800 --> 00:14:23,260 and divide it. And then actually we're gonna take the pairwise master 219 00:14:23,260 --> 00:14:29,700 key and convert it into another key called the pairwise transient key. 220 00:14:29,700 --> 00:14:31,180 We're gonna look at that in the next slide. 221 00:14:31,180 --> 00:14:36,680 So we got master session key only if we're doing 802.1x, pairwise master 222 00:14:36,680 --> 00:14:40,660 key in all implementations of WPA. 223 00:14:40,660 --> 00:14:45,620 Pairwise master key then derives the pairwise transient key. 224 00:14:45,620 --> 00:14:48,920 And then when we got the pairwise transient key, then we take that and 225 00:14:48,920 --> 00:14:50,500 we split it into three pieces. 226 00:14:50,500 --> 00:14:56,260 And those are three final keys that we can use to do our encryption, our 227 00:14:56,260 --> 00:14:58,240 data integrity and all of that. 228 00:14:58,240 --> 00:15:00,460 So it's that multi-step process. 229 00:15:00,460 --> 00:15:04,100 Okay, so now we've got the pairwise master key. 230 00:15:04,100 --> 00:15:10,140 And one other thing I'll talk about about this is that in WPA2, personal, 231 00:15:10,140 --> 00:15:13,680 WPA2, personal, where everybody's connecting to the wireless LAN with 232 00:15:13,680 --> 00:15:19,020 the exact same passphrase like coffee is good or INE123, right? 233 00:15:19,020 --> 00:15:21,000 Everybody's using the same passphrase. 234 00:15:21,000 --> 00:15:26,180 In WPA2, personal, everybody will end up having the exact same pairwise 235 00:15:26,180 --> 00:15:30,060 master key. And that's one of the reasons why we don't want to use that 236 00:15:30,060 --> 00:15:32,020 to encrypt and decrypt data. 237 00:15:32,020 --> 00:15:35,140 Otherwise, everybody in the wireless LAN could see everybody else's stuff. 238 00:15:35,140 --> 00:15:36,820 And we don't want that. 239 00:15:36,820 --> 00:15:41,440 So remember, the whole goal of the robust security network is that every 240 00:15:41,440 --> 00:15:45,280 person connected to the access point should have their own unique set 241 00:15:45,280 --> 00:15:49,240 of pairwise keys that's just for them. 242 00:15:49,240 --> 00:15:56,620 So in WPA2, we absolutely need to take the next step of converting this 243 00:15:56,620 --> 00:16:02,180 into another key that's unique just for that person and their access point. 244 00:16:02,180 --> 00:16:06,680 Now, in WPA3, when I get into the details of that, we will actually see 245 00:16:06,680 --> 00:16:10,940 that the pairwise master key itself is unique. 246 00:16:10,940 --> 00:16:16,740 So even in a WPA3 wireless LAN, yes, you and Bob and Sally who are sitting 247 00:16:16,740 --> 00:16:19,700 next to you, you might all be joining that wireless LAN with the exact 248 00:16:19,700 --> 00:16:25,420 same passphrase like coffee123, but the formula, the algorithm that converts 249 00:16:25,420 --> 00:16:32,960 that into your pairwise master key has a unique way of making sure that 250 00:16:32,960 --> 00:16:37,200 the pairwise master key that's derived for you is unique than the one 251 00:16:37,200 --> 00:16:39,000 for Bob and for Sally. 252 00:16:39,000 --> 00:16:44,300 That's one thing that makes WPA3 so much stronger and more secure than 253 00:16:44,300 --> 00:16:50,140 WPA2. Okay, but now we have our pairwise master key, it's been derived. 254 00:16:50,140 --> 00:16:53,880 And so now the next thing is we need to derive the pairwise transient 255 00:16:53,880 --> 00:17:01,140 key. Okay, so once the access point in the wireless LAN client obtained 256 00:17:01,140 --> 00:17:04,440 their pairwise master key, then they're gonna go through the four way 257 00:17:04,440 --> 00:17:07,820 EAP over LAN dash key handshake. 258 00:17:07,820 --> 00:17:13,640 So if you recall from the picture I had previously that the robust security 259 00:17:13,640 --> 00:17:18,340 network dictates that regardless of what form of wireless LAN you're doing, 260 00:17:18,340 --> 00:17:22,960 whether it's enterprise or personal, you always have to do a four way 261 00:17:22,960 --> 00:17:26,260 handshake at the very end of your authentication, which is called the 262 00:17:26,260 --> 00:17:27,560 EAP over LAN four way handshake. 263 00:17:27,560 --> 00:17:32,640 And the EAP over LAN frame type is called EAP over LAN key messages. 264 00:17:32,640 --> 00:17:40,120 So during that handshake as those four messages are exchanged, the pairwise 265 00:17:40,120 --> 00:17:43,200 transient key will be derived. 266 00:17:43,200 --> 00:17:47,220 So there's gonna be information exchanged between you and the access point 267 00:17:47,220 --> 00:17:52,160 that's unique just for this session that's gonna help a unique pairwise 268 00:17:52,160 --> 00:17:57,560 transient key to be derived as a result of that handshake. 269 00:17:57,560 --> 00:18:00,200 Now, technically speaking, although I don't think you'd ever be tested 270 00:18:00,200 --> 00:18:05,460 on this, the pairwise transient key is called a derived key vector. 271 00:18:05,460 --> 00:18:06,480 Why do we call that? 272 00:18:06,480 --> 00:18:11,200 Well, number one is derived because we had to exchange some material, 273 00:18:11,200 --> 00:18:14,960 some key material during that EAP over LAN handshake in order to derive 274 00:18:14,960 --> 00:18:17,280 this pairwise transient key. 275 00:18:17,280 --> 00:18:21,720 So the pairwise transient key, part of it was derived from the pairwise 276 00:18:21,720 --> 00:18:25,920 master key. That's why we had to have the PMK to begin with, but there 277 00:18:25,920 --> 00:18:31,280 was other pieces of stuff that was fed into the formula in addition to 278 00:18:31,280 --> 00:18:36,600 the PMK, which resulted in a unique PTK that's used for this particular 279 00:18:36,600 --> 00:18:39,080 session. So it's derived. 280 00:18:39,080 --> 00:18:42,820 And we call it a key vector because the pairwise transient key once it's 281 00:18:42,820 --> 00:18:47,440 developed, we basically just split it into three pieces and that gives 282 00:18:47,440 --> 00:18:51,040 us three different subkeys. 283 00:18:51,040 --> 00:18:55,140 Just like an analogy, it's just like in 802.1x when you got the master 284 00:18:55,140 --> 00:18:59,860 session key and we divided it into two and the first half was considered 285 00:18:59,860 --> 00:19:01,420 the pairwise master key. 286 00:19:01,420 --> 00:19:03,260 Same type of things happening here. 287 00:19:03,260 --> 00:19:06,600 Once the pairwise transient key is developed, we're gonna split it into 288 00:19:06,600 --> 00:19:10,880 thirds and like the sort of picture here shows you and each one of those 289 00:19:10,880 --> 00:19:12,720 thirds is gonna be used for something. 290 00:19:12,720 --> 00:19:17,620 So once again, just like the pairwise master key was not used to actually 291 00:19:17,620 --> 00:19:23,180 encrypt or decrypt data, similarly, the pairwise transient key is also 292 00:19:23,180 --> 00:19:26,640 not used to encrypt or decrypt data. 293 00:19:26,640 --> 00:19:30,860 It's just one final key that was derived so then we can finally derive 294 00:19:30,860 --> 00:19:35,740 our last keys. And that's what we're gonna talk about right here. 295 00:19:35,740 --> 00:19:40,620 So once your PTK is derived, real simple, all your complex formulas are 296 00:19:40,620 --> 00:19:44,460 done, all your complex algorithms are finished, all you gotta do is split 297 00:19:44,460 --> 00:19:46,220 it into three pieces. 298 00:19:46,220 --> 00:19:50,740 So the first piece is gonna be called the key confirmation key, the K 299 00:19:50,740 --> 00:19:55,360 -C-K. So this is not used to encrypt anything, this is used to provide 300 00:19:55,360 --> 00:19:57,260 your message integrity. 301 00:19:57,260 --> 00:20:03,440 So for example, if I'm a tablet and I am uploading to my access point, 302 00:20:03,440 --> 00:20:08,340 a wireless frame that contains some very important data like maybe some 303 00:20:08,340 --> 00:20:12,500 bank account I'm depositing into or something, I wanna make sure there's 304 00:20:12,500 --> 00:20:16,360 no possible way that somebody could intercept that frame before it gets 305 00:20:16,360 --> 00:20:20,280 to the access point, change some of the bits and then forward it onto 306 00:20:20,280 --> 00:20:25,280 the access point as like an invisible interloper in the middle. 307 00:20:25,280 --> 00:20:28,900 I wanna prevent those bits from being modified or changed in transit, 308 00:20:28,900 --> 00:20:30,100 how do I do that? 309 00:20:30,100 --> 00:20:35,100 Well, I take those bits and I run them through the key confirmation key. 310 00:20:35,100 --> 00:20:38,740 And the key confirmation key adds to my wireless frame something called 311 00:20:38,740 --> 00:20:42,800 a message integrity code, a MIC message integrity code. 312 00:20:42,800 --> 00:20:46,080 If you're familiar with Ethernet, you know that the end of the Ethernet 313 00:20:46,080 --> 00:20:47,020 frame, what do we have? 314 00:20:47,020 --> 00:20:48,320 We have the FCS, right? 315 00:20:48,320 --> 00:20:51,380 The frame checksum, sometimes called the frame check sequence. 316 00:20:51,380 --> 00:20:55,620 The purpose of the FCS is to provide error detection, right? 317 00:20:55,620 --> 00:21:00,000 The FCS can help you detect if any of the bits in the Ethernet frame were 318 00:21:00,000 --> 00:21:01,700 changed in transit. 319 00:21:01,700 --> 00:21:04,940 Now, it can't help you figure out what was changed, you can't fix the 320 00:21:04,940 --> 00:21:09,120 frame, but you can detect if the frame was messed up in some way. 321 00:21:09,120 --> 00:21:10,760 That's the same purpose of a MIC. 322 00:21:10,760 --> 00:21:12,880 A MIC serves the exact same purpose. 323 00:21:12,880 --> 00:21:17,480 In this particular case, the key confirmation key is used in conjunction 324 00:21:17,480 --> 00:21:22,600 with a formula and your data to create this MIC. 325 00:21:22,600 --> 00:21:25,940 So that's one of the pieces of the PTK. 326 00:21:25,940 --> 00:21:31,320 Then we have the key encryption key, which wraps keys at the access point 327 00:21:31,320 --> 00:21:36,700 send. So we're gonna see here in just a little bit that the access point 328 00:21:36,700 --> 00:21:41,240 itself is gonna create a special key that it generates itself and sends 329 00:21:41,240 --> 00:21:42,860 to all the clients. 330 00:21:42,860 --> 00:21:44,780 And we're gonna talk about what that is. 331 00:21:44,780 --> 00:21:48,560 But when the access point sends that key to you and Sally and Bob and 332 00:21:48,560 --> 00:21:51,940 all these other tablets and smartphones are connected, we wanna protect 333 00:21:51,940 --> 00:21:56,000 that key. We wanna encrypt the key that it's sending. 334 00:21:56,000 --> 00:22:00,200 So the key encryption key is used for that. 335 00:22:00,200 --> 00:22:04,940 And then lastly, probably the one we're most interested in is the TK, 336 00:22:04,940 --> 00:22:06,220 the temporal key. 337 00:22:06,220 --> 00:22:11,500 This is actually the one that encrypts and decrypts unicast data frames. 338 00:22:11,500 --> 00:22:17,720 So just sort of as a recap here, notice we've got three stations, right? 339 00:22:17,720 --> 00:22:20,200 Three wireless client station, one, two and three. 340 00:22:20,200 --> 00:22:23,900 And each one, this case has a unique temporal key. 341 00:22:23,900 --> 00:22:31,260 So we got temporal key key of XX, YY and ZZ for the respective three stations. 342 00:22:31,260 --> 00:22:35,560 And remember, each one of these temporal keys uses one third of the pairwise 343 00:22:35,560 --> 00:22:39,200 transient key that these stations developed. 344 00:22:39,200 --> 00:22:42,620 And those also that their access point has a database here where it's 345 00:22:42,620 --> 00:22:46,780 keeping track of all the stations are connected as well as what the individual 346 00:22:46,780 --> 00:22:51,040 temporal keys are for each one of those stations. 347 00:22:51,040 --> 00:22:55,880 So whenever those stations send anything to the access point, so this 348 00:22:55,880 --> 00:23:00,840 is upstream now from station to access point, all that data will be encrypted 349 00:23:00,840 --> 00:23:03,520 by the temporal key. 350 00:23:03,520 --> 00:23:07,380 And then the access point will decrypt it using the temporal key before 351 00:23:07,380 --> 00:23:11,200 it either forwards it on to the wireless LAN controller or forwards it 352 00:23:11,200 --> 00:23:13,780 directly onto the distribution system. 353 00:23:13,780 --> 00:23:21,660 All right, and whenever the access point used to send unicast data downstream 354 00:23:21,660 --> 00:23:27,680 to the clients, that will also be encrypted via the temporal key. 355 00:23:27,680 --> 00:23:31,720 Now, notice I'm highlighting here unicast data. 356 00:23:31,720 --> 00:23:37,060 Why is this? Well, because there are certain times when the access point 357 00:23:37,060 --> 00:23:42,660 may need to sort of flood the wireless LAN with broadcast and multicast 358 00:23:42,660 --> 00:23:48,680 information. For example, what if the access point needs to ARP for somebody 359 00:23:48,680 --> 00:23:50,260 on the wireless LAN? 360 00:23:50,260 --> 00:23:55,000 Or maybe there's a switch, a wired switch behind the access point that 361 00:23:55,000 --> 00:23:57,380 needs to ARP for one of the wireless LAN clients? 362 00:23:57,380 --> 00:23:59,220 Well, that's gonna go out as a broadcast. 363 00:23:59,220 --> 00:24:03,900 We also have other things like multicast DNS and multicast audio and video 364 00:24:03,900 --> 00:24:07,560 that have to be flooded to all the clients on the wireless LAN. 365 00:24:07,560 --> 00:24:10,960 Well, we also want that to be encrypted. 366 00:24:10,960 --> 00:24:13,200 We wanna protect that traffic. 367 00:24:13,200 --> 00:24:16,880 You can't use the temporal key to do that because the temporal key is 368 00:24:16,880 --> 00:24:20,580 a pairwise key. It's only good for one particular client. 369 00:24:20,580 --> 00:24:26,460 So if you're gonna take one frame and send it out as a broadcast, how 370 00:24:26,460 --> 00:24:28,220 are you going to encrypt that? 371 00:24:28,220 --> 00:24:31,900 Well, you're going to encrypt that by using a different key that the access 372 00:24:31,900 --> 00:24:34,380 point himself creates. 373 00:24:34,380 --> 00:24:39,240 So the access point, when it very first boots up, is gonna create something 374 00:24:39,240 --> 00:24:44,400 called a group master key, derived only by the access point. 375 00:24:44,400 --> 00:24:47,140 And it's 256 bits, that's how long it is. 376 00:24:47,140 --> 00:24:50,800 It's typically created once when the access point boots up. 377 00:24:50,800 --> 00:24:56,580 But some access points have a way, can possibly change this up over time. 378 00:24:56,580 --> 00:24:58,480 But typically it's just derived once. 379 00:24:58,480 --> 00:25:04,820 Now the group master key will then be used inside of a pseudo random function. 380 00:25:04,820 --> 00:25:05,980 You're gonna see that a lot. 381 00:25:05,980 --> 00:25:07,640 PRF pseudo random function. 382 00:25:07,640 --> 00:25:12,520 So this basically just means I'm taking some input, some numbers input, 383 00:25:12,520 --> 00:25:16,740 and my pseudo random function will create some output that is randomized. 384 00:25:16,740 --> 00:25:20,900 So if I take that same number again in the future and run into the same 385 00:25:20,900 --> 00:25:24,820 pseudo random function, I will get a different random output. 386 00:25:24,820 --> 00:25:26,840 That's what pseudo random functions do. 387 00:25:26,840 --> 00:25:31,080 So it's gonna take that group master key, input, I put that into the pseudo 388 00:25:31,080 --> 00:25:38,060 random function, and it will derive a group temporal key, a GTK. 389 00:25:38,060 --> 00:25:43,060 And the GTK is what's used, as you can see here, to encrypt those downstream, 390 00:25:43,060 --> 00:25:47,520 multicast, and broadcast streams, that the access point needs to send 391 00:25:47,520 --> 00:25:50,460 to the wireless LAN clients. 392 00:25:50,460 --> 00:25:55,400 Now once that group temporal key is derived, we don't just wanna send 393 00:25:55,400 --> 00:25:59,620 it to the wireless LAN clients in the air unencrypted, because then somebody 394 00:25:59,620 --> 00:26:03,140 who's just passively sniffing the wireless LAN could see it. 395 00:26:03,140 --> 00:26:07,060 And then they'll be able to decode all the broadcast and multicast at 396 00:26:07,060 --> 00:26:08,740 the access point ascending. 397 00:26:08,740 --> 00:26:13,040 So we need to securely transmit that down to the clients. 398 00:26:13,040 --> 00:26:14,460 How are we gonna do that? 399 00:26:14,460 --> 00:26:20,340 Well, that's gonna be done using the key encryption key that each client 400 00:26:20,340 --> 00:26:24,640 had. So if I go back here real quickly, let's just go back to the previous 401 00:26:24,640 --> 00:26:27,300 slide right here. 402 00:26:27,300 --> 00:26:31,240 Remember, the key encryption key, that's the one in the middle, that is 403 00:26:31,240 --> 00:26:34,660 one third of the pairwise transient key. 404 00:26:34,660 --> 00:26:40,680 So the way this is gonna work is once the access point boots up, it creates 405 00:26:40,680 --> 00:26:43,440 a group master key very, very quickly. 406 00:26:43,440 --> 00:26:48,340 And then within like seconds, it creates a group temporal key. 407 00:26:48,340 --> 00:26:50,800 Was it called group temporal or group? 408 00:26:50,800 --> 00:26:53,040 Yes, group temporal, the GTK. 409 00:26:53,040 --> 00:26:55,140 Now it's got that GTK. 410 00:26:55,140 --> 00:26:59,600 Now a few minutes or a few hours later, you associate to that access point, 411 00:26:59,600 --> 00:27:01,840 right? You join the wireless LAN. 412 00:27:01,840 --> 00:27:04,560 The EAP over LAN four way exchange happens. 413 00:27:04,560 --> 00:27:08,560 During that EAP over LAN four way exchange, you and the access point come 414 00:27:08,560 --> 00:27:12,020 up with a shared pairwise transient key that we see right here. 415 00:27:12,020 --> 00:27:13,260 You both have it. 416 00:27:13,260 --> 00:27:15,380 You both divide that into three pieces. 417 00:27:15,380 --> 00:27:18,180 And this is just for you, just for your session. 418 00:27:18,180 --> 00:27:21,060 One of those pieces being the key encryption key. 419 00:27:21,060 --> 00:27:25,060 Now that four way EAP over LAN handshake isn't done yet. 420 00:27:25,060 --> 00:27:29,240 In message number three, which is the message from the access point to 421 00:27:29,240 --> 00:27:33,420 you. All right, so in the third message of the EAP over LAN handshake, 422 00:27:33,420 --> 00:27:37,100 the access point will take that group temporal key and it will encrypt 423 00:27:37,100 --> 00:27:41,720 it with the key encryption key and send it to you. 424 00:27:41,720 --> 00:27:46,520 And now you've got that particular key so you can decrypt any broadcast 425 00:27:46,520 --> 00:27:51,660 or multicast frames that the access point sends you later on in time. 426 00:27:51,660 --> 00:27:55,760 So every single person that joins the access point, this is why they need 427 00:27:55,760 --> 00:27:59,640 to derive a key encryption key, which is one third of that pairwise transient 428 00:27:59,640 --> 00:28:04,620 because if they didn't have that, they wouldn't be able to receive the 429 00:28:04,620 --> 00:28:10,120 group temporal key that the access point needs to give them. 430 00:28:10,120 --> 00:28:16,100 And so here we can see is a sniffer trace and I'm highlighting the sniffer 431 00:28:16,100 --> 00:28:18,120 trace message number three. 432 00:28:18,120 --> 00:28:20,280 There's the four way EAP over LAN handshake. 433 00:28:20,280 --> 00:28:23,060 So this is called M3 or message number three. 434 00:28:23,060 --> 00:28:27,440 And you can see down there, it says the type is 802.1x. 435 00:28:27,440 --> 00:28:33,940 So 0x888E, that's for all E-frames or given that ether type value. 436 00:28:33,940 --> 00:28:37,860 And down at the very bottom, we see WPA key data. 437 00:28:37,860 --> 00:28:42,420 Now we can't really tell what that is because it's encrypted. 438 00:28:42,420 --> 00:28:45,720 This is encrypted using the key encryption key, but I can tell you in 439 00:28:45,720 --> 00:28:49,100 there is the group temporal key. 440 00:28:49,100 --> 00:28:52,020 It's included in that output right there. 441 00:28:52,020 --> 00:28:56,160 All right, so that concludes that particular video. 442 00:28:56,160 --> 00:28:59,580 Thank you so much for watching and I really hope it was helpful for you.