1
00:00:04,480 --> 00:00:11,220
 Hello and welcome to this video titled
 WPA2 Personal PMK Derivation.

2
00:00:11,220 --> 00:00:15,880
 In this video I want to talk in a little
 bit more detail about how the pairwise

3
00:00:15,880 --> 00:00:20,080
 master key is derived in WPA2.

4
00:00:20,080 --> 00:00:23,100
 And you might be thinking to yourself,
 well I'm watching this video in

5
00:00:23,100 --> 00:00:26,220
 the context of a course on WPA3.

6
00:00:26,220 --> 00:00:28,680
 So why do I need to know this?

7
00:00:28,680 --> 00:00:34,160
 Well once you understand how the pairwise
 master key is derived in WPA2

8
00:00:34,160 --> 00:00:40,540
 and its relative flaws due to this process,
 you will appreciate even more

9
00:00:40,540 --> 00:00:47,040
 how they fixed it in WPA3 and why the
 pairwise master key in WPA3 is derived

10
00:00:47,040 --> 00:00:49,680
 in a much better, safer way.

11
00:00:49,680 --> 00:00:54,360
 But if you didn't know this, you wouldn't
 really understand why WPA3 is

12
00:00:54,360 --> 00:00:59,100
 so much better. So let's look
 and see how WPA2 does it.

13
00:00:59,100 --> 00:01:04,060
 So once again we know that if you're
 doing WPA enterprise, you have an

14
00:01:04,060 --> 00:01:07,600
 authentication server on the back end,
 a RADIUS server, and that's going

15
00:01:07,600 --> 00:01:09,740
 to derive a master session key.

16
00:01:09,740 --> 00:01:13,600
 Also as a review, once that master session
 key is derived, the first half

17
00:01:13,600 --> 00:01:18,720
 of that will be renamed as
 the pairwise master key.

18
00:01:18,720 --> 00:01:23,940
 Now we're talking about personal version
 of WPA, then we don't have a

19
00:01:23,940 --> 00:01:25,180
 master session key.

20
00:01:25,180 --> 00:01:30,160
 Instead, we use that pre-shared key
 or that passphrase like coffee123

21
00:01:30,160 --> 00:01:35,400
 or INE456, you know, whatever the
 wireless LAN passphrase is that's

22
00:01:35,400 --> 00:01:39,940
 stapled to the wall for everybody
 to see, we use that as the basis

23
00:01:39,940 --> 00:01:43,080
 for creating our pairwise master key.

24
00:01:43,080 --> 00:01:48,040
 Now how it does it in WPA2 is
 very different than WPA3.

25
00:01:48,040 --> 00:01:55,380
 So in WPA2, it uses something called
 a PBKDF2 key derivation function.

26
00:01:55,380 --> 00:01:58,740
 And that's where we're going
 to focus on in this video.

27
00:01:58,740 --> 00:02:05,720
 WPA3 uses a completely different process
 called the SAE exchange function.

28
00:02:05,720 --> 00:02:10,760
 And once you recognize the PBKDF2 function
 in this video, you'll be able

29
00:02:10,760 --> 00:02:15,300
 to appreciate how the SAE exchange
 function is better.

30
00:02:15,300 --> 00:02:18,740
 All right, so let's focus on WPA2 here.

31
00:02:18,740 --> 00:02:24,620
 So first of all, PBKDF2, what that is
 such a crazy long, weird impossible

32
00:02:24,620 --> 00:02:26,180
 to remember acronym.

33
00:02:26,180 --> 00:02:29,140
 Well, it does actually stand for something,
 although I'll be honest with

34
00:02:29,140 --> 00:02:31,360
 you, I've looked at this
 thing hundreds of times.

35
00:02:31,360 --> 00:02:34,800
 I still don't have it memorized.

36
00:02:34,800 --> 00:02:40,820
 So PBKDF2 means Password-Based
 Key Derivation Function 2.

37
00:02:40,820 --> 00:02:42,580
 Ah, that makes sense.

38
00:02:42,580 --> 00:02:45,760
 Okay. So if you ever want to dig into
 the guts of this and see the core

39
00:02:45,760 --> 00:02:51,480
 details of how it works, it
 was originally defined in RFC 2898,

40
00:02:51,480 --> 00:02:54,620
 and then it was updated in RFC 8018.

41
00:02:54,620 --> 00:02:55,660
 So there you go.

42
00:02:55,660 --> 00:02:58,640
 If you have a hard time sleeping
 at night one night.

43
00:02:58,640 --> 00:03:03,940
 So here's sort of the basis behind this
 key derivation function and why

44
00:03:03,940 --> 00:03:08,380
 we need it. We know that when you get
 onto an access point and you configure

45
00:03:08,380 --> 00:03:13,760
 a WPA2 personal wireless LAN, or if
 you're doing this on a controller

46
00:03:13,760 --> 00:03:17,960
 like a 9800 controller, either way,
 you're going to be asked to input

47
00:03:17,960 --> 00:03:21,820
 some sort of a pre-shared key, some sort
 of a passphrase for that wireless

48
00:03:21,820 --> 00:03:26,860
 LAN. And that passphrase typically has
 to be a minimum of eight characters

49
00:03:26,860 --> 00:03:29,580
 up to 63 characters in length.

50
00:03:29,580 --> 00:03:32,440
 So you've got that range
 there from eight to 63.

51
00:03:32,440 --> 00:03:36,820
 Obviously the longer your passphrase,
 the more secure it is.

52
00:03:36,820 --> 00:03:38,300
 But here's the deal.

53
00:03:38,300 --> 00:03:41,460
 It's giving you this variability, right?

54
00:03:41,460 --> 00:03:43,660
 If you want to type in an eight
 character one, you can.

55
00:03:43,660 --> 00:03:46,380
 If you want to type in a 12
 character passphrase, fine.

56
00:03:46,380 --> 00:03:46,980
 Go ahead and do it.

57
00:03:46,980 --> 00:03:52,580
 But the problem is that we discovered
 from a previous video that the

58
00:03:52,580 --> 00:03:56,120
 pairwise master key always
 is the same length.

59
00:03:56,120 --> 00:03:58,680
 It's 32 bytes in length, right?

60
00:03:58,680 --> 00:04:05,900
 32 bytes. So if I have as my input an eight
 character thing or a 16 character

61
00:04:05,900 --> 00:04:11,780
 thing or a 59 character thing, how am
 I always going to get as a result

62
00:04:11,780 --> 00:04:18,080
 the exact same, I should say a fixed
 length of 32 bytes pairwise master

63
00:04:18,080 --> 00:04:25,640
 key. And that is the purpose of the
 PBKDF2 function is to provide the

64
00:04:25,640 --> 00:04:30,960
 sort of like mathematical or algorithm
 and formula to stretch whatever

65
00:04:30,960 --> 00:04:35,460
 the passphrase was that you gave it
 into a full fledged pairwise master

66
00:04:35,460 --> 00:04:41,020
 key. Now how does it work without going
 too much into the math here, we

67
00:04:41,020 --> 00:04:45,840
 start with our passphrase
 and then we include a salt.

68
00:04:45,840 --> 00:04:48,520
 The salt is basically just the SSID.

69
00:04:48,520 --> 00:04:52,760
 So whatever your SSID is, but the
 PBKDF2 function says include a salt.

70
00:04:52,760 --> 00:04:55,500
 And in this particular case
 the salt is the SSID.

71
00:04:55,500 --> 00:05:00,040
 Then you're going to run that through
 an HMAC-SHA1 function.

72
00:05:00,040 --> 00:05:04,660
 And you're going to do this 4096 times.

73
00:05:04,660 --> 00:05:09,020
 And each iteration is going to take
 the result of the previous hash as

74
00:05:09,020 --> 00:05:10,780
 input for the next one.

75
00:05:10,780 --> 00:05:17,060
 Until you get a 256-bit
 pairwise master key.

76
00:05:17,060 --> 00:05:22,540
 Now, if you're familiar with the
 HMAC-SHA1 function, obviously this

77
00:05:22,540 --> 00:05:25,760
 is used for a lot of different
 things, not just Wi-Fi.

78
00:05:25,760 --> 00:05:28,240
 A lot of things use HMAC-SHA1.

79
00:05:28,240 --> 00:05:34,240
 So what HMAC-SHA1 was designed to do
 is take any variable length input,

80
00:05:34,240 --> 00:05:37,680
 like in this case our passphrase.

81
00:05:37,680 --> 00:05:41,840
 And once you shove it into this
 HMAC-SHA1 function, it ends up creating

82
00:05:41,840 --> 00:05:45,380
 at the end a fixed length output.

83
00:05:45,380 --> 00:05:51,760
 Now, in the case of HMAC-SHA1, that
 fixed length output is 160 bits,

84
00:05:51,760 --> 00:05:53,660
 which is 20 bytes.

85
00:05:53,660 --> 00:05:57,120
 Now you might be thinking, but
 wait a second, Keith, 20 bytes.

86
00:05:57,120 --> 00:06:02,260
 You told me that the pairwise
 master key has to be 32 bytes.

87
00:06:02,260 --> 00:06:03,880
 So this is a little short.

88
00:06:03,880 --> 00:06:07,260
 Well, that's why this thing
 is run multiple times.

89
00:06:07,260 --> 00:06:10,560
 And then its outputs are
 concatenated together.

90
00:06:10,560 --> 00:06:14,240
 So basically you might take like two
 outputs together, which will give

91
00:06:14,240 --> 00:06:18,680
 you 40 bytes and then just chop off
 the eight bytes at the end, leaving

92
00:06:18,680 --> 00:06:23,520
 you 32 bytes. And then it will do
 this over and over and over again.

93
00:06:23,520 --> 00:06:28,740
 And the purpose of doing it 4096 times
 is to make it stronger and stronger

94
00:06:28,740 --> 00:06:33,100
 and stronger so that hopefully an attacker
 will have to use a lot of computational

95
00:06:33,100 --> 00:06:37,380
 power if they want to try
 to reverse engineer this.

96
00:06:37,380 --> 00:06:40,960
 So the result is the pairwise master key.

97
00:06:40,960 --> 00:06:44,580
 Now, why do we care about this?

98
00:06:44,580 --> 00:06:50,580
 So we know that the PBKDF2, its whole
 purpose of being in this case is

99
00:06:50,580 --> 00:06:55,800
 to take your variable length WPA2
 personal passphrase and convert that

100
00:06:55,800 --> 00:07:02,220
 at the very end into a 256-bit
 bit pairwise master key.

101
00:07:02,220 --> 00:07:05,780
 Otherwise known as a 32-byte
 pairwise master key.

102
00:07:05,780 --> 00:07:08,900
 Now here's the problem.

103
00:07:08,900 --> 00:07:15,540
 Number one, the iteration count is fixed
 and SHA-1 is relatively fast.

104
00:07:15,540 --> 00:07:21,780
 So if you start this whole
 process with a fairly weak passphrase

105
00:07:21,780 --> 00:07:27,480
 like Cisco123 or password111,
 something easily, you
 one one one something easily, you

106
00:07:27,480 --> 00:07:33,480
 know, guessed with minimal computational
 power, somebody could actually

107
00:07:33,480 --> 00:07:39,880
 take your pairwise master key and then
 reverse engineer it and figure

108
00:07:39,880 --> 00:07:42,160
 out what your wireless LAN passphrase is.

109
00:07:42,160 --> 00:07:45,520
 And now they could get access
 onto your wireless LAN.

110
00:07:45,520 --> 00:07:49,900
 Now that would not give them the ability
 to decrypt your frames though

111
00:07:49,900 --> 00:07:54,400
 because keep in mind that even though
 we have a pairwise master key, we're

112
00:07:54,400 --> 00:07:57,080
 still going to have to go through some
 additional steps to create a pairwise

113
00:07:57,080 --> 00:08:01,520
 transient key and then eventually
 a temporal key.

114
00:08:01,520 --> 00:08:07,120
 And every user has their
 own unique PTK and TK.

115
00:08:07,120 --> 00:08:14,520
 But in the world of WPA2, because the
 wireless LAN passphrase is always

116
00:08:14,520 --> 00:08:15,980
 the same for everybody.

117
00:08:15,980 --> 00:08:19,240
 And the SSID is always the same.

118
00:08:19,240 --> 00:08:22,960
 And those are really the only inputs
 that are used in this system here.

119
00:08:22,960 --> 00:08:27,120
 That means everybody's going to end
 up having the exact same pairwise

120
00:08:27,120 --> 00:08:32,240
 master key. So somebody can get a
 hold of that pairwise master key.

121
00:08:32,240 --> 00:08:36,880
 They can reverse engineer it and discover
 what the original passphrase

122
00:08:36,880 --> 00:08:38,760
 is for your wireless LAN.

123
00:08:38,760 --> 00:08:42,200
 And now somebody who's not supposed
 to be on your wireless LAN could get

124
00:08:42,200 --> 00:08:46,720
 on your wireless LAN because they
 have the Wi-Fi passphrase.

125
00:08:46,720 --> 00:08:56,140
 So in summary, short or easy to guess
 PSKs like INE123, coffee is good,

126
00:08:56,140 --> 00:09:01,460
 whatever your passphrase is, make WPA2
 Personal easy to crack with

127
00:09:01,460 --> 00:09:03,540
 offline attacks.

128
00:09:03,540 --> 00:09:06,860
 And what we mean by an offline attack
 here, just not to go too far into

129
00:09:06,860 --> 00:09:12,540
 the weeds here. But if I had a wireless
 sniffer trace going, I'm not part

130
00:09:12,540 --> 00:09:13,460
 of the wireless LAN.

131
00:09:13,460 --> 00:09:17,140
 Maybe I'm sitting in the parking lot,
 but even in the parking lot with my,

132
00:09:17,140 --> 00:09:21,420
 you know, a little antenna sticking
 out of my window, I can capture all

133
00:09:21,420 --> 00:09:25,160
 the Wi-Fi frames on a particular wireless
 LAN that's on the other side

134
00:09:25,160 --> 00:09:27,520
 of the wall of like an office building.

135
00:09:27,520 --> 00:09:30,060
 And so I just sit out there
 for several hours.

136
00:09:30,060 --> 00:09:33,960
 Now, and I'm collecting traffic and
 I'm storing on like a hard drive or

137
00:09:33,960 --> 00:09:40,380
 something. Well, as I'm collecting traffic,
 if I actually capture somebody

138
00:09:40,380 --> 00:09:44,680
 who's joining that wireless LAN, so
 I can actually see their four way

139
00:09:44,680 --> 00:09:49,840
 EAP over LAN handshake, if I can get
 that, I can actually use that with

140
00:09:49,840 --> 00:09:51,000
 WPA2 Personal.

141
00:09:51,000 --> 00:09:57,000
 If they started out with a very weak
 Wi-Fi passphrase, if I can see their

142
00:09:57,000 --> 00:10:01,260
 four way handshake, I can run that through
 an offline dictionary attack

143
00:10:01,260 --> 00:10:03,520
 and try to reverse engineer.

144
00:10:03,520 --> 00:10:06,820
 So basically a dictionary attack is
 where you have in your like server,

145
00:10:06,820 --> 00:10:12,300
 you've got a dictionary of like 10 million
 passphrases, maybe stuff that

146
00:10:12,300 --> 00:10:16,540
 was stolen off the dark web or something,
 stuff that was randomly generated,

147
00:10:16,540 --> 00:10:20,300
 but you've got like just millions and millions
 of sample passphrases starting

148
00:10:20,300 --> 00:10:24,280
 out with like password123,
 admin, real easy stuff, but millions
 admin, real easy stuff, but millions

149
00:10:24,280 --> 00:10:29,320
 of them. And so when you see their EAP
 over LAN four way handshake, you

150
00:10:29,320 --> 00:10:33,360
 can just take and remember that you've
 got the SSID because you see it

151
00:10:33,360 --> 00:10:34,540
 in the beacons there.

152
00:10:34,540 --> 00:10:39,020
 So you take the SSID that you're seeing
 in the beacon and then you just

153
00:10:39,020 --> 00:10:43,100
 start with the first passphrase that
 you've got in your dictionary, your

154
00:10:43,100 --> 00:10:50,580
 offline dictionary, run it through
 the same PBKDF2 function, see the

155
00:10:50,580 --> 00:10:54,720
 resulting output and compare that output
 with what you see in the EAP

156
00:10:54,720 --> 00:10:56,700
 over LAN four way handshake.

157
00:10:56,700 --> 00:11:00,400
 And if you do that often enough,
 you might end up with a match.

158
00:11:00,400 --> 00:11:03,980
 And if you end up with a match, you say,
 ah, the thing I started out with,

159
00:11:03,980 --> 00:11:09,300
 which was like number 5006 in my
 dictionary, that must be the wireless

160
00:11:09,300 --> 00:11:12,380
 LAN passphrase they're using
 in that wireless LAN.

161
00:11:12,380 --> 00:11:15,680
 And now that I know that I can join
 it, even though I'm not even part

162
00:11:15,680 --> 00:11:16,820
 of that company.

163
00:11:16,820 --> 00:11:20,200
 So with WPA2, it's
 susceptible to that.

164
00:11:20,200 --> 00:11:24,800
 Now, if you're really curious about
 what the process is to do that, I

165
00:11:24,800 --> 00:11:28,380
 would recommend going into
 our INE course catalog.

166
00:11:28,380 --> 00:11:33,680
 And we have some courses in our cybersecurity
 section on Wi-Fi cracking.

167
00:11:33,680 --> 00:11:37,240
 And we have some videos on there on
 WPA2 cracking and it shows you

168
00:11:37,240 --> 00:11:38,700
 how you can do that.

169
00:11:38,700 --> 00:11:43,340
 So that's how WPA2 comes up
 with the pairwise master key.

170
00:11:43,340 --> 00:11:45,540
 Thank you so much for
 watching this video.

171
00:11:45,540 --> 00:11:46,460
 And I hope it was helpful.
