1
00:00:04,760 --> 00:00:10,100
 Hello and welcome to this video titled
 Introduction to SAE, Simultaneous

2
00:00:10,100 --> 00:00:13,420
 Authentication of Equals.

3
00:00:13,420 --> 00:00:19,500
 So in this video, we're going to start
 getting into the details of how

4
00:00:19,500 --> 00:00:26,320
 WPA3 comes up with unique values
 in a different way than WPA2.

5
00:00:26,320 --> 00:00:29,980
 Now let's do a quick review
 of some of the key concepts.

6
00:00:29,980 --> 00:00:33,980
 First of all, remember that a PMK
 stands for pairwise master key.

7
00:00:33,980 --> 00:00:39,080
 Recall that secure Wi-Fi according to the
 robust security network architecture

8
00:00:39,080 --> 00:00:44,900
 of 802.11i requires the
 use of several keys.

9
00:00:44,900 --> 00:00:48,900
 The pairwise master key is a fundamental
 base key that you typically

10
00:00:48,900 --> 00:00:54,120
 start with. And then other encryption
 and integrity keys such as the key

11
00:00:54,120 --> 00:01:00,660
 encryption key and the temporal key
 are derived ultimately from the PMK

12
00:01:00,660 --> 00:01:04,360
 with an intermediary step in between.

13
00:01:04,360 --> 00:01:09,260
 So how do we get that
 pairwise master key?

14
00:01:09,260 --> 00:01:12,440
 Well, we talked about in some previous
 videos that it can come from one of

15
00:01:12,440 --> 00:01:19,040
 two places. If you're doing a full 802.1X
 exchange with WPA enterprise,

16
00:01:19,040 --> 00:01:23,560
 then the RADIUS authentication server
 will give you a big long master

17
00:01:23,560 --> 00:01:29,260
 session key. You'll divide that in half
 and the first half you will rename

18
00:01:29,260 --> 00:01:32,520
 or reuse as the pairwise master key.

19
00:01:32,520 --> 00:01:38,440
 If you're doing WPA personal, then we're
 going to take that WPA passphrase

20
00:01:38,440 --> 00:01:42,240
 or pre-shared key, whatever
 it is for your wireless LAN.

21
00:01:42,240 --> 00:01:45,020
 And we're going to run that through
 some sort of a formula which will

22
00:01:45,020 --> 00:01:47,840
 then derive the pairwise master key.

23
00:01:47,840 --> 00:01:52,460
 Ultimately, however we get to it, the
 pairwise master key is then shared

24
00:01:52,460 --> 00:01:56,560
 between the Wi-Fi client
 and the access point.

25
00:01:56,560 --> 00:02:01,360
 And then we derive subsequent
 keys from it.

26
00:02:01,360 --> 00:02:08,000
 Now, as a review in WPA2 personal,
 the pairwise master key was derived

27
00:02:08,000 --> 00:02:13,960
 by taking your pre-shared key, your
 WPA2 pre-shared key like the one you

28
00:02:13,960 --> 00:02:17,800
 had on the wall somewhere or that you
 sent everybody in an email, like

29
00:02:17,800 --> 00:02:21,420
 our Wi-Fi password is Cisco123.

30
00:02:21,420 --> 00:02:24,080
 Our Wi-Fi password is 'coffee is great'.

31
00:02:24,080 --> 00:02:30,920
 Whatever that Wi-Fi password is in
 WPA2, that, along with the SSID used

32
00:02:30,920 --> 00:02:36,500
 as what was called a salt, was fed into
 the password-based key derivation

33
00:02:36,500 --> 00:02:39,820
 function, PBKDF2.

34
00:02:39,820 --> 00:02:43,240
 Now, the problem with this
 was a couple of things.

35
00:02:43,240 --> 00:02:46,840
 Number one, it was crackable.

36
00:02:46,840 --> 00:02:58,320
 If people started out with a real sort
 of easy, simplistic, easy-to-guess

37
00:02:58,320 --> 00:03:02,680
 Wi-Fi passphrase, people could
 figure out what that was.

38
00:03:02,680 --> 00:03:07,020
 If they were able to see the four-way EAPOL
 handshake when any particular

39
00:03:07,020 --> 00:03:11,760
 client was joining the wireless LAN, they
 could reverse engineer it because

40
00:03:11,760 --> 00:03:16,820
 the PBKDF2 function is reverse-engineerable
 and they could figure out

41
00:03:16,820 --> 00:03:19,020
 what that passphrase was.

42
00:03:19,020 --> 00:03:24,620
 Another downside was it resulted in the
 same pairwise master key for each

43
00:03:24,620 --> 00:03:28,840
 WPA2 client. So, there were
 some big downsides to it.

44
00:03:28,840 --> 00:03:32,140
 So, when WPA3 was being developed,
 they said, we need to do something

45
00:03:32,140 --> 00:03:34,220
 about this. We need to fix this.

46
00:03:34,220 --> 00:03:41,160
 So, in WPA3 personal, also known as
 WPA3-SAE, they said, we're going to

47
00:03:41,160 --> 00:03:47,780
 get rid of that PBKDF2 function and
 we're going to replace it with the

48
00:03:47,780 --> 00:03:53,540
 simultaneous authentication of equals
 handshake called an SAE handshake.

49
00:03:53,540 --> 00:03:56,720
 Now, this is also known as
 the Dragonfly handshake.

50
00:03:56,720 --> 00:03:59,540
 So, you'll see those two
 used interchangeably.

51
00:03:59,540 --> 00:04:01,340
 So, how does this really change things?

52
00:04:01,340 --> 00:04:04,520
 Well, the big difference here and we'll
 go more into the math of this

53
00:04:04,520 --> 00:04:11,100
 in a separate video is that during the
 actual authentication stage, you

54
00:04:11,100 --> 00:04:15,340
 use a Diffie-Hellman-style key exchange, not exactly
 Diffie-Hellman, but very close

55
00:04:15,340 --> 00:04:21,160
 to that in theory, to
 create unique pairwise master keys

56
00:04:21,160 --> 00:04:29,900
 per client. So, the idea here is that
 with WPA2 personal, every station

57
00:04:29,900 --> 00:04:34,740
 connected to the wireless LAN, regardless
 of what it was, started out

58
00:04:34,740 --> 00:04:38,380
 with the exact same pairwise master key.

59
00:04:38,380 --> 00:04:40,240
 This is WPA2 personal.

60
00:04:40,240 --> 00:04:46,300
 In WPA3 personal, we use a different
 formula called SAE, which results

61
00:04:46,300 --> 00:04:52,440
 in every station having a unique
 pairwise master key.

62
00:04:52,440 --> 00:04:54,220
 So, how do we actually see this?

63
00:04:54,220 --> 00:04:59,800
 Well, in WPA3, the simultaneous authentication
 of equals process actually

64
00:04:59,800 --> 00:05:05,440
 changes the 802.11 authentication
 frames in a couple of ways.

65
00:05:05,440 --> 00:05:12,680
 Number one, recall that in regular
 802.11, whether you're doing WPA or

66
00:05:12,680 --> 00:05:17,220
 WPA2, if you're doing a Wireshark
 sniffer trace of things, you might

67
00:05:17,220 --> 00:05:20,760
 see a whole bunch of beacons and then
 you might see a wireless LAN client

68
00:05:20,760 --> 00:05:24,900
 send out a probe request, get a probe
 response back, and then what would

69
00:05:24,900 --> 00:05:31,980
 you see next? You would see one 802.11
 management frame called, actually

70
00:05:31,980 --> 00:05:34,460
 maybe it's a control frame.

71
00:05:34,460 --> 00:05:39,020
 Anyway, an 802.11 frame called Authentication
 going from the client to the

72
00:05:39,020 --> 00:05:42,820
 access point and it would be called
 an open authentication.

73
00:05:42,820 --> 00:05:46,800
 So, the actual type code in there would
 be a value for open and then you'd

74
00:05:46,800 --> 00:05:52,680
 see an 802.11 authentication message go
 from the access point to the client

75
00:05:52,680 --> 00:05:54,500
 and then you'd be done with that.

76
00:05:54,500 --> 00:05:58,660
 Then you'd move on to your exchange
 of association frames, right?

77
00:05:58,660 --> 00:06:02,240
 So, it would just be this one-two
 exchange of authentication, but

78
00:06:02,240 --> 00:06:05,140
 the authentication frames
 really didn't do anything.

79
00:06:05,140 --> 00:06:09,060
 They didn't exchange any passwords; they
 weren't really used for authentication,

80
00:06:09,060 --> 00:06:11,640
 not with open authentication anyway.

81
00:06:11,640 --> 00:06:15,780
 So, with WPA3, they said we're going
 to change this a little bit.

82
00:06:15,780 --> 00:06:21,400
 First of all, in the authentication frame,
 we're going to change the authentication

83
00:06:21,400 --> 00:06:25,980
 algorithm type from open to SAE.

84
00:06:25,980 --> 00:06:29,960
 So, there's now a new authentication
 algorithm type of SAE identified

85
00:06:29,960 --> 00:06:33,140
 with a value of three
 that you can see here.

86
00:06:33,140 --> 00:06:36,940
 And instead of just doing a one two
 exchange of authentication messages,

87
00:06:36,940 --> 00:06:41,420
 we're going to do a four message exchange,
 two messages from the client

88
00:06:41,420 --> 00:06:51,220
 to the access point, two
 messages from the client.

89
00:06:51,220 --> 00:06:54,620
 So, there are SAE commit frames.

90
00:06:54,620 --> 00:06:57,300
 So, the way you'll see this in a Wireshark
 sniffer trace, which you'll

91
00:06:57,300 --> 00:07:02,080
 see in a moment, is that the client,
 the very first authentication message

92
00:07:02,080 --> 00:07:06,140
 it will send is an SAE commit.

93
00:07:06,140 --> 00:07:11,200
 The access point will respond
 with its own SAE commit.

94
00:07:11,200 --> 00:07:16,420
 Then you'll see the client send an SAE
 confirm and the access point will

95
00:07:16,420 --> 00:07:24,400
 respond with its own SAE confirm,
 total of four messages.

96
00:07:24,400 --> 00:07:28,460
 So, the SAE commit frame, so this one-two
 exchange of SAE commit frames

97
00:07:28,460 --> 00:07:35,760
 is used to exchange data and random
 values between the access point and

98
00:07:35,760 --> 00:07:40,620
 the client, so they can come up with
 a shared secret key using a formula

99
00:07:40,620 --> 00:07:43,480
 very similar to the Diffie-Hellman
 formula.

100
00:07:43,480 --> 00:07:47,820
 So, once that one-two exchange of SAE
 commit frames is done, they've got

101
00:07:47,820 --> 00:07:49,540
 the shared secret key.

102
00:07:49,540 --> 00:07:54,240
 And then they do a one-two exchange of
 SAE confirm frames just to confirm

103
00:07:54,240 --> 00:07:58,640
 that they really do
 have the same shared

104
00:07:58,640 --> 00:08:03,200
 secret key. Once that's confirmed, they
 can then take that shared secret

105
00:08:03,200 --> 00:08:09,240
 key, put it into a formula and
 derive the pairwise master key.

106
00:08:09,240 --> 00:08:12,420
 And we'll go through the gory details
 of how that works in a subsequent

107
00:08:12,420 --> 00:08:16,460
 video. But I just want to finish this
 video off here by showing you a

108
00:08:16,460 --> 00:08:20,080
 sniffer trace from Wireshark that
 actually demonstrates this.

109
00:08:20,080 --> 00:08:23,540
 And see, here's the main takeaway:
 you're no longer seeing just

110
00:08:23,540 --> 00:08:25,240
 two authentication frames.

111
00:08:25,240 --> 00:08:30,640
 So in WPA and WPA2, you would have
 seen two, one from the client, one

112
00:08:30,640 --> 00:08:32,540
 from the access point, and that's it.

113
00:08:32,540 --> 00:08:35,120
 And if you clicked on it, there'd
 really be nothing in there.

114
00:08:35,120 --> 00:08:37,940
 It'd just say open authentication, but
 there wouldn't be really much of

115
00:08:37,940 --> 00:08:43,600
 anything else in there. With WPA3 personal,
 you now see four of them.

116
00:08:43,600 --> 00:08:47,160
 And for example, if we click on this
 very first one here from the client

117
00:08:47,160 --> 00:08:52,300
 going to the Cisco access point, you
 can see SAE message type is commit.

118
00:08:52,300 --> 00:08:54,520
 So this is our very first commit message.

119
00:08:54,520 --> 00:08:58,320
 So we have two commits and two confirms.

120
00:08:58,320 --> 00:09:02,060
 And we'll dig more into the details of
 how all this works in a subsequent

121
00:09:02,060 --> 00:09:07,680
 video. But this is sort of our first overview
 or intro of how SAE is fundamentally

122
00:09:07,680 --> 00:09:14,100
 different in the types and quantities
 of messages that it sends as compared

123
00:09:14,100 --> 00:09:19,160
 to WPA2. Thank you so much
 for watching this video.

124
00:09:19,160 --> 00:09:20,720
 And I really hope it was helpful for you.
