1 00:00:03,620 --> 00:00:10,860 Hello and welcome to this video titled WPA3 SAE PMK Derivation. 2 00:00:10,860 --> 00:00:15,580 So as the title says, in this particular video, we're going to go into 3 00:00:15,580 --> 00:00:23,000 the gory details of how the PMK is derived with WPA3 SAE. 4 00:00:23,000 --> 00:00:27,140 Now I should preface that by saying that with WPA3 SAE, there's actually 5 00:00:27,140 --> 00:00:31,920 something that's derived before the pairwise master key, which is something 6 00:00:31,920 --> 00:00:33,860 called a shared secret. 7 00:00:33,860 --> 00:00:36,860 So this is really going to be getting more into how that shared secret 8 00:00:36,860 --> 00:00:41,460 is derived. And once that is created, the pairwise master key can be derived 9 00:00:41,460 --> 00:00:44,760 from it. So let's just do a quick review right here. 10 00:00:44,760 --> 00:00:51,400 So we know that with WPA2, there were really only 2802.11 authentication 11 00:00:51,400 --> 00:00:54,980 messages that were exchanged and we can see them right here. 12 00:00:54,980 --> 00:00:59,140 And so the client would send an authentication message to the access point 13 00:00:59,140 --> 00:01:03,260 and the authentication algorithm was simply open system. 14 00:01:03,260 --> 00:01:07,360 And look at this, the authentication status code was successful. 15 00:01:07,360 --> 00:01:11,060 So the client was already saying, hey, I'm already successful in authenticating. 16 00:01:11,060 --> 00:01:15,600 This is basically just sort of an old carryover from a long time ago, 17 00:01:15,600 --> 00:01:19,300 where I said, look, we have to exchange authentication messages that's 18 00:01:19,300 --> 00:01:21,580 sort of like built into the standard. 19 00:01:21,580 --> 00:01:25,800 But they decide a long time ago, we're not actually going to do authentication 20 00:01:25,800 --> 00:01:30,840 right here. We're going to do authentication pretty much after association 21 00:01:30,840 --> 00:01:36,260 is done. So this is sort of just a carryover from that. 22 00:01:36,260 --> 00:01:39,600 And you can see here that the access point was send a message back to 23 00:01:39,600 --> 00:01:41,800 the client with another authentication message. 24 00:01:41,800 --> 00:01:46,740 Also authentication algorithm open system saying, yep, you're good. 25 00:01:46,740 --> 00:01:50,340 But really, authentication wasn't actually taking place here. 26 00:01:50,340 --> 00:01:55,420 Neither side was doing anything to actually authenticate the other side. 27 00:01:55,420 --> 00:02:00,600 Well, with WPA three with WPA three personal, otherwise known as simultaneous 28 00:02:00,600 --> 00:02:04,320 authentication of equals, they changed that. 29 00:02:04,320 --> 00:02:08,160 They said, look, we're actually going to authenticate each side right 30 00:02:08,160 --> 00:02:10,460 here in the authentication stage. 31 00:02:10,460 --> 00:02:15,160 And we're going to use this to come up with our pairwise master key. 32 00:02:15,160 --> 00:02:18,980 And so one of the things they did to change this is in increasing it from 33 00:02:18,980 --> 00:02:21,420 two messages to four messages. 34 00:02:21,420 --> 00:02:23,380 And you can see them right here. 35 00:02:23,380 --> 00:02:28,300 And you can also see that in the authentication algorithm, they changed 36 00:02:28,300 --> 00:02:32,260 it to simultaneous authentication of equals. 37 00:02:32,260 --> 00:02:33,680 So you can see that right here. 38 00:02:33,680 --> 00:02:36,100 It no longer says open authentication. 39 00:02:36,100 --> 00:02:40,100 It now says version three, which is S A E. 40 00:02:40,100 --> 00:02:44,180 Okay. And then in this, these four message exchanges, there's actually 41 00:02:44,180 --> 00:02:45,540 a bunch of stuff in here. 42 00:02:45,540 --> 00:02:49,540 There's something, for example, called a scalar and a finite field element. 43 00:02:49,540 --> 00:02:53,660 And we're going to be talking about the details of that in this video 44 00:02:53,660 --> 00:02:58,080 right here. Now I will give you a heads up right now. 45 00:02:58,080 --> 00:03:03,020 If your objective of watching these videos is simply just to learn the 46 00:03:03,020 --> 00:03:15,280 bare minimum of NA or some CCMP wireless exam, then you can stop right 47 00:03:15,280 --> 00:03:16,680 now in this video. 48 00:03:16,680 --> 00:03:19,540 Everything I'm going to go forward in this video is going to be above 49 00:03:19,540 --> 00:03:23,220 and beyond what you would simply need to know for the purposes of passing 50 00:03:23,220 --> 00:03:24,980 a certification exam. 51 00:03:24,980 --> 00:03:27,440 You might be wondering, well, then Keith, why did you create the video 52 00:03:27,440 --> 00:03:28,800 in the first place? 53 00:03:28,800 --> 00:03:34,800 Well, to me, if I have an engineering mindset, I will take a look at this 54 00:03:34,800 --> 00:03:38,160 and I will be naturally curious about things. 55 00:03:38,160 --> 00:03:43,160 I'll wonder like, okay, why exactly do we need four messages? 56 00:03:43,160 --> 00:03:46,620 Okay, I understand that the first two messages are called commit. 57 00:03:46,620 --> 00:03:49,500 The second two messages are called confirm. 58 00:03:49,500 --> 00:03:53,440 And maybe if I was studying for a certification exam, that's all I would 59 00:03:53,440 --> 00:03:57,600 need to know. But for me, with my mindset, I'm naturally curious about, 60 00:03:57,600 --> 00:04:02,460 well, what makes the commit messages different than the confirm messages? 61 00:04:02,460 --> 00:04:05,940 And if I do a sniffer trace, like I did right here, I'll notice that the 62 00:04:05,940 --> 00:04:10,780 commit messages will have stuff in it like a scalar and a finite field 63 00:04:10,780 --> 00:04:14,620 element that are not present in the confirm messages. 64 00:04:14,620 --> 00:04:16,600 The confirm message has something else. 65 00:04:16,600 --> 00:04:19,660 And I naturally sort of wonder, well, what are these things called the 66 00:04:19,660 --> 00:04:21,560 scalar and the finite field? 67 00:04:21,560 --> 00:04:22,920 What are they used for? 68 00:04:22,920 --> 00:04:27,300 Why is it important in the whole dragonfly exchange, otherwise known as 69 00:04:27,300 --> 00:04:29,500 SAE, that we have these? 70 00:04:29,500 --> 00:04:33,500 And so this video is really sort of to answer those of you who are like 71 00:04:33,500 --> 00:04:36,940 me a little bit curious about what are these messages? 72 00:04:36,940 --> 00:04:38,820 What exactly do they contain? 73 00:04:38,820 --> 00:04:43,720 And what are these fields in here without going to gory detail into the 74 00:04:43,720 --> 00:04:46,640 really deep math of everything? 75 00:04:46,640 --> 00:04:48,540 And so that's what this is for. 76 00:04:48,540 --> 00:04:52,380 Because for me, once I walk away from this, really understanding what 77 00:04:52,380 --> 00:04:56,140 these fields are and what really makes a commit message different than 78 00:04:56,140 --> 00:05:06,520 a confirm message, I can feel a little SAE above and beyond what a simple 79 00:05:06,520 --> 00:05:10,920 certification exam might ask me in a multiple choice question. 80 00:05:10,920 --> 00:05:17,140 So that all being said, let's go ahead and continue on right here. 81 00:05:17,140 --> 00:05:26,080 Okay. So with WPA3, one of the objectives was we know that one of the 82 00:05:26,080 --> 00:05:31,420 things that made WPA2 bad, or I should say a little insecure, is that 83 00:05:31,420 --> 00:05:37,820 everybody uses the same passphrase to join the wireless LAN, like coffee123. 84 00:05:37,820 --> 00:05:40,560 Well, that's the same with WPA3, right? 85 00:05:40,560 --> 00:05:44,340 You're going to have some when you're configuring a WPA3 personal wireless 86 00:05:44,340 --> 00:05:48,860 LAN, whether it be on the gooey of your access point or the web UI of 87 00:05:48,860 --> 00:05:51,040 your controller or whatever it is. 88 00:05:51,040 --> 00:05:53,900 One of the first things you're going to have to type in is a passphrase 89 00:05:53,900 --> 00:05:55,040 for the wireless LAN. 90 00:05:55,040 --> 00:05:58,700 So both two and three have a shared passphrase. 91 00:05:58,700 --> 00:06:02,720 One of the differences though, is in a previous video, we talked about 92 00:06:02,720 --> 00:06:11,440 how with WPA2, there is a formula that's used called a P BKDRF2, I think 93 00:06:11,440 --> 00:06:16,060 I have that right functionality, which the end result of that was it took 94 00:06:16,060 --> 00:06:20,100 that passphrase and end up creating a pairwise master key from it. 95 00:06:20,100 --> 00:06:24,380 But the problem was everybody had the same pairwise master key. 96 00:06:24,380 --> 00:06:25,820 They all shared it. 97 00:06:25,820 --> 00:06:28,640 Now the good thing is the pairwise master key is not used to actually 98 00:06:28,640 --> 00:06:30,040 encrypt and decrypt data. 99 00:06:30,040 --> 00:06:34,340 We have to do some further key derivation functions until eventually we 100 00:06:34,340 --> 00:06:38,340 get to the temporal key, the TK, and that's what's actually used to encrypt 101 00:06:38,340 --> 00:06:40,120 and decrypt our data. 102 00:06:40,120 --> 00:06:42,220 But it starts with the PMK. 103 00:06:42,220 --> 00:06:47,040 So if everybody has the exact same PMK, that's not a good thing, right? 104 00:06:47,040 --> 00:06:52,660 In a good security world, everybody's keys would be different. 105 00:06:52,660 --> 00:06:57,060 We wouldn't have a shared set of keys among the same sets of people. 106 00:06:57,060 --> 00:06:59,880 So that was one of the problems with WPA2. 107 00:06:59,880 --> 00:07:05,740 So WPA3 said, we need to come up with a unique pairwise master key for 108 00:07:05,740 --> 00:07:07,280 every individual. 109 00:07:07,280 --> 00:07:09,040 They shouldn't all have the same. 110 00:07:09,040 --> 00:07:12,400 And so this is now talking about how does that happen? 111 00:07:12,400 --> 00:07:16,540 How do we come up with a unique pairwise master key when we have, when 112 00:07:16,540 --> 00:07:20,780 we're starting with a shared secret that's the same, like coffee, one, 113 00:07:20,780 --> 00:07:25,380 two, three, or Cisco, one, two, three, whatever the WPA3 passphrase is, 114 00:07:25,380 --> 00:07:29,020 how do we get from that same shared passphrase that everybody's typing 115 00:07:29,020 --> 00:07:34,720 in to connect to the wireless LAN to a unique pairwise master key? 116 00:07:34,720 --> 00:07:39,500 And the way we do that is we have to come up with some unique shared secret 117 00:07:39,500 --> 00:07:42,360 before the pairwise master key. 118 00:07:42,360 --> 00:07:45,980 And that's what this video here is going to be talking about is during 119 00:07:45,980 --> 00:07:53,020 that, that SAE commit and confirm process, the ultimate end goal of that 120 00:07:53,020 --> 00:07:59,380 is to come up with some shared secret path, some shared secret number. 121 00:07:59,380 --> 00:08:03,780 And then that's, that's unique between that client and that access point. 122 00:08:03,780 --> 00:08:08,160 So every client will have a different shared secret at the end of their 123 00:08:08,160 --> 00:08:11,100 four way SAE message exchange. 124 00:08:11,100 --> 00:08:16,080 And then from that shared secret that was derived just for that session, 125 00:08:16,080 --> 00:08:20,360 they can then derive the pairwise master key after that, which will be 126 00:08:20,360 --> 00:08:24,860 obviously unique because the shared secret that was derived before that 127 00:08:24,860 --> 00:08:26,660 was also unique. 128 00:08:26,660 --> 00:08:29,400 So how do we do that? 129 00:08:29,400 --> 00:08:35,460 So WPA3 sort of does away with that whole PBK DRF2 function and comes 130 00:08:35,460 --> 00:08:42,060 up with a different shared secret. 131 00:08:42,060 --> 00:08:47,820 And it looks very much like Diffie Hellman in the way it works. 132 00:08:47,820 --> 00:08:53,260 So with Diffie Hellman, we have some known public information that we 133 00:08:53,260 --> 00:08:57,180 mathematically compute with our huge random number and some prime numbers 134 00:08:57,180 --> 00:08:59,940 to compute the pairwise master key. 135 00:08:59,940 --> 00:09:05,980 So the changes, so we change the random numbers on each successive authentication 136 00:09:05,980 --> 00:09:11,360 attempt, which derives a new unique shared secret and pairwise master. 137 00:09:11,360 --> 00:09:14,760 Don't worry. We're going to go into this in detail. 138 00:09:14,760 --> 00:09:20,160 So let's start with a review of modular arithmetic. 139 00:09:20,160 --> 00:09:22,800 So let me show you something here. 140 00:09:22,800 --> 00:09:35,100 If I showed you something like 32 this, okay, if I said, figure that out 141 00:09:35,100 --> 00:09:38,480 for me, 32, 32, modulo five. 142 00:09:38,480 --> 00:09:41,720 Now if you already know how to do that, you can skip this slide right 143 00:09:41,720 --> 00:09:45,020 here, just, just fast forward and go to the next slide. 144 00:09:45,020 --> 00:09:48,700 But if you say, what does modulo mean and what is this? 145 00:09:48,700 --> 00:09:50,660 How do I do this? 146 00:09:50,660 --> 00:09:53,460 Well then that then you're in the right place. 147 00:09:53,460 --> 00:09:57,420 Okay, let's do a review of modular arithmetic. 148 00:09:57,420 --> 00:10:03,540 Sometimes you want to create an algorithm or a, or a function that divides 149 00:10:03,540 --> 00:10:09,520 numbers by a certain value, X, and in the examples before X and the examples 150 00:10:09,520 --> 00:10:12,880 below X is going to be the number four. 151 00:10:12,880 --> 00:10:15,880 And then after dividing the numbers by that certain value, you're going 152 00:10:15,880 --> 00:10:17,340 to have some sort of a remainder. 153 00:10:17,340 --> 00:10:20,940 Let's say the remainder is Y and you want to actually take the remainder 154 00:10:20,940 --> 00:10:25,460 and plug that into your formula or your algorithm. 155 00:10:25,460 --> 00:10:28,500 So you're not actually looking for what you're dividing it by. 156 00:10:28,500 --> 00:10:31,640 You're looking for what the remainder is of that division. 157 00:10:31,640 --> 00:10:34,860 And we call that modular arithmetic. 158 00:10:34,860 --> 00:10:39,340 For example, here we have 25 divided by four equals six with a remainder 159 00:10:39,340 --> 00:10:45,080 of one. If we take 34 divided by four, that gives us eight with a remainder 160 00:10:45,080 --> 00:10:50,240 of two and 31 divided by four is seven with a remainder of three. 161 00:10:50,240 --> 00:10:54,180 And maybe it's those remainders that we want to plug into our formula 162 00:10:54,180 --> 00:10:56,460 or our algorithm. 163 00:10:56,460 --> 00:11:04,140 So when we're creating a mathematical expression that's looking for the 164 00:11:04,140 --> 00:11:09,580 remainder of something, that's called modular or modulo expressions. 165 00:11:09,580 --> 00:11:17,800 So in this case, our values of 25, 34, and 31, if we apply it against 166 00:11:17,800 --> 00:11:24,080 modulo four, what we're dividing against, that will yield the remainders 167 00:11:24,080 --> 00:11:24,980 we're looking for. 168 00:11:24,980 --> 00:11:28,440 So this is typically expressed mathematically, for example, if we look 169 00:11:28,440 --> 00:11:34,540 at the first one here, 25 modulo four will give us one. 170 00:11:34,540 --> 00:11:39,780 So this is saying we're taking some number, dividing it by some other 171 00:11:39,780 --> 00:11:44,300 number four in this case, and we're looking for what the remainder is. 172 00:11:44,300 --> 00:11:50,860 So that's how you do this expression right here, or 34% four or 34 modulo 173 00:11:50,860 --> 00:11:57,320 four would equal two, 31 modulo four would equal three, right? 174 00:11:57,320 --> 00:11:58,620 We're looking for the remainder. 175 00:11:58,620 --> 00:12:02,420 So this type of expression yields what the remainder is. 176 00:12:02,420 --> 00:12:06,740 So that's going to be important as we go into Diffie-Hellman and then 177 00:12:06,740 --> 00:12:09,160 ultimately how SAE does it. 178 00:12:09,160 --> 00:12:12,220 So let's just do a review of classic Diffie-Hellman. 179 00:12:12,220 --> 00:12:14,920 You've got peer A and peer B. 180 00:12:14,920 --> 00:12:19,980 And the goal of Diffie-Hellman is to use large prime numbers, use modular 181 00:12:19,980 --> 00:12:24,320 arithmetic that we just did a review on in the previous slide, to come 182 00:12:24,320 --> 00:12:28,860 up with a shared secret value without actually ever exchanging the shared 183 00:12:28,860 --> 00:12:31,080 secret value in the clear. 184 00:12:31,080 --> 00:12:36,140 So we want peer A and peer B to come up with some shared secret number. 185 00:12:36,140 --> 00:12:40,580 And if someone was actually looking at the transactions between peer A 186 00:12:40,580 --> 00:12:45,580 and peer B, they will never actually see that shared secret value. 187 00:12:45,580 --> 00:12:48,360 So here's how Diffie-Hellman does it. 188 00:12:48,360 --> 00:12:52,620 We start out with three values. 189 00:12:52,620 --> 00:12:56,120 So two of those are well known. 190 00:12:56,120 --> 00:12:59,340 So we have some sort of a generator, some sort of base number, which is 191 00:12:59,340 --> 00:13:00,160 called a generator. 192 00:13:00,160 --> 00:13:02,220 We'll just call it G here. 193 00:13:02,220 --> 00:13:07,280 We have a modulus, which is like in the previous example, the modulus 194 00:13:07,280 --> 00:13:08,480 was four, right? 195 00:13:08,480 --> 00:13:11,160 We were dividing all three of those equations by four. 196 00:13:11,160 --> 00:13:13,640 So we have some static well known modulus. 197 00:13:13,640 --> 00:13:20,220 And then what is kept secret, what neither side knows about is some randomly 198 00:13:20,220 --> 00:13:22,240 selected exponent. 199 00:13:22,240 --> 00:13:26,740 So for every session, this exponent is going to be some new value. 200 00:13:26,740 --> 00:13:30,840 And peer A is going to have his own exponent, and peer B is going to have 201 00:13:30,840 --> 00:13:31,780 his own exponent. 202 00:13:31,780 --> 00:13:34,000 So that's A and B here. 203 00:13:34,000 --> 00:13:37,740 All right, so using these, how are we going to come up with a shared secret 204 00:13:37,740 --> 00:13:39,920 value that's the same for both of these? 205 00:13:39,920 --> 00:13:42,500 So here's the initial computation. 206 00:13:42,500 --> 00:13:48,760 Both sides will take their generator, their G value, okay? 207 00:13:48,760 --> 00:13:53,280 And they will say G to the power of whatever their exponent is. 208 00:13:53,280 --> 00:13:59,060 So peer A says G to the power of his exponent, peer B takes G to the power 209 00:13:59,060 --> 00:14:00,840 of his exponent. 210 00:14:00,840 --> 00:14:06,900 Now, whatever that is, we will then apply it against modulo M, okay? 211 00:14:06,900 --> 00:14:08,920 And that will give us some result. 212 00:14:08,920 --> 00:14:14,380 So A will say G to the power of my exponent, modulo M will give me some 213 00:14:14,380 --> 00:14:19,000 result, which will say is capital A, and same thing is happening over 214 00:14:19,000 --> 00:14:23,540 here. So these are considered the public keys to start out with. 215 00:14:23,540 --> 00:14:29,680 So peer A will send to peer B the result of his formula, A in this case. 216 00:14:29,680 --> 00:14:31,780 He'll say that's my public key. 217 00:14:31,780 --> 00:14:34,180 And peer B will do the same thing. 218 00:14:34,180 --> 00:14:38,420 He'll say, hey, peer A, let me tell you what my public key is. 219 00:14:38,420 --> 00:14:42,420 Now we haven't gotten to the shared secret yet, but we're getting close. 220 00:14:42,420 --> 00:14:47,340 Now, each side will perform a shared secret computation to come up with 221 00:14:47,340 --> 00:14:49,580 S, which is their shared secret value. 222 00:14:49,580 --> 00:14:51,160 How do they do that? 223 00:14:51,160 --> 00:14:57,520 So peer A takes the public key that he received from B, which is B here. 224 00:14:57,520 --> 00:15:01,320 He says, okay, I'm going to take B to the power of my exponent. 225 00:15:01,320 --> 00:15:05,160 Just like previously, I took G to the power of my exponent. 226 00:15:05,160 --> 00:15:09,040 I'm going to do the same thing, B to the power of my exponent. 227 00:15:09,040 --> 00:15:13,560 Do that whole modulo M equation again, and that will yield some value, 228 00:15:13,560 --> 00:15:16,960 which is my shared secret, because guess what? 229 00:15:16,960 --> 00:15:24,820 If on the other side, if peer B takes A's public key, which is A, to the 230 00:15:24,820 --> 00:15:32,400 power of his own exponent, which is B, modulo M will give the exact same 231 00:15:32,400 --> 00:15:35,680 value as the shared secret. 232 00:15:35,680 --> 00:15:38,220 Let's try this yourself. 233 00:15:38,220 --> 00:15:40,460 So I want you to do this yourself. 234 00:15:40,460 --> 00:15:43,640 So go ahead and pause this video, and I want you to take, let's say that 235 00:15:43,640 --> 00:15:48,000 both sides sort of agree that their generator is going to be the number 236 00:15:48,000 --> 00:15:50,680 five, so that'll be G. 237 00:15:50,680 --> 00:15:56,020 Their modulus will be 23, so that'll be the M value here. 238 00:15:56,020 --> 00:16:00,620 And on the left side, I want the random exponent to be seven, and on the 239 00:16:00,620 --> 00:16:04,320 right side, I want the random exponent to be 11. 240 00:16:04,320 --> 00:16:08,880 See if you can figure out what the shared secret value would be going 241 00:16:08,880 --> 00:16:11,460 through this. Go ahead and pause the video for a moment, and if you can't 242 00:16:11,460 --> 00:16:14,240 figure it out, that's okay, because when you play the video, I'm going 243 00:16:14,240 --> 00:16:15,560 to walk through it with you. 244 00:16:15,560 --> 00:16:24,040 But just pause the video and see if you can figure that out for yourself. 245 00:16:24,040 --> 00:16:26,380 Okay, so let's start working through this. 246 00:16:26,380 --> 00:16:30,000 So step number one would be to work through the equation. 247 00:16:30,000 --> 00:16:34,980 So on the left side, P or A, he's going to take five, because that was 248 00:16:34,980 --> 00:16:37,880 the generator, to the power of his random number. 249 00:16:37,880 --> 00:16:41,660 In this case, it was seven. 250 00:16:41,660 --> 00:16:44,000 Modulo 23 is going to give you 17. 251 00:16:44,000 --> 00:16:45,860 You say, Keith, how did you come up with that? 252 00:16:45,860 --> 00:16:49,020 Well, let's just use a calculator function for that. 253 00:16:49,020 --> 00:16:54,860 So for our calculator, we're going to have to change it to scientific 254 00:16:54,860 --> 00:16:57,800 notation. There we are. 255 00:16:57,800 --> 00:17:00,380 And you know, use whatever calculator you have on hand. 256 00:17:00,380 --> 00:17:04,700 So first I want to do five to the power of seven, because that's pure 257 00:17:04,700 --> 00:17:08,720 A's exponent. So I just simply do five. 258 00:17:08,720 --> 00:17:11,420 So x, y here is x to the power of y. 259 00:17:11,420 --> 00:17:17,860 So I've already put in x, y, seven equals, there we go. 260 00:17:17,860 --> 00:17:20,660 That equals 78,125. 261 00:17:20,660 --> 00:17:24,680 Now I want to do that to the modulo of 23. 262 00:17:24,680 --> 00:17:30,480 So for that, I'm going to change my calculator to programmer in this particular 263 00:17:30,480 --> 00:17:34,880 case, because that gets me mod over here. 264 00:17:34,880 --> 00:17:37,620 So it knows that carried over 70,000, 125. 265 00:17:37,620 --> 00:17:44,640 So I just do mod 23 equals 17. 266 00:17:44,640 --> 00:17:46,780 So that's how I got that number. 267 00:17:46,780 --> 00:17:50,700 And if I do the same thing on the other side, scientific. 268 00:17:50,700 --> 00:17:58,520 So I do on the other side, I'm going to be doing, let's go over here. 269 00:17:58,520 --> 00:18:05,640 The base. To the power of 11 in this case, because that's pure B, that 270 00:18:05,640 --> 00:18:08,220 gets us this big old number. 271 00:18:08,220 --> 00:18:11,220 And if I change it to programmer. 272 00:18:11,220 --> 00:18:16,800 And I do modulo 23. 273 00:18:16,800 --> 00:18:18,960 That gets me the number 22. 274 00:18:18,960 --> 00:18:24,020 So that's how we came up with 17 and 22. 275 00:18:24,020 --> 00:18:26,980 Now to come up with our shared secret. 276 00:18:26,980 --> 00:18:33,420 We do this. We take the number we received from our peer. 277 00:18:33,420 --> 00:18:37,940 So, so a received 22 from his peer. 278 00:18:37,940 --> 00:18:39,820 Right. That was a value of B. 279 00:18:39,820 --> 00:18:44,860 Multiplied to the power of a, modulo M gives us a shared secret. 280 00:18:44,860 --> 00:18:49,500 And if we did the same thing on the right, we'd get the exact same value. 281 00:18:49,500 --> 00:18:51,220 A shared secret being 22. 282 00:18:51,220 --> 00:18:53,600 Let's do our, our calculations here. 283 00:18:53,600 --> 00:18:58,480 So let's go back to scientific. 284 00:18:58,480 --> 00:19:01,920 So a received the value of 22. 285 00:19:01,920 --> 00:19:09,320 From his peer. He did that to the exponent of his own exponent. 286 00:19:09,320 --> 00:19:10,480 Cause that's all he knows. 287 00:19:10,480 --> 00:19:12,440 He doesn't know his peers exponent. 288 00:19:12,440 --> 00:19:15,740 That comes up with that big value right there. 289 00:19:15,740 --> 00:19:18,100 And then we want to do modulo 23. 290 00:19:18,100 --> 00:19:20,000 So I got a view programmer. 291 00:19:20,000 --> 00:19:21,600 I got to take that. 292 00:19:21,600 --> 00:19:27,620 Modulo 23 gives me 22. 293 00:19:27,620 --> 00:19:31,280 And if I do the same thing on this side, 17 to the power of 11, whatever 294 00:19:31,280 --> 00:19:35,880 that is, modulo 23 will also be 22. 295 00:19:35,880 --> 00:19:39,200 So this is real basic Diffie Hellman here. 296 00:19:39,200 --> 00:19:43,160 Now, when you're doing Diffie Hellman, typically one of the first things 297 00:19:43,160 --> 00:19:45,100 you will agree on in your first message. 298 00:19:45,100 --> 00:19:48,440 This is exchange is a Diffie Hellman group number, like Diffie Hellman 299 00:19:48,440 --> 00:19:51,560 group five or Diffie Hellman group 14. 300 00:19:51,560 --> 00:19:56,440 And when you are using classic Diffie Hellman, once you agree on your 301 00:19:56,440 --> 00:20:00,880 Diffie Hellman group, like Diffie Hellman group five, for example, that 302 00:20:00,880 --> 00:20:06,040 group has well known generator and well known modulus. 303 00:20:06,040 --> 00:20:07,840 So that's built into the group. 304 00:20:07,840 --> 00:20:11,580 And if I use Diffie Hellman group 14, for example, that will be a different 305 00:20:11,580 --> 00:20:13,840 generator and a different modulus. 306 00:20:13,840 --> 00:20:17,400 So the thing that you will be secret will be whatever your exponent is 307 00:20:17,400 --> 00:20:19,380 on your right and your left side. 308 00:20:19,380 --> 00:20:28,960 Now, how does WPA3SAE sort of use this to come up with its own shared 309 00:20:28,960 --> 00:20:33,000 secret? So let's go back here. 310 00:20:33,000 --> 00:20:38,480 So notice that in WPA3, we in our commit messages, so our first two messages 311 00:20:38,480 --> 00:20:41,320 are commit, our second two messages are confirmed. 312 00:20:41,320 --> 00:20:48,980 So in the WPA3 commit phase, we are exchanging two values, a scalar value 313 00:20:48,980 --> 00:20:52,420 and a finite field element value. 314 00:20:52,420 --> 00:20:59,060 So let's take a look and see how are these two values derived on each 315 00:20:59,060 --> 00:21:04,400 side so they can exchange them with each other. 316 00:21:04,400 --> 00:21:10,400 Okay, so in WPA3, we're going to start out with three values. 317 00:21:10,400 --> 00:21:14,620 I should say, yeah, so three things, but they're a little bit different 318 00:21:14,620 --> 00:21:16,720 than classic Diffie Hellman. 319 00:21:16,720 --> 00:21:21,960 So in WPA3, we're going to start out with a password element. 320 00:21:21,960 --> 00:21:25,260 And in another video, I'm going to talk about how do we come up with a 321 00:21:25,260 --> 00:21:29,320 password element, but I will say the password element sort of is derived 322 00:21:29,320 --> 00:21:34,760 using the SSID and the pre-shared key and a few other numbers. 323 00:21:34,760 --> 00:21:38,560 So this is going to be plugged into a sort of complex formula to come 324 00:21:38,560 --> 00:21:40,680 up with the password element. 325 00:21:40,680 --> 00:21:44,720 We haven't really gone into how that happens, but just we'll get there. 326 00:21:44,720 --> 00:21:48,500 So let's just say you've already done that complex formula that takes 327 00:21:48,500 --> 00:21:52,980 as the inputs, the SSID, the pre-shared key and some other value and that 328 00:21:52,980 --> 00:21:55,500 gives you a password element. 329 00:21:55,500 --> 00:21:59,540 So both the client and the access point should start out right out the 330 00:21:59,540 --> 00:22:03,060 gate with the same password element. 331 00:22:03,060 --> 00:22:07,280 Now, the client's going to come up with two randomly selected values. 332 00:22:07,280 --> 00:22:10,980 We just call that little a and big a, and we'll see how those are used 333 00:22:10,980 --> 00:22:12,220 in just a moment. 334 00:22:12,220 --> 00:22:16,100 And the access point comes up with two randomly selected values, little 335 00:22:16,100 --> 00:22:20,400 a, I'm saying little b and big b. 336 00:22:20,400 --> 00:22:23,940 And then there's going to be some static well-known modulus. 337 00:22:23,940 --> 00:22:26,980 We'll call it Q in this case. 338 00:22:26,980 --> 00:22:31,340 All right, so here's how we come up with our scalar value and our element 339 00:22:31,340 --> 00:22:35,960 value. Remember, if we go back to this slide, where are we here? 340 00:22:35,960 --> 00:22:39,000 Right here, we're talking about how do we come up with the scalar and 341 00:22:39,000 --> 00:22:40,660 the finite field element. 342 00:22:40,660 --> 00:22:42,760 So now we're coming up with these two values. 343 00:22:42,760 --> 00:22:46,820 How do we do it? 344 00:22:46,820 --> 00:22:50,580 Okay, so the scalar value, and we're just going to call the scalar value 345 00:22:50,580 --> 00:22:53,520 for the client, S, A. 346 00:22:53,520 --> 00:22:57,760 So he's A, so little S capital A, that's going to be his scalar value. 347 00:22:57,760 --> 00:23:02,280 Over here, the access point scalar value is going to be little S capital 348 00:23:02,280 --> 00:23:07,820 B or S B. That's his the scalar for B, the scalar for A. 349 00:23:07,820 --> 00:23:08,920 So how do we come up with that? 350 00:23:08,920 --> 00:23:14,120 Well, we take our two random values, we add them together, so A little 351 00:23:14,120 --> 00:23:18,660 A plus A, and then we do modulo Q. 352 00:23:18,660 --> 00:23:23,940 For B, we take his two randomly selected values, add them together, little 353 00:23:23,940 --> 00:23:28,520 b capital B, whatever that is, modulo Q. 354 00:23:28,520 --> 00:23:33,000 So that is the scalar value that they're going to exchange with each other. 355 00:23:33,000 --> 00:23:37,820 And the element value, so for the element for A, so L, A, that's the element 356 00:23:37,820 --> 00:23:43,240 for A, we're simply going to take his password element to the power of 357 00:23:43,240 --> 00:23:46,020 negative capital A. 358 00:23:46,020 --> 00:23:51,500 So whatever the A was here, we're going to take PwE to the power of negative 359 00:23:51,500 --> 00:23:53,060 whatever that is. 360 00:23:53,060 --> 00:23:54,820 And same thing on the right. 361 00:23:54,820 --> 00:23:59,240 For the element of B, we're going to take the same password element, so 362 00:23:59,240 --> 00:24:03,240 they both have the same shared password element to the power of negative 363 00:24:03,240 --> 00:24:08,140 capital B. So that's what they're exchanging with each other in the commit 364 00:24:08,140 --> 00:24:13,280 messages. We saw that in the SAE commit message exchange, they exchange 365 00:24:13,280 --> 00:24:16,440 their scalar and their element values. 366 00:24:16,440 --> 00:24:22,100 And now we know mathematically how those are derived. 367 00:24:22,100 --> 00:24:28,140 Okay, so now at this point, we in on the backside, we create a shared 368 00:24:28,140 --> 00:24:32,080 secret. So this is happening before the confirms are right after the one 369 00:24:32,080 --> 00:24:36,320 to exchange of the SAE commit messages, just with that. 370 00:24:36,320 --> 00:24:39,080 So if I go back here. 371 00:24:39,080 --> 00:24:48,660 Let's see, where was it? 372 00:24:48,660 --> 00:24:53,380 Right here. Okay, so this is, we're highlighting this here. 373 00:24:53,380 --> 00:24:56,720 So this is from the client to the Cisco access point. 374 00:24:56,720 --> 00:24:58,840 Notice that's highlight in blue up above. 375 00:24:58,840 --> 00:25:02,840 So this is showing the commit message that the client is sending to the 376 00:25:02,840 --> 00:25:06,740 access point. He says, Hey, here's the result of my scalar. 377 00:25:06,740 --> 00:25:10,680 Here's the result of my finite field element computation. 378 00:25:10,680 --> 00:25:14,420 Now, if I was able to click on the authenticate on the commit message 379 00:25:14,420 --> 00:25:18,020 from the access point to the client, we would see he's sending his own 380 00:25:18,020 --> 00:25:20,640 scalar and finite field element. 381 00:25:20,640 --> 00:25:25,860 So after they both exchange their commit messages, before they do the 382 00:25:25,860 --> 00:25:29,460 confirm messages, they are going to come up with their own shared secret. 383 00:25:29,460 --> 00:25:32,340 And so how's that going to happen? 384 00:25:32,340 --> 00:25:40,420 We can see that right here. 385 00:25:40,420 --> 00:25:45,360 So notice the client here says, okay, I just received the scalar value 386 00:25:45,360 --> 00:25:47,360 from the access point. 387 00:25:47,360 --> 00:25:48,800 That's a scalar of B. 388 00:25:48,800 --> 00:25:53,360 So I'm going to take my password element to the power of his scalar. 389 00:25:53,360 --> 00:25:58,760 And I'm going to multiply that times his finite field element. 390 00:25:58,760 --> 00:26:00,020 We call that element B. 391 00:26:00,020 --> 00:26:02,560 So this is the, so I'm going to, I'm going to multiply these things to 392 00:26:02,560 --> 00:26:03,600 two things together. 393 00:26:03,600 --> 00:26:10,740 And then whatever that product is to the power of my little a value. 394 00:26:10,740 --> 00:26:14,680 Oops, let's go back. 395 00:26:14,680 --> 00:26:18,520 And then on the other side, the access point is going to take the same 396 00:26:18,520 --> 00:26:46,440 password element to the power of the scalar he received from the client. 397 00:26:46,440 --> 00:26:55,640 So the next step is the SAE confirm messages. 398 00:26:55,640 --> 00:26:58,400 Okay, so here's the commit phase. 399 00:26:58,400 --> 00:27:01,440 They both exchange their scalar and their elements. 400 00:27:01,440 --> 00:27:05,520 They ended up coming up with the same statement. 401 00:27:05,520 --> 00:27:07,860 So we have the same shared secret value. 402 00:27:07,860 --> 00:27:13,800 And now the purpose of the SAE confirm is to confirm, okay, do you have 403 00:27:13,800 --> 00:27:16,140 the same shared secret as me? 404 00:27:16,140 --> 00:27:18,520 You should if you did your math right. 405 00:27:18,520 --> 00:27:24,160 So the purpose of the SAE confirm exchange is to validate that. 406 00:27:24,160 --> 00:27:26,320 So how do we do that? 407 00:27:26,320 --> 00:27:29,300 So in the SAE confirm message, you're going to see here in just a moment 408 00:27:29,300 --> 00:27:32,940 this big long value, which is called a confirm token. 409 00:27:32,940 --> 00:27:37,860 And this is really just the result of applying in a H. 410 00:27:37,860 --> 00:27:44,040 Mac hash digest computation against the following inputs. 411 00:27:44,040 --> 00:27:50,980 So if I'm the client, I'm now going to take the my scalar and my element. 412 00:27:50,980 --> 00:27:55,580 I'm going to take your scalar and your element that you sent me when you 413 00:27:55,580 --> 00:27:58,600 sent me your commit message. 414 00:27:58,600 --> 00:28:02,460 I'm going to take the shared secret that was derived. 415 00:28:02,460 --> 00:28:07,760 And I'm going to take a sequence number of one and I'm going to hash that 416 00:28:07,760 --> 00:28:13,000 with the H Mac, with, you know, the hash message authentication code. 417 00:28:13,000 --> 00:28:14,840 That's what H Mac comes up with. 418 00:28:14,840 --> 00:28:19,220 And that's going to give me my token value, my confirm token. 419 00:28:19,220 --> 00:28:26,640 And guess what? You're going to do the exact same thing. 420 00:28:26,640 --> 00:28:30,380 My scalar and element that I sent you, you're going to take the shared 421 00:28:30,380 --> 00:28:34,400 secret that you derive the number of one and you're going to come up with 422 00:28:34,400 --> 00:28:36,900 a confirm token yourself. 423 00:28:36,900 --> 00:28:43,920 And this is how we can confirm that we both have the exact same values. 424 00:28:43,920 --> 00:28:46,820 So let's see that right here. 425 00:28:46,820 --> 00:28:54,680 So it's actually it's not. 426 00:28:54,680 --> 00:29:00,720 So here I need to clarify something I said earlier, because you're, you 427 00:29:00,720 --> 00:29:03,100 might be looking this and saying, well, wait a second. 428 00:29:03,100 --> 00:29:07,900 The confirm token values, which means change the color here real quickly. 429 00:29:07,900 --> 00:29:11,240 Are these big, long values right here? 430 00:29:11,240 --> 00:29:12,700 They're not the same. 431 00:29:12,700 --> 00:29:15,360 I can see here they're clearly different because one starts out with a 432 00:29:15,360 --> 00:29:16,700 five five on the bottom. 433 00:29:16,700 --> 00:29:18,800 The other starts out with C A F. 434 00:29:18,800 --> 00:29:19,920 They're not the same number, Keith. 435 00:29:19,920 --> 00:29:24,320 So what gives? So just to clarify something. 436 00:29:24,320 --> 00:29:31,760 So both of these values are the result of an H Mac hash algorithm. 437 00:29:31,760 --> 00:29:36,280 They're taking almost exactly the same inputs. 438 00:29:36,280 --> 00:29:38,600 We saw that previous. 439 00:29:38,600 --> 00:29:41,700 So if I go back to the previous slide here, just a second. 440 00:29:41,700 --> 00:29:44,600 Let's go back here. 441 00:29:44,600 --> 00:29:47,120 They are taking his inputs. 442 00:29:47,120 --> 00:29:49,780 The same scalar and element values. 443 00:29:49,780 --> 00:29:53,280 So both the client and the access point are taking their own. 444 00:29:53,280 --> 00:29:58,140 The client is taking his scalar and element and he's taking the access 445 00:29:58,140 --> 00:29:59,720 point scalar and element. 446 00:29:59,720 --> 00:30:04,580 The access point is taking the client scalar element and the access point 447 00:30:04,580 --> 00:30:05,720 scalar and element. 448 00:30:05,720 --> 00:30:07,800 So that's the same on both sides. 449 00:30:07,800 --> 00:30:11,160 They both came up with the same shared secret value. 450 00:30:11,160 --> 00:30:12,940 So that's the same. 451 00:30:12,940 --> 00:30:16,340 This, however, needs to change a little bit. 452 00:30:16,340 --> 00:30:18,600 Let me just pause and change this. 453 00:30:18,600 --> 00:30:22,420 Okay. Here I've made it a little bit more technically correct. 454 00:30:22,420 --> 00:30:25,320 I've changed this bullet point right here. 455 00:30:25,320 --> 00:30:32,500 You see what's going into the hash digest is a confirm counter value. 456 00:30:32,500 --> 00:30:36,880 So both sides are putting in the scalars and elements that he both computed. 457 00:30:36,880 --> 00:30:39,060 Both sides are putting in the shared secret. 458 00:30:39,060 --> 00:30:41,040 But then there's a confirm counter. 459 00:30:41,040 --> 00:30:47,560 Well, when the client is sending his confirm to the access point, that's 460 00:30:47,560 --> 00:30:49,660 the very first confirm message. 461 00:30:49,660 --> 00:30:53,300 So the client will have a confirm counter of one saying this is the first 462 00:30:53,300 --> 00:30:54,660 confirm number one. 463 00:30:54,660 --> 00:31:00,520 When the access point is creating his confirm message, that is the second 464 00:31:00,520 --> 00:31:01,600 confirm message. 465 00:31:01,600 --> 00:31:04,400 So the access point will put in the value of two. 466 00:31:04,400 --> 00:31:05,260 Well, guess what? 467 00:31:05,260 --> 00:31:08,480 Just those two, those little differences right there of the client putting 468 00:31:08,480 --> 00:31:13,700 in one and the access point putting in two into that hash digest is actually 469 00:31:13,700 --> 00:31:17,820 going to result in two very different numbers. 470 00:31:17,820 --> 00:31:23,780 So the CAF number and this A55 number, this is actually computed from 471 00:31:23,780 --> 00:31:28,700 the client because he used the confirm counter of one and the access point 472 00:31:28,700 --> 00:31:32,060 used the confirm counter of two. 473 00:31:32,060 --> 00:31:38,080 But knowing that in advance, both sides can use these confirm tokens to 474 00:31:38,080 --> 00:31:43,300 validate that the other side has the correct shared secret. 475 00:31:43,300 --> 00:31:47,000 And that is the purpose of the confirm message exchange. 476 00:31:47,000 --> 00:31:53,080 Now, once the commit messages have been exchanged and the confirm messages 477 00:31:53,080 --> 00:31:57,820 have been exchanged, finally, they can compute the pairwise master key 478 00:31:57,820 --> 00:32:03,200 after this. So when they finally start doing the four way EAP over land 479 00:32:03,200 --> 00:32:09,040 message exchanges, they will start with the same shared pairwise master 480 00:32:09,040 --> 00:32:13,160 key. But notice it will be unique just for this pair of people. 481 00:32:13,160 --> 00:32:18,580 This client and this access point will have computed a totally unique 482 00:32:18,580 --> 00:32:23,840 shared secret, which will derive a totally unique pairwise master key 483 00:32:23,840 --> 00:32:28,840 that's different than if another client connects to the exact same access 484 00:32:28,840 --> 00:32:34,560 point. So thank you so much for watching this video and I hope it was 485 00:32:34,560 --> 00:32:35,220 helpful for you.