1
00:00:04,300 --> 00:00:11,060
 Hello and welcome to this video titled
 WPA3 password element generation.

2
00:00:11,060 --> 00:00:18,460
 So WPA3 SAE, so we're not talking about
 the enterprise version of WPA,

3
00:00:18,460 --> 00:00:23,280
 the personal version of WPA, uses simultaneous
 authentication of equals.

4
00:00:23,280 --> 00:00:26,640
 And we've seen in some previous videos
 that this entails the exchange

5
00:00:26,640 --> 00:00:34,200
 of four frames, two SAE commit frames
 and two SAE confirm frames.

6
00:00:34,200 --> 00:00:38,920
 The whole purpose of that is to derive
 a shared secret value between the

7
00:00:38,920 --> 00:00:41,540
 access point and the wireless LAN client.

8
00:00:41,540 --> 00:00:44,900
 And then that shared secret value can
 go through a bit more mathematical

9
00:00:44,900 --> 00:00:50,600
 computations to ultimately derive the
 shared pairwise master key between

10
00:00:50,600 --> 00:00:52,800
 the client and the access point.

11
00:00:52,800 --> 00:00:59,640
 Now the password element is a critical
 component of this entire process.

12
00:00:59,640 --> 00:01:06,040
 And it is used as one input among several
 of the math functions that are

13
00:01:06,040 --> 00:01:08,380
 used to create that shared secret.

14
00:01:08,380 --> 00:01:13,640
 So here we can see the formula used
 to create that shared secret.

15
00:01:13,640 --> 00:01:18,000
 And we can see that the password element
 is used in four different places.

16
00:01:18,000 --> 00:01:21,540
 It's used to derive the finite field
 element values, otherwise it's called

17
00:01:21,540 --> 00:01:23,340
 element values here.

18
00:01:23,340 --> 00:01:27,220
 It's also used to derive the shared
 secret value at the very end.

19
00:01:27,220 --> 00:01:32,040
 So PWE is the password element
 and we can see it's used here.

20
00:01:32,040 --> 00:01:36,300
 So this video is going to talk a little
 bit about how we come up with

21
00:01:36,300 --> 00:01:38,620
 that number, the password element.

22
00:01:38,620 --> 00:01:43,900
 Now you might be wondering, okay, so
 why are we going into why we need

23
00:01:43,900 --> 00:01:45,080
 to come up with that value?

24
00:01:45,080 --> 00:01:46,580
 It just works, right?

25
00:01:46,580 --> 00:01:50,760
 I mean, it's not really something I
 can change or affect or modify in

26
00:01:50,760 --> 00:01:54,080
 any way, right? Well, it depends.

27
00:01:54,080 --> 00:01:59,360
 On most autonomous access points, like
 if you have a home-based access point

28
00:01:59,360 --> 00:02:02,960
 at your house that has its own little
 web UI and everything,

29
00:02:02,960 --> 00:02:07,800
 it probably doesn't give you any control
 over how the password element

30
00:02:07,800 --> 00:02:11,140
 is created. It just is going
 to work in the background.

31
00:02:11,140 --> 00:02:15,660
 But we'll see here in a moment on
 enterprise wireless gear, for example,

32
00:02:15,660 --> 00:02:19,720
 wireless access points controlled by
 a Cisco 9800 wireless LAN controller.

33
00:02:19,720 --> 00:02:24,200
 It will actually give you a little
 dropdown box that lets you control

34
00:02:24,200 --> 00:02:28,800
 the process by which the password
 element is created.

35
00:02:28,800 --> 00:02:35,340
 And if you select a password element
 method that the access points or

36
00:02:35,340 --> 00:02:38,880
 the clients don't support, then you're
 going to end up with a mismatch

37
00:02:38,880 --> 00:02:44,400
 between the password element value
 that the access point came up with

38
00:02:44,400 --> 00:02:48,140
 versus the password element value
 that the client came up with.

39
00:02:48,140 --> 00:02:51,620
 And then the client obviously won't
 be able to connect to that wireless

40
00:02:51,620 --> 00:02:56,620
 LAN. So it's important to understand
 the two methods available to us to

41
00:02:56,620 --> 00:03:00,660
 create this password element so that
 if you are on gear that gives you

42
00:03:00,660 --> 00:03:04,140
 that option, you sort of know what's
 going on in the background and you're

43
00:03:04,140 --> 00:03:07,620
 a little bit informed as to
 maybe which one to select.

44
00:03:07,620 --> 00:03:11,360
 All right, so let's go into a little
 bit more detail on this.

45
00:03:11,360 --> 00:03:17,040
 So how the password element is created
 in the first place is that it takes

46
00:03:17,040 --> 00:03:22,360
 various inputs, such as the SSID, the
 client's MAC address, and the access

47
00:03:22,360 --> 00:03:26,320
 point's MAC address into its derivation.

48
00:03:26,320 --> 00:03:31,700
 Each connection between a client and
 an access point will derive a unique

49
00:03:31,700 --> 00:03:34,460
 password element value.

50
00:03:34,460 --> 00:03:39,360
 So Bob connecting to the same access
 point as Sally, Bob's connection

51
00:03:39,360 --> 00:03:43,500
 is going to have a different password
 element value than

52
00:03:43,500 --> 00:03:46,260
 Sally's connection to the access point.

53
00:03:46,260 --> 00:03:50,880
 So the password element is a value mapped
 to a point on an elliptic curve.

54
00:03:50,880 --> 00:04:07,480
 Now when you server.

55
00:04:07,480 --> 00:04:23,680
 One of these brilliant methods is the
 responsible LinkFor Diffie-Hellman.

56
00:04:23,680 --> 00:04:26,580
 You know that when you're using Diffie-Hellman,
 one of the first things

57
00:04:26,580 --> 00:04:30,920
 that the two devices have to agree on
 is the Diffie-Hellman group they're

58
00:04:30,920 --> 00:04:34,720
 going to use. For example, Diffie-Hellman
 group 5, Diffie-Hellman group

59
00:04:34,720 --> 00:04:36,820
 14 and so on and so forth.

60
00:04:36,820 --> 00:04:42,420
 Because each group has two values that
 come standard as part of that group,

61
00:04:42,420 --> 00:04:44,140
 two publicly well known values.

62
00:04:44,140 --> 00:04:46,980
 There is a base or generator value.

63
00:04:46,980 --> 00:04:49,920
 Okay, so that's the same thing, base,
 generator, just different terms for

64
00:04:49,920 --> 00:04:53,500
 the same thing that are mapped to that
 particular Diffie-Hellman group

65
00:04:53,500 --> 00:04:58,340
 and there is a modulus value that's
 mapped to that particular group.

66
00:04:58,340 --> 00:05:03,160
 But here when we're talking about elliptic
 curve Diffie-Hellman, and that's

67
00:05:03,160 --> 00:05:07,340
 what we're really looking at here, is that
 elliptic curve Diffie-Hellman also

68
00:05:07,340 --> 00:05:11,640
 has different group values
 like group 19 and group 20.

69
00:05:11,640 --> 00:05:16,100
 But they rely on this concept
 of an elliptic curve.

70
00:05:16,100 --> 00:05:18,780
 And what's sort of really, and now
 this is good, we don't want to get

71
00:05:18,780 --> 00:05:22,840
 too far into the weeds here because
 the math gets amazingly complex.

72
00:05:22,840 --> 00:05:27,800
 But the idea behind an elliptic curve
 that's used for Diffie-Hellman purposes

73
00:05:27,800 --> 00:05:33,280
 is that every point on that curve
 matches a mathematical formula.

74
00:05:33,280 --> 00:05:35,380
 For example, let me do
 that animation again.

75
00:05:35,380 --> 00:05:39,200
 Look at this curve here and you'll see
 some points just randomly placed

76
00:05:39,200 --> 00:05:46,180
 on it. Each point has a value for its
 x coordinate and its y coordinate.

77
00:05:46,180 --> 00:05:50,220
 Right, its x-axis and its y-axis can
 be mapped to two different points

78
00:05:50,220 --> 00:05:55,420
 in an x and a y. Well, sort of the unique
 thing about this particular curve

79
00:05:55,420 --> 00:06:01,160
 is that any point that you find on
 it, if you put those x and y values

80
00:06:01,160 --> 00:06:04,000
 into this formula, it will always work.

81
00:06:04,000 --> 00:06:11,900
 So y squared will be equal to
 x to the 3 plus a x plus b.

82
00:06:11,900 --> 00:06:15,240
 Now we're not going to get into
 what a is and what b is.

83
00:06:15,240 --> 00:06:17,180
 Feel free to research that if you want.

84
00:06:17,180 --> 00:06:22,000
 But the point is there is a definite
 relationship between x and y that

85
00:06:22,000 --> 00:06:28,240
 is repeatable across all the various
 points you could find on this curve.

86
00:06:28,240 --> 00:06:36,680
 So as far as WPA3 SAE is concerned, the
 goal here is to map the pre-shared

87
00:06:36,680 --> 00:06:41,880
 key like INE123 or coffee is good,
 whatever your wireless LAN passphrase is

88
00:06:41,880 --> 00:06:47,680
 for WPA3, you take that as an input,
 the SSID is an input, a few other

89
00:06:47,680 --> 00:06:52,280
 things, and then behind the scenes
 there's some very complex math that

90
00:06:52,280 --> 00:06:58,580
 ends up mapping those values
 to some point on this curve.

91
00:06:58,580 --> 00:07:09,800
 So if the access point and the client
 are taking the exact same sets of

92
00:07:09,800 --> 00:07:15,080
 inputs, the WPA3 pre-shared key, the
 SSID and a couple of other things,

93
00:07:15,080 --> 00:07:20,080
 and using the exact same elliptic curve
 Diffie-Hellman group, they should

94
00:07:20,080 --> 00:07:25,400
 come up with the exact same element
 value, which is related to one of

95
00:07:25,400 --> 00:07:28,000
 the points on this curve here.

96
00:07:28,000 --> 00:07:32,020
 So you can see here when the client
 sends its group message, it says,

97
00:07:32,020 --> 00:07:38,780
 look, the password element I'm creating
 is based on elliptic curve Diffie-Hellman

98
00:07:38,780 --> 00:07:40,080
 group 19.

99
00:07:40,080 --> 00:07:43,540
 See how it says ECP group 19 right here?

100
00:07:43,540 --> 00:07:49,220
 So that tells the access point, hey,
 I need to use that same ECDH group

101
00:07:49,220 --> 00:07:54,380
 so that I'm coming up with my password
 element the exact same way the

102
00:07:54,380 --> 00:07:59,080
 client did. Now, like I said,
 why do we care about this?

103
00:07:59,080 --> 00:08:04,300
 Well, we care about this because the
 actual mechanics of how those values

104
00:08:04,300 --> 00:08:11,420
 of like passphrase and SSID are ultimately
 mapped to a point on that curve

105
00:08:11,420 --> 00:08:15,860
 are possibly configurable and there are
 two ways those could be configured.

106
00:08:15,860 --> 00:08:21,160
 There's one called hash to element and
 another called hunting and pecking.

107
00:08:21,160 --> 00:08:24,840
 Now, like I said, a lot of access points,
 like standalone home access

108
00:08:24,840 --> 00:08:27,620
 points, won't give you a choice
 between those two.

109
00:08:27,620 --> 00:08:33,000
 In the background, it will just default
 to one, but on upper-end enterprise

110
00:08:33,000 --> 00:08:34,880
 gear, you might have a
 choice between that.

111
00:08:34,880 --> 00:08:39,820
 And the point here is that the client
 and the access point must use the

112
00:08:39,820 --> 00:08:44,980
 same method. Here's a screenshot from
 a Cisco 9800 Catalyst wireless LAN

113
00:08:44,980 --> 00:08:49,800
 controller. And you can see here as part
 of configuring your WPA3 wireless

114
00:08:49,800 --> 00:08:52,940
 LAN, WPA3 is selected here.

115
00:08:52,940 --> 00:08:57,340
 And notice that the authentication
 key management is SAE, so we're not

116
00:08:57,340 --> 00:08:59,320
 using 802.1X here.

117
00:08:59,320 --> 00:09:04,880
 And down here under SAE password
 element, there's a pulldown menu.

118
00:09:04,880 --> 00:09:06,260
 And you've got some choices here.

119
00:09:06,260 --> 00:09:08,860
 You could select hash to element only.

120
00:09:08,860 --> 00:09:11,460
 You could do hunting and pecking only.

121
00:09:11,460 --> 00:09:16,160
 Or you could say, let's try both
 and see which one works.

122
00:09:16,160 --> 00:09:20,680
 So in the next video, we're going to
 talk a little bit more about what

123
00:09:20,680 --> 00:09:25,400
 the difference is between the hunting
 and pecking method versus the hash

124
00:09:25,400 --> 00:09:26,800
 to element method.

125
00:09:26,800 --> 00:09:30,400
 We're not going to go into the weeds
 about how they mechanically operate,

126
00:09:30,400 --> 00:09:36,300
 but I will show you some buggy behavior
 that might happen, especially

127
00:09:36,300 --> 00:09:41,380
 if you're dealing with access points
 that don't necessarily support both

128
00:09:41,380 --> 00:09:46,420
 of these. So for now, the takeaway from
 this is that the password element

129
00:09:46,420 --> 00:09:49,900
 is a point on an elliptic curve.

130
00:09:49,900 --> 00:09:54,280
 How we got that point on the elliptic
 curve is by using either the hunting

131
00:09:54,280 --> 00:09:58,120
 and pecking method or the
 hash to element method.

132
00:09:58,120 --> 00:10:03,640
 And it takes as inputs common values
 that both the wireless LAN client

133
00:10:03,640 --> 00:10:09,360
 and the access point are aware of, namely
 the pre-shared key and the SSID.

134
00:10:09,360 --> 00:10:12,040
 And with that, we will leave
 it at that for this video.

135
00:10:12,040 --> 00:10:13,660
 Thank you so much for watching.

136
00:10:13,660 --> 00:10:15,000
 And I hope it was helpful for you.
