1 00:00:04,540 --> 00:00:10,640 Hello and welcome this video titled HNP and H2E. 2 00:00:10,640 --> 00:00:14,860 So let's start by cutting right to the chase and then if you're still 3 00:00:14,860 --> 00:00:18,920 interested you can keep along with me to get more of the gory details. 4 00:00:18,920 --> 00:00:24,880 So here we have the output of a Cisco Calist 9800 Wireless LAN controller 5 00:00:24,880 --> 00:00:29,000 specifically the section where you are either creating or editing an existing 6 00:00:29,000 --> 00:00:34,320 wireless LAN and you're dealing with a WPA3 wireless LAN that's using 7 00:00:34,320 --> 00:00:39,620 SAE. So this is not enterprise this is a WPA3 personal and you notice 8 00:00:39,620 --> 00:00:43,060 down there in the bottom right there is a drop down box called the SAE 9 00:00:43,060 --> 00:00:48,640 password element giving you the three options you see here both H2E and 10 00:00:48,640 --> 00:00:52,600 HNP hash to element only and hunting and pecking only. 11 00:00:52,600 --> 00:00:55,980 So before I go into the gory details here let me just break it down real 12 00:00:55,980 --> 00:01:02,480 quickly. So ideally you would select hash to element only that's the newest 13 00:01:02,480 --> 00:01:08,440 most secure method of coming up with a password element that SAE requires. 14 00:01:08,440 --> 00:01:13,560 However, a lot of older access points and clients don't support hash to 15 00:01:13,560 --> 00:01:18,440 element and you may end up with some buggy behavior if you support that. 16 00:01:18,440 --> 00:01:24,760 Also if you select both H2E and HNP you might still get some buggy behavior 17 00:01:24,760 --> 00:01:28,820 and some clients that are unable to connect if you're using older access 18 00:01:28,820 --> 00:01:30,640 points or older clients. 19 00:01:30,640 --> 00:01:35,820 So it's probably safest to select the older method of hunting and pecking 20 00:01:35,820 --> 00:01:39,380 only you will guarantee be able to have your clients connect to the wireless 21 00:01:39,380 --> 00:01:41,560 LAN if you select that. 22 00:01:41,560 --> 00:01:45,620 Okay now that I've mentioned that let's go into the details of what is 23 00:01:45,620 --> 00:01:50,800 hunting and pecking what is H2E and how do they work and overall why is 24 00:01:50,800 --> 00:01:53,780 H2E better than hunting and pecking. 25 00:01:53,780 --> 00:01:57,660 Now to start with that discussion we have to first talk really to high 26 00:01:57,660 --> 00:02:00,400 level about something called elliptic curves. 27 00:02:00,400 --> 00:02:05,040 Now elliptic curves go into a lot of gory very detailed math. 28 00:02:05,040 --> 00:02:08,000 I'm not a mathematician so I'm not going to go anywhere even close to 29 00:02:08,000 --> 00:02:12,200 that I'm just going to skim this at like a 50,000 foot level. 30 00:02:12,200 --> 00:02:16,180 So starting out with if you just think about a general curve in the first 31 00:02:16,180 --> 00:02:20,600 place like you would graph it on a graphing paper or something we know 32 00:02:20,600 --> 00:02:25,500 that curves are made up of an infinite quantity of points and each point 33 00:02:25,500 --> 00:02:30,500 on a curve is represented by two values and x value which represents where 34 00:02:30,500 --> 00:02:35,360 that point is on the horizontal line and a y value that represents a value 35 00:02:35,360 --> 00:02:39,440 of where that is on the vertical axis okay. 36 00:02:39,440 --> 00:02:42,580 So all curves have an infinite amount of points that can be represented 37 00:02:42,580 --> 00:02:45,180 each point in that way. 38 00:02:45,180 --> 00:02:49,460 Now when it comes to elliptic curves elliptic curves although if you look 39 00:02:49,460 --> 00:02:53,100 them up in documentations and papers in Google a lot of times they'll 40 00:02:53,100 --> 00:02:55,540 show shapes like this right here. 41 00:02:55,540 --> 00:02:59,780 In reality an elliptic curve is not really a two-dimensional object it's 42 00:02:59,780 --> 00:03:05,540 a mathematical formula and it's a mathematical formula in which the x 43 00:03:05,540 --> 00:03:11,240 and the y coordinates the values for the x and y have to follow very specific 44 00:03:11,240 --> 00:03:16,720 equations they have to adhere to an equation and if an x or y coordinate 45 00:03:16,720 --> 00:03:22,740 does not meet a particular formula then it does not belong on an elliptic 46 00:03:22,740 --> 00:03:26,980 curve okay so let's go a little bit more detailed into that some of the 47 00:03:26,980 --> 00:03:28,880 elliptic curve math. 48 00:03:28,880 --> 00:03:40,880 So in WPA3SAE we need to submit messages that's the whole point of that 49 00:03:40,880 --> 00:03:45,960 the the SAE commit messages have to well actually they have to exchange 50 00:03:45,960 --> 00:03:47,640 they have to create a shared secret. 51 00:03:47,640 --> 00:03:53,140 So in SAE we start out with exchanging some information in the commit 52 00:03:53,140 --> 00:03:57,720 messages that ends up resulting in a shared secret we then exchange some 53 00:03:57,720 --> 00:04:02,360 confirm messages to confirm that the client and the access point actually 54 00:04:02,360 --> 00:04:07,540 do have the same shared secret once that's confirmed then we can use a 55 00:04:07,540 --> 00:04:12,800 other a little bit more math to convert that shared secret into a pairwise 56 00:04:12,800 --> 00:04:16,400 master key and then it proceeds on from there during the EAP over land 57 00:04:16,400 --> 00:04:20,260 four-way exchange to come up with the transient key the key encryption 58 00:04:20,260 --> 00:04:22,440 key and other things. 59 00:04:22,440 --> 00:04:27,560 So everything starts with the shared secret we have to derive that first. 60 00:04:27,560 --> 00:04:32,020 So there's lots of mathematical inputs and formulas used to come up with 61 00:04:32,020 --> 00:04:35,880 that shared secret one of the inputs is something called the password 62 00:04:35,880 --> 00:04:42,220 element. So the password element is derived in SAE using the elliptic 63 00:04:42,220 --> 00:04:46,800 curve diffihelmin formula so that's the basis for coming up with the password 64 00:04:46,800 --> 00:04:52,640 element and there are different formulas for elliptic curve diffihelmin 65 00:04:52,640 --> 00:04:55,460 just like if you're doing regular diffihelmin if you're doing regular 66 00:04:55,460 --> 00:04:59,320 diffihelmin one of the like for example for an ipsec VPN or something 67 00:04:59,320 --> 00:05:03,140 like that to come up with a shared secret key at the very beginning when 68 00:05:03,140 --> 00:05:06,780 you're doing like the iC authentication or something in regular diffihelmin 69 00:05:06,780 --> 00:05:10,820 the first thing you and your peer have to agree on is the diffihelmin 70 00:05:10,820 --> 00:05:14,280 group you're going to use and those groups are numbered like diffihelmin 71 00:05:14,280 --> 00:05:19,860 group five diffihelmin group 14 and each diffihelmin group when you agree 72 00:05:19,860 --> 00:05:25,740 on the group you're agreeing on a set of shared parameters like one group 73 00:05:25,740 --> 00:05:31,120 and its equation might use a certain prime number that's really big another 74 00:05:31,120 --> 00:05:35,000 group might use a different prime number that's even bigger and so there's 75 00:05:35,000 --> 00:05:40,060 some shared values that each group adheres to so the same thing is true 76 00:05:40,060 --> 00:05:44,260 when we're doing elliptic curve diffihelmin we have to agree on the elliptic 77 00:05:44,260 --> 00:05:48,620 curve diffihelmin group we're going to use and whatever group we use will 78 00:05:48,620 --> 00:05:54,840 dictate what formula the points on the curve have to adhere to so for 79 00:05:54,840 --> 00:06:01,200 example here's an example of the group 19 otherwise known as NIST P256 80 00:06:01,200 --> 00:06:06,460 that's actually used by WPA3 SAE this is the formula and i'll go into 81 00:06:06,460 --> 00:06:09,720 a little bit more details about this formula right here but at a high 82 00:06:09,720 --> 00:06:15,400 level the takeaway is is that if i give a number to represent the x coordinate 83 00:06:15,400 --> 00:06:21,960 well if i go through this formula okay and then at the end of it if whatever 84 00:06:21,960 --> 00:06:27,460 the result of this thing on the right is is the same thing as some number 85 00:06:27,460 --> 00:06:35,260 squared so if the result on the right x to the 3 plus ax plus b mod p 86 00:06:35,260 --> 00:06:40,320 if that whole thing ends up being some value that's a square of something 87 00:06:40,320 --> 00:06:51,940 else then i've got my y coordinate and that means that the x and the y 88 00:06:51,940 --> 00:06:55,940 formula so for two values representing x and y to be considered a valid 89 00:06:55,940 --> 00:07:01,020 elliptic curve point they must adhere to the formula now just to break 90 00:07:01,020 --> 00:07:03,380 this down a little bit more in case you're a little bit interested in 91 00:07:03,380 --> 00:07:08,300 the math here i was wondering well what is you know if i supply a value 92 00:07:08,300 --> 00:07:14,080 of x that's great but i have to also know what a and b and p are in order 93 00:07:14,080 --> 00:07:19,420 in order to do this formula here on the right so you can see here um in 94 00:07:19,420 --> 00:07:22,160 this picture this tells you a little bit more about this go ahead and 95 00:07:22,160 --> 00:07:25,100 feel free to pause this video if you're curious about this but you can 96 00:07:25,100 --> 00:07:30,900 see p a and b are these fixed numbers these fixed values that come with 97 00:07:30,900 --> 00:07:35,540 group 19 and then you would apply these against whatever value of x you 98 00:07:35,540 --> 00:07:39,660 come up with and then at the end of the day if everything on the right 99 00:07:39,660 --> 00:07:44,680 here comes up with the value that that you can that's the square of something 100 00:07:44,680 --> 00:07:53,840 now you have your y coordinate so just to restate wpa3sae must first derive 101 00:07:53,840 --> 00:07:58,280 a password element before performing the sae exchange this has to happen 102 00:07:58,280 --> 00:08:03,480 before the very first commit message is even sent and the password element 103 00:08:03,480 --> 00:08:08,560 is going to be a value and it's going to be a valid point on the agreed 104 00:08:08,560 --> 00:08:12,520 so the password element is actually going to be a number that somehow 105 00:08:12,520 --> 00:08:18,460 incorporates both the x and the y now it's far too detailed in math for 106 00:08:18,460 --> 00:08:23,520 me to explain to you how to two numbers one representing an x coordinate 107 00:08:23,520 --> 00:08:27,960 and one representing a y coordinate how do we convert those two numbers 108 00:08:27,960 --> 00:08:33,800 into a single thing that we can use as our password element but it does 109 00:08:33,800 --> 00:08:38,340 it so elliptic curve diffi helman somehow figures that out so just know 110 00:08:38,340 --> 00:08:42,740 that that is what the password element is the password element represents 111 00:08:42,740 --> 00:08:48,080 those two points on the line that meet the elliptic curve formula so let's 112 00:08:48,080 --> 00:08:51,120 just give sort of like a real simplistic example of how this works now 113 00:08:51,120 --> 00:08:57,240 this is not how ecd h works or sae e this is just giving sort of a real 114 00:08:57,240 --> 00:09:01,440 sort of high level of sort of the mechanics of this so imagine if we use 115 00:09:01,440 --> 00:09:06,100 a real simple formula for our elliptic curve diffi helman group let's 116 00:09:06,100 --> 00:09:12,140 say it was y squared equals x minus one and so i need to come up with 117 00:09:12,140 --> 00:09:18,380 a value of x that if i take that value of x minus one it will equal something 118 00:09:18,380 --> 00:09:24,080 that is squared and then i'll have my two points okay so we know that 119 00:09:24,080 --> 00:09:30,500 in wp three sae there are inputs that go into this formula to come up 120 00:09:30,500 --> 00:09:36,720 with the value of x those inputs being at minimum the s sid and the passphrase 121 00:09:36,720 --> 00:09:39,500 as well as a couple of other things as well but we're trying to keep it 122 00:09:39,500 --> 00:09:44,860 real simple here so the re i'm using an s sid of ace and a passphrase 123 00:09:44,860 --> 00:09:50,220 of b 55 for very simple reason because i want to convert each one of those 124 00:09:50,220 --> 00:09:55,640 characters into an aske value because remember at the end of the day sae 125 00:09:55,640 --> 00:10:00,900 is taking your s sid of coffee one two three and your passphrase of best 126 00:10:00,900 --> 00:10:06,300 coffee ever and somehow converting that into a numerical number to plug 127 00:10:06,300 --> 00:10:10,220 into this formula so i just chose an s sid in a passphrase that's real 128 00:10:10,220 --> 00:10:19,560 easy to turn into numbers so a is 65 and aske c is 67 and e is 69 so if 129 00:10:19,560 --> 00:10:23,340 i took let's say my formula at took those three numbers add them together 130 00:10:23,340 --> 00:10:30,040 and i get 201 and then i do the same thing for my passphrase b is 66 five 131 00:10:30,040 --> 00:10:35,480 is 53 five again is 53 these are the aske values for these characters 132 00:10:35,480 --> 00:10:40,920 take those and together i get 172 now if the formula said okay now that 133 00:10:40,920 --> 00:10:44,460 you've done that add those together to get one number see so what i'm 134 00:10:44,460 --> 00:10:48,780 doing right here is providing a real simplistic example of one way in 135 00:10:48,780 --> 00:10:53,380 theory that we could take these things that you typed in your s sid in 136 00:10:53,380 --> 00:10:58,520 your passphrase and convert them into one number one string of numbers 137 00:10:58,520 --> 00:11:03,000 now this is not how sae does it i'm just giving you sort of an idea of 138 00:11:03,000 --> 00:11:08,520 oh here's how it could happen so now that we've got that we need to figure 139 00:11:08,520 --> 00:11:13,280 out if there's if we could plug this into a formula and if this could 140 00:11:13,280 --> 00:11:19,500 be a valid elliptic curve point so is it possible that 373 could represent 141 00:11:19,500 --> 00:11:28,080 x on our formula well let's take it and if it's not what do we do about 142 00:11:28,080 --> 00:11:33,800 that well what if we did this how do i change 373 into a suitable value 143 00:11:33,800 --> 00:11:39,340 for x that will satisfy the equation let's try hashing it here's an example 144 00:11:39,340 --> 00:11:45,580 let's try this so what if we take the hash of 373 and let's say the first 145 00:11:45,580 --> 00:11:53,080 time we do it we get the value of 501 okay will that work 501 minus 1 146 00:11:53,080 --> 00:11:59,720 is 500 is there some value that if that value were squared would equal 147 00:11:59,720 --> 00:12:05,740 500 no i don't think so so that can't possibly be a valid elliptical curve 148 00:12:05,740 --> 00:12:09,800 point all right let's do attempt number two what if the formula said let's 149 00:12:09,800 --> 00:12:14,440 take the result of 501 and hash that and maybe the result of that hash 150 00:12:14,440 --> 00:12:23,800 is 207 all right check it again 207 minus 1 that's 206 is 206 y squared 151 00:12:23,800 --> 00:12:30,820 could we come up with y if y squared equal 206 no we couldn't that wouldn't 152 00:12:30,820 --> 00:12:34,920 give us a valid y number what about attempt number three oh look at this 153 00:12:34,920 --> 00:12:40,980 so if we take our value our previous value of 207 hash it again now we 154 00:12:40,980 --> 00:12:51,180 come up with 145 oh look at this 145 minus 1 is 144 guess what 12 squared 155 00:12:51,180 --> 00:13:01,740 equals 144 so now we can say well if x is 145 then y could be 12 and now 156 00:13:01,740 --> 00:13:06,780 we have two points that match our elliptic curve formula and now if we 157 00:13:06,780 --> 00:13:11,160 could somehow combine those two things into a single value we would have 158 00:13:11,160 --> 00:13:16,360 our password element so you can see in this sort of high level theoretical 159 00:13:16,360 --> 00:13:22,180 example we're using hashing and we're doing multiple attempts to come 160 00:13:22,180 --> 00:13:27,560 up with a value that will satisfy this value of x in this formula and 161 00:13:27,560 --> 00:13:31,680 we started out with some values that were typed in by you the s s i d 162 00:13:31,680 --> 00:13:39,760 in the passphrase to to do all of this all right so how does wpa3 sae 163 00:13:39,760 --> 00:13:47,120 actually do it so we know that we have to perform a password element we 164 00:13:47,120 --> 00:13:50,000 know that we're going to be doing this using elliptic curve diffie helman 165 00:13:50,000 --> 00:13:55,200 and there are two ways that this can be done and this goes back to that 166 00:13:55,200 --> 00:13:58,660 picture that we saw of the 9800 controller at the beginning of this video 167 00:13:58,660 --> 00:14:04,400 one method is called hash to element the other method is called hunting 168 00:14:04,400 --> 00:14:09,160 and pecking now here's the critical ingredient whichever one you select 169 00:14:09,160 --> 00:14:13,560 it has to be done by both the client and the access point they have to 170 00:14:13,560 --> 00:14:17,460 use the same method in other words if the client is coming up with his 171 00:14:17,460 --> 00:14:21,320 password element using hash to element and yet the access point is taking 172 00:14:21,320 --> 00:14:26,540 the same inputs that passphrase and s s i d but he is using hunting and 173 00:14:26,540 --> 00:14:31,200 pecking it won't work and the client will not be able to associate to 174 00:14:31,200 --> 00:14:35,840 that access point and that's what we get right here so this is where we 175 00:14:35,840 --> 00:14:39,180 have to choose now if you leave this box alone you don't select anything 176 00:14:39,180 --> 00:14:46,880 it will default to both h2e and hnp and i will tell you that if you're 177 00:14:46,880 --> 00:14:50,720 using an access point that's oh that was manufactured within probably 178 00:14:50,720 --> 00:14:55,040 the last couple of years that should be fine but where you might run into 179 00:14:55,040 --> 00:14:59,600 trouble is if you're using an older access point that so three four five 180 00:14:59,600 --> 00:15:05,060 years older older then leaving it the defaults here is going to cause 181 00:15:05,060 --> 00:15:08,340 you some odd behavior and i'll actually show you some examples of that 182 00:15:08,340 --> 00:15:12,340 in the subsequent video after this one so let's start out with hunting 183 00:15:12,340 --> 00:15:17,500 and pecking historically this is the one that came out first so when wpa 184 00:15:17,500 --> 00:15:23,180 three first was invented you know by the Wi-Fi alliance and they said 185 00:15:23,180 --> 00:15:27,840 oh wpa three needs to go through this sa exchange but before we do that 186 00:15:27,840 --> 00:15:32,060 we need to come up with a password element and they said hmm how are we 187 00:15:32,060 --> 00:15:35,760 going to do that how are we going to take a passphrase and s s i d and 188 00:15:35,760 --> 00:15:39,220 maybe a MAC address and a couple of other things and come up with a number 189 00:15:39,220 --> 00:15:43,920 that we can use as a possible x-coordinate to feed into our formula to 190 00:15:43,920 --> 00:15:48,400 see if it works and so this is the way they came up with it first hunting 191 00:15:48,400 --> 00:15:52,960 and pecking so how's it work it actually works kind of like what i did 192 00:15:52,960 --> 00:15:57,840 in my previous high level example it uses a hashing mechanism to convert 193 00:15:57,840 --> 00:16:03,120 the passphrase the s s i d and a few other things to a point on the curve 194 00:16:03,120 --> 00:16:07,920 kind of like what i did previously in my example now very good chance 195 00:16:07,920 --> 00:16:11,760 at the first time it hashes it and comes up with the value and it plugs 196 00:16:11,760 --> 00:16:16,640 that value into the formula that we saw with that big a and p and b values 197 00:16:16,640 --> 00:16:20,620 and x to the three and everything it probably won't work it probably won't 198 00:16:20,620 --> 00:16:24,560 come up with a value that satisfies y on the left side so we will have 199 00:16:24,560 --> 00:16:28,600 to do it again now the way that hunting and pecking works it says okay 200 00:16:28,600 --> 00:16:32,140 the first so what i'm going to do is i'm going to take my inputs of my 201 00:16:32,140 --> 00:16:37,040 static inputs of passphrase s s i d MAC address maybe one or two other 202 00:16:37,040 --> 00:16:41,120 things and i'm going to add to that something called a counter maybe start 203 00:16:41,120 --> 00:16:44,760 out with a counter value of one and i'm going to hash all that and then 204 00:16:44,760 --> 00:16:48,820 see if the result is something that's a valid x coordinate if that doesn't 205 00:16:48,820 --> 00:16:52,540 work i'll keep all my normal inputs the same i'm certainly not going to 206 00:16:52,540 --> 00:16:55,820 use a different passphrase or a different s s i d all that's going to 207 00:16:55,820 --> 00:16:59,820 remain the same i'm just going to increase the counter and now because 208 00:16:59,820 --> 00:17:03,620 that one little changes happened i'll hash it again and that will come 209 00:17:03,620 --> 00:17:09,500 up with a different hash result that i can test now as you can see here 210 00:17:09,500 --> 00:17:16,820 it's going to thousands or even millions of times until it hashes to a 211 00:17:16,820 --> 00:17:23,480 value that actually does work in that group 19 egaliptic curve diffi helman 212 00:17:23,480 --> 00:17:29,240 formula and then we've got our x number which translates to a y number 213 00:17:29,240 --> 00:17:34,600 so potentially many iterations and weaker security now why they say weaker 214 00:17:34,600 --> 00:17:40,220 security here is because there's a trade -off here we know that in general 215 00:17:40,220 --> 00:17:44,880 in security whenever you're dealing with a password or a passphrase you 216 00:17:44,880 --> 00:17:49,020 know what's the general recommendation make it really long and something 217 00:17:49,020 --> 00:17:52,700 that people can't guess right so the same thing is true here when you're 218 00:17:52,700 --> 00:17:56,640 setting up your wpa3 sae wireless LAN you're gonna have to go into the 219 00:17:56,640 --> 00:18:00,400 controller or the access point and type in what the passphrase is that 220 00:18:00,400 --> 00:18:04,860 you're going to give to everybody else well here's the problem if you 221 00:18:04,860 --> 00:18:09,660 give it a really short easy-term memorized password like coffee is great 222 00:18:09,660 --> 00:18:15,620 or something something short like that well on the on the pro on the upside 223 00:18:15,620 --> 00:18:19,600 that's easy for all the people at your store whatever to see on the wall 224 00:18:19,600 --> 00:18:24,340 and type into their phones or their tablets right and then if you're using 225 00:18:24,340 --> 00:18:29,300 and hunting and pecking the shorter the password the less hashing iterations 226 00:18:29,300 --> 00:18:33,300 it will have to do until it finally comes up with a valid x-coordinate 227 00:18:33,300 --> 00:18:39,160 maybe it only has to hash coffee is great like 5,000 times before it finds 228 00:18:39,160 --> 00:18:45,000 an x-coordinate but that's not so good so what if we're talking about 229 00:18:45,000 --> 00:18:48,820 a company right where you're not posting the passphrase on the wall you 230 00:18:48,820 --> 00:18:52,120 don't want people outside the walls of your company gaining access to 231 00:18:52,120 --> 00:18:56,980 your Wi-Fi so you you know email all of your new employees or you give 232 00:18:56,980 --> 00:19:00,100 your new employees you know a card or something that's got the passphrase 233 00:19:00,100 --> 00:19:03,960 on it or maybe you do it for yourself on their laptop before you hand 234 00:19:03,960 --> 00:19:08,360 it out to them as a company owned asset either way the poll point is we 235 00:19:08,360 --> 00:19:12,280 don't want outsiders to know what that passphrase is because we don't 236 00:19:12,280 --> 00:19:17,860 want to get them on our Wi-Fi they don't belong there so we say well we 237 00:19:17,860 --> 00:19:22,480 should probably have a really long passphrase then well the longer your 238 00:19:22,480 --> 00:19:27,040 passphrase is the more iterations of hashing hunting and pecking is going 239 00:19:27,040 --> 00:19:31,780 to go through and it can actually be very computationally expensive on 240 00:19:31,780 --> 00:19:36,260 the smartphone and the laptop to go through these possibly millions of 241 00:19:36,260 --> 00:19:41,160 iterations of hunting and pecking for a long complex Wi-Fi password before 242 00:19:41,160 --> 00:19:45,200 it finally finds that x-coordinate that's going to use to fill into the 243 00:19:45,200 --> 00:19:50,060 formula and so that's one of the downsides is hey i'm trying to do what 244 00:19:50,060 --> 00:19:52,660 they tell me to do i'm trying to come up with a really long passphrase 245 00:19:52,660 --> 00:19:56,400 but it's computationally expensive and it's causing my CPU to overheat 246 00:19:56,400 --> 00:19:59,320 because hunting and pecking is having to go through millions and millions 247 00:19:59,320 --> 00:20:04,700 of hashes to finally work and the other downside of hunting and pecking 248 00:20:04,700 --> 00:20:10,020 that they say is that you know if somebody on the outside is sniffing 249 00:20:10,020 --> 00:20:13,600 your wireless traffic right and their goal is to either get on to your 250 00:20:13,600 --> 00:20:17,460 Wi-Fi or they want to you know crack the cryptography so they can decrypt 251 00:20:17,460 --> 00:20:21,960 people's frames whatever their malicious goal is the objective is we want 252 00:20:21,960 --> 00:20:26,300 to give them as little information as possible we want to prevent them 253 00:20:26,300 --> 00:20:32,300 from guessing anything about what's going on in the Wi-Fi so with this 254 00:20:32,300 --> 00:20:38,560 method here if i if somebody is Wi-Fi had a really short simple passphrase 255 00:20:38,560 --> 00:20:45,720 and i was sniffing okay and i was actually seeing like you could you could 256 00:20:45,720 --> 00:20:49,720 measure the time when the client first sends its commit message when this 257 00:20:49,720 --> 00:20:54,040 client sends its commit message the client has already generated a password 258 00:20:54,040 --> 00:20:57,660 element so it's already gone through the hashing and stuff but the access 259 00:20:57,660 --> 00:21:02,700 point hasn't yet because until the client sends the message the access 260 00:21:02,700 --> 00:21:07,080 point is not going to know what diffie helman or i should say elliptic 261 00:21:07,080 --> 00:21:10,940 curve diffie helman group that client wants to use because there's more 262 00:21:10,940 --> 00:21:15,860 than one so the access point can't generate its password element until 263 00:21:15,860 --> 00:21:20,080 it sees that commit message from the client and it knows what group that 264 00:21:20,080 --> 00:21:24,620 client is using so if i was watching everything on the outside and i was 265 00:21:24,620 --> 00:21:29,720 doing a stiffer trace i could actually see hmm it looks like i can actually 266 00:21:29,720 --> 00:21:33,700 measure the time and like microseconds or milliseconds between when the 267 00:21:33,700 --> 00:21:37,640 first commit message was seen and then the second commit message from 268 00:21:37,640 --> 00:21:42,280 the access point came back and i might be able to infer based on that 269 00:21:42,280 --> 00:21:47,560 time if that time is really short i can infer that the passphrase they're 270 00:21:47,560 --> 00:21:51,840 using must be something pretty short and simple whereas if the time is 271 00:21:51,840 --> 00:21:56,160 longer then i can for oh that's probably really long complex passphrase 272 00:21:56,160 --> 00:21:59,780 they're using because it's taking a lot longer to come up with that password 273 00:21:59,780 --> 00:22:02,680 element and that's why that second commit message is taking a little bit 274 00:22:02,680 --> 00:22:07,500 longer to go back there are actually some sorts of attacks that use that 275 00:22:07,500 --> 00:22:11,920 as sort of like a basis in their attack so that's another downside of 276 00:22:11,920 --> 00:22:17,140 hunting and pecking now the pro here is that any Wi-Fi client that supports 277 00:22:17,140 --> 00:22:23,700 wpa3 will support this because this was the original way that wpa3 sae 278 00:22:23,700 --> 00:22:28,400 used to come up with that password element but we talked right now about 279 00:22:28,400 --> 00:22:32,860 some of the downsides so later on people developed something called hash 280 00:22:32,860 --> 00:22:37,080 to element this is newer this came out after hunting and pecking and it 281 00:22:37,080 --> 00:22:43,500 uses a cryptographically specified hash to curve algorithm so here's really 282 00:22:43,500 --> 00:22:46,980 the details of this and we don't have to go into any math or anything 283 00:22:46,980 --> 00:22:51,380 for you to take away why this is better why is this better because somehow 284 00:22:51,380 --> 00:22:56,960 in a way that i do not understand this is able to take your inputs of 285 00:22:56,960 --> 00:23:00,740 your passphrase and your SSID and maybe the the MAC address of the client 286 00:23:00,740 --> 00:23:05,880 or the access point and somehow go whoop right there and figure out what 287 00:23:05,880 --> 00:23:10,900 a password element value is that would satisfy that elliptic curve diffi 288 00:23:10,900 --> 00:23:14,500 helman group without doing multiple iterations and saying does this work 289 00:23:14,500 --> 00:23:18,740 nope does that work nope does that oh yeah that one works it somehow bypasses 290 00:23:18,740 --> 00:23:23,400 all that in zips right to the answer i have no idea how that works but 291 00:23:23,400 --> 00:23:28,140 it works so this is more efficient and safer than hunting and pecking 292 00:23:28,140 --> 00:23:32,800 but like i said the problem is some older clients and access points unfortunately 293 00:23:32,800 --> 00:23:37,980 don't support this so as our final takeaways for this particular video 294 00:23:37,980 --> 00:23:42,740 one thing to know is that access points do advertise in their beacons 295 00:23:42,740 --> 00:23:48,900 what password element capability they support in their beacons and probe 296 00:23:48,900 --> 00:23:53,760 responses they actually in their beacons they actually say you know there's 297 00:23:53,760 --> 00:23:58,400 actually if if if they support hash to element there's a special information 298 00:23:58,400 --> 00:24:02,420 element that they insert into the beacons and i'll show you that in a 299 00:24:02,420 --> 00:24:05,800 subsequent slide but to give you a preview right now it's actually dictated 300 00:24:05,800 --> 00:24:12,560 by the IEEE that if a access point supports hash to element it must put 301 00:24:12,560 --> 00:24:17,400 a special information element right after the rsn element right after 302 00:24:17,400 --> 00:24:21,060 the robust security network element they have to put another one in there 303 00:24:21,060 --> 00:24:26,060 that has a little bit set that says i am doing hash to element or at least 304 00:24:26,060 --> 00:24:29,680 it says i can support hash to element that that one little bit if it's 305 00:24:29,680 --> 00:24:34,540 set to one says i'm capable of this and then it leaves it up to the client 306 00:24:34,540 --> 00:24:38,620 to decide whether or not it wants to use hash to element or whether or 307 00:24:38,620 --> 00:24:43,400 not it wants to use hunting and pecking now like it says right here if 308 00:24:43,400 --> 00:24:48,220 wireless clients see that beacons or they see that probe response and 309 00:24:48,220 --> 00:24:52,080 they see that information element in there then most of the time if the 310 00:24:52,080 --> 00:24:57,100 client actually not most of the time all the time it says in the actual 311 00:24:57,100 --> 00:25:01,800 IEEE specs it says if a client sees that bit set to one and the client 312 00:25:01,800 --> 00:25:07,580 supports hash to element it should use hash to element not hunting and 313 00:25:07,580 --> 00:25:11,660 pecking it will only use hunting and pecking if it doesn't see that information 314 00:25:11,660 --> 00:25:15,780 element so it says hmm access point is not indicating that he supports 315 00:25:15,780 --> 00:25:19,900 hash to element in any way i guess i need to use the older method of hunting 316 00:25:19,900 --> 00:25:24,060 and pecking now here's another sort of very important thing to be aware 317 00:25:24,060 --> 00:25:31,020 of if you're using Wi-Fi 6e or Wi-Fi 7 or anything else that might come 318 00:25:31,020 --> 00:25:36,340 out in the future those require hash to element so that is mandatory so 319 00:25:36,340 --> 00:25:39,560 obviously you're going to need a newer access point to support those newer 320 00:25:39,560 --> 00:25:44,520 Wi-Fi standards and they will support h2e just make sure that your clients 321 00:25:44,520 --> 00:25:49,320 also support it now if you're unsure about what the capabilities are of 322 00:25:49,320 --> 00:25:53,200 your access points to your clients just stick with hunting and pecking 323 00:25:53,200 --> 00:25:58,280 and you should be safe so that's it for this video thank you so much for