1 00:00:04,540 --> 00:00:09,300 Hello and welcome to this video titled, Potential Problems with Hash to 2 00:00:09,300 --> 00:00:15,760 Element. So as a review, in case you're coming into this video fresh and 3 00:00:15,760 --> 00:00:19,440 you haven't seen any other videos on this particular topic, just as a 4 00:00:19,440 --> 00:00:25,120 review, we know that WPA3SAE must first derive a number called a password 5 00:00:25,120 --> 00:00:28,600 element before performing the SAE exchange. 6 00:00:28,600 --> 00:00:31,920 So the password element is going to be a number that's plugged into the 7 00:00:31,920 --> 00:00:36,860 various formulas that are used during the SAE commit process. 8 00:00:36,860 --> 00:00:39,560 Now how is that password element created? 9 00:00:39,560 --> 00:00:43,840 Well, it's done by finding a common element, which is a common point on 10 00:00:43,840 --> 00:00:45,160 an elliptic curve. 11 00:00:45,160 --> 00:00:48,520 And in previous videos, we talked about how points on elliptic curves 12 00:00:48,520 --> 00:00:51,140 have to match certain formulas. 13 00:00:51,140 --> 00:00:55,860 That the x value that you use, you have to plug into the formula, and 14 00:00:55,860 --> 00:01:01,360 if it derives a valid y value, then you've got your two valid points. 15 00:01:01,360 --> 00:01:02,920 So how is this done? 16 00:01:02,920 --> 00:01:08,020 Well, there's two complex mathematical ways to derive these valid x and 17 00:01:08,020 --> 00:01:12,940 y points by taking your passphrase and your SSID and a few other things 18 00:01:12,940 --> 00:01:17,280 as inputs. So how do we take the passphrase, SSID, MAC addresses and other 19 00:01:17,280 --> 00:01:22,000 things and come up with some value that we can test against the elliptic 20 00:01:22,000 --> 00:01:26,640 curve formula to see if it is indeed a valid x coordinate? 21 00:01:26,640 --> 00:01:30,080 Well, the two ways are hash to element and hunting and pecking. 22 00:01:30,080 --> 00:01:31,880 Hash to element is newer. 23 00:01:31,880 --> 00:01:34,240 It's more secure than hunting and pecking. 24 00:01:34,240 --> 00:01:41,060 And if a wireless LAN access point advertises hash to element capabilities, 25 00:01:41,060 --> 00:01:45,900 and if the client supports it, the clients will prefer hash to element. 26 00:01:45,900 --> 00:01:48,840 All right, so you might be thinking, great, I'm just going to use hash 27 00:01:48,840 --> 00:01:49,660 to element then. 28 00:01:49,660 --> 00:01:51,360 It's newer, it's more secure. 29 00:01:51,360 --> 00:01:53,220 I'm just going to use it. 30 00:01:53,220 --> 00:01:55,720 So now I'm going to show you in the subsequent slides for this particular 31 00:01:55,720 --> 00:01:59,780 video are some gotchas or bugs or caveats. 32 00:01:59,780 --> 00:02:05,380 I actually noticed in the lab when I was using various hash to element 33 00:02:05,380 --> 00:02:09,120 combinations in the creation of my wireless LAN. 34 00:02:09,120 --> 00:02:10,440 I'll tell you right off the bat. 35 00:02:10,440 --> 00:02:13,840 I cannot explain why this is happening. 36 00:02:13,840 --> 00:02:18,340 I've wrapped my mind around all the mechanics of how the controller and 37 00:02:18,340 --> 00:02:22,960 the access point communicate, who talks to the client when, what messages 38 00:02:22,960 --> 00:02:28,300 are going on, and I just gave up and I couldn't figure out why what you're 39 00:02:28,300 --> 00:02:30,980 about to see actually is happening. 40 00:02:30,980 --> 00:02:35,480 So I can only show you what you might experience and advise you how to 41 00:02:35,480 --> 00:02:38,940 avoid it. All right, so that being the case. 42 00:02:38,940 --> 00:02:45,440 So some older access points that do support hunting and pecking do not 43 00:02:45,440 --> 00:02:46,680 support hash to element. 44 00:02:46,680 --> 00:02:51,020 So you might recall that when WPA3 first came out and they said, oh, you 45 00:02:51,020 --> 00:02:55,440 can do a personal version of it called WPA3SAE. 46 00:02:55,440 --> 00:02:59,980 All right, well, if you're doing WPA3SAE, that means you have to create 47 00:02:59,980 --> 00:03:01,000 a password element. 48 00:03:01,000 --> 00:03:04,120 You have to because that's ultimately going to help you create the secret 49 00:03:04,120 --> 00:03:08,540 key, which is going to ultimately help you create your pairwise master 50 00:03:08,540 --> 00:03:10,960 key. So we got start with the password element. 51 00:03:10,960 --> 00:03:14,940 And so the original form was doing hunting and pecking. 52 00:03:14,940 --> 00:03:17,960 So, and then hash to element came later. 53 00:03:17,960 --> 00:03:21,560 So if you've got some older access points like your, for example, Cisco 54 00:03:21,560 --> 00:03:25,880 3802i is an example because that's what I have here in my lab. 55 00:03:25,880 --> 00:03:30,120 I found out much to my dismay that they don't support hash to element. 56 00:03:30,120 --> 00:03:32,600 They only support hunting and pecking. 57 00:03:32,600 --> 00:03:37,380 So here's sort of the thing that I discovered unpleasantly that the Cisco 58 00:03:37,380 --> 00:03:42,800 9800 wireless LAN controller will still allow you when configuring or 59 00:03:42,800 --> 00:03:48,420 editing a wireless LAN to select hash to element, even if the access points 60 00:03:48,420 --> 00:03:51,220 it's managing don't support it. 61 00:03:51,220 --> 00:03:55,460 Now you might think, well, wait a second, the controller knows all the 62 00:03:55,460 --> 00:03:56,600 access points is controlling. 63 00:03:56,600 --> 00:04:00,280 It's got all their information because they had to join it via capwap. 64 00:04:00,280 --> 00:04:05,160 So should the controller be aware of what access points are older and 65 00:04:05,160 --> 00:04:08,820 don't support H2E and what access points do support it? 66 00:04:08,820 --> 00:04:12,520 And wouldn't you think it's logical that if you select H2E in your wireless 67 00:04:12,520 --> 00:04:15,840 LAN that you get some sort of error message or pop up saying, unsupport 68 00:04:15,840 --> 00:04:19,500 or something like that, nope, you won't see anything like that. 69 00:04:19,500 --> 00:04:23,740 It will let you create the wireless LAN, selecting hash to element, even 70 00:04:23,740 --> 00:04:27,860 if the downstream access points it's managing are old and don't even know 71 00:04:27,860 --> 00:04:31,260 what hash to element actually is. 72 00:04:31,260 --> 00:04:35,260 Now keep in mind that this capability of hash to element is supposed to 73 00:04:35,260 --> 00:04:37,180 be advertised in beacons. 74 00:04:37,180 --> 00:04:41,440 The access point every, you know, 10 milliseconds, actually every 100 75 00:04:41,440 --> 00:04:45,100 milliseconds is supposed to when sending out its beacons include a little 76 00:04:45,100 --> 00:04:47,800 information element in there, which I'll show you in just a minute that 77 00:04:47,800 --> 00:04:50,280 says, I support hash to element. 78 00:04:50,280 --> 00:04:53,660 So hey, clients, if you want to do that, I can do that too. 79 00:04:53,660 --> 00:04:58,640 So here we have a situation where the wireless LAN controller has been 80 00:04:58,640 --> 00:05:02,260 configured saying this wireless LAN, this WP3 wireless LAN is going to 81 00:05:02,260 --> 00:05:05,980 use hash to element to create the password element. 82 00:05:05,980 --> 00:05:08,640 And then it's pushed that down to the access point and the access point 83 00:05:08,640 --> 00:05:11,400 is saying, huh, I don't know what that is. 84 00:05:11,400 --> 00:05:15,760 What's H2E? So what's going to go on in that situation? 85 00:05:15,760 --> 00:05:17,700 What happens in that case? 86 00:05:17,700 --> 00:05:19,140 This is what I'm going to show you. 87 00:05:19,140 --> 00:05:23,860 So in an ideal world, this is what you'd see coming out of your access 88 00:05:23,860 --> 00:05:26,580 points every 100 milliseconds with those beacons. 89 00:05:26,580 --> 00:05:28,340 So here's a beacon you can see here. 90 00:05:28,340 --> 00:05:29,600 Here's the sort of the first part of it. 91 00:05:29,600 --> 00:05:31,400 You can see the RSN information element. 92 00:05:31,400 --> 00:05:35,280 And then right below that, there's the RSN extension. 93 00:05:35,280 --> 00:05:38,200 I love how they capitalize the X there, the extension element. 94 00:05:38,200 --> 00:05:42,520 And there's a bit in there called the SAE hash to element. 95 00:05:42,520 --> 00:05:45,580 And if that bit is set to one, that means this is true. 96 00:05:45,580 --> 00:05:49,980 So this is how the access point is telling all the clients and potential 97 00:05:49,980 --> 00:05:53,520 clients out there, I support this capability. 98 00:05:53,520 --> 00:05:58,200 If you wish to use it, you can because I know how to deal with it. 99 00:05:58,200 --> 00:06:00,060 That's what you should see. 100 00:06:00,060 --> 00:06:07,280 Okay. Now the remaining slides here are going to show you what I saw in 101 00:06:07,280 --> 00:06:12,280 the lab when I was using older access points that don't support hash to 102 00:06:12,280 --> 00:06:17,560 element. So we know that in your 9800, if I go back here just a little 103 00:06:17,560 --> 00:06:22,040 bit. Right here. 104 00:06:22,040 --> 00:06:26,460 It defaults to both H2E and HNP. 105 00:06:26,460 --> 00:06:29,740 So if you don't click anything in this box right here, this SAE password 106 00:06:29,740 --> 00:06:35,200 L, if you just leave it alone, the default is both H2E and HNP. 107 00:06:35,200 --> 00:06:39,520 Now, what are you going to see if the actual access point doesn't support 108 00:06:39,520 --> 00:06:42,440 H2E? What's going to happen then? 109 00:06:42,440 --> 00:06:47,220 All right. So what you're going to see then is this. 110 00:06:47,220 --> 00:06:54,860 Yes. So when a client tries to connect, you're going to see that it looks 111 00:06:54,860 --> 00:06:55,920 like it's working. 112 00:06:55,920 --> 00:06:59,060 Look at this. We see, let me just go ahead and do this up here. 113 00:06:59,060 --> 00:07:04,440 We see the four SAE authentication messages, right? 114 00:07:04,440 --> 00:07:09,000 The two commits, the two confirms, that all looks good. 115 00:07:09,000 --> 00:07:14,480 So clearly the access point and the client came up with a password element. 116 00:07:14,480 --> 00:07:18,720 That they were able to use that matched, but for some reason. 117 00:07:18,720 --> 00:07:23,020 And then you go through the association messages, you start doing the 118 00:07:23,020 --> 00:07:24,560 EAP over land keys. 119 00:07:24,560 --> 00:07:28,020 So we say here, we see message one, message two, message three, and then 120 00:07:28,020 --> 00:07:34,980 right there, right after EAP over land key message three, the client will 121 00:07:34,980 --> 00:07:38,180 send to the access point a disassociation message. 122 00:07:38,180 --> 00:07:42,160 Now, like I said, I cannot explain the mechanics of why this is happening 123 00:07:42,160 --> 00:07:46,660 under the hood. I just want you to know that if you see this, that's what's 124 00:07:46,660 --> 00:07:51,940 going on. What's going on is that your controller is using both H2E and 125 00:07:51,940 --> 00:07:57,780 HNP, but the actual access point is not supporting H2E. 126 00:07:57,780 --> 00:08:03,460 And so this weird behavior is what happens is the client almost gets all 127 00:08:03,460 --> 00:08:04,620 the way through. 128 00:08:04,620 --> 00:08:08,380 But then after the end of message three, it says, no, I'm done. 129 00:08:08,380 --> 00:08:14,160 I'm leaving this wireless land. 130 00:08:14,160 --> 00:08:16,200 So that's what you'll see there. 131 00:08:16,200 --> 00:08:20,960 Now, you could also, if you see that, you might say, oh, man, I'm going 132 00:08:20,960 --> 00:08:25,020 to start the radioactive trace on my 9800 controller and see what's going 133 00:08:25,020 --> 00:08:27,560 on. And this is what you'll see. 134 00:08:27,560 --> 00:08:34,900 So it says here, it says EAP key right there says, sent M3 successfully. 135 00:08:34,900 --> 00:08:41,900 Now, normally the controller plays no part in the authentication message 136 00:08:41,900 --> 00:08:46,760 exchange, the association messages exchanged, or the EAP over land key 137 00:08:46,760 --> 00:08:48,380 message exchanges. 138 00:08:48,380 --> 00:08:51,960 Normally, that's only done between the access point and the client. 139 00:08:51,960 --> 00:08:53,720 It's very time sensitive. 140 00:08:53,720 --> 00:08:57,120 And, you know, if you actually think about it, a controller could be managing 141 00:08:57,120 --> 00:09:02,020 hundreds of access points and thousands and thousands of clients. 142 00:09:02,020 --> 00:09:05,960 The controller just doesn't have enough bandwidth to be able to process 143 00:09:05,960 --> 00:09:09,980 all those messages going back and forth with thousands of clients. 144 00:09:09,980 --> 00:09:11,440 It doesn't see that. 145 00:09:11,440 --> 00:09:15,520 But when you turn on the radio active trace and you start tracing, for 146 00:09:15,520 --> 00:09:18,760 example, a particular client, it's kind of like the controller sends a 147 00:09:18,760 --> 00:09:22,380 message downstream to the access point saying, hey, tell me what you're 148 00:09:22,380 --> 00:09:25,400 doing. I want to have visibility into the messages that's going on. 149 00:09:25,400 --> 00:09:29,600 So keep in mind that normally the controller wouldn't see these EAP messages. 150 00:09:29,600 --> 00:09:31,400 He wouldn't take part in that. 151 00:09:31,400 --> 00:09:34,960 But when you turn on radioactive trace, he's like getting a copy of them. 152 00:09:34,960 --> 00:09:38,520 He's getting messages from the access point so he knows what's going on. 153 00:09:38,520 --> 00:09:41,700 And so it shows you right here, just like we saw in the sniffer trace, 154 00:09:41,700 --> 00:09:46,640 after the EAP over land message three is sent out, then all of a sudden 155 00:09:46,640 --> 00:09:52,080 we get deleting the client and says client delete reason, EAP timeout 156 00:09:52,080 --> 00:09:57,220 failure. So once again, can't explain what's going on underneath the hood 157 00:09:57,220 --> 00:09:58,540 here and why this is happening. 158 00:09:58,540 --> 00:10:03,400 But these are your two indicators here of what you would see if things 159 00:10:03,400 --> 00:10:07,640 are failing with both hash to element and hunting and pecking. 160 00:10:07,640 --> 00:10:12,620 Now, what if we switch in the controller to hash to element only? 161 00:10:12,620 --> 00:10:14,740 What if we select that in the dropdown window? 162 00:10:14,740 --> 00:10:19,080 Well, then the failure will actually happen much, much more quickly. 163 00:10:19,080 --> 00:10:26,260 You'll see that the client will send his first commit message. 164 00:10:26,260 --> 00:10:31,380 And then the access point will send a commit message back. 165 00:10:31,380 --> 00:10:33,920 See right here, type commit. 166 00:10:33,920 --> 00:10:37,060 But right there, the access point will send in his commit message back 167 00:10:37,060 --> 00:10:39,980 a message saying unspecified failure. 168 00:10:39,980 --> 00:10:44,060 And then the client will deauthenticate. 169 00:10:44,060 --> 00:10:45,940 And then everything just starts all over again. 170 00:10:45,940 --> 00:10:47,460 This just starts repeating. 171 00:10:47,460 --> 00:10:51,080 So he won't even get as far as the EAP over land messages in this particular 172 00:10:51,080 --> 00:10:53,180 case with hash to element only. 173 00:10:53,180 --> 00:10:54,340 This is what you see. 174 00:10:54,340 --> 00:10:58,680 And once again, what do we see in a radioactive trace in this case? 175 00:10:58,680 --> 00:11:03,440 In this case, we see it actually is a little bit more explicit. 176 00:11:03,440 --> 00:11:09,400 It says PWE mismatch expected hash to element status code. 177 00:11:09,400 --> 00:11:12,520 Now, this, this, obviously, you will leave you sort of scratching your 178 00:11:12,520 --> 00:11:16,200 head because you'll say, wait a second, when I can figure this wireless 179 00:11:16,200 --> 00:11:21,460 LAN in that dropdown box here at the end, I selected H2E only. 180 00:11:21,460 --> 00:11:22,780 I selected that. 181 00:11:22,780 --> 00:11:28,420 So if I selected that, then the access point is sending out his beacons. 182 00:11:28,420 --> 00:11:32,640 He should be with that hash to element equals true, meaning I support 183 00:11:32,640 --> 00:11:39,000 this. And if clients see that, they're supposed to use hash, they're supposed 184 00:11:39,000 --> 00:11:43,440 to select a diffi-helmin group that maps to hash to element. 185 00:11:43,440 --> 00:11:44,640 And this is one thing as well. 186 00:11:44,640 --> 00:11:50,320 So you might wonder when a client sends his commit message to the access 187 00:11:50,320 --> 00:11:56,560 point, how does the access point know if that client derived his password 188 00:11:56,560 --> 00:11:59,740 element using HNP or H2E? 189 00:11:59,740 --> 00:12:02,180 There's not, if you actually look in the sniffer trace of a commit message, 190 00:12:02,180 --> 00:12:05,880 there's no field in there that says, I used one or the other. 191 00:12:05,880 --> 00:12:10,240 There's not. Well, how he knows that is that there's certain elliptic 192 00:12:10,240 --> 00:12:15,460 curve diffi-helmin groups that are used for hash to element, and there's 193 00:12:15,460 --> 00:12:18,880 other groups that are used for hunting and pecking. 194 00:12:18,880 --> 00:12:22,380 And so in the commit message from the client, it will actually explicitly 195 00:12:22,380 --> 00:12:26,000 say what diffi-helmin group it used. 196 00:12:26,000 --> 00:12:29,140 So in this particular case here, when that commit message came in from 197 00:12:29,140 --> 00:12:35,220 the client, the diffi-helmin group was not a hash to element group. 198 00:12:35,220 --> 00:12:37,820 It was a hunting and pecking group. 199 00:12:37,820 --> 00:12:43,060 And the controller, the access point is saying, I've been configured for 200 00:12:43,060 --> 00:12:44,260 hash to element only. 201 00:12:44,260 --> 00:12:47,900 Why is the client trying to connect to me using hunting and pecking? 202 00:12:47,900 --> 00:12:48,640 That's a mismatch. 203 00:12:48,640 --> 00:12:49,400 That won't work. 204 00:12:49,400 --> 00:12:52,700 But what's funny here is the reason why the client's doing that is because 205 00:12:52,700 --> 00:12:54,520 the access point is old. 206 00:12:54,520 --> 00:12:58,620 And he actually didn't say he was capable of hash to element in his beacons 207 00:12:58,620 --> 00:13:00,840 because he doesn't support it. 208 00:13:00,840 --> 00:13:05,100 So once again, if we go a little bit deeper, why is this happening? 209 00:13:05,100 --> 00:13:08,200 I can't really explain it to you, but this is what you'll see. 210 00:13:08,200 --> 00:13:10,800 All right. So what's the takeaway from all of this? 211 00:13:10,800 --> 00:13:12,060 How to avoid these problems? 212 00:13:12,060 --> 00:13:17,480 Well, number one, if you're using Wi -Fi 6E or Wi-Fi 7, you got to do hash 213 00:13:17,480 --> 00:13:21,940 to element. So obviously, if you're doing Wi-Fi 6E or Wi-Fi 7, you're 214 00:13:21,940 --> 00:13:23,620 going to have a newer access point. 215 00:13:23,620 --> 00:13:25,760 Only newer access points support that. 216 00:13:25,760 --> 00:13:28,600 And so those will support hash to element. 217 00:13:28,600 --> 00:13:30,200 You don't have to worry about that. 218 00:13:30,200 --> 00:13:35,360 But if you're doing an older form of Wi-Fi, like Wi-Fi 6 or something 219 00:13:35,360 --> 00:13:40,460 even lower than that, your access point might not support hash to element. 220 00:13:40,460 --> 00:13:44,500 And you might end up having these types of problems when you're configuring 221 00:13:44,500 --> 00:13:48,480 it with your 9800 controller or possibly any other controller as well. 222 00:13:48,480 --> 00:13:50,080 So here's the moral of the story. 223 00:13:50,080 --> 00:13:55,900 If you know in advance that none of your access points support Wi-Fi 6E 224 00:13:55,900 --> 00:14:00,780 or greater, just configure your wireless LANs with hunting and pecking. 225 00:14:00,780 --> 00:14:06,220 On your controller, don't stick with the default of both H2E and HNP. 226 00:14:06,220 --> 00:14:08,240 We've already seen how that causes problems. 227 00:14:08,240 --> 00:14:13,040 Just go in that drop down window and select HNP only, and you won't have 228 00:14:13,040 --> 00:14:16,460 any issues. So that's it for this video. 229 00:14:16,460 --> 00:14:17,740 Thank you so much for watching. 230 00:14:17,740 --> 00:14:19,680 And I really hope it was helpful for you.