1 00:00:04,160 --> 00:00:09,020 Hello and welcome to this video titled WPA Transient and Temporal Key 2 00:00:09,020 --> 00:00:16,640 Generation. So once again, before I go into the mechanics of how these 3 00:00:16,640 --> 00:00:20,660 various keys are derived, I'd just like to start by giving you the high 4 00:00:20,660 --> 00:00:22,620 level critical information. 5 00:00:22,620 --> 00:00:25,900 So once again, if you're just simply watching this course because you 6 00:00:25,900 --> 00:00:30,680 want to pass some simple, you know, wireless exam, you might not need 7 00:00:30,680 --> 00:00:33,060 the level of detail I'm about to go into here. 8 00:00:33,060 --> 00:00:35,580 So what's the takeaway up front? 9 00:00:35,580 --> 00:00:37,160 The takeaway is this. 10 00:00:37,160 --> 00:00:42,280 Before the four-way EAP Overland exchange happens, the pairwise master 11 00:00:42,280 --> 00:00:44,240 key has already been developed. 12 00:00:44,240 --> 00:00:51,180 Now we're strictly focusing on WPA3 SAE here, as well as WPA2 personal. 13 00:00:51,180 --> 00:00:57,340 In both cases, the pairwise master key has to be derived before even the 14 00:00:57,340 --> 00:01:00,540 first message of the EAP Overland key exchange happens. 15 00:01:00,540 --> 00:01:05,840 Then the first message that happens is that the access point will send 16 00:01:05,840 --> 00:01:09,320 the first EAP Overland key message to the client. 17 00:01:09,320 --> 00:01:13,620 Once the client gets that, the client has everything it needs to create 18 00:01:13,620 --> 00:01:16,080 its pairwise transient key. 19 00:01:16,080 --> 00:01:21,560 From the pairwise transient key, it can then divide that up into three 20 00:01:21,560 --> 00:01:26,260 pieces, the temporal key, the key encryption key, and the key confirmation 21 00:01:26,260 --> 00:01:30,200 key. The client has everything it needs just after receiving the first 22 00:01:30,200 --> 00:01:34,360 message. After the client sends EAP Overland message number two to the 23 00:01:34,360 --> 00:01:38,960 access point, the access point has everything it needs to create all of 24 00:01:38,960 --> 00:01:41,620 those keys. That's pretty much it from a high level. 25 00:01:41,620 --> 00:01:45,060 Now let's go into the actual mechanics of how this works at a lower level 26 00:01:45,060 --> 00:01:49,600 so you can understand what's going on under the hood. 27 00:01:49,600 --> 00:01:56,060 Okay, so here we start out where due to the SAE exchange, both the station 28 00:01:56,060 --> 00:02:01,460 and the access point have derived their shared pairwise master key for 29 00:02:01,460 --> 00:02:03,720 this session, just for these two people. 30 00:02:03,720 --> 00:02:06,700 So they say, okay, well, the next thing we need to do in the chain of 31 00:02:06,700 --> 00:02:10,900 events is we need to derive our pairwise transient key. 32 00:02:10,900 --> 00:02:14,400 So the first thing that's going to happen is that access point is going 33 00:02:14,400 --> 00:02:18,520 to send an EAP Overland key message, the very first one, so we call this 34 00:02:18,520 --> 00:02:20,600 message one or M one. 35 00:02:20,600 --> 00:02:24,900 And in that EAP Overland key message, it's going to send something called 36 00:02:24,900 --> 00:02:28,480 an A-nots. Now in the next slide, I'm going to talk about what nounces 37 00:02:28,480 --> 00:02:30,540 are, but that's going to be a critical thing that we're going to see in 38 00:02:30,540 --> 00:02:35,040 just a moment. The client is going to send message number two upstream 39 00:02:35,040 --> 00:02:38,740 to the access point, which is going to have its own net knots called the 40 00:02:38,740 --> 00:02:43,380 S-nots. Nose A-nots here is for authenticator knots. 41 00:02:43,380 --> 00:02:48,420 S-nots is for supplicant knots, because even when you're doing personal, 42 00:02:48,420 --> 00:02:52,540 the station is still considered a supplicant and the access point is still 43 00:02:52,540 --> 00:02:56,480 considered the authenticator, even if you're not doing 802.1x. 44 00:02:56,480 --> 00:02:59,640 And then we have two other messages are exchanged to complete our four 45 00:02:59,640 --> 00:03:03,140 way exchange. Okay, so if you've never heard this term, knots before, 46 00:03:03,140 --> 00:03:09,460 what is that? So a nounce simply means a number used once, number used 47 00:03:09,460 --> 00:03:14,680 once. And we've seen that they're exchanged in the first two EAP Overland 48 00:03:14,680 --> 00:03:19,520 key messages. And they're freshly created every time a client associates 49 00:03:19,520 --> 00:03:22,620 or reassociates with an access point. 50 00:03:22,620 --> 00:03:26,060 And this is a key point here because in order to derive a fresh set of 51 00:03:26,060 --> 00:03:30,760 keys that are unique from any previous sessions you may have had, we have 52 00:03:30,760 --> 00:03:36,000 to have a fresh set of nounces, as well as a fresh pairwise master key 53 00:03:36,000 --> 00:03:41,280 as well. So this allows us to derive fresh pairwise keys. 54 00:03:41,280 --> 00:03:45,900 All right, so nounces these random numbers, numbers used once, are used 55 00:03:45,900 --> 00:03:51,960 as one of several inputs into a key derivation function, a KDF. 56 00:03:51,960 --> 00:03:54,340 That's the formula to come up with various keys. 57 00:03:54,340 --> 00:03:58,780 We'll show you how that works, along with MAC addresses and the pairwise 58 00:03:58,780 --> 00:04:03,180 master key. Now, if you're like me, you're sort of wondering, well, how 59 00:04:03,180 --> 00:04:06,760 do they come up with these random numbers called a number used once? 60 00:04:06,760 --> 00:04:08,840 How does the supplicant come up with that? 61 00:04:08,840 --> 00:04:11,120 How does the access point come up with it? 62 00:04:11,120 --> 00:04:16,480 Well, so nounces are produced by a cryptographically secure pseudo random 63 00:04:16,480 --> 00:04:21,860 number generator, otherwise known as CSPRNG, C spring. 64 00:04:21,860 --> 00:04:26,620 And what you're seeing right here is an example of on a Linux based client, 65 00:04:26,620 --> 00:04:31,300 for example, like on a MacBook that's a Linux based, you'll actually see 66 00:04:31,300 --> 00:04:37,440 deep in the guts of it in the slash dev slash you slash dev, there is 67 00:04:37,440 --> 00:04:39,500 a you random folder. 68 00:04:39,500 --> 00:04:43,540 And so you random is actually the cryptographically secure pseudo random 69 00:04:43,540 --> 00:04:48,420 number number generator that a Linux based system will use to create random 70 00:04:48,420 --> 00:04:52,740 numbers, for example, for this purpose to create its its s knots. 71 00:04:52,740 --> 00:04:57,800 And access points will also have their own C springs that they can use 72 00:04:57,800 --> 00:05:00,180 to create random numbers. 73 00:05:00,180 --> 00:05:02,040 Okay, so let's go back to this. 74 00:05:02,040 --> 00:05:07,100 So the access point has now sent its Epos over land message number one, 75 00:05:07,100 --> 00:05:11,720 which contains a random A knots, like in this case, 12345. 76 00:05:11,720 --> 00:05:15,020 We also have the access points MAC address. 77 00:05:15,020 --> 00:05:18,940 So now this client here has all of this information. 78 00:05:18,940 --> 00:05:22,900 Okay, so it knows the pairwise master key, it knows the MAC address of 79 00:05:22,900 --> 00:05:27,320 itself. Obviously the MAC address of the access point, it knows the access 80 00:05:27,320 --> 00:05:31,460 points, knots, the A knots, it also knows the S knots now it hasn't sent 81 00:05:31,460 --> 00:05:34,660 the S knots yet, but it's already computed it. 82 00:05:34,660 --> 00:05:37,340 We can see that right here, 33456. 83 00:05:37,340 --> 00:05:41,260 So with all that information, the client says I can now put that into 84 00:05:41,260 --> 00:05:46,000 a formula and compute my pairwise master key. 85 00:05:46,000 --> 00:05:49,660 So let's look and see how that actually happens. 86 00:05:49,660 --> 00:05:55,660 Now right here, this is WPA2, this is not WPA3, but the process is very 87 00:05:55,660 --> 00:05:58,680 similar. I'm going to show you how WPA2 does it. 88 00:05:58,680 --> 00:06:01,900 And then I'm going to compare that with WPA3. 89 00:06:01,900 --> 00:06:04,120 And remember, this is the personal version here. 90 00:06:04,120 --> 00:06:08,100 Okay, actually, no, this is enterprise as well, both personal and enterprise. 91 00:06:08,100 --> 00:06:12,000 You have to do the four way handshake and the derivation of the pairwise 92 00:06:12,000 --> 00:06:16,100 transient key and everything is the same, whether it's enterprise or personal. 93 00:06:16,100 --> 00:06:20,240 Okay, so the client receives EPUR land message number one, it's got all 94 00:06:20,240 --> 00:06:24,680 that stuff. So it's going to invoke something called a pseudo random function 95 00:06:24,680 --> 00:06:29,000 512, pseudo random function 512. 96 00:06:29,000 --> 00:06:30,100 What does that mean? 97 00:06:30,100 --> 00:06:34,760 So the idea here is we want to create a pairwise transient key. 98 00:06:34,760 --> 00:06:38,640 And according to the specifications, the pairwise transient key has to 99 00:06:38,640 --> 00:06:42,280 be 512 bits in length. 100 00:06:42,280 --> 00:06:46,220 That's why we have PRF 512. 101 00:06:46,220 --> 00:06:51,000 So this function here is going to take several pieces of information as 102 00:06:51,000 --> 00:06:53,900 input. And that's what this is showing you right here. 103 00:06:53,900 --> 00:06:56,340 So let's look at each one of these things. 104 00:06:56,340 --> 00:07:00,140 So the pseudo random function is going to take whatever the pairwise master 105 00:07:00,140 --> 00:07:02,220 key is. So that's right here. 106 00:07:02,220 --> 00:07:04,780 So it's going to take that as input. 107 00:07:04,780 --> 00:07:10,100 It's going to take this string called pairwise key expansion is actually 108 00:07:10,100 --> 00:07:12,760 going to be that text string that's going to be in there. 109 00:07:12,760 --> 00:07:16,800 And then it's going to look at the MAC address of the client, the MAC 110 00:07:16,800 --> 00:07:20,780 address of the access point, and it's going to say which one is smaller. 111 00:07:20,780 --> 00:07:24,400 I'll put that next is going to line all these values up left to right. 112 00:07:24,400 --> 00:07:26,700 So the minimum of the MAC addresses. 113 00:07:26,700 --> 00:07:30,100 And then right after that is going to have the bigger MAC address of those 114 00:07:30,100 --> 00:07:34,240 two. Then it's going to take a look at the a nonce and the S nonce and 115 00:07:34,240 --> 00:07:35,960 say which one of those is smaller. 116 00:07:35,960 --> 00:07:37,360 I'll put that one in. 117 00:07:37,360 --> 00:07:40,020 And then I'll put in the larger of the noncees. 118 00:07:40,020 --> 00:07:43,500 And then lastly, it'll put in a counter. 119 00:07:43,500 --> 00:07:49,580 So just imagine a long string of bits now 1010110 is created based on 120 00:07:49,580 --> 00:07:51,680 all of these values here. 121 00:07:51,680 --> 00:07:54,580 Now what do we do with that? 122 00:07:54,580 --> 00:07:58,060 So now we plug that into. 123 00:07:58,060 --> 00:08:00,640 So here's an example, right? 124 00:08:00,640 --> 00:08:03,140 XX Y Y that's our PMK. 125 00:08:03,140 --> 00:08:05,820 Here's the string pairwise key expansion. 126 00:08:05,820 --> 00:08:06,520 Here's the value. 127 00:08:06,520 --> 00:08:09,360 So here is the smallest MAC address. 128 00:08:09,360 --> 00:08:12,920 So between the client's MAC address and the access point, the client had 129 00:08:12,920 --> 00:08:13,740 the smaller MAC. 130 00:08:13,740 --> 00:08:15,040 So that came first. 131 00:08:15,040 --> 00:08:18,060 Access points, MAC came second because it was bigger. 132 00:08:18,060 --> 00:08:23,160 And then the access points, knots was smaller than the clients or the 133 00:08:23,160 --> 00:08:24,240 supplements, not. 134 00:08:24,240 --> 00:08:28,580 So the access points, knots went in, then the supplicants, knots followed 135 00:08:28,580 --> 00:08:34,420 by the counter. And all that is fed into an H MAC Shaw one function. 136 00:08:34,420 --> 00:08:37,860 Now keep in mind, this is WPA2. 137 00:08:37,860 --> 00:08:44,080 So the result of an H MAC Shaw one function is to create a number that 138 00:08:44,080 --> 00:08:46,880 is 160 bits long. 139 00:08:46,880 --> 00:08:49,060 Well, this is kind of problematic, isn't it? 140 00:08:49,060 --> 00:08:53,300 Because we need a pairwise transient key that's 512 bits long, and this 141 00:08:53,300 --> 00:08:54,420 isn't long enough. 142 00:08:54,420 --> 00:08:56,580 So guess what? We're going to take that count. 143 00:08:56,580 --> 00:08:59,700 We're going to leave all these inputs the same except for the counter. 144 00:08:59,700 --> 00:09:02,420 And we're going to increment that counter from one to two. 145 00:09:02,420 --> 00:09:06,720 And now we're going to run all that through the H MAC Shaw one again, 146 00:09:06,720 --> 00:09:09,320 and we come up with a different value. 147 00:09:09,320 --> 00:09:11,360 Still not quite 512 yet. 148 00:09:11,360 --> 00:09:15,800 So we increment the counter again, run it through the formula again, come 149 00:09:15,800 --> 00:09:20,480 up with another 160 bit value, increment the counter a fourth time. 150 00:09:20,480 --> 00:09:26,400 And now after four iterations of this, if we add all those together, that 151 00:09:26,400 --> 00:09:30,780 gives us 640 bits worth of material. 152 00:09:30,780 --> 00:09:36,780 So we simply chop off the last 128 bits, trim that, which leaves us ta 153 00:09:36,780 --> 00:09:42,560 -da our 512 bit pairwise transient key. 154 00:09:42,560 --> 00:09:47,140 So this all happened that fast the moment that the client received the 155 00:09:47,140 --> 00:09:50,000 EPUVRA LAN message one. 156 00:09:50,000 --> 00:09:57,660 Okay, so this is just we're going to go back to how WP3 does it in just 157 00:09:57,660 --> 00:10:00,120 a moment, but just as a recap here. 158 00:10:00,120 --> 00:10:05,520 So we know that the pairwise master key originates from either the pre 159 00:10:05,520 --> 00:10:09,460 shared key or in WPA3 SAE results. 160 00:10:09,460 --> 00:10:14,980 It's derived through many different formulas using like hunting and pecking 161 00:10:14,980 --> 00:10:18,220 hash to element, using a password element and so on and so forth. 162 00:10:18,220 --> 00:10:23,260 Or if you're doing 802.1x, then the authentication server simply sends 163 00:10:23,260 --> 00:10:27,600 you this big, massively long master session key and you just take the 164 00:10:27,600 --> 00:10:30,680 first half of that and that's your pairwise master key. 165 00:10:30,680 --> 00:10:33,040 Either way, that's already done. 166 00:10:33,040 --> 00:10:37,140 Then we get message number one from the access point to the client. 167 00:10:37,140 --> 00:10:40,760 And now the client has everything it needs to create its pairwise transient 168 00:10:40,760 --> 00:10:45,380 key. Then message number two goes from the client to the access point. 169 00:10:45,380 --> 00:10:50,520 And we'll see with that, the access point has everything it needs to derive 170 00:10:50,520 --> 00:10:53,480 the exact same pairwise transient key. 171 00:10:53,480 --> 00:10:57,940 So with a one two exchange, both sides have derived the pairwise transient 172 00:10:57,940 --> 00:11:01,220 keys. Now we'll talk about what the mick is and everything here in just 173 00:11:01,220 --> 00:11:04,960 a second. And then in message number three, from the access point to the 174 00:11:04,960 --> 00:11:08,480 client, that's where the access point says, hey, client, by the way, I've 175 00:11:08,480 --> 00:11:13,560 had this group tran, group temporal key hanging around here that I used 176 00:11:13,560 --> 00:11:16,760 to encrypt all my broadcast and multi-cast messages. 177 00:11:16,760 --> 00:11:20,740 Let me send that to you as well so that you can have that. 178 00:11:20,740 --> 00:11:23,480 And then lastly, in message number four, from the client to the access 179 00:11:23,480 --> 00:11:26,580 point, the client says, we're good, we're good to go. 180 00:11:26,580 --> 00:11:29,640 Let's start encrypting some actual data here so I can get to my websites 181 00:11:29,640 --> 00:11:36,180 and things. Okay, so here, this slide is going to look very much like 182 00:11:36,180 --> 00:11:40,160 the previous slide, but notice at the top, it says wp-8-3. 183 00:11:40,160 --> 00:11:42,140 So now we're back to wp-3. 184 00:11:42,140 --> 00:11:45,440 So same thing happens in epos overland, message number one. 185 00:11:45,440 --> 00:11:47,300 Okay, the client ends up knowing everything. 186 00:11:47,300 --> 00:11:54,140 Now notice, here, he's going to invoke a prf-256 function. 187 00:11:54,140 --> 00:11:56,680 Remember, let's go back here wp-2. 188 00:11:56,680 --> 00:12:01,600 And wp-2 is a prf-512 function. 189 00:12:01,600 --> 00:12:05,360 So the function's a little bit different with wp-3. 190 00:12:05,360 --> 00:12:08,440 You might see a way a second. 191 00:12:08,440 --> 00:12:12,500 Aren't we supposed to come up with a 512-bit pairwise transient key? 192 00:12:12,500 --> 00:12:15,180 Yes, we are, but look, this is actually more efficient. 193 00:12:15,180 --> 00:12:18,120 So we're going to take the exact same input. 194 00:12:18,120 --> 00:12:20,620 So this is no different than wp-2. 195 00:12:20,620 --> 00:12:23,840 The exact same inputs in the exact same order. 196 00:12:23,840 --> 00:12:25,200 So there they are. 197 00:12:25,200 --> 00:12:33,160 But now we're running them through an h -mac 256 algorithm, a hashing algorithm. 198 00:12:33,160 --> 00:12:37,560 And guess what? When it hashed all this stuff, the result is not a 160 199 00:12:37,560 --> 00:12:41,260 -bit thing like wp-2 had. 200 00:12:41,260 --> 00:12:44,180 It's a 256-bit number. 201 00:12:44,180 --> 00:12:47,240 So he only has to do it twice. 202 00:12:47,240 --> 00:12:51,780 So he increments the counter a second time, runs it through, and now he's 203 00:12:51,780 --> 00:12:53,900 got everything he needs. 204 00:12:53,900 --> 00:12:56,740 Hey, I don't know why that 4 is in there. 205 00:12:56,740 --> 00:13:02,060 There we go. Okay, so he's incremented the counter twice from 0x01 to 206 00:13:02,060 --> 00:13:09,240 0x02. That's now created two hash digest outputs, which are both 256-bits 207 00:13:09,240 --> 00:13:12,740 long. All he has to do is add those two things together and voila. 208 00:13:12,740 --> 00:13:16,280 He has got his pairwise transient key. 209 00:13:16,280 --> 00:13:20,920 So you can see the mechanics of this for wp-3 are virtually the same as 210 00:13:20,920 --> 00:13:25,900 for wp-2. The only difference is the hashing algorithm produces larger 211 00:13:25,900 --> 00:13:31,940 output. So it doesn't have to run through as many iterations as wp-2. 212 00:13:31,940 --> 00:13:38,840 Okay, so we've now got the pairwise transient key. 213 00:13:38,840 --> 00:13:42,780 So here we are. Okay, so we're back to the point where the client has 214 00:13:42,780 --> 00:13:44,640 received message number 1. 215 00:13:44,640 --> 00:13:49,300 And whether he was doing wp-2 or wp-3, it doesn't really matter. 216 00:13:49,300 --> 00:13:53,060 At the end of the game, after he's received message number 1, he's derived 217 00:13:53,060 --> 00:13:57,100 his pairwise transient key 512-bits. 218 00:13:57,100 --> 00:14:03,200 So before he even creates message number 2 to send it to the access point, 219 00:14:03,200 --> 00:14:05,040 he's going to do something first. 220 00:14:05,040 --> 00:14:09,020 After the 512-bit pairwise transient key is developed, he is going to 221 00:14:09,020 --> 00:14:13,380 divide that into three, actually four pieces. 222 00:14:13,380 --> 00:14:17,120 The first piece, like right here in red, he's going to say, I'm going 223 00:14:17,120 --> 00:14:20,220 to now call that my key confirmation key. 224 00:14:20,220 --> 00:14:21,960 What does he do with that? 225 00:14:21,960 --> 00:14:23,420 What's the purpose of that? 226 00:14:23,420 --> 00:14:27,920 Well, now that he's got the key confirmation key, he can send message 227 00:14:27,920 --> 00:14:30,900 number 2 to the access point. 228 00:14:30,900 --> 00:14:33,820 What's different between message 2 and message 1? 229 00:14:33,820 --> 00:14:34,720 Well, a couple of things. 230 00:14:34,720 --> 00:14:37,420 Number 1, message 1 contained the A-nots. 231 00:14:37,420 --> 00:14:41,200 The access points number used once, the A-nots. 232 00:14:41,200 --> 00:14:47,380 Here in message number 2, he's sending his own nots, the S-nots, from 233 00:14:47,380 --> 00:14:53,840 the client. And he's taking the entire message, and then he's putting 234 00:14:53,840 --> 00:14:59,580 at the end of it a message integrity code, a message integrity code, which 235 00:14:59,580 --> 00:15:02,120 is basically a way of checking the integrity of the message. 236 00:15:02,120 --> 00:15:05,920 He says, look, I'm going to take all the bits of my message number 2, 237 00:15:05,920 --> 00:15:10,980 run them through this mick formula, which is going to add the key confirmation 238 00:15:10,980 --> 00:15:16,880 key, and using the bits of the message plus the key confirmation key. 239 00:15:16,880 --> 00:15:19,660 And remember, where this key confirmation key come from? 240 00:15:19,660 --> 00:15:23,040 It's part of the pairwise transient key. 241 00:15:23,040 --> 00:15:26,600 So by using the message, the key confirmation key, I'm going to compute 242 00:15:26,600 --> 00:15:31,400 a message integrity code and put that at the end of the message. 243 00:15:31,400 --> 00:15:33,060 Now, why does he do that? 244 00:15:33,060 --> 00:15:37,080 Well, this is for the benefit of the access point. 245 00:15:37,080 --> 00:15:42,780 You see, once the access point receives message number 2, now he has all 246 00:15:42,780 --> 00:15:47,020 the same information that the client had at the beginning, and the access 247 00:15:47,020 --> 00:15:51,860 point can create the same pairwise transient key, this big long number 248 00:15:51,860 --> 00:15:53,960 here. And guess what? 249 00:15:53,960 --> 00:15:58,660 He has the added benefit of once he creates the pairwise transient key, 250 00:15:58,660 --> 00:16:02,140 he's also going to have the exact same key confirmation key. 251 00:16:02,140 --> 00:16:05,580 So now he can take a look at this message number 2, and he can say, well, 252 00:16:05,580 --> 00:16:08,420 I'm going to run it through the exact same formula. 253 00:16:08,420 --> 00:16:11,700 I'm going to use the key confirmation key I came up with. 254 00:16:11,700 --> 00:16:17,080 And if the mick I come up with is exactly the same as the mick in message 255 00:16:17,080 --> 00:16:23,060 number 2, I have my assurance that the client has the exact same PTK as 256 00:16:23,060 --> 00:16:27,360 me. So without exchanging the PTK over the wire, or I should say, over 257 00:16:27,360 --> 00:16:31,820 the wireless, now the access point can validate that the client has the 258 00:16:31,820 --> 00:16:36,140 same PTK. However, the client hasn't done that yet, right? 259 00:16:36,140 --> 00:16:39,540 The client, even though he knows he has a PTK, the client does not have 260 00:16:39,540 --> 00:16:44,600 yet the warm fuzzies that the access point derive the same number. 261 00:16:44,600 --> 00:16:47,940 So we're going to see here in message number 3, from the access point, 262 00:16:47,940 --> 00:16:50,680 the access point is also going to apply a mick. 263 00:16:50,680 --> 00:16:53,340 And that's how the client's going to know, ah, good. 264 00:16:53,340 --> 00:16:55,760 You must have the same key confirmation key as me. 265 00:16:55,760 --> 00:16:59,040 We're good. So we're going to see that here just coming up in a second. 266 00:16:59,040 --> 00:17:05,400 So now the second part of the pairwise transient key is used as the key 267 00:17:05,400 --> 00:17:08,940 encryption key. So what's that used for? 268 00:17:08,940 --> 00:17:11,980 Okay. So now the access point is going to say, hey, I need to send message 269 00:17:11,980 --> 00:17:15,760 number 3 back to the client, back to the client. 270 00:17:15,760 --> 00:17:21,180 And in message number 3, I'm going to give him the group temporal key. 271 00:17:21,180 --> 00:17:26,220 You know, the key I'm going to use to encrypt broadcast and multicast 272 00:17:26,220 --> 00:17:31,300 messages. And obviously he needs to have that so he can decrypt any broadcast 273 00:17:31,300 --> 00:17:33,740 or multicast messages that I send. 274 00:17:33,740 --> 00:17:38,520 And he says, I need to send that group temporal key in a secure way to 275 00:17:38,520 --> 00:17:39,460 the client. Hmm. 276 00:17:39,460 --> 00:17:40,680 How do I do that? 277 00:17:40,680 --> 00:17:44,900 Well, why don't I take the key encryption key and encrypt it? 278 00:17:44,900 --> 00:17:47,320 So that's what the key encryption key is used for. 279 00:17:47,320 --> 00:17:52,440 Its only purpose is for the access point to encrypt the group temporal 280 00:17:52,440 --> 00:17:59,120 key in this message number 3, and so that the client can decrypt it. 281 00:17:59,120 --> 00:18:02,060 And notice that the access point is also using that key confirmation key 282 00:18:02,060 --> 00:18:05,880 to come up with the mick value of this message. 283 00:18:05,880 --> 00:18:09,520 And then lastly, we have message number 4, where the client basically 284 00:18:09,520 --> 00:18:11,100 says, we're good. 285 00:18:11,100 --> 00:18:13,060 We've got all the same values. 286 00:18:13,060 --> 00:18:18,560 And so the last piece of this here in green, that is our temporal key. 287 00:18:18,560 --> 00:18:22,340 That's the actual key now that the access point and the client are going 288 00:18:22,340 --> 00:18:27,280 to use to encrypt and decrypt our unicast data, you know, the vast majority 289 00:18:27,280 --> 00:18:30,820 of data that you're sending to and from the access point. 290 00:18:30,820 --> 00:18:33,840 And you might be thinking, well, what's that last little piece that 987 291 00:18:33,840 --> 00:18:42,420 ABC? What's that little piece going to be used for? 292 00:18:42,420 --> 00:18:45,260 So that's the key to the machine material for optional mick keys if you're 293 00:18:45,260 --> 00:18:51,760 using T-cap, which in WPA3, you wouldn't be doing that, but in WPA2, you 294 00:18:51,760 --> 00:18:57,940 might if you're trying to be backwards compatible with older WPA devices. 295 00:18:57,940 --> 00:19:02,680 So that is the mechanics of how all those keys are developed and exchanged. 296 00:19:02,680 --> 00:19:05,700 Thank you so much for watching this video, and I hope it was helpful for