CWNP CWSP – Module 05 – Dynamic Encryption Key Generation Part 3

7. Authentication and Key Management (AKM) Part2

All right. So again, we said that in ACAM we are demanding authentication that’s 821 X and AES encryption for the type of exchange of information. And what we didn’t add in there was some of the traffic from the authentication server. So we’re assuming again by the standard 802. And I know this looks like a refresher of what I just drew, not as pretty as my picture. But anyway, as we go through here, like I said, those information elements are going to happen from the probes and everything else. We’re going to go through the authentication.

But the idea here is that if I were to look at a list of what we want to do is that at some point we’re making an assumption that there’s a secure channel, that the authenticator and the authentication server have some sort of secure channel. And we’ve talked about different types of EEP that could set that up and that the authentication credentials have to be distributed to the Supplicant and the authentication server through these well, here it is through these types of messages. So as I said, that first part really is the discovery and that’s back and forth, right, of information elements and then the authentication is also going to be done. And now what we see is that the Radius based server can help us with creating this pairwise master key and we’re going to go over this key hierarchy so you get kind of an idea of what’s happening. So a pairwise master key.

So think about, if you think about regular locks, locksmiths like an office building or like a hotel room, every client guest gets their own key to be able to open up their door and nobody else’s door, at least I hope not. Sadly enough, I’ve had the front desk give somebody a key in my room before, which is kind of scary. So always use a latch. But the manager or whoever’s at the front desk needs to have a master key to be able to terrible little machine that they have permission to be able to make basically a pairwise transient key or that single key for the room. Also the hotel manager and security usually have what we call a master key that can open up everything. I’m just trying to use these as analogies in your mind about why we want to create a pairwise master key and a group master key.

Here we’re seeing that the authenticator is going to be in part trying to create these master keys. So what we’re seeing here is that and by the way, again, it’s the authentication server that I’m talking about that’s making these GroupWise and pairwise master keys and they are going to work with the station going through the access point to basically generate the encryption key. And so that’s where they’re going to use that as kind of the seating material and that’s where they’re going to use the four way handshake to be able to basically generate the pairwise key that is designed just for that station or Supplicant.

So if I were to break out the four way handshake and just kind of take it through, what’s happening is that, well, it starts off with first of all, we now have right between these two, the master keys and the GMK is made by the Radius server. Basically, actually the authenticator. The first one is an EEP poll key message. And when that message is sent in there and the station knows the master key, then at that point it’s going to create the pairwise transient key and it’s going to send that information step two back so that the other side knows what that PTK is. And it’s again going to do it in a somewhat secure fashion with EEP over the land. Right. Another Epoll key message. The last thing we want to do is send the key over in clear text. Now the authenticator is going to create the group wise transient key, making it out of that master key. It’s going to send it over again by an EP Paul key message. And so now this site has the GroupWise transient key. And then basically we want to make sure we’re acknowledging it. And so we have another Epaul message, another key message where we’re verifying it. And so now for a while anyway, this access point is going to have the pairwise transient key and GroupWise transient key. I’m sorry, that client let me redraw that. That’s my laptop. And the access point over here is going to have a PTK for every user and that global GTK that it created and sends out.

8. Authentication and Key Management (AKM) Part3

So kind of an overview of AKM the operations. Like I said, one of the first assumptions is that we have assumed the authenticator and the authentication server have created a secure communications channel that we have discovered all of the information elements between the access point and the client or station. That’s supplicant, I guess if you want to that’s trying to make the connection that we can agree on the type of security. And then we started with the authentication and after we get through with the authentication, that’s when we then started going through that four way handshake to start creating those keys.

9. Authentication and Key Management (AKM) Part4

All right. So here we’re kind of seeing again maybe a better setup. So remember, what I said is the authentication server starts off by creating this master key and the Supplicant and the authentication server are going to generate this master encryption key from that which we called the PTK, right? Well, it just depends on the type of key because it was so we had a master key and then we got to the pairwise master key and the authentication server creates it moves it over to the authenticator and then from that information that they both have then remember, because they both created their own pairwise master key, then they create and do it through a secure, we hope EEP faraway handshake to develop the pairwise transient key again.

That’s where we assume we have a secure channel because if we don’t, what’s the purpose of doing this? If everybody can read the key that’s next to the access point. And then of course from there we also will see another four way group handshake to help make sure we have the group wise transient key. Again, differentiating between unicast and with the multicast. And remember, the PTK for the most part is temporal. It is temporary, I should say. If you leave the session and you leave your connection, then you’re going to have to go through this process again to get a new key. But I don’t think there’s any problem with that. And as I said, we haven’t got to the point yet where we’re going to talk about what happens if this user starts walking through the company and has to hit a different access point. Do they lose their session?

Do they lose their keys? Do they have to regrow through this process? The short answer is, from what we’ve talked about right now with no centralized wireless LAN controller, the answer is going to be yes. They’re going to have to go through that again. It could take up to 700 milliseconds. So if somebody was actually making a voice over IP call and voiceover IP demands that from end to end that there’s no more than 150 milliseconds of delay. We could either drop the phone call or just really have a horrible sounding phone call until that process fixes. And the other issue is that very often we’re probably on a different IP subnet and that could also break a lot of application. So eventually as we go through this, we’re going to talk about some of the mobility options that are available to us. But right now it’s a little bit outside the scope of this module.