CWNP CWSP – Module 06 – SOHO 802.11 Security

  1. SOHO 802.11 Security

So this module is going to be about 802.11 security when it comes to the small office, home office, what we call the SOHO. So what we’re going to do is take a look at the types of security settings that we would use in that smaller enterprise environment, and that would be things like WPA, WPA2 Personal, and Wi-Fi Protected Setup or WPS. And we’ll also talk about some of the best practices for SOHO security.

  2. Introduction

So one of the first things we’re going to look at, and I realize that maybe most of you are really more interested in larger enterprise security, but again, we need to look at wireless from all aspects when we’re talking about CWSP. And the idea behind the small office, home office, or really the remote office, branch office, is that we usually don’t have the same type of security. But I’m going to kind of focus here, because let’s think about what we would need. If I was a small or home office and I have this access point over here and I’ve got my computer, I want to connect to this access point. I really don’t think that I’m going to be using WPA2 Enterprise.

And why do I say that? Because, think about this again. If I’m a small office or a home office, I probably am not going to pay the money to get something like the license for a Windows server that’s running Active Directory, because I just don’t need that. Nor am I going to pay for the licenses to get a RADIUS server or any of those other pieces of equipment that we need to be able to make that happen. It’s just not cost effective. So that’s where WPA2 Personal comes in as a good solution to have stronger authentication, because it’s still CCMP/AES for the encryption, and we can still use that to create a robust security network, so we can still meet all of those standards. And it is defined in the 802.11i (2007) realm as being good.

Now, I know that we talked a lot about some of those services like AKM, basically the Authentication and Key Management protocol. And when we talked about AKM and that hierarchy, we can use pre-shared keys as a part of that. That’s what we’re really looking at here: we’re not going to be making that big investment into other types of hardware or software.

So our goal then is to come up with a phrase, a password, that type of thing. Now, we’ve been doing this since 2004, and a pre-shared key in a robust security network for the SOHO is fine, but they do suggest that the key should be long. Remember, the longer the key, the more secure it’s going to be. So one of the nice things about this pre-shared key is that we’re doing no more hex types of things like we did with WEP, where those keys weren’t very long to begin with and were a little harder to remember.

Instead, what we want to do is to come up with passphrases, and I’ll describe the passphrase here in a bit. But the reason for it is that the longer the passphrase, the harder, as I said, it would be for somebody to be able to crack it if they started intercepting the back-and-forth exchange as we were making the initial connection. So even something like "this secret password", at least it’s long; it’s not very complicated, but a passphrase should be something a little bit more than just that. Now, as an example, one of the passwords I used a while ago was from a song that my kids kept listening to, being sung by this purple dinosaur. It was "Head and Shoulders, Knees and Toes" and that sort of thing. So I created for myself a type of passphrase where I was kind of doing that same thing, but using, again, things like special characters and numbers: here’s another numeric, another numeric, whatever seemed to be working. I could have even done a dollar sign over here. And again, the longer that you make it, the easier it is to remember, if you do it with something you can remember. Maybe that’s what I should have said. So I can remember "Head and Shoulders, Knees and Toes", and you should be lucky, number two, if you’ve ever heard the song, that I’m not singing the whole thing to you, because then it’ll stick in your head and you won’t pay attention to me anymore. That, and you’ll be happy that I am not going to sing to you. But again, passphrases are something that we look at. And as I said before, the longer the better.

  3. Why a Passphrase

So one of the reasons why a passphrase is good is because it’s harder for somebody to be able to do a dictionary attack. And what I mean by a dictionary attack is that if we have a hacker over here and they start attacking your passwords, whatever that password is, there’s a number of tools that they can run. What they’re going to have is a list of, like, the top 1000 passwords. And they’ll have an automated program that will try each one of those passwords in that premade list until they find one that matches. And unfortunately, a lot of people use the password "password", and so that’s definitely in that list. Another type of dictionary attack might be what I call a kind of a bio type, where they’re going to look at dates of birth, kids’ names, things like that, that are more about you, and try combinations of those, again in a dictionary attack, to try to get at that password. The other type of attack besides the dictionary attack, let me draw another hacker over here, we get a lot of them on this page, is what I’m going to call the brute force.

So brute force, well, I hate to say this, but brute force will always work to crack your password. I can’t guarantee that it won’t take months, maybe years, depending on how long your password is. But it will always work, because it’s going to try every combination of letters, what they call alphabetic characters, numerical characters, and special symbols. And they’ll start with the letter A, then the letter B, assuming that you had a one-character password; now they’d probably start off with something like six characters, and then the next one would be a B. You get the idea, right? And so eventually they will crack that password. Now, the other thing is that a passphrase is harder for rainbow tables. So a rainbow table is what we call a precomputed hash. And this chart might not really help you understand precomputed hashes.

But here’s what they’re doing: they’re basically taking every password, again, kind of like the brute force, every combination of password. So here’s an example of these different chains, and they take one like MyPass and then they hash it and then go through some, anyway, it’s a complicated process. Then they’ll go through some reducing of it to come up with all these passwords and hash functions, passwords and hash functions. And then what they do is they take those hashes and they sort those hashes numerically in their tables.

So it’s not sorted alphabetically by the password, it’s sorted by the hash, and then they put in the password they used to get that hash. And so now, when they intercept your hash, they’re going to take that hash and do basically a table lookup. They’re just going to go through the list just like it was a dictionary, find the hash that matches, and then they’ll know what password created it.

Now, one of the things that you have to realize is that if you looked at the entirety of the amount of work here, it could take years to be able to come up with all the passwords, or hashes for passwords, with something like MD5. What I mean by that is that it takes time to do the hash, and it takes time to list all the passwords that you want to have hashed. And then, when you are thinking about what’s going through this process, once that big table is made, then they have to sort by that hash, and it takes a while. One of the things you’ll see in a demonstration is a tool that you can use to create your own rainbow table. And so here’s what it comes down to.

It doesn’t take long to make a rainbow table for up to eight letters or characters for a password, but it does take a lot of storage. And when you get up to nine, then ten, it exponentially goes up as far as the amount of time and storage. I mean, it might not be unusual for me wanting to do up to ten letters for a hash, and it taking two terabytes to store and maybe even taking 1.5 years for a single computer to be able to make all of those tables. But people have done that already. You can go look online, you can download rainbow tables, you can pay for the ones that have been done. But then once you increase it, let’s say from ten to eleven letters or characters, you’re just going to see, like I said, an exponential increase in how much storage and time it takes.

So it is a good idea for hackers to start working on those, I guess. But that’s why we encourage people to start making these passwords long. You know, you always see people say eight characters for a password is pretty good. I’m thinking 15 or more characters for a password, because my hope is that not everybody has finished a rainbow table up to 15 characters. And if they have, if I see that online, if you do your research, then I would add in the 16th character. I would make it bigger and bigger. Or maybe I’d say, okay, let’s make it 17 or more. I mean, the goal is to keep these tables from being used to be able to crack your passwords.

Now, a complicated passphrase is even better, because, like I said, you can use the alphabet, right? So you can use lowercase, you can use uppercase, you can use numeric values, you can use special characters like the exclamation point or dollar sign or at sign. And one of the things I found out, at least in the United States, is that because our keyboard in the US does not have the euro sign, but you can create the euro sign with a certain combination of the Control key and some other values, the rainbow tables made in the US didn’t include that in their creation. So even though it’s hard to type in, you might even consider using character sets from other countries that may not have been included by the people doing these rainbow tables.

  4. 4-Way Handshake Again

Now, just as a review, and we saw this in some other modules, the pseudo-random function is used to create your four-way handshake, or to create what they call this pairwise transient key. And one of the other things that we did talk about is this idea of passphrase-to-pre-shared-key mapping. And like I said, that was designed so that end users can use a simple character passphrase, and then it would be converted to a 256-bit pre-shared key. And, you know, again, it was still part of what we were trying to do. When we have this user connecting through this, in this case, right, we’re not using RADIUS or an authentication server. And the idea, of course, was that we were sending these key requests. And so we start off with this pairwise master key, which goes back to the hierarchy we talked about with AKM. And then we added the salt, the ANonce and the SNonce.

So you might remember that as we started this process up and we’re sending a key message, we get a bit again of the ANonce, the SNonce. And then the pairwise transient key is created, and then we can exchange it. And both sides have the same pairwise transient key. But it was because of the nonces, right, that randomness, that helped make the process more secure, what we again called adding salt to the equation. In a way, it’s kind of, again, that mathematical magic that we can use to be able to calculate a key on both sides without ever exchanging the key.

That’s why they call it a pseudo-random function: because the nonces aren’t just purely random, they are mathematically derived, kind of like a public key, if you would. And both sides combine that exchanged public information with information they already had on each of the two sides, and they come up with that pairwise transient key. Now, that was a way of creating dynamic keys. Now, the pre-shared key, I don’t know that we ever went through this before, is going to be kind of a combination when it’s all said and done. So what did we just say? We said that you could use a simple ASCII password, ASCII, which, by the way, is spelled with two I’s, not Roman numerals, is just the character set: numbers, special characters and all that sort of stuff.

And so what they do is they take a combination, for this mapping, of whatever passphrase you created, the SSID of the radio, the SSID length, and then they start adding in the, I guess you could say, now I have to continue on the next line, almost ran out of room here. Anyway. So the simple passphrase is combined, like I said, with the SSID and the SSID length, and then it’s hashed 4096 times to be able to create a 256-bit total passphrase or pre-shared key. I know that sounds like a lot of work. And again, that’s kind of the mathematics I was talking about that we use here as we’re exchanging things like the nonces. It does take a little bit of work; it sounds like a lot of work, but in the world of processors and processing power, it’s really not that bad.

So if I were to take as an example, let’s say you came up with a passphrase of "certification", and not a very good passphrase. That’s a horrible passphrase. And let’s say that the SSID, so here’s the column for SSID, and this is the existing passphrase that you created, the SSID, let’s say, is CWSP. Let’s say that’s what we made the SSID on ours. Then what’s going to happen is, like I said, we’re going to take that passphrase, the SSID, and the length of the SSID, which in this case is four. And then when we go through those 4096 hashes to come up with the 256-bit pre-shared key, what you would start to see then is the actual key, the 256-bit key.

And I’m not going to write down an entire 256-bit key, but you’re going to start seeing basically hexadecimal values, because that’s what we get after our hashes are done. And again, I just keep doing that until we get to 256 bits. Remember that each value is four bits. So if I, oh, my goodness, I’m going to do math in front of all of you. So if each character is four bits, yeah, see, that’s easy enough. You all remember how to do division. I’m doing it kind of the long way, so I forgot to do all the right subtraction, but I did it right. So that’s 64 characters that you would be using for the finished passphrase or pre-shared key, in that case.
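As an added example (not from the course material), here is the passphrase-to-PSK mapping and the nonce-based PTK derivation described above, written in Python with the standard library; it uses the lecture's "certification"/CWSP inputs and constructed MAC addresses and nonces, and it also shows why the SSID acts as a salt against rainbow tables.

```python
import hashlib
import hmac
import os

# Passphrase-to-PSK mapping from the IEEE 802.11 standard: PBKDF2 with
# HMAC-SHA1, the SSID as the salt, 4096 iterations, 256 bits (32 bytes) out.
# Because the SSID is mixed in, a precomputed (rainbow) table built for one
# SSID is useless against a network using a different SSID.
def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

# IEEE 802.11 PRF: HMAC-SHA1 over (label || 0x00 || data || counter), repeated
# until the requested number of bits has been produced, then truncated.
def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]

# PTK derivation for WPA2-Personal with CCMP (PRF-384 -> KCK || KEK || TK).
# The PMK is the PSK itself; addresses and nonces are ordered (min, max), so
# both sides build the same input and the PMK/PTK never go over the air.
def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)

def handshake_demo(passphrase: str, ssid: str) -> dict:
    """Both sides derive the PTK from the PMK plus the exchanged nonces."""
    pmk = passphrase_to_psk(passphrase, ssid)
    aa = bytes.fromhex("020000000001")       # constructed AP MAC address
    spa = bytes.fromhex("020000000002")      # constructed station MAC address
    anonce, snonce = os.urandom(32), os.urandom(32)  # fresh nonces per handshake
    ptk_ap = derive_ptk(pmk, aa, spa, anonce, snonce)    # AP's view of the inputs
    ptk_sta = derive_ptk(pmk, spa, aa, snonce, anonce)   # station's view, same result
    return {"psk_hex": pmk.hex(), "ptk_ap": ptk_ap, "ptk_sta": ptk_sta,
            "kck": ptk_ap[:16], "kek": ptk_ap[16:32], "tk": ptk_ap[32:48]}

if __name__ == "__main__":
    r = handshake_demo("certification", "CWSP")  # the lecture's example inputs
    print("PSK:", r["psk_hex"], "(%d hex characters)" % len(r["psk_hex"]))
    print("PTK identical on both sides:", r["ptk_ap"] == r["ptk_sta"])
```

The 64 hex characters printed for the PSK are the 256-bit key the lecture walks through; the published 802.11 test vector (passphrase "password", SSID "IEEE") can be used to confirm the mapping.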

  5. Wi-Fi Protected Setup (WPS) Part 3

Well, I guess I just mentioned this. Sometimes I do get ahead of myself. But remember, like I said, there are two phases to the registration mode. And maybe it’s a little bit nicer to see it typed than in my handwriting, but like I said, phase one is the exchange of public keys and information about the roles, who the Registrar and the Enrollee are. And then phase two is mutual authentication based on the Enrollee’s device password.
