CWNP CWSP – Module 05 – Dynamic Encryption Key Generation Part 4

  1. RSNA Key Hierarchy

All right, our goal then of AKM is the creation of encryption keys. And so one of the first things we talked about is that at the top, we have a master key. And from that master key and through the exchange of information, we're going to have a group-wise and a pairwise master key. I've already gone through this process and talked about what happens and how from those master keys, like that hotel example, we're going to create a pairwise transient key for you, a group-wise transient key for everybody else. And those are temporary.

Remember I said that this is the hotel manager who, every time you check in, gets you a new key to your room and has to use their master key. Again, really, I can't think of anything more to say as far as an analogy, assuming that you've all been into a hotel room before or made a master key for your house or whatever the case may be. And again, that's all done through this process of the four-way handshake. And I hope that I've talked enough about this setup that you have a good idea of what's happening if I were to try to break down this process a little bit more, like a flow chart about the pairwise master key.

Again, the idea of the pairwise master key, and I don't know how many more ways to say it, is to create the pairwise transient key so that the station and the access point know what that pairwise transient key is. Now, during this process, there are going to be some other types of messages. We're going to have to have confirmations. So we have what looks like I'm typing "kick", but I'm not: it's KCK, which is used, again, to provide integrity during the four-way handshake and the group handshake. Then another piece of the communications that we have is the KEK, which also looks like "kick". That's, again, the key encryption key used to provide the data privacy during the four-way handshake and the group handshake. And then obviously, we're creating that temporal key, which is a part of TKIP or CCMP, and that's the one that we use to encrypt or decrypt what we called in the frame, the MSDU.

  1. Master Session Key (MSK)

All right, so are any of you out there tired of hearing about the four-way handshake? Do you think maybe the four-way handshake is an important part of this process for setting up dynamic keys? Again, let me just say it: dynamic keys and trying to reach the robust security network. So we start off, like I said, with the master session key. And that is the beginning. Some of you might just call it the master key, whatever you want to use. And the authentication server is going to be the one that comes up with that master session key, or at least puts in the information so that we can send it over to the supplicant. And then the supplicant and the authentication server should have the same material going through here, so that they both would create the same pairwise master key. Now, that's kind of like that Diffie-Hellman thing I was talking about, where we can exchange information without exchanging information, so we can put enough in there in that four-way handshake to be able to get that process. And then we move that key, as we said, into the authenticator.

Now the authenticator will use that same information as the supplicant to agree on a pairwise transient key. And that's our first four-way handshake that I just tried to talk about a little bit ago. And then remember, the authenticator is going to create the group-wise transient key, again from the master session key, and send that out to the supplicant. So let's see if we kind of covered all of that and it's all made some sense to you. So the first part, like I said, is that the supplicant and the authenticator are going to know about each other after the mutual authentication process. Like I said, the master session keys are created as a result of 802.1X. And so we have a mutual key and then the pairwise master key is created. The pairwise session key is computed. It says it's the first 256 bits of the MSK. And then this is created after authentication or reauthentication to be able to get to that point where we have the pairwise keys. And maybe I said it better the first time than I said it the second time as I'm drawing it out, but that is kind of the goal of what we're trying to do.

  1. 4-Way Handshake

Wow. Here we are again. So let's talk about the messages. So again, we're going to use EAPOL-Key frames to exchange this cryptographic information. And like I said, we're going to do these handshakes to get these group keys and to eventually have these peer keys. And so there are six major purposes of having a four-way handshake. Like I said, we want to make sure there is a pairwise master key. We want to make sure that we have the current one, because if we have the current one, then we can derive the pairwise transient key.

Then we install that on the supplicant and authenticator, we transfer the group-wise key from the authenticator to the supplicant, and then there is the confirmation of the selection of the cipher suites, probably AES. So what does it mean for us? Well, message one, I think I already covered it very well many other times. But there is one thing we didn't talk about in these messages. So here we are, the authenticator and the supplicant. The authenticator is the access point; the supplicant is the client. They are going to randomly create their respective nonces. Remember, that's a random number. And the authenticator is going to send what we call an ANonce to the supplicant, and that now has all the information that's necessary because, again, it's a pseudo-random function. And the supplicant can derive the pairwise transient key from the pairwise master key when it gets that ANonce. And of course it's also going to send back what it calls the SNonce.

So kind of like the idea of Diffie-Hellman, we're exchanging information that is used to mathematically come up with the keys so that we can derive, as I said before, that pairwise transient key. So anyway, step two of the message. So now the supplicant is going to send an EAPOL frame. Like I said, that's going to be the SNonce to the authenticator. I guess my little numbers didn't line up very well. And the authenticator now has all of its necessary inputs for the pseudo-random function. And again, right, they've already sent what they want to use through their information elements of the management frames. So we know how we're going to use that. But that should then mean that the authenticator and, as I said, the supplicant should have the same PTK. The authenticator is also going to validate the integrity of the MIC. Then we have that third message.

Let's see if I can line that up a little bit better. So if necessary, like I said, the authenticator can create the group-wise temporal key and, again sending it over EAPOL, send that to the supplicant, and to whatever other supplicants need the group-wise key. And then finally, kind of the acknowledgment: the supplicant is going to send, and I'll just call it an acknowledgment, but it's basically a handshake that says that those keys have been installed. And now the authenticator, the access point, and the supplicant have the pairwise transient key. And finally, after all of that communication about this four-way handshake, we can say that we have the ability to set up secure communications and have done so without having to actually give away the key.
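The derivation walked through above, written out as an added example that is not part of the course material: both sides expand the PMK with the two nonces into a PTK, split it into KCK, KEK and TK, and the authenticator checks the message 2 MIC. It assumes the HMAC-SHA1 PRF and 128-bit MIC used with CCMP; the MAC addresses, the message 2 body and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Expand the PMK into a 384-bit PTK and split it into (KCK, KEK, TK)."""
    # Sorting addresses and nonces makes both sides feed the PRF identically.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]

def key_mic(kck, frame):
    """MIC over an EAPOL-Key frame: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def four_way_handshake(supplicant_pmk, authenticator_pmk):
    """Simulate messages 1 and 2; addresses and frame bytes are constructed."""
    aa = bytes.fromhex("020000000001")    # authenticator (AP) MAC, constructed
    spa = bytes.fromhex("020000000002")   # supplicant (client) MAC, constructed
    anonce = os.urandom(32)               # message 1: AP -> client carries ANonce
    snonce = os.urandom(32)               # client's own random nonce
    s_keys = derive_ptk(supplicant_pmk, aa, spa, anonce, snonce)
    msg2 = b"constructed-eapol-key-msg2" + snonce   # message 2: client -> AP
    mic2 = key_mic(s_keys[0], msg2)       # MIC keyed with the client's KCK
    # The AP now has both nonces, derives its own PTK and checks the MIC.
    a_keys = derive_ptk(authenticator_pmk, aa, spa, anonce, snonce)
    mic_ok = hmac.compare_digest(key_mic(a_keys[0], msg2), mic2)
    return {"keys_match": s_keys == a_keys, "mic_ok": mic_ok, "tk_len": len(a_keys[2])}

if __name__ == "__main__":
    msk = os.urandom(64)   # constructed stand-in for the 802.1X/EAP result
    pmk = msk[:32]         # first 256 bits of the MSK, as stated in the lecture
    print(four_way_handshake(pmk, pmk))
    print(four_way_handshake(pmk, os.urandom(32)))   # wrong PMK: MIC check fails
```

Neither the PMK nor the PTK appears in any message; only the nonces and the MIC cross the air, and a supplicant holding the wrong PMK is rejected at message 2.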
