Awesome abstract explanation! Thank you very much! Just one thing, PSK is not passphrase, but is derived from passphrase and SSID. So, in WPA-PSK, PSK = KDF(passphrase, SSID, 4096 times, 256 bit); PMK = PSK.
The concept and unique value proposition of 802.1X over WPA/WPA2 with PSK has been clearly explained, along with good diagrams. The entire concept of 802.1X is complicated. But Brett has explained it redundantly so that it gets into the mind of the listener :). Thank you Brett for such a nice video :)
Bert, great video my friend!!!!! But this is where I am lost: how is the Master Key generated? Yes, you have the EAP exchange, but then it is hard to grasp how the MK is derived. Thanks!!!!! But overall awesome video. The point you made about the Open System Authentication PSK is a master stroke :).
Great video, very well explained. One question, if you see my feedback. If using a certificate (e.g. a standard X.509 client authentication certificate), I assume the RADIUS challenge to the supplicant basically works by the RADIUS server taking a copy of the user certificate from Active Directory, using the public key within the certificate to encrypt a random value (nonce), and sending this to the supplicant, who then decrypts it with the private key (which only the supplicant has) related to the cert. Then the supplicant can re-encrypt this same value with the RADIUS server certificate and send it back as the response to the challenge. Then, when the RADIUS server decrypts the response with its private key (which again only the RADIUS server has), if the response matches the challenge, the RADIUS server knows it is talking to the owner of the certificate (and not someone who just copied the certificate). Is that correct? Thanks, Ernie
I have a doubt: does this EAPOL handshaking happen only for WPA2 and WPA Enterprise? As we are doing this after handshaking with the RADIUS server, normally RADIUS will come for Enterprise only, right?
Purely out of curiosity, which accent is this? I'm confused, it sometimes sounds Australian (in my ears, that is), then it sounds like it's from the Southern US, which got me intrigued. I'm no native English speaker, so recognizing accents isn't my strong suit.
@Brett: Pairwise Master Key - does every client get the same Pairwise Master Key? WPA2 uses Password-Based Key Derivation Function 2, so the pre-shared key value is the password and will be hashed (Public-Key Cryptography Standard 5, Version 2.0) with SSID + length of SSID. Is the hash sum really the same result every time = the same 256-bit Pairwise Master Key? The Pairwise Master Key will be used for the 384-bit Pairwise Transient Key. The Pairwise Transient Key will be used for 128-bit + 128-bit EAPOL + 128-bit session key/MIC key.
+MGPfilm The pairwise master key will be the same each time for every client in pre-shared key authentication. The pairwise transient key comes in the 4-way handshake and is used as the encryption key to encrypt your data packets. EAPoL is during the EAP process of 802.1X and not pre-shared key authentication. Once the EAP authentication process is complete, the EAP tunnel is taken down because the authentication process is over and the pairwise master key has been created. Once the EAP session is over, the pairwise master key is used to generate the pairwise transient key during the 4-way handshake. After the 4-way handshake is complete and the pairwise transient key is generated, the controlled port opens and data can be encrypted and passed across the network. The data is encrypted with the pairwise transient key. The strength of your pairwise transient key is based on how it was derived. In 802.1X EAP authentication, every device gets a different session key protected in the EAP process, and each client has a unique pairwise master key, resulting in a unique pairwise transient key. In pre-shared key authentication you do not have the EAP process; the pairwise master key is the same for everyone and there is no EAP process to generate unique keys. I hope this helps, and thanks for watching.