Emerging Tech: Security — The Need for Wireless Airspace Cybersecurity
Excerpt from the Wi-Fi Vulnerabilities Part 1 Webinar
Find Out More on Wi-Fi Handshaking by CTO Dr. Brett Walkenhorst.
CTO Dr. Brett Walkenhorst explains the process of establishing a connection in wireless networks, focusing on the sequence of events from discovery to data transmission. In the video below, he describes the steps involved in authentication and association between a client and an access point and the additional complexities in enterprise networks.
So we've got beacons and probe packets going back and forth all of the time. That's an asynchronous process. Everything else that is below that is largely a linear process, though there might be variations on a theme, which I'll talk about. But, basically, we have to do discovery first, and then there's other things that can happen once a client decides to connect to the access point.
So let's walk through that a little bit. And this, by the way, is largely the process that will be followed for personal networks, Wi-Fi Personal, as opposed to the enterprise networks. So let's say a client figures out that there is a network that it wants to join and it says, okay.
I'm gonna join that network. It sends an authentication request to the access point. The access point then responds with an authentication response. They agree on certain things, looking for compatibilities, and they're basically setting the stage for being able to transfer data across that channel. So setting things up.
And same with an association request and association response. Once they've done those, now they have the information they need to begin sending data back and forth. On an open network that has no encryption enabled, that's basically it. They go through this process, and now they're gonna start sending data.
Hopefully, you don't have too many of those running around. Open networks are vulnerable. We'll talk more about that in a bit. But if you have encryption enabled, then there's gonna be some additional work that's being done to provide for mutual authentication so that everybody knows that everybody's legit and playing the right game, and then we'll be ready to send data.
So that happens by means of an EAPOL process. This is a protocol for communicating and authenticating that includes certain information, in the case of personal networks, that's derived from the passphrase. So you've got a password that you gotta enter. Right? That's pretty common. When you go and purchase an access point, there's a default SSID and a default password that's probably printed on a label on the bottom.
But you have to enter that on your client in order to join. But, hopefully, you go and configure it and you change that SSID and you change the password. But whatever it is, there is a passphrase that everybody knows you have to know in order to establish a connection with an encrypted network.
Great. So these EAPOL messages go back and forth containing elements of hashes of that passphrase and other data elements like the SSID, the MAC address, and so on. I'm not gonna go through that whole process here. But for today, it's enough to know that this four-way handshake contains information that is derived from hashing the passphrase and other things.
So if I know the passphrase, I can validate that the other guy had the passphrase by means of the hashed function that it implements on that passphrase and other data elements. I can reproduce that when they send me that hashed verification code. I can verify it and know that, okay, they've got the right passphrase.
So that kind of handshaking is just that the establishment of that authentication, but also the development of certain keys. And, again, I'm not gonna go through that today, but just note that different keys at different layers, including at the final layer, what basically constitutes a session key from which a portion is used to validate that everybody had the right passphrase to begin with.
Okay. So, but one last thing I wanna point out. Everything I've just said is really specific to personal networks. It's general to everything, but that's pretty much it for the personal network. If you have an enterprise network, which would be a really good idea for corporate Wi-Fi networks, then there are some additional steps that are gonna take place between the association sequence and the four-way handshake with the EAPOL messages one, two, three, and four.
And that's going to utilize a separate entity called a RADIUS server that is gonna serve as the authentication mechanism for clients seeking to join the network. So the client speaks to the access point. And then on the back end, the access point is communicating with the RADIUS server that will negotiate the authentication in some form or fashion.
There's many methods by which that RADIUS server seeks to enforce very secure authentication that often includes an inner and an outer layer of encryption. They use different methodologies for it. And some of them, the most secure, will use some form of certificate exchange and validation. So there's some additional negotiations that are gonna happen that establish the authentication mechanism, and then they will send encrypted EAPOL messages for the four-way handshake that will establish the keys that are necessary to begin encrypted communication.
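The passphrase-derived verification the talk describes, worked through as an added example (not code from the webinar or from Bastille): the WPA2-Personal PMK is derived from the passphrase and SSID, the PTK from the PMK plus both MAC addresses and both nonces, and the access point checks message 2 of the four-way handshake by recomputing its MIC with its own copy of the passphrase. The SSID, MAC addresses, nonces and the simplified message-2 body are constructed lab values, and the real EAPOL-Key frame layout is not reproduced.

```python
import hashlib
import hmac

# Constructed lab values (assumptions, not from the webinar): SSID, the AP
# and client MAC addresses, and the two handshake nonces.
SSID = "lab-net"
AP_MAC = bytes.fromhex("02aa000000a1")
CLIENT_MAC = bytes.fromhex("02bb000000b2")
ANONCE = bytes(range(32))          # random in a real handshake; fixed here
SNONCE = bytes(range(32, 64))

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """PTK binds the PMK to both MACs and both nonces; its first 16 bytes are the KCK."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_sha1(pmk, b"Pairwise key expansion", data, 48)

def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """WPA2 (AKM 00-0F-AC:2) key MIC: HMAC-SHA1 over the frame, truncated to 16 bytes."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]

def client_proves_passphrase(ap_passphrase: str, client_passphrase: str) -> bool:
    """AP-side check on message 2: the MIC only matches if both sides share the passphrase."""
    # Simplified message-2 body (constructed): descriptor bytes, SNonce, zeroed MIC field.
    body = b"\x02\x01\x0a" + SNONCE + bytes(16)
    client_kck = derive_ptk(derive_pmk(client_passphrase, SSID),
                            AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    sent_mic = eapol_mic(client_kck, body)          # what the client puts on the air
    ap_kck = derive_ptk(derive_pmk(ap_passphrase, SSID),
                        AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return hmac.compare_digest(eapol_mic(ap_kck, body), sent_mic)
```

Because the nonces and MACs feed the PTK, the same passphrase yields a different KCK and MIC on every association, which is why a captured MIC is tied to one handshake rather than reusable as a credential.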