
Figure 17-15 WPA Authentication (final stage shown in the figure: 2-Way Group Key Handshake)

At the beginning of negotiations, the client and AP must agree on security capabilities.

After the two agree on the same level of security, the 802.1x process starts. This is the standard 802.1x process, as outlined previously. After successful 802.1x authentication, the authentication server derives a master key and sends it to the AP. The client derives the same key on its own side. Now the client and the AP have the same Pairwise Master Key (PMK), which will last for the duration of the session.

Next, a four-way handshake occurs (see Figure 17-16), in which the client and authenticator communicate and a new key called a Pairwise Transient Key (PTK) is derived. This handshake confirms the PMK between the two, establishes a temporal key to be used for message encryption, authenticates the negotiated parameters, and creates keying material for the next phase, called the two-way group key handshake.

Figure 17-16 WPA Four-Way Handshake (Client and Authenticator; message flow shown: Random Number, Derive PTK, Resend Random Number, PTK Done, Install PTK)

When the two-way group key handshake occurs, the client and authenticator negotiate the Group Transient Key (GTK), which is used to decrypt broadcast and multicast transmissions.

In Figure 17-16, you can see that the AP first generates a random number and sends it to the client. The client then uses a common passphrase along with this random number to derive a key that is used to encrypt data to the AP. The client then sends its own random number to the AP, along with a Message Integrity Code (MIC), which is used to ensure that the data is not tampered with. The AP generates a key used to encrypt unicast traffic to the client. To validate, the AP sends the random number again, encrypted using the derived key. A final message is sent, indicating that the temporal key (TK) is in place on both sides.

The two-way handshake that exchanges the group key involves the generation of a Group Master Key (GMK), usually by way of a random number. After the AP generates the GMK, it generates a group random number. This is used to generate a Group Temporal Key (GTK). The GTK provides a group key and a MIC. This key changes when it times out or when a client leaves the network.
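To make the key hierarchy from the four-way handshake and the group key handshake above concrete, here is an added Python example. It is not from the book and is not Cisco's or any vendor's code; it is a from-scratch implementation of the IEEE 802.11i derivations. It assumes WPA-Personal, where the PMK is derived from the passphrase and SSID with PBKDF2, and it goes slightly beyond the text by also showing the MIC check that lets each side reject a tampered handshake message, with both the original WPA (TKIP, HMAC-MD5) and WPA2 (CCMP, HMAC-SHA1-128) MIC variants. The SSID, passphrase, MAC addresses and nonces are constructed sample values, and the EAPOL-Key message is built with a minimal layout only to show where the MIC field sits.

```python
"""Added example: WPA/WPA2 PTK and GTK derivation plus EAPOL-Key MIC verification.
All inputs below are constructed sample values, not captured from a real network."""
import hashlib
import hmac
import struct

SSID = "ExampleNet"                           # constructed
PASSPHRASE = "correct horse battery staple"   # constructed
AA = bytes.fromhex("001122334455")            # authenticator (AP) MAC, constructed
SPA = bytes.fromhex("66778899aabb")           # supplicant (client) MAC, constructed
ANONCE = bytes(range(32))                     # AP nonce; fixed here so the run is repeatable
SNONCE = bytes(range(32, 64))                 # client nonce; fixed here for the same reason

# EAPOL hdr(4) + descriptor type(1) + key info(2) + key len(2) + replay(8)
# + nonce(32) + IV(16) + RSC(8) + ID(8) = 81 bytes before the 16-byte MIC field
EAPOL_MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, nbytes: int = 48) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min/max of the MACs and nonces); 48 bytes for CCMP."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def split_ptk(ptk: bytes) -> dict:
    """KCK protects the handshake (MIC), KEK wraps the GTK, TK encrypts unicast data."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def derive_gtk(gmk: bytes, aa: bytes, gnonce: bytes, nbytes: int = 16) -> bytes:
    """Group key handshake: GTK = PRF(GMK, "Group key expansion", AA || GNonce); 16 bytes for CCMP."""
    return prf(gmk, b"Group key expansion", aa + gnonce, nbytes)


def build_eapol_key_msg2(snonce: bytes, replay_counter: int, key_data: bytes = b"") -> bytes:
    """Minimal RSN EAPOL-Key message 2 (MIC field zeroed); key info 0x010a = MIC | pairwise | version 2."""
    body = struct.pack(">BHHQ", 2, 0x010A, 16, replay_counter)
    body += snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, key IV, RSC, key ID
    body += bytes(16)                                  # MIC placeholder
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL version 2, type 3 = EAPOL-Key


def compute_mic(kck: bytes, frame: bytes, cipher: str = "CCMP") -> bytes:
    """MIC over the whole EAPOL-Key frame with its MIC field zeroed, keyed by the KCK."""
    zeroed = frame[:EAPOL_MIC_OFFSET] + bytes(16) + frame[EAPOL_MIC_OFFSET + 16:]
    if cipher == "TKIP":                                        # original WPA
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]   # WPA2: HMAC-SHA1-128


def sign(kck: bytes, frame: bytes, cipher: str = "CCMP") -> bytes:
    mic = compute_mic(kck, frame, cipher)
    return frame[:EAPOL_MIC_OFFSET] + mic + frame[EAPOL_MIC_OFFSET + 16:]


def verify_mic(kck: bytes, frame: bytes, cipher: str = "CCMP") -> bool:
    received = frame[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16]
    return hmac.compare_digest(received, compute_mic(kck, frame, cipher))


def run_handshake_demo() -> dict:
    """Both sides derive the PTK independently; a MIC'd message 2 verifies, a tampered copy does not."""
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    ptk_ap = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)
    ptk_client = derive_ptk(pmk, SPA, AA, SNONCE, ANONCE)   # argument order does not matter
    keys = split_ptk(ptk_client)
    msg2 = sign(keys["KCK"], build_eapol_key_msg2(SNONCE, replay_counter=1))
    tampered = bytearray(msg2)
    tampered[17] ^= 0x01                                    # flip one bit inside SNonce
    gtk = derive_gtk(bytes(32), AA, bytes(range(64, 96)))   # constructed GMK and group nonce
    return {
        "ptk_match": ptk_ap == ptk_client,
        "mic_ok": verify_mic(keys["KCK"], msg2),
        "tamper_detected": not verify_mic(keys["KCK"], bytes(tampered)),
        "tk_hex": keys["TK"].hex(),
        "gtk_hex": gtk.hex(),
    }


if __name__ == "__main__":
    for name, value in run_handshake_demo().items():
        print(f"{name}: {value}")
```

The point to take from running it is that the PTK never crosses the air: each side computes it from the shared PMK plus the two exchanged random numbers, and the MIC on messages 2 through 4 is what lets either side detect a modified handshake frame before installing the temporal key.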

To configure WPA, set the Layer 2 security method by choosing WLANs > Edit. Then select the Security tab and choose WPA+WPA2 from the drop-down, as shown in Figure