Figure 17-15 WPA Authentication (figure; its final stage is labelled 2-Way Group Key Handshake)
At the beginning of negotiations, the client and AP must agree on security capabilities. After the two agree on the same level of security, the 802.1x process starts. This is the standard 802.1x process, as outlined previously. After successful 802.1x authentication, the authentication server derives a master key and sends it to the AP; the client derives the same key on its own side. Now the client and the AP share the same Pairwise Master Key (PMK), which lasts for the duration of the session.
Next, a four-way handshake occurs (see Figure 17-16), in which the client and authenticator communicate and a new key called a Pairwise Transient Key (PTK) is derived. This key confirms the PMK between the two, establishes a temporal key to be used for message encryption, authenticates the negotiated parameters, and creates keying material for the next phase, called the two-way group key handshake.
Figure 17-16 WPA Four-Way Handshake (figure; Client and Authenticator exchange: Random Number, Derive PTK, Resend Random Number, PTK Done, Install PTK)
When the two-way group key handshake occurs, the client and authenticator negotiate the Group Transient Key (GTK), which is used to decrypt broadcast and multicast transmissions.
In Figure 17-16, you can see that the AP first generates a random number and sends it to the client. The client then uses a common passphrase along with this random number to derive a key that is used to encrypt data to the AP. The client then sends its own random number to the AP, along with a Message Integrity Code (MIC), which lets the AP detect whether the message was tampered with in transit. The AP generates a key used to encrypt unicast traffic to the client. To validate, the AP sends the random number again, encrypted using the derived key. A final message is sent, indicating that the temporal key (TK) is in place on both sides.
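The exchange just described, worked through as an added example (not code from the book): both sides derive the PTK from the shared PMK, the two random numbers (nonces) and the two MAC addresses, and the AP checks the MIC on the client's message, which also proves the client holds the PMK. The PMK, MAC addresses and nonces are constructed values, and the MIC is assumed to be the HMAC-SHA1 form used with WPA2/CCMP.

```python
import hashlib
import hmac


def prf_512(pmk: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: concatenate HMAC-SHA1(K, label || 0x00 || data || i) blocks, keep 64 bytes."""
    out = b""
    for i in range(4):  # 4 * 20 bytes covers the 64 bytes a CCMP PTK needs
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    Sorting by value lets client and AP compute the same key whichever role they hold."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over an EAPOL-Key frame (MIC field zeroed): first 16 bytes of HMAC-SHA1 under the KCK."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk, aa, spa, anonce, snonce, tamper=False):
    """Simulate messages 1 and 2: AP sends ANonce, client answers with SNonce + MIC.
    KCK = PTK[0:16] protects the handshake, KEK = PTK[16:32] wraps the GTK, TK = PTK[32:48]."""
    # Message 1 (AP -> client) carries anonce in the clear; the client now has everything for the PTK.
    client_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2 = b"EAPOL-Key msg2 (constructed header):" + snonce  # SNonce is the last 32 bytes
    mic = eapol_mic(client_ptk[:16], msg2)
    if tamper:  # flip one bit of the transmitted SNonce after the MIC was computed
        msg2 = msg2[:-1] + bytes([msg2[-1] ^ 0x01])
    # Message 2 (client -> AP): the AP takes SNonce from the frame, derives its PTK and checks the MIC.
    ap_ptk = derive_ptk(pmk, aa, spa, anonce, msg2[-32:])
    mic_ok = hmac.compare_digest(eapol_mic(ap_ptk[:16], msg2), mic)
    return {"ptk_match": client_ptk == ap_ptk, "mic_ok": mic_ok, "tk": ap_ptk[32:48]}


if __name__ == "__main__":
    # Constructed sample values, not real keys or addresses.
    pmk, aa, spa = bytes(range(32)), bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes([0x11] * 32), bytes([0x22] * 32)
    print(four_way_handshake(pmk, aa, spa, anonce, snonce))
    print(four_way_handshake(pmk, aa, spa, anonce, snonce, tamper=True)["mic_ok"])  # False
```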
The two-way handshake that exchanges the group key involves the generation of a Group
Master Key (GMK), usually by way of a random number. After the AP generates the
GMK, it generates a group random number. This is used to generate a Group Temporal
Key (GTK). The GTK provides a group key and a MIC. This key changes when it times out
or when a client leaves the network.
To configure WPA, set the Layer 2 security method by choosing WLANs > Edit. Then select the Security tab and choose WPA+WPA2 from the drop-down, as shown in Figure
You are viewing 2 - CCNA WIRELESS OFFICIAL EXAM CERTIFICATION GUIDE PART 38 DOC