WEBVTT

1
00:00:00.180 --> 00:00:01.500
In this lesson,

2
00:00:01.500 --> 00:00:05.160
we will learn about WiFi authentication.

3
00:00:05.160 --> 00:00:08.460
WiFi authentication is used to manage

4
00:00:08.460 --> 00:00:12.420
and secure user access to wireless networks.

5
00:00:12.420 --> 00:00:16.663
WiFi authentication concepts include IEEE 802.1X,

6
00:00:18.720 --> 00:00:21.540
the Extensible Authentication Protocol,

7
00:00:21.540 --> 00:00:25.413
and the Simultaneous Authentication of Equals.

8
00:00:26.265 --> 00:00:30.450
802.1X is a network access control protocol

9
00:00:30.450 --> 00:00:33.210
that provides an authentication framework

10
00:00:33.210 --> 00:00:36.780
for devices connecting to a WiFi network.

11
00:00:36.780 --> 00:00:40.500
EAP, or the Extensible Authentication Protocol,

12
00:00:40.500 --> 00:00:43.500
is a flexible authentication framework

13
00:00:43.500 --> 00:00:47.190
used within the 802.1X protocol

14
00:00:47.190 --> 00:00:50.160
that supports multiple authentication methods

15
00:00:50.160 --> 00:00:52.800
between a client, known as a supplicant,

16
00:00:52.800 --> 00:00:55.590
and the wireless enterprise network.

17
00:00:55.590 --> 00:01:00.420
Finally, SAE, or the Simultaneous Authentication of Equals

18
00:01:00.420 --> 00:01:04.500
is a secure password-based key exchange protocol

19
00:01:04.500 --> 00:01:07.770
used in WPA3 authentication

20
00:01:07.770 --> 00:01:10.590
to provide a secure handshake process

21
00:01:10.590 --> 00:01:14.040
resistant to offline dictionary attacks.

22
00:01:14.040 --> 00:01:18.720
Let's learn more about IEEE 802.1X,

23
00:01:18.720 --> 00:01:21.360
the Extensible Authentication Protocol

24
00:01:21.360 --> 00:01:25.110
and the Simultaneous Authentication of Equals.

25
00:01:25.110 --> 00:01:29.856
First we have IEEE 802.1X.

26
00:01:29.856 --> 00:01:33.630
IEEE stands for the Institute of Electrical

27
00:01:33.630 --> 00:01:36.437
and Electronics Engineers.

28
00:01:36.437 --> 00:01:41.437
IEEE 802.1X is a network access control protocol

29
00:01:41.820 --> 00:01:45.510
that provides a framework for authenticating devices

30
00:01:45.510 --> 00:01:48.360
that try to connect to a network, ensuring

31
00:01:48.360 --> 00:01:52.500
that only authorized users are granted access.

32
00:01:52.500 --> 00:01:55.710
This process protects network resources

33
00:01:55.710 --> 00:01:58.950
and keeps unauthorized users out.

34
00:01:58.950 --> 00:02:03.510
802.1X uses an authentication server,

35
00:02:03.510 --> 00:02:05.100
such as a RADIUS

36
00:02:05.100 --> 00:02:09.840
or Remote Authentication Dial-In User Service server

37
00:02:09.840 --> 00:02:12.840
to verify the identity of devices

38
00:02:12.840 --> 00:02:15.360
trying to connect to the network.

39
00:02:15.360 --> 00:02:17.880
When a device such as a laptop

40
00:02:17.880 --> 00:02:20.967
or smartphone tries to connect to the network,

41
00:02:20.967 --> 00:02:25.967
802.1X initiates an authentication process

42
00:02:26.100 --> 00:02:28.020
that checks whether the user

43
00:02:28.020 --> 00:02:30.690
is allowed to access the network.

44
00:02:30.690 --> 00:02:32.970
If the user's credentials are valid,

45
00:02:32.970 --> 00:02:34.680
they are granted access.

46
00:02:34.680 --> 00:02:36.660
If not, they are denied.

47
00:02:36.660 --> 00:02:41.660
To make this work, 802.1X relies on an important concept:

48
00:02:42.330 --> 00:02:46.920
the Extensible Authentication Protocol, or EAP.

49
00:02:46.920 --> 00:02:51.060
EAP is not a single authentication method,

50
00:02:51.060 --> 00:02:54.690
but rather a framework of authentication methods

51
00:02:54.690 --> 00:02:57.720
that support various types of authentication,

52
00:02:57.720 --> 00:03:01.080
such as passwords and digital certificates.

53
00:03:01.080 --> 00:03:05.370
EAP is essential because when a new device,

54
00:03:05.370 --> 00:03:08.700
known as a supplicant, wants to join the network,

55
00:03:08.700 --> 00:03:12.450
it must establish a secure communication channel

56
00:03:12.450 --> 00:03:16.500
to pass its credentials to the network for validation.

57
00:03:16.500 --> 00:03:21.210
EAP provides the structure for these authentication methods,

58
00:03:21.210 --> 00:03:25.650
enabling secure and flexible credential exchanges.

59
00:03:25.650 --> 00:03:29.850
Once EAP sets up a secure communication channel,

60
00:03:29.850 --> 00:03:33.630
the next step involves the router or access point,

61
00:03:33.630 --> 00:03:37.650
also known as the RADIUS client in this process.

62
00:03:37.650 --> 00:03:40.980
Think of the router or access point as a mediator

63
00:03:40.980 --> 00:03:44.790
who helps pass information along the correct path.

64
00:03:44.790 --> 00:03:48.300
After the supplicant's credentials are securely collected

65
00:03:48.300 --> 00:03:52.620
via EAP, the RADIUS client forwards these credentials

66
00:03:52.620 --> 00:03:55.200
to the RADIUS server securely.

67
00:03:55.200 --> 00:03:58.170
The RADIUS server is the final authority

68
00:03:58.170 --> 00:04:01.860
responsible for validating the user's identity.

69
00:04:01.860 --> 00:04:06.180
So the RADIUS server is like a security control room

70
00:04:06.180 --> 00:04:10.440
that performs a thorough check on the presented credentials.

71
00:04:10.440 --> 00:04:14.730
It uses its database or connects to other directories

72
00:04:14.730 --> 00:04:16.230
like Active Directory

73
00:04:16.230 --> 00:04:19.530
to validate that the username and password

74
00:04:19.530 --> 00:04:21.840
or certificate are correct.

75
00:04:21.840 --> 00:04:25.170
If the credentials are verified successfully,

76
00:04:25.170 --> 00:04:28.260
the RADIUS server sends an approval message

77
00:04:28.260 --> 00:04:30.030
back to the RADIUS client

78
00:04:30.030 --> 00:04:33.930
granting the supplicant access to the network.

79
00:04:33.930 --> 00:04:36.990
Once the RADIUS client receives this approval

80
00:04:36.990 --> 00:04:40.590
from the server, it informs the network components

81
00:04:40.590 --> 00:04:42.960
allowing the supplicant full access

82
00:04:42.960 --> 00:04:46.260
to the resources they are permitted to use.

83
00:04:46.260 --> 00:04:50.670
This final step ensures that only properly authenticated

84
00:04:50.670 --> 00:04:54.510
devices and users can connect to the network.

85
00:04:54.510 --> 00:04:57.510
This authentication process can occur

86
00:04:57.510 --> 00:05:01.350
both when a supplicant connects wirelessly to a network

87
00:05:01.350 --> 00:05:04.170
or connects to a wired network.

88
00:05:04.170 --> 00:05:08.640
Second, we have the Extensible Authentication Protocol

89
00:05:08.640 --> 00:05:12.990
or EAP, which we've already started to discuss.

90
00:05:12.990 --> 00:05:17.010
As a reminder, EAP is a flexible framework

91
00:05:17.010 --> 00:05:20.490
that supports multiple authentication methods between

92
00:05:20.490 --> 00:05:24.780
a supplicant and a RADIUS client, the wireless access point.

93
00:05:24.780 --> 00:05:29.760
EAP was developed to replace older, less secure methods

94
00:05:29.760 --> 00:05:32.760
like the Password Authentication Protocol

95
00:05:32.760 --> 00:05:35.940
and the Challenge-Handshake Authentication Protocol

96
00:05:35.940 --> 00:05:38.730
or CHAP, offering more robust

97
00:05:38.730 --> 00:05:43.500
and adaptable authentication solutions for modern networks.

98
00:05:43.500 --> 00:05:47.160
Before diving into EAP, it's important

99
00:05:47.160 --> 00:05:51.180
to understand those older protocols that it replaced.

100
00:05:51.180 --> 00:05:54.540
The Password Authentication Protocol or PAP

101
00:05:54.540 --> 00:05:56.760
is one of the earliest and simplest

102
00:05:56.760 --> 00:05:59.010
methods of authentication.

103
00:05:59.010 --> 00:06:02.370
PAP works by having the client connect to a server

104
00:06:02.370 --> 00:06:06.330
and transmit the username and password in plain text.

105
00:06:06.330 --> 00:06:09.000
The server then checks these credentials

106
00:06:09.000 --> 00:06:11.280
against its database and responds

107
00:06:11.280 --> 00:06:14.970
with either an acceptance or rejection message.

108
00:06:14.970 --> 00:06:18.810
The major flaw of the Password Authentication Protocol

109
00:06:18.810 --> 00:06:21.810
is that it sends credentials in plain text,

110
00:06:21.810 --> 00:06:26.520
making it vulnerable to interception and highly insecure.

111
00:06:26.520 --> 00:06:31.020
So to address the Password Authentication Protocol's shortcomings,

112
00:06:31.020 --> 00:06:33.960
the Challenge-Handshake Authentication Protocol

113
00:06:33.960 --> 00:06:36.120
or CHAP was developed.

114
00:06:36.120 --> 00:06:38.340
CHAP improves security

115
00:06:38.340 --> 00:06:41.370
by using a challenge-and-response mechanism,

116
00:06:41.370 --> 00:06:45.090
instead of sending credentials in plain text.

117
00:06:45.090 --> 00:06:48.090
With CHAP, the server sends a random

118
00:06:48.090 --> 00:06:50.610
challenge string to the client.

119
00:06:50.610 --> 00:06:53.070
The client encrypts this challenge string

120
00:06:53.070 --> 00:06:56.520
using a hash function combined with its password

121
00:06:56.520 --> 00:07:00.510
and sends the encrypted response back to the server.

122
00:07:00.510 --> 00:07:04.410
The server then performs the same hash operation

123
00:07:04.410 --> 00:07:07.890
using its stored version of the client's password

124
00:07:07.890 --> 00:07:09.870
and compares the results.

125
00:07:09.870 --> 00:07:13.920
If the results match, authentication is successful.

126
00:07:13.920 --> 00:07:16.530
This method enhances security

127
00:07:16.530 --> 00:07:20.340
by never sending the actual password over the network

128
00:07:20.340 --> 00:07:22.950
while still allowing authentication.

129
00:07:22.950 --> 00:07:26.370
Microsoft introduced a variant of CHAP

130
00:07:26.370 --> 00:07:28.410
called the Microsoft Challenge-Handshake

131
00:07:28.410 --> 00:07:32.670
Authentication Protocol, or MS-CHAP.

132
00:07:32.670 --> 00:07:36.960
MS-CHAP includes improvements like stronger encryption keys

133
00:07:36.960 --> 00:07:41.190
and mutual authentication capabilities where both the client

134
00:07:41.190 --> 00:07:45.000
and server verify each other's identities.

135
00:07:45.000 --> 00:07:49.590
However, both CHAP and MS-CHAP have been surpassed

136
00:07:49.590 --> 00:07:52.140
by the more flexible and secure

137
00:07:52.140 --> 00:07:55.080
Extensible Authentication Protocol.

138
00:07:55.080 --> 00:07:59.130
But the Extensible Authentication Protocol, or EAP,

139
00:07:59.130 --> 00:08:01.470
is not a standalone protocol,

140
00:08:01.470 --> 00:08:05.250
but rather a framework that supports a wide range

141
00:08:05.250 --> 00:08:08.700
of authentication methods, including passwords

142
00:08:08.700 --> 00:08:10.860
and digital certificates.

143
00:08:10.860 --> 00:08:13.800
It is designed to be highly adaptable,

144
00:08:13.800 --> 00:08:17.430
allowing for various authentication processes

145
00:08:17.430 --> 00:08:21.210
based on the specific security needs of the network.

146
00:08:21.210 --> 00:08:24.960
Here are five commonly used EAP types,

147
00:08:24.960 --> 00:08:29.190
each offering different features and security levels.

148
00:08:29.190 --> 00:08:34.140
The first EAP type is EAP-MD5-CHAP.

149
00:08:34.140 --> 00:08:38.280
This variant uses the CHAP challenge and response process

150
00:08:38.280 --> 00:08:40.410
within the EAP framework

151
00:08:40.410 --> 00:08:43.980
and relies on passwords for authentication.

152
00:08:43.980 --> 00:08:48.300
Although EAP-MD5-CHAP improves slightly

153
00:08:48.300 --> 00:08:52.530
upon the basic Challenge-Handshake Authentication Protocol,

154
00:08:52.530 --> 00:08:56.310
it still depends on simple password-based security,

155
00:08:56.310 --> 00:08:59.490
making it vulnerable to dictionary attacks

156
00:08:59.490 --> 00:09:02.130
if weak passwords are used.

157
00:09:02.130 --> 00:09:04.050
The second EAP type

158
00:09:04.050 --> 00:09:08.787
is EAP-Transport Layer Security, or EAP-TLS.

159
00:09:08.787 --> 00:09:13.787
EAP-TLS is one of the most secure forms of EAP,

160
00:09:13.800 --> 00:09:18.240
using digital certificates installed on both the supplicant

161
00:09:18.240 --> 00:09:22.800
and server for authentication. It eliminates the use

162
00:09:22.800 --> 00:09:26.880
of passwords entirely, providing robust mutual

163
00:09:26.880 --> 00:09:31.590
authentication through the exchange of digital certificates.

164
00:09:31.590 --> 00:09:33.540
The third EAP type

165
00:09:33.540 --> 00:09:38.540
is Protected Extensible Authentication Protocol or PEAP.

166
00:09:38.580 --> 00:09:41.550
PEAP establishes an encrypted tunnel

167
00:09:41.550 --> 00:09:45.210
between the supplicant and the authentication server.

168
00:09:45.210 --> 00:09:49.560
The server uses a digital certificate to authenticate itself,

169
00:09:49.560 --> 00:09:51.630
forming the secure tunnel.

170
00:09:51.630 --> 00:09:55.050
Inside this tunnel, the user can authenticate

171
00:09:55.050 --> 00:10:00.050
using methods like CHAPv2 or one-time passwords.

172
00:10:00.390 --> 00:10:04.410
This layered approach helps protect against attacks

173
00:10:04.410 --> 00:10:09.300
such as sniffing, password guessing, and on-path attacks.

174
00:10:09.300 --> 00:10:11.790
Another variant of EAP

175
00:10:11.790 --> 00:10:16.563
is EAP-Tunneled Transport Layer Security, or EAP-TTLS.

176
00:10:17.847 --> 00:10:21.480
EAP-TTLS is similar to PEAP,

177
00:10:21.480 --> 00:10:24.990
the Protected Extensible Authentication Protocol,

178
00:10:24.990 --> 00:10:27.540
but allows for greater flexibility

179
00:10:27.540 --> 00:10:31.560
in choosing the authentication method within the tunnel.

180
00:10:31.560 --> 00:10:34.620
It still requires a server certificate,

181
00:10:34.620 --> 00:10:37.950
but uses passwords for client authentication,

182
00:10:37.950 --> 00:10:41.250
making it less secure than EAP-TLS

183
00:10:41.250 --> 00:10:44.070
while still being a significant improvement

184
00:10:44.070 --> 00:10:47.640
over basic password authentication methods.

185
00:10:47.640 --> 00:10:52.640
The last EAP variant is EAP with Flexible Authentication

186
00:10:53.100 --> 00:10:56.790
via Secure Tunneling, or EAP-FAST.

187
00:10:56.790 --> 00:11:01.050
EAP-FAST uses a Protected Access Credential

188
00:11:01.050 --> 00:11:05.010
instead of a certificate to create the secure tunnel,

189
00:11:05.010 --> 00:11:08.370
making it faster and easier to implement.

190
00:11:08.370 --> 00:11:12.750
However, distributing these credentials can be challenging

191
00:11:12.750 --> 00:11:15.930
simply because the credential needs to be issued

192
00:11:15.930 --> 00:11:17.790
in a secure manner.

193
00:11:17.790 --> 00:11:21.690
So EAP-FAST is considered less secure

194
00:11:21.690 --> 00:11:25.713
than EAP-TLS, PEAP or EAP-TTLS.

195
00:11:27.270 --> 00:11:31.680
Overall, for the highest level of security, EAP-TLS

196
00:11:31.680 --> 00:11:35.970
with mutual certificate authentication is recommended.

197
00:11:35.970 --> 00:11:39.630
If implementing digital certificates is too costly

198
00:11:39.630 --> 00:11:44.630
or complex, PEAP or EAP-TTLS offer good alternatives

199
00:11:45.570 --> 00:11:48.690
that still provide good security features.

200
00:11:48.690 --> 00:11:51.060
Third and last, we have

201
00:11:51.060 --> 00:11:55.890
the Simultaneous Authentication of Equals or SAE.

202
00:11:55.890 --> 00:12:00.890
WPA3, or WiFi Protected Access 3, is a WiFi authentication

203
00:12:01.560 --> 00:12:03.990
protocol that includes a feature

204
00:12:03.990 --> 00:12:08.970
called the Simultaneous Authentication of Equals or SAE.

205
00:12:08.970 --> 00:12:12.420
SAE replaces the older four-way handshake

206
00:12:12.420 --> 00:12:15.420
authentication mechanism that was introduced

207
00:12:15.420 --> 00:12:20.420
with the original WPA and WPA2 protocols.

208
00:12:20.520 --> 00:12:24.810
The old handshake relied on the Diffie-Hellman key agreement

209
00:12:24.810 --> 00:12:27.300
to exchange a pre-shared key

210
00:12:27.300 --> 00:12:29.760
between the client and access point.

211
00:12:29.760 --> 00:12:33.540
However, this method was vulnerable to interception,

212
00:12:33.540 --> 00:12:36.240
cracking and replay methods.

213
00:12:36.240 --> 00:12:41.240
So with WPA3, these vulnerabilities are addressed

214
00:12:41.250 --> 00:12:44.610
by eliminating the old key exchange process

215
00:12:44.610 --> 00:12:45.630
and replacing it

216
00:12:45.630 --> 00:12:49.260
with the Simultaneous Authentication of Equals.

217
00:12:49.260 --> 00:12:54.030
SAE is a secure password-based authentication method

218
00:12:54.030 --> 00:12:58.230
that relies on forward secrecy to protect its data.

219
00:12:58.230 --> 00:13:02.610
Forward secrecy, also known as perfect forward secrecy,

220
00:13:02.610 --> 00:13:07.170
ensures that even if long-term keys used in key exchanges

221
00:13:07.170 --> 00:13:10.590
are compromised, the session keys generated

222
00:13:10.590 --> 00:13:14.820
during each session remain secure and unique.

223
00:13:14.820 --> 00:13:18.420
This is significant because it prevents an attacker

224
00:13:18.420 --> 00:13:21.270
from decrypting past communications,

225
00:13:21.270 --> 00:13:23.310
even if they later gain access

226
00:13:23.310 --> 00:13:27.000
to the long-term secrets such as private keys.

227
00:13:27.000 --> 00:13:30.420
So SAE is a secure key exchange method

228
00:13:30.420 --> 00:13:32.700
that ensures forward secrecy.

229
00:13:32.700 --> 00:13:36.000
The process starts with mutual authentication

230
00:13:36.000 --> 00:13:40.080
between an access point and a client using passwords.

231
00:13:40.080 --> 00:13:43.050
Unlike traditional public key systems,

232
00:13:43.050 --> 00:13:47.100
SAE does not generate or store long-term keys,

233
00:13:47.100 --> 00:13:49.650
which means each session's security

234
00:13:49.650 --> 00:13:53.070
is independent of any previous secrets.

235
00:13:53.070 --> 00:13:55.770
The next step involves a key exchange

236
00:13:55.770 --> 00:13:58.290
using the Dragonfly algorithm,

237
00:13:58.290 --> 00:14:01.080
which is a password-authenticated key exchange

238
00:14:01.080 --> 00:14:03.300
protocol that is more secure

239
00:14:03.300 --> 00:14:06.270
than traditional methods like Diffie-Hellman.

240
00:14:06.270 --> 00:14:09.720
Dragonfly uses elliptic curve cryptography

241
00:14:09.720 --> 00:14:11.700
to create a shared secret,

242
00:14:11.700 --> 00:14:16.020
which is then used to generate a unique session key.

243
00:14:16.020 --> 00:14:18.420
Once the session key is established,

244
00:14:18.420 --> 00:14:21.330
it is used to encrypt all communication

245
00:14:21.330 --> 00:14:24.450
between the access point and the client.

246
00:14:24.450 --> 00:14:28.650
Each message in the session is encrypted using this key,

247
00:14:28.650 --> 00:14:31.950
ensuring that only the intended recipient

248
00:14:31.950 --> 00:14:34.050
can read the messages.

249
00:14:34.050 --> 00:14:37.020
This process maintains security

250
00:14:37.020 --> 00:14:40.260
even if some of the data is intercepted.

251
00:14:40.260 --> 00:14:42.990
The encryption and decryption of messages

252
00:14:42.990 --> 00:14:46.020
rely solely on the session key,

253
00:14:46.020 --> 00:14:50.310
and each session key is unique to that session.

254
00:14:50.310 --> 00:14:53.400
Importantly, a new session key is generated

255
00:14:53.400 --> 00:14:57.570
for every session, which provides forward secrecy.

256
00:14:57.570 --> 00:15:01.440
This means that even if a session key is compromised,

257
00:15:01.440 --> 00:15:06.440
it does not affect the security of past or future sessions.

258
00:15:07.020 --> 00:15:12.020
SAE's continuous key rotation protects all communications,

259
00:15:12.030 --> 00:15:15.210
ensuring that each session remains secure,

260
00:15:15.210 --> 00:15:17.520
independent of the others.

261
00:15:17.520 --> 00:15:21.330
This makes WPA3 far more secure

262
00:15:21.330 --> 00:15:26.330
than previous protocols like WPA2, WPA and WEP,

263
00:15:27.630 --> 00:15:29.640
offering stronger protection

264
00:15:29.640 --> 00:15:34.620
for wireless communications on networks and mobile devices.

265
00:15:34.620 --> 00:15:38.550
So remember, WiFi authentication

266
00:15:38.550 --> 00:15:42.900
uses methods like IEEE 802.1X,

267
00:15:42.900 --> 00:15:46.677
the Extensible Authentication Protocol, or EAP,

268
00:15:46.677 --> 00:15:50.737
and the Simultaneous Authentication of Equals or SAE.

269
00:15:51.771 --> 00:15:56.771
802.1X acts as a gatekeeper, verifying device identities

270
00:15:57.720 --> 00:16:00.000
and controlling network access

271
00:16:00.000 --> 00:16:03.660
through an authentication server like RADIUS.

272
00:16:03.660 --> 00:16:08.660
EAP is a flexible framework within the 802.1X protocol

273
00:16:10.110 --> 00:16:13.410
that supports various authentication methods,

274
00:16:13.410 --> 00:16:17.880
enhancing security by securely exchanging credentials.

275
00:16:17.880 --> 00:16:22.080
Finally, SAE used in WPA3

276
00:16:22.080 --> 00:16:26.280
replaces older, less secure handshake protocols

277
00:16:26.280 --> 00:16:29.460
with a secure password-based key exchange

278
00:16:29.460 --> 00:16:31.860
that ensures forward secrecy.

279
00:16:31.860 --> 00:16:35.490
By frequently generating unique session keys,

280
00:16:35.490 --> 00:16:39.330
SAE protects past and future communications

281
00:16:39.330 --> 00:16:43.020
even if the current session key is compromised.

282
00:16:43.020 --> 00:16:46.230
Together, these authentication concepts

283
00:16:46.230 --> 00:16:49.200
enhance WiFi security by providing

284
00:16:49.200 --> 00:16:52.533
robust, adaptable authentication.

