CWNP CWSP – Module 05 – Dynamic Encryption Key Generation Part 2

  1. Management Frames & RSNIE (eNotes)

Alright? Management frames are very important for the robust security network, and we call the information exchange information elements, IEs. So I’m just going to refer to them as IEs. And we’re just going to take a look at, again, a basic security set where I have my single station, I have my access point, and one of the first things we said is that we needed to make sure that both sides can agree on what type of security they can support and whether or not they will support each other’s information. And so that information is sent back and forth as an information element inside of what we call management frames. Now, the information element is an optional field, it can be a variable length, but we do find it in what we call the 802.11 management frames.

So I’ll just kind of abbreviate that anyway, management frame, and it is something that we use before we negotiate any type of association. Because as we said, if there’s no agreement on what we can do, then what’s the benefit for us to be able to do that? So what it starts off with, basically, you think about the access point. Unless you cloak it, it’s always sending out a beacon, an SSID of what it’s capable of doing. And you can see that because when you open up your network settings for your workstation on any of them, often it will not only show you the SSID, but it will often put like a little padlock picture next to it to let you know that it does have some requirements of security. So one of the things that happens is we’re sending this beacon out. For the life of me, I wish I could draw a straight line, but I think you’re all with me.

And part of that element is going to be the AP’s capabilities and, again, we are going to hope that we can actually make that work, that the two can agree on it. So maybe what you see is that it might say, hey, we’re using as part of what we do the CCMP with AES. It could say WEP. Like I said, you’ll look and see when your computer recognizes a beacon, it’ll tell you if it’s locked or not. Maybe it also says it needs 802.1X authentication.

Now, I want to just step back just a little bit before we get too far. This is really something we’re going to see a lot of in some enterprises that are very small. Again, we call them the small office/home office. I’m going to just draw a little side note. There can be times in a real enterprise solution that these access points that you have in your network aren’t even going to worry about the type of authentication, because what they’re going to do is redirect you to a wireless LAN controller that’s in charge of all of these access points. And in many enterprise solutions, what happens is that you, the user, make the connection. You get redirected to a web GUI, right, a little pop-up that asks you for username and password. It has a little X if you want to close it. And so you’re getting authenticated and getting your security settings from the wireless LAN controller and basically creating an encrypted session from you to the wireless LAN controller rather than making the poor access point do all of that work. So this is a different type of thing when we talk about management frames, because we’re really talking about the negotiation between the station and the access point and not between the station and a wireless LAN controller or some other type of setup.

So that is an example of the IE that might be carried in the beacon. And then of course, we’re going to have basically a probe request frame. Now in that probe request frame, again the station is going to say basically, do you have an SSID, right? That’s active, by the way, active scanning. But that’s not really a management. So either we hear the beacon because you’re not cloaking or the station is doing a probe request. Maybe they had to manually type in the SSID to get there. And then if there is a response to it, again we’ll get that probe response.

And again in that probe response, it would contain similar information like I just put up here before with the AES and the 802.1X. So I guess what I’m saying is that those are two ways that you might be able to get the management information from the access point as you’re working with RSNs. And again, it’s important, but we’re not quite done yet. So now the station knows what is required. Maybe there’s other options, but it knows what’s required. And so one of the things that’s going to happen is if this machine is capable of supporting it, it’s going to send the association request frame, and in that association request it’s going to send its IE capabilities to let it know whether or not we’re capable of doing it.

And if we are, and we agree, then the access point is going to send back this association response frame and we hope that it’s going to say, yeah, not a problem, yes, we will do it, we’ll let you do the association. But we still have a couple of other things you have to get through, right? That means we still have to get through the process of creating keys, of maybe doing the authentication we talked about in an earlier part of our course. So we still have to be successful at setting that up. And again, that’s just examples of how we negotiate between the two stations. Hopefully that also kind of explained why you see what you see when you’re maybe in Control Panel on Windows, looking at the available networks, and how your computer knows that a network is locked or if it’s open.

  1. RSN (Cont.)

So basically when we’re looking at the robust security network, all of the stations are going to basically share the same group-wise transient key for multicast and broadcast traffic. And again, this is from the same access point. We haven’t got into that discussion about what happens when there is mobility. Remember that there is some backward compatibility. They could, when they look at the different types of keys, choose the lowest common denominator. If so, with CCMP, as we said, optionally, that could still be the temporal key, the TKIP. Now, the goal of the access point generally is going to try to use the AES key for unicast traffic. And we did say that was mandatory, but didn’t say it was really mandatory for the broadcast. So like I said, there is that backward compatibility if it’s enabled, where you might be able to still work with older systems and allow more than one negotiation. And remember I called that the transient security network, the TSN.

And that might be useful for you if the information element has that as an option for those older systems that might not support AES or some of the other things that make up the RSN.
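To make the negotiation described in the two sections above concrete, here is a small parser for the RSN information element as it appears in a beacon or probe response. It is an added example, not part of the course material; the two sample elements are constructed by hand, and the parser only handles elements that carry the group cipher, pairwise cipher list and AKM list.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")  # OUI used by the standard's own suite selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def _suite(raw, names):
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    oui, kind = raw[:3], raw[3]
    if oui != RSN_OUI:
        return f"vendor-{oui.hex()}:{kind}"
    return names.get(kind, f"unknown-{kind}")

def _suite_list(body, off, names):
    """Decode a 2-byte little-endian count followed by that many selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    end = off + 4 * count
    if end > len(body):
        raise ValueError("suite count exceeds element length")
    return [_suite(body[i:i + 4], names) for i in range(off, end, 4)], end

def parse_rsne(element):
    """Parse a raw RSN information element (element ID 48) into its policy."""
    if len(element) < 2 or element[0] != 48:
        raise ValueError("not an RSN element")
    body = element[2:2 + element[1]]
    if len(body) != element[1] or len(body) < 8:
        raise ValueError("truncated RSN element")
    (version,) = struct.unpack_from("<H", body, 0)
    group = _suite(body[2:6], CIPHERS)
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akm, off = _suite_list(body, off, AKMS)
    # Any non-CCMP cipher means the AP is also serving older, pre-RSN stations.
    legacy = group != "CCMP" or any(c != "CCMP" for c in pairwise)
    return {"version": version, "group": group, "pairwise": pairwise,
            "akm": akm, "legacy_ciphers": legacy}

# Constructed samples (not captured traffic).
# CCMP group, CCMP pairwise, 802.1X authentication:
BEACON_RSNE = bytes.fromhex("30140100000fac040100000fac040100000fac010000")
# TKIP group, CCMP and TKIP pairwise, PSK (the backward-compatible case):
MIXED_RSNE = bytes.fromhex("30180100000fac020200000fac04000fac020100000fac020000")

if __name__ == "__main__":
    for name, ie in (("beacon", BEACON_RSNE), ("mixed", MIXED_RSNE)):
        print(name, parse_rsne(ie))
```

The second sample shows why the group cipher matters: stations that negotiate CCMP for unicast still receive broadcast and multicast traffic under TKIP.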

  1. Authentication and Key Management (AKM) Part 1

All right, we have this other acronym. We have probably not near enough acronyms, do we? This one is the Authentication and Key Management, or AKM, and it is also part of the 802.11i 2007 standard. And it’s basically a set of one or more algorithms that we use to provide authentication and key management, whether, there again, it’s individual or in combination with higher layer authentication and higher level key management algorithms. And those higher level ones are really kind of outside the scope of what we’re looking at here, as well as looking at other vendor solutions. But what we’re really going to try to do is kind of focus on what we’re seeing for RSN, that is, through the exchange of keys with EAP, that four-way handshake, the use of authentication, 802.1X, more than we’re going to worry about, like I said, proprietary solutions or the pre-shared key.

Now, in order to do this, remember the main goal of RSN is that we require both authentication and the generation and management of encryption keys. And what we’ve been talking about so far is that when these keys are created, at least what we’ve done so far, is we had a pairwise transient key that is stored on the access point and the station, and the access point had the group-wise transient key that all of the other machines shared in common, and every station would have their own PTK, pairwise key. But that still deals with management.

And remember we said that a lot of that negotiation is going to occur through whatever authentication server we have, through that four-way handshake. And so we’re getting there. Now, it does sound like AKM says both authentication and generation and management of encryption keys. They might seem exclusive of each other, but they’re really not, because they are different types of processes. One is proving who you are, the other is coming up with dynamic keys. And so that’s the process. It’s kind of a two-step process.

Well, actually it’s going to be after authentication, it’s going to be a four-step or four-way handshake. And so our goal then is after the authentication and with the use of information and authentication is to talk about how these keys are going to be developed. And that’s where I keep saying that we’ll get into those and talk a little bit about it. Now let me just kind of draw a picture. If I were to look at the steps for authentication and key management, look at the steps of AKM, there’s a couple of steps that we’re going to go through. One of the first steps is that we’re going to have the discovery process and again, that may also occur from the information element.

Whether we’re doing active or passive, we’re trying to figure out what they support. So the second step then would be that information element that tells us what they’re doing, like 802.1X, PSK, whatever the case is. And then we have to go through and create basically what we’re going to call a master key. That sounds awesome, right? Like you can do anything if you have the master key. And so that’s actually going to be, as we get more into this, I’m just keeping it as a high level overview, is we’ll talk about these keys, the PMK and the GMK that are generated. But from that point we then go through. And step four is that four-way handshake. So I’m not going to put four arrows there.

But the fourth step as an overview of AKM is to use the information that we have at the top and to then create that pairwise transient key and that group transient key. And then at that point, as long as we are authorized, we get authorized there and we open up that virtual channel. And then, of course, everybody has basically the idea of what it takes to do the encryption. Because again, this process is going to involve the access point remembering for each user that’s connected.
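The last two AKM steps above, carried through in code as an added example that is not part of the course material: a master key is expanded into a per-station pairwise transient key. It goes a little beyond the overview by using the standard's PRF and nonces; the passphrase, SSID, MAC addresses and nonces are constructed, and the PMK is derived from a pre-shared key only to keep the example self-contained (with 802.1X the PMK would come out of the authentication exchange instead).

```python
import hashlib
import hmac
import os

def pmk_from_psk(passphrase, ssid):
    """PSK case: 256-bit PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, mac_a, mac_b, nonce_a, nonce_b):
    """Expand the PMK into the 384-bit CCMP PTK and split it into its parts.

    Addresses and nonces are sorted before hashing, so the access point and
    the station compute identical keys without agreeing on an order.
    """
    data = (min(mac_a, mac_b) + max(mac_a, mac_b) +
            min(nonce_a, nonce_b) + max(nonce_a, nonce_b))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16],    # integrity key for the handshake messages
            "kek": ptk[16:32],  # wraps the group key sent to the station
            "tk": ptk[32:48]}   # temporal key that encrypts unicast data

def demo():
    """Two stations on one AP and one shared PMK (all values constructed)."""
    pmk = pmk_from_psk("correct horse battery", "ExampleSSID")
    ap = bytes.fromhex("02aabbccdd01")
    sta1, sta2 = bytes.fromhex("02aabbccdd02"), bytes.fromhex("02aabbccdd03")
    anonce1, snonce1 = os.urandom(32), os.urandom(32)
    ap_side = derive_ptk(pmk, ap, sta1, anonce1, snonce1)
    sta_side = derive_ptk(pmk, sta1, ap, snonce1, anonce1)
    other = derive_ptk(pmk, ap, sta2, os.urandom(32), os.urandom(32))
    rekey = derive_ptk(pmk, ap, sta1, os.urandom(32), os.urandom(32))
    return ap_side, sta_side, other, rekey

if __name__ == "__main__":
    ap_side, sta_side, other, rekey = demo()
    print("AP and station agree:", ap_side == sta_side)
    print("second station differs:", other["tk"] != ap_side["tk"])
    print("new handshake, new key:", rekey["tk"] != ap_side["tk"])
```

Each station ends up with its own temporal key even though the master key is shared, and a fresh handshake yields fresh keys, which is the dynamic key generation this module is about.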
