WEBVTT 0:00:02.880000 --> 0:00:07.680000 Welcome to this video titled, Wifi Security Authentication. 0:00:07.680000 --> 0:00:09.640000 Let's talk about the topics I'm going to cover. 0:00:09.640000 --> 0:00:15.380000 I'd like to do a quick review of how we associate to a Wifi SSID. 0:00:15.380000 --> 0:00:19.140000 What are the various methods of authentication that are available without 0:00:19.140000 --> 0:00:25.300000 encryption? And how would you visually identify an unsecured wireless 0:00:25.300000 --> 0:00:29.300000 LAN when you're looking at a list of available wireless LANs? 0:00:29.300000 --> 0:00:36.860000 Let's start with a review of how one associates to a wireless LAN. 0:00:36.860000 --> 0:00:41.660000 Starting with this, the client discovers the wireless LAN. 0:00:41.660000 --> 0:00:44.760000 That can be done in a couple of different ways. 0:00:44.760000 --> 0:00:49.660000 A lot of clients, what they'll do is they will continually send out special 0:00:49.660000 --> 0:00:53.660000 Wifi management frames called probe frames. 0:00:53.660000 --> 0:00:56.460000 In this case, it would be a probe request. 0:00:56.460000 --> 0:01:00.580000 A probe request is a way of saying, hey, what wireless LANs exist out 0:01:00.580000 --> 0:01:05.120000 here? Or if the Wifi client already knows of some previous wireless LANs, 0:01:05.120000 --> 0:01:07.860000 it might say, hey, does payroll exist around here? 0:01:07.860000 --> 0:01:10.040000 Does HR exist around here? 0:01:10.040000 --> 0:01:13.940000 And if an access point is within hearing range of those probe requests, 0:01:13.940000 --> 0:01:19.480000 it will send back a probe response. 0:01:19.480000 --> 0:01:23.240000 So that's one way that a client could end up seeing a listing of wireless 0:01:23.240000 --> 0:01:28.200000 LANs between this exchange of probe requests and probe responses. 
0:01:28.200000 --> 0:01:33.720000 But even if the client does not implement probes, this access point, 10 0:01:33.720000 --> 0:01:37.960000 times a second, every 100 milliseconds, is sending out another type of 0:01:37.960000 --> 0:01:42.560000 management frame, which is called a beacon. 0:01:42.560000 --> 0:01:45.340000 And the beacon says, hey, here I am. 0:01:45.340000 --> 0:01:47.280000 Let me tell you about the wireless LAN I've got. 0:01:47.280000 --> 0:01:50.400000 Let me tell you about the name, the supported data rates, whether I'm 0:01:50.400000 --> 0:01:51.860000 using encryption or not. 0:01:51.860000 --> 0:01:55.600000 So that's another very quick and easy way that a client can discover the 0:01:55.600000 --> 0:01:59.460000 wireless LANs are available is simply by listening for those beacons. 0:01:59.460000 --> 0:02:02.780000 So that is step number one. 0:02:02.780000 --> 0:02:04.940000 The client discovers the wireless LAN. 0:02:04.940000 --> 0:02:07.600000 Step number two, so there we go. 0:02:07.600000 --> 0:02:08.720000 There's a beacon going out. 0:02:08.720000 --> 0:02:12.980000 And notice in this particular beacon, he's saying, hey, my SSID is corporate. 0:02:12.980000 --> 0:02:18.380000 And he says, by the way, I'm doing open authentication with AES and CCMP 0:02:18.380000 --> 0:02:24.180000 encryption. So we have just learned what type of authentication is in 0:02:24.180000 --> 0:02:30.220000 use. And with wireless LANs, there are two types of authentication. 0:02:30.220000 --> 0:02:34.500000 So the beacon could advertise something called pre-shared key or open 0:02:34.500000 --> 0:02:38.560000 authentication. Pre-shared key, you're not going to see that anymore. 0:02:38.560000 --> 0:02:43.920000 That was one of the available methods in the early, early 1997 initial 0:02:43.920000 --> 0:02:47.280000 implementation of the 802.11 standard. 
0:02:47.280000 --> 0:02:51.120000 But it was very quickly determined that that was crackable, hackable, 0:02:51.120000 --> 0:02:54.040000 whatever word you want to use, very insecure. 0:02:54.040000 --> 0:02:56.480000 So nobody uses pre-shared key anymore. 0:02:56.480000 --> 0:02:59.440000 As a matter of fact, I don't think access points even support it in their 0:02:59.440000 --> 0:03:01.080000 configuration options anymore. 0:03:01.080000 --> 0:03:04.500000 So pretty much every wireless LAN you're going to see these days will 0:03:04.500000 --> 0:03:08.040000 be advertised with open authentication. 0:03:08.040000 --> 0:03:09.460000 Now, you might think, well, wait a second. 0:03:09.460000 --> 0:03:10.580000 Does that mean that? 0:03:10.580000 --> 0:03:11.580000 How does that make sense? 0:03:11.580000 --> 0:03:14.580000 Because every wireless LAN I connect to, I have to supply a password or 0:03:14.580000 --> 0:03:20.200000 passphrase. Well, in open authentication, all that saying is, hey, look, 0:03:20.200000 --> 0:03:24.320000 if I'm the access point and I'm saying, hey, we use open authentication, 0:03:24.320000 --> 0:03:29.220000 in my beacon, I will also say, hey, once you connect to me, after we connect 0:03:29.220000 --> 0:03:34.780000 to each other, then we're going to proceed on with security after that. 0:03:34.780000 --> 0:03:38.160000 And after that is where you're going to type in your passphrase or your 0:03:38.160000 --> 0:03:40.840000 pre-shared key or whatever you want to call it. 0:03:40.840000 --> 0:03:44.940000 So open authentication doesn't necessarily mean that there's no password 0:03:44.940000 --> 0:03:46.460000 involved at all. 0:03:46.460000 --> 0:03:51.320000 It just means that during the authentication phase, you see, connecting 0:03:51.320000 --> 0:03:55.660000 to a wireless LAN, you have to go through several pre-defined phases, 0:03:55.660000 --> 0:03:57.440000 discovering the wireless LAN. 
0:03:57.440000 --> 0:04:04.020000 That's one. Then during the authentication phase, that's another. 0:04:04.020000 --> 0:04:07.340000 Well, during open authentication, we still have to proceed through the 0:04:07.340000 --> 0:04:09.080000 authentication phase. 0:04:09.080000 --> 0:04:10.640000 We're just not really doing anything. 0:04:10.640000 --> 0:04:11.740000 We're just saying, hey, you there? 0:04:11.740000 --> 0:04:12.580000 Can I authenticate? 0:04:12.580000 --> 0:04:13.620000 Yes, you can authenticate. 0:04:13.620000 --> 0:04:14.720000 You're in. Okay. 0:04:14.720000 --> 0:04:18.000000 Move on. And then you go to the next phase, which is called the association 0:04:18.000000 --> 0:04:21.800000 phase. And so that's what we see right here. 0:04:21.800000 --> 0:04:26.080000 So here we have an exchange of authentication request and response frames. 0:04:26.080000 --> 0:04:28.420000 So now we're in the authentication phase. 0:04:28.420000 --> 0:04:31.640000 But because it's open authentication, there's no exchange of passwords 0:04:31.640000 --> 0:04:33.300000 or anything like that. 0:04:33.300000 --> 0:04:36.580000 It does automatically go right through it. 0:04:36.580000 --> 0:04:42.500000 And then we move to the next phase, which is the association phase where 0:04:42.500000 --> 0:04:44.580000 we send an association request. 0:04:44.580000 --> 0:04:48.220000 And we get an association response. 0:04:48.220000 --> 0:04:52.520000 Now, you might ask, well, what's the purpose of this phase right here? 0:04:52.520000 --> 0:04:57.340000 At this phase, it's mostly for the benefit of the access point. 0:04:57.340000 --> 0:05:02.120000 You see, the access point might have some limitations, for example, on 0:05:02.120000 --> 0:05:04.440000 how many clients can connect to it. 0:05:04.440000 --> 0:05:07.520000 Maybe the network administrator set up this access point to have a maximum 0:05:07.520000 --> 0:05:10.820000 of 10 clients connected to it, and that's it. 
0:05:10.820000 --> 0:05:15.120000 Well, he's not going to really enforce that until he gets to this phase 0:05:15.120000 --> 0:05:18.680000 right here. So you can go through the authentication phase, which we just 0:05:18.680000 --> 0:05:20.680000 saw in the access point and says, yep, you're good. 0:05:20.680000 --> 0:05:22.500000 You don't need to give me a pass or anything. 0:05:22.500000 --> 0:05:26.100000 But then when you get to the association request, if this access point 0:05:26.100000 --> 0:05:30.400000 already has the max amount of clients associated to it, now he might say, 0:05:30.400000 --> 0:05:33.080000 association, you know, response negative. 0:05:33.080000 --> 0:05:35.300000 I'm sorry, you can't associate to me. 0:05:35.300000 --> 0:05:41.200000 I'm maxed out. Once you've gone through the association phase like this, 0:05:41.200000 --> 0:05:46.760000 now, at this point, we start doing further authentication and encryption 0:05:46.760000 --> 0:05:50.040000 negotiations if that's actually going to take place. 0:05:50.040000 --> 0:05:52.160000 That would happen right here. 0:05:52.160000 --> 0:05:55.000000 So let me just show you really quickly here. 0:05:55.000000 --> 0:05:59.920000 Here is a Wireshark capture of a whole bunch of Wi-Fi stuff. 0:05:59.920000 --> 0:06:03.080000 And the main thing I want to point out here is we're going to take a look 0:06:03.080000 --> 0:06:04.740000 at the beacon frame. 0:06:04.740000 --> 0:06:09.040000 So I mentioned that getting a beacon frame is how you learn about the 0:06:09.040000 --> 0:06:13.480000 wireless LAN. So let's go ahead and dig into that a little bit more here. 0:06:13.480000 --> 0:06:18.780000 So I've already got the beacon frame selected. 0:06:18.780000 --> 0:06:24.280000 And if we check on this right here, so for example, tag parameters, this 0:06:24.280000 --> 0:06:28.200000 is where we can see things like the SSID, like look at this one. 
0:06:28.200000 --> 0:06:32.140000 This is an example of a wireless LAN where the SSID has been hidden from 0:06:32.140000 --> 0:06:34.460000 us because the SSID is blank. 0:06:34.460000 --> 0:06:37.220000 Normally, that's where you'd see the name of like corporate or payroll 0:06:37.220000 --> 0:06:39.740000 or guest or Starbucks or whatever. 0:06:39.740000 --> 0:06:43.120000 But the fact that it's empty right here means that this wireless LAN, 0:06:43.120000 --> 0:06:47.340000 whoever configured it, turned off that ability so we don't see the SSID. 0:06:47.340000 --> 0:06:48.940000 But here's the main thing I want to show you. 0:06:48.940000 --> 0:06:53.460000 If you scroll down to the very end, you'll see there's a tag called RSN 0:06:53.460000 --> 0:06:58.240000 information. That stands for robust security network. 0:06:58.240000 --> 0:07:01.780000 Not that you'll be asked about that, but that's what RSN stands for. 0:07:01.780000 --> 0:07:06.780000 And if we expand that a little bit, we can see here that says, oh, we're 0:07:06.780000 --> 0:07:09.440000 actually doing encryption on this wireless LAN. 0:07:09.440000 --> 0:07:11.440000 And we've got several different cipher suites. 0:07:11.440000 --> 0:07:15.700000 These are ways or methods of doing encryption that are available. 0:07:15.700000 --> 0:07:18.140000 Oh, we're also doing authentication. 0:07:18.140000 --> 0:07:20.940000 And we use pre-shared key right here. 0:07:20.940000 --> 0:07:23.460000 That's what the PSK stands for, pre-shared keys. 0:07:23.460000 --> 0:07:27.620000 So you can see before I even connect to this wireless LAN, I'm already 0:07:27.620000 --> 0:07:32.040000 told, hey, if you want to connect to me, you need to support this and 0:07:32.040000 --> 0:07:33.940000 you need to support pre-shared key. 0:07:33.940000 --> 0:07:37.980000 If the client doesn't support either one of those, it won't even try to 0:07:37.980000 --> 0:07:39.760000 connect to that wireless LAN. 
0:07:39.760000 --> 0:07:42.740000 So I just want to emphasize that that right from the very beginning when 0:07:42.740000 --> 0:07:47.600000 that wireless LAN is advertised to you, you know what its security characteristics 0:07:47.600000 --> 0:07:55.020000 are. Or if it doesn't have security at all, you'll know that as well. 0:07:55.020000 --> 0:07:59.260000 So authentication in the context of Wi-Fi can be accomplished with or 0:07:59.260000 --> 0:08:01.480000 without encryption. 0:08:01.480000 --> 0:08:04.300000 And there are two ways of doing authentication. 0:08:04.300000 --> 0:08:06.380000 We could authenticate the user. 0:08:06.380000 --> 0:08:09.740000 So this would typically be the case where you as a human being have to 0:08:09.740000 --> 0:08:13.640000 type something in like a passphrase, maybe username and password, but 0:08:13.640000 --> 0:08:17.960000 there's some involvement of the human being behind the keyboard to provide 0:08:17.960000 --> 0:08:19.620000 some credentials. 0:08:19.620000 --> 0:08:22.580000 Or we could authenticate the device itself. 0:08:22.580000 --> 0:08:26.800000 Maybe we have a situation where, hey, just the device based on its MAC 0:08:26.800000 --> 0:08:30.080000 address or something simple like that will be all we need to verify that 0:08:30.080000 --> 0:08:34.800000 device is allowed to be authenticated on the wireless LAN or not. 0:08:34.800000 --> 0:08:41.420000 So this slide here is titled stand-alone authentication. 0:08:41.420000 --> 0:08:45.540000 What I really mean by that is there are wireless LANs that exist, many 0:08:45.540000 --> 0:08:49.980000 wireless LANs that exist, that require you to type in what's called a 0:08:49.980000 --> 0:08:53.080000 passphrase. You could think of this as like a password, but technically 0:08:53.080000 --> 0:08:55.180000 it's called a passphrase. 0:08:55.180000 --> 0:08:58.300000 And the passphrase authenticates you on the wireless LAN. 
0:08:58.300000 --> 0:09:02.900000 Now remember, this is after the authentication phase, after the association 0:09:02.900000 --> 0:09:07.100000 phase, now is where you'd have to type in your password. 0:09:07.100000 --> 0:09:09.920000 But when I talk about a stand-alone authentication, I'm talking about 0:09:09.920000 --> 0:09:13.340000 a wireless LAN that has no encryption whatsoever. 0:09:13.340000 --> 0:09:17.820000 It's requiring a password of you, but once you authenticate and you're 0:09:17.820000 --> 0:09:20.280000 associated, it's not going to encrypt your data. 0:09:20.280000 --> 0:09:23.120000 Your data is still unsecured. 0:09:23.120000 --> 0:09:24.860000 Now what are some ways that we can do that? 0:09:24.860000 --> 0:09:28.140000 If we actually want to do that, how could we provide that type of authentication? 0:09:28.140000 --> 0:09:31.520000 Well, initially there was something called pre-shared key, not going to 0:09:31.520000 --> 0:09:35.140000 talk about that because that's been deprecated for decades. 0:09:35.140000 --> 0:09:39.760000 Very popular form of doing this, probably the most popular form, is what's 0:09:39.760000 --> 0:09:41.700000 called web authentication. 0:09:41.700000 --> 0:09:44.920000 Sometimes you'll also see this called captive portal. 0:09:44.920000 --> 0:09:46.320000 It means the same thing. 0:09:46.320000 --> 0:09:50.040000 Basically it means that, okay, well, after you connect to the wireless 0:09:50.040000 --> 0:09:54.920000 LAN and you bring up your web browser, you'll see a little web page there. 0:09:54.920000 --> 0:09:58.720000 They'll say, please type in your password, or please type in your last 0:09:58.720000 --> 0:10:01.760000 name and your hotel room number or something like that. 0:10:01.760000 --> 0:10:06.000000 That's what we mean by captive portal, where some web page will authenticate 0:10:06.000000 --> 0:10:09.320000 you before you're allowed to go any further onto the wireless LAN. 
0:10:09.320000 --> 0:10:14.460000 Now, 802.1x could also be used, not used a lot. 0:10:14.460000 --> 0:10:17.480000 And what I mean by that is, when you see a wireless LAN that actually 0:10:17.480000 --> 0:10:22.820000 has 802.1x implemented, 99% of the time, they're using that because they 0:10:22.820000 --> 0:10:24.940000 also want to do encryption. 0:10:24.940000 --> 0:10:30.260000 So although 802.1x does have the ability to simply authenticate a user, 0:10:30.260000 --> 0:10:34.560000 and then that's it, no encryption provided, very rarely will you see 802.1x 0:10:34.560000 --> 0:10:36.880000 actually doing that. 0:10:36.880000 --> 0:10:40.620000 And then we could also do MAC authentication, where we simply just authenticate 0:10:40.620000 --> 0:10:43.300000 based on the MAC address of the client. 0:10:43.300000 --> 0:10:46.740000 Back in the early days of wireless LANs, you could actually go into an 0:10:46.740000 --> 0:10:51.140000 access point and type in manually the MAC addresses of every client if 0:10:51.140000 --> 0:10:54.840000 you knew them in advance that you would want to be authenticated onto 0:10:54.840000 --> 0:10:55.980000 your wireless LAN. 0:10:55.980000 --> 0:10:58.040000 These days, people don't really do that. 0:10:58.040000 --> 0:11:02.780000 They rely on something like an 802.1x server to do that type of thing. 0:11:02.780000 --> 0:11:08.380000 And you can see here in this example that whenever a wireless LAN, like 0:11:08.380000 --> 0:11:12.720000 we see here under the security section of however your graphic displays 0:11:12.720000 --> 0:11:18.560000 on your laptop, if it says security is none, that simply means there's 0:11:18.560000 --> 0:11:22.520000 no encryption. You might still have to type in a password, but you're 0:11:22.520000 --> 0:11:26.380000 not going to get any encryption benefits connecting to that wireless LAN. 0:11:26.380000 --> 0:11:31.560000 So that's what I call an unsecured wireless LAN. 
0:11:31.560000 --> 0:11:35.960000 Now, there's another way that you can identify wireless LANs as being 0:11:35.960000 --> 0:11:37.740000 secured or unsecured. 0:11:37.740000 --> 0:11:41.720000 And remember, unsecured means there's no data confidentiality. 0:11:41.720000 --> 0:11:45.200000 You might have to type in a password, and that's typically done via a 0:11:45.200000 --> 0:11:49.480000 captive portal, via some web page, but you're not going to get any encryption. 0:11:49.480000 --> 0:11:51.380000 And this is what you'd see, right? 0:11:51.380000 --> 0:11:53.140000 Look at the difference here between these two. 0:11:53.140000 --> 0:11:57.500000 A couple of these wireless LANs have a padlock next to them. 0:11:57.500000 --> 0:12:02.000000 So this is the operating system like macOS or Windows. 0:12:02.000000 --> 0:12:06.160000 You know, when it receives a beacon and the Wi-Fi beacon says, hey, I'm 0:12:06.160000 --> 0:12:07.040000 doing encryption. 0:12:07.040000 --> 0:12:10.280000 I'm doing AES or I'm doing TKIP or something. 0:12:10.280000 --> 0:12:13.320000 The operating system will say, okay, well, I'm going to put a little padlock 0:12:13.320000 --> 0:12:15.060000 right next to that wireless LAN. 0:12:15.060000 --> 0:12:17.380000 So that's how you know that that is doing encryption. 0:12:17.380000 --> 0:12:19.900000 That is a secured wireless LAN. 0:12:19.900000 --> 0:12:23.520000 However, cable Wi-Fi down there on the bottom, we don't see any padlock 0:12:23.520000 --> 0:12:26.460000 on that. So that is an unsecured wireless LAN. 0:12:26.460000 --> 0:12:29.480000 Now, does that require some sort of authentication or not? 0:12:29.480000 --> 0:12:31.360000 Well, let's take a look at the next slide. 0:12:31.360000 --> 0:12:35.520000 If I actually clicked on cable Wi-Fi and I connected to it, this is what 0:12:35.520000 --> 0:12:39.780000 I would see. Yes, it actually is doing some sort of authentication. 
0:12:39.780000 --> 0:12:45.660000 It would require me to click on the provider that I'm using for my cable, 0:12:45.660000 --> 0:12:47.300000 Cox cable or Optimum cable. 0:12:47.300000 --> 0:12:52.360000 And then after that, it would most likely ask me to type in my Xfinity 0:12:52.360000 --> 0:12:55.540000 username and password and then it would allow me on. 0:12:55.540000 --> 0:12:58.400000 Now, remember, there was no padlock there. 0:12:58.400000 --> 0:13:02.180000 So they're going to force me to go through all these steps to authenticate. 0:13:02.180000 --> 0:13:04.500000 But I'm not really going to get any benefits of this wireless LAN because 0:13:04.500000 --> 0:13:07.380000 there's not going to be any encryption whatsoever. 0:13:07.380000 --> 0:13:12.100000 So that concludes this particular video and I hope it was useful to you.