1 00:00:00,140 --> 00:00:02,270 WPA3. 2 00:00:02,270 --> 00:00:06,010 In this lesson, we're going to talk about WPA3. 3 00:00:06,010 --> 00:00:10,330 Now, previously we've talked about WEP, WPA, and WPA2, 4 00:00:10,330 --> 00:00:14,250 but now, we're going to bring in the latest version, WPA3. 5 00:00:14,250 --> 00:00:15,810 Now, when we talk about WPA3, 6 00:00:15,810 --> 00:00:19,380 this is just known as Wi-Fi Protected Access 3, 7 00:00:19,380 --> 00:00:21,920 WPA3 is the shortened name for that. 8 00:00:21,920 --> 00:00:24,650 This was introduced back in 2018, and it was designed 9 00:00:24,650 --> 00:00:28,560 to strengthen the flaws that we found inside WPA2. 10 00:00:28,560 --> 00:00:32,010 Now, when we talk about WPA3, this is the latest and greatest 11 00:00:32,010 --> 00:00:34,340 incarnation of wireless security. 12 00:00:34,340 --> 00:00:38,100 If your access point supports it, you should be using WPA3, 13 00:00:38,100 --> 00:00:41,530 if it doesn't, then you're going to be stuck with WPA2. 14 00:00:41,530 --> 00:00:45,090 Now, WPA3 has an equivalent cryptographic strength 15 00:00:45,090 --> 00:00:49,160 of 192 bits when you're using it in Enterprise Mode, 16 00:00:49,160 --> 00:00:53,310 now, that means it is much stronger than we had in WPA2. 17 00:00:53,310 --> 00:00:55,070 Now, as we move into WPA3, 18 00:00:55,070 --> 00:00:56,350 we have two different modes, 19 00:00:56,350 --> 00:00:58,330 we have the Enterprise Mode mentioned here 20 00:00:58,330 --> 00:00:59,880 and we have Personal Mode. 21 00:00:59,880 --> 00:01:02,470 When we talk about WPA3-Enterprise Mode, 22 00:01:02,470 --> 00:01:04,950 we're talking about the business use case 23 00:01:04,950 --> 00:01:06,920 and this gives you additional security. 24 00:01:06,920 --> 00:01:11,080 It's going to use an AES algorithm with 256 bits of encryption 25 00:01:11,080 --> 00:01:15,060 and it's going to use a SHA-384 hash for integrity checking. 
26 00:01:15,060 --> 00:01:17,580 Now, I know we haven't talked about cryptography yet, 27 00:01:17,580 --> 00:01:18,690 we're going to get there later 28 00:01:18,690 --> 00:01:20,920 but as you're going to see in the cryptography lesson, 29 00:01:20,920 --> 00:01:22,340 the larger these numbers are, 30 00:01:22,340 --> 00:01:24,740 that means the larger the bit size of the key, 31 00:01:24,740 --> 00:01:27,550 and that means it can be a stronger algorithm. 32 00:01:27,550 --> 00:01:29,120 Now, when you look at the Personal Mode, 33 00:01:29,120 --> 00:01:30,930 it's a little less strong. 34 00:01:30,930 --> 00:01:35,500 When you look at WPA3-Personal Mode, it uses CCMP-128 35 00:01:35,500 --> 00:01:38,090 and that means it's using a 128-bit key 36 00:01:38,090 --> 00:01:41,450 inside of an AES algorithm inside CCMP. 37 00:01:41,450 --> 00:01:43,360 Now, this is the minimum encryption required 38 00:01:43,360 --> 00:01:46,410 for secure connectivity within Personal Mode. 39 00:01:46,410 --> 00:01:48,460 There are some options to go higher than that 40 00:01:48,460 --> 00:01:52,090 but again, it's going to depend on your particular access point. 41 00:01:52,090 --> 00:01:54,380 Now, when we start talking about WPA3, 42 00:01:54,380 --> 00:01:56,930 what was really the big change here, 43 00:01:56,930 --> 00:01:58,860 besides increasing the cryptography a little bit 44 00:01:58,860 --> 00:02:00,430 by increasing those key sizes, 45 00:02:00,430 --> 00:02:02,730 there was one really big improvement 46 00:02:02,730 --> 00:02:05,810 and it's the removal of the Pre-Shared Key exchange. 
47 00:02:05,810 --> 00:02:07,300 Now, if you remember when we talked about 48 00:02:07,300 --> 00:02:10,169 WEP and WPA and WPA2, we talked about the fact 49 00:02:10,169 --> 00:02:12,410 that they all had this Pre-Shared Key 50 00:02:12,410 --> 00:02:14,700 and when we exchange that key over the network, 51 00:02:14,700 --> 00:02:16,520 we could have a man-in-the-middle attack 52 00:02:16,520 --> 00:02:17,790 or somebody snooping 53 00:02:17,790 --> 00:02:20,190 and grab that key out and then crack it. 54 00:02:20,190 --> 00:02:23,030 Now, with WPA3, that's not possible 55 00:02:23,030 --> 00:02:25,080 because we've removed that key exchange, 56 00:02:25,080 --> 00:02:26,650 instead, we use what's known 57 00:02:26,650 --> 00:02:30,850 as a Simultaneous Authentication of Equals or SAE. 58 00:02:30,850 --> 00:02:33,130 This is a secure password-based authentication 59 00:02:33,130 --> 00:02:36,130 and password-authenticated key agreement method. 60 00:02:36,130 --> 00:02:38,430 Now, by doing this, what we end up doing 61 00:02:38,430 --> 00:02:41,440 is using this thing known as forward secrecy. 62 00:02:41,440 --> 00:02:43,440 Now, what is forward secrecy? 63 00:02:43,440 --> 00:02:47,030 Well, forward secrecy, also known as perfect forward secrecy, 64 00:02:47,030 --> 00:02:51,230 is a feature of a key agreement protocol, just like SAE has, 65 00:02:51,230 --> 00:02:53,240 that provides assurance that the session keys 66 00:02:53,240 --> 00:02:56,150 will not be compromised even if the long-term secrets 67 00:02:56,150 --> 00:02:59,250 used in the session key exchange have been compromised. 68 00:02:59,250 --> 00:03:03,140 Now, this is a really big deal because even if somebody gets 69 00:03:03,140 --> 00:03:05,920 the long-term password that you have for your network, 70 00:03:05,920 --> 00:03:09,450 they still can't go in and authenticate as you, 71 00:03:09,450 --> 00:03:13,000 this protocol, this forward secrecy, is going to prevent that. 
72 00:03:13,000 --> 00:03:14,890 Now, the way forward secrecy works 73 00:03:14,890 --> 00:03:17,190 is it goes through a five-step process. 74 00:03:17,190 --> 00:03:19,440 The first step only happens once. 75 00:03:19,440 --> 00:03:21,280 This is when your access point and your client 76 00:03:21,280 --> 00:03:22,750 use a public key system 77 00:03:22,750 --> 00:03:25,420 to generate a pair of long-term keys. 78 00:03:25,420 --> 00:03:27,230 That is that long-term key I just mentioned 79 00:03:27,230 --> 00:03:28,930 that if this is compromised, 80 00:03:28,930 --> 00:03:31,170 the rest of the system isn't compromised 81 00:03:31,170 --> 00:03:34,120 and that's the big difference here with WPA3. 82 00:03:34,120 --> 00:03:36,670 Now, the second step is that the access point and the client 83 00:03:36,670 --> 00:03:39,320 are going to exchange a one-time-use session key. 84 00:03:39,320 --> 00:03:41,410 They're going to use some kind of a secure algorithm to do it, 85 00:03:41,410 --> 00:03:43,980 that might be something like Diffie-Hellman, for instance. 86 00:03:43,980 --> 00:03:44,930 Now, what am I talking about 87 00:03:44,930 --> 00:03:46,830 with this one-time use session key? 88 00:03:46,830 --> 00:03:49,320 Well, let's say you and I wanted to connect to each other, 89 00:03:49,320 --> 00:03:51,740 we want to make sure we talk to each other securely. 90 00:03:51,740 --> 00:03:54,080 Well, we want to send some encryption over that tunnel, 91 00:03:54,080 --> 00:03:56,420 to do that, we need to have a shared secret 92 00:03:56,420 --> 00:03:57,950 that we can encrypt that tunnel with. 93 00:03:57,950 --> 00:03:59,070 Well, here in step two, 94 00:03:59,070 --> 00:04:01,610 the access point is going to create this one-time session key 95 00:04:01,610 --> 00:04:03,200 by creating a random number. 
96 00:04:03,200 --> 00:04:05,650 It's going to send it as part of the key exchange, 97 00:04:05,650 --> 00:04:08,430 using that long-term key from step one over to the client 98 00:04:08,430 --> 00:04:09,780 and do an authentication. 99 00:04:09,780 --> 00:04:12,530 Now, you know what the key is and I know what the key is 100 00:04:12,530 --> 00:04:15,200 and we can both use that to secure the tunnel. 101 00:04:15,200 --> 00:04:16,090 Then, we go on to step three 102 00:04:16,090 --> 00:04:17,960 and this is where the access point 103 00:04:17,960 --> 00:04:20,250 starts sending client messages and encrypts them 104 00:04:20,250 --> 00:04:22,950 individually using that session key created. 105 00:04:22,950 --> 00:04:25,140 So, we created this key in step two, 106 00:04:25,140 --> 00:04:27,310 we've done the key exchange using Diffie-Hellman, 107 00:04:27,310 --> 00:04:29,270 so you know what it is and I know it is, 108 00:04:29,270 --> 00:04:31,230 and now, every time I send a message, 109 00:04:31,230 --> 00:04:32,970 I'm going to encrypt it using that key, 110 00:04:32,970 --> 00:04:34,430 which means when you get that message, 111 00:04:34,430 --> 00:04:35,920 you can decrypt it on your side 112 00:04:35,920 --> 00:04:37,950 because you know what that key is. 113 00:04:37,950 --> 00:04:38,930 The fourth step 114 00:04:38,930 --> 00:04:40,970 is that the client is going to decrypt that message, 115 00:04:40,970 --> 00:04:43,130 they're going to do that with that one-time use session key 116 00:04:43,130 --> 00:04:44,250 that we just talked about. 117 00:04:44,250 --> 00:04:46,190 And then we move into our fifth step, 118 00:04:46,190 --> 00:04:49,090 which is where we repeat this process over and over again 119 00:04:49,090 --> 00:04:51,810 for every single message that's being sent. 120 00:04:51,810 --> 00:04:55,850 This way, we can do this using that one-time use session key 121 00:04:55,850 --> 00:04:57,570 over and over and over again. 
122 00:04:57,570 --> 00:05:00,270 Now, how do we maintain forward secrecy, though? 123 00:05:00,270 --> 00:05:03,750 Well, notice I said, we're going to go back to step two, 124 00:05:03,750 --> 00:05:07,170 step two is where we create a new one-time use session key. 125 00:05:07,170 --> 00:05:10,230 So, we create a session key, we encrypt the message, 126 00:05:10,230 --> 00:05:12,250 I send it to you, you decrypt the message 127 00:05:12,250 --> 00:05:13,740 and then we start over 128 00:05:13,740 --> 00:05:15,930 and we get another one-time use session key. 129 00:05:15,930 --> 00:05:19,340 So, even if you get the session key that I'm using right now, 130 00:05:19,340 --> 00:05:21,300 in a minute, it's not going to be valid anymore 131 00:05:21,300 --> 00:05:23,420 because we're constantly using new keys, 132 00:05:23,420 --> 00:05:26,460 that's the benefit of WPA3 over its predecessors 133 00:05:26,460 --> 00:05:29,250 and that's how it maintains perfect forward secrecy. 134 00:05:29,250 --> 00:05:31,730 Now, I know this may seem a little confusing 135 00:05:31,730 --> 00:05:33,980 because we're talking about some encryption techniques 136 00:05:33,980 --> 00:05:35,530 that you may not have heard of yet, 137 00:05:35,530 --> 00:05:37,810 don't worry, we're going to cover encryption in depth 138 00:05:37,810 --> 00:05:39,350 as we go through this course, 139 00:05:39,350 --> 00:05:41,250 but because we already talked about wireless networks, 140 00:05:41,250 --> 00:05:43,930 it made sense to talk about WPA3 here. 141 00:05:43,930 --> 00:05:45,430 Now, this concept that I just covered 142 00:05:45,430 --> 00:05:47,840 with the key exchange protocol and the way this works, 143 00:05:47,840 --> 00:05:50,150 this is actually a review from your Network+ studies. 144 00:05:50,150 --> 00:05:52,880 So, if you've jumped into Security+ before doing Network+, 145 00:05:52,880 --> 00:05:55,090 this may seem a little foreign to you. 
146 00:05:55,090 --> 00:05:57,200 If you need to look up the information on this, 147 00:05:57,200 --> 00:05:59,670 go ahead and Google Diffie-Hellman key exchange 148 00:05:59,670 --> 00:06:01,390 and you'll get an idea of how this works 149 00:06:01,390 --> 00:06:03,830 or type in TLS key exchange 150 00:06:03,830 --> 00:06:06,130 and you can go more in depth that way as well.