Sunday, March 31, 2019

L2 Authentication WPA2 PSK (personal) and 802.1x (enterprise).


It is important to understand the difference between authentication and encryption.





I will not explain the difference between WPA and WPA2 encryption, but as far as the IEEE is concerned WPA 1 has been deprecated, and in the Meraki world if you were to choose it you are also choosing to use TKIP.

This protocol is deprecated because of how easily it can be broken nowadays. So please just use WPA2, which will also use AES. Nevertheless, at the level at which we are going to explain the subject, the process is the same.

Having said that, the following process happens after association is complete. There is a difference in how the encryption keys are built depending on the authentication method we use.

Both authentications will follow the 4-way handshake protocol:



But what does this mean?

Ok, so first let's establish what they are doing: what is the goal of this? Well, we need an encryption key that only the access point and the client know, so nobody else can understand the communication and everything stays private.

For this, the first thing to note is that, before the 4-way handshake even begins, both sides already have a key they both know.

In this case that is the PSK; both the client and the access point already know it, so based on this key, which from now on we will call the PMK (Pairwise Master Key), we can start the process. It is important to mention that this key is never transmitted over the air, which adds more security to the encryption.

4-way Handshake:

The goal here to create the keys is to have the following information:

  • PMK
  • Anonce
  • Snonce
  • Access point MAC Address.
  • Supplicant (client) MAC address.


Once either the station or the access point has these five values, it can generate the encryption key.

M-1.- Message 1. This is sent from the access point to the station (client) and it includes the Anonce, which is a code (Authenticator number used once) generated by the access point.

Once the station gets the Anonce, it has all the information it needs to generate a key, since it already knew all the other data. It installs this key, which is called the PTK (pairwise transient key), and it will be used for all UNICAST communication.





M-2.- Message 2. In this message the station sends the Snonce (supplicant number used once) and includes a MIC (message integrity code) so the access point can verify the information has not been tampered with.

The access point now has all the data required to generate and install its own PTK, and it uses this key to check the MIC and confirm it is correct. At this point we are ready to have all our unicast communication encrypted.





M-3.- Message 3. Both the access point and the station now have unicast keys, but we still need encryption for group communication. This group key is generated by the access point and sent to the station, again with MIC protection; since the station already has its key it will be able to decrypt it.

Once received and decrypted, the station installs the GTK too, so both the access point and the station now have a PTK and a GTK and can encrypt all the necessary data.





M-4.- Message 4. The station just says: ok, I got it, we are good, let's talk!





Station and access point are good to talk at this point.

But wait, remember I told you about the PMK and how, depending on the authentication method, this works differently?

On 802.1x the only difference is that this 4-way handshake happens after the EAP process, and the PMK is generated from the output of the EAP process. So, the flow is different, as you can see below: instead of going to the 4-way handshake right after association, it goes to the EAP process and then to the 4-way handshake.






The 4-way handshake remains the same.
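To make the key material in the handshake above concrete, here is an added Python example (not code from the original post or from Meraki) that derives the PMK from a passphrase in the PSK case, builds the PTK from the five inputs listed earlier, and computes and verifies the MIC on a constructed message 2. The MAC addresses, nonces, passphrase and SSID used in `demo()` are constructed values; the only real vector is the IEEE 802.11i Annex H test case (passphrase "password", SSID "IEEE") used to check the PMK derivation. With 802.1x the 32-byte PMK would simply arrive from the EAP exchange instead of `pmk_from_passphrase`, and `derive_ptk` onward is unchanged, which is exactly why the handshake "remains the same".

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: the PSK is the PMK. It is derived once from the passphrase
    with PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output, salted with the SSID.
    It is never sent over the air; only its derivatives are used on the wire."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def _prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label | 0x00 | data | i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """The five inputs from the post go in; the PTK (KCK | KEK | TK for CCMP) comes out.
    min()/max() ordering means AP and station compute the same key whatever their role."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = _prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# EAPOL-Key layout: 802.1X header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + IV (16) + RSC (8) + reserved (8) = 81 bytes before the MIC
MIC_OFFSET = 81
NONCE_OFFSET = 17


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the whole EAPOL-Key frame with its 16-byte MIC field zeroed.
    Key descriptor version 2 (WPA2 with AES): HMAC-SHA1 truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(kck: bytes, snonce: bytes, replay_counter: int = 1, key_data: bytes = b"") -> bytes:
    """Constructed message 2 (station -> AP): carries SNonce and a MIC keyed with the KCK.
    Key info 0x010A = descriptor version 2 | pairwise key | MIC present."""
    body = b"\x02"                                  # RSN key descriptor type
    body += (0x010A).to_bytes(2, "big")             # key info
    body += (16).to_bytes(2, "big")                 # key length (CCMP TK)
    body += replay_counter.to_bytes(8, "big")
    body += snonce
    body += b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # IV, RSC, reserved
    body += b"\x00" * 16                            # MIC placeholder
    body += len(key_data).to_bytes(2, "big") + key_data
    frame = bytes([0x02, 0x03]) + len(body).to_bytes(2, "big") + body  # EAPOL v2, type Key
    mic = eapol_key_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def verify_msg2(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, frame: bytes):
    """AP side: pull SNonce out of message 2, derive its own PTK, then check the MIC.
    A MIC mismatch means the station does not hold the same PMK or the frame was altered."""
    snonce = frame[NONCE_OFFSET:NONCE_OFFSET + 32]
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    received = frame[MIC_OFFSET:MIC_OFFSET + 16]
    ok = hmac.compare_digest(received, eapol_key_mic(ptk["kck"], frame))
    return ok, ptk


def demo() -> dict:
    """Walk M1 and M2 with constructed inputs (real nonces come from os.urandom)."""
    pmk = pmk_from_passphrase("correct horse battery", "ExampleNet")  # constructed
    aa = bytes.fromhex("001122334455")    # constructed AP MAC
    spa = bytes.fromhex("66778899aabb")   # constructed station MAC
    anonce = bytes(range(32))             # constructed ANonce (sent in M1)
    snonce = bytes(range(32, 64))         # constructed SNonce (sent in M2)
    sta_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)   # station has all five inputs after M1
    m2 = build_msg2(sta_ptk["kck"], snonce)
    ok, ap_ptk = verify_msg2(pmk, aa, spa, anonce, m2)
    tampered = m2[:20] + bytes([m2[20] ^ 1]) + m2[21:]   # flip a replay-counter byte
    bad, _ = verify_msg2(pmk, aa, spa, anonce, tampered)
    return {"mic_ok": ok, "tampered_ok": bad, "same_ptk": sta_ptk == ap_ptk}


if __name__ == "__main__":
    print(demo())
```

The MIC in message 2 is what lets the access point confirm, without ever seeing the PMK, that the station derived the same PTK; the tampered frame in `demo()` shows that any change to the message after the MIC was computed fails that check.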



As always, here is some useful data, and I highly recommend watching this video.



Cheers!