1
00:00:04,349 --> 00:00:07,889
This is a free, complete course for the CCNA.
2
00:00:07,889 --> 00:00:11,899
If you like these videos, please subscribe\n
3
00:00:11,900 --> 00:00:16,769
Also, please like and leave a comment, and\n
4
00:00:19,649 --> 00:00:23,038
In this video we will look at wireless network\nsecurity.
5
00:00:23,039 --> 00:00:30,830
Specifically, exam topic 1.11.d, encryption,\n
6
00:00:35,250 --> 00:00:39,409
You’ve probably noticed by now that there\n
7
00:00:39,409 --> 00:00:43,018
learn to understand wireless networks.
8
00:00:43,018 --> 00:00:47,609
Wireless security is no exception, and this\n
9
00:00:48,609 --> 00:00:54,530
So, take notes and do extra research if you\n
10
00:00:54,530 --> 00:00:59,739
of the concepts introduced in this video before\n
11
00:01:02,149 --> 00:01:06,260
First I’ll give a brief introduction to\n
12
00:01:08,829 --> 00:01:13,780
Then I’ll introduce various authentication\n
13
00:01:13,780 --> 00:01:17,609
to the most secure methods used in modern\nnetworks.
14
00:01:17,609 --> 00:01:21,890
Then I’ll introduce various encryption and\nintegrity methods.
15
00:01:21,890 --> 00:01:25,960
Encryption plays a role in all kinds of networks,\n
16
00:01:25,959 --> 00:01:30,829
networks because a signal can be received\n
17
00:01:33,180 --> 00:01:38,180
And integrity means making sure that messages\n
18
00:01:40,019 --> 00:01:46,099
Finally we’ll look at Wi-Fi Protected Access,\n
19
00:01:46,099 --> 00:01:50,478
to provide standard sets of wireless network\nsecurity protocols.
20
00:01:50,478 --> 00:01:54,489
Watch until the end of the video for a bonus\n
21
00:01:54,489 --> 00:02:01,390
ExSim for CCNA, the best practice exams for\nthe CCNA.
22
00:02:01,390 --> 00:02:04,120
As you know, security is important in all\nnetworks.
23
00:02:04,120 --> 00:02:08,219
However, it’s even more essential in wireless\nnetworks.
24
00:02:08,219 --> 00:02:13,050
The main reason for that is: because wireless\n
25
00:02:13,050 --> 00:02:17,019
device within range of the signal can receive\nthe traffic.
26
00:02:17,020 --> 00:02:22,469
In wired networks, traffic is often only encrypted\n
27
00:02:23,469 --> 00:02:28,310
You usually don’t encrypt wired traffic\n
28
00:02:28,310 --> 00:02:33,009
But in wireless networks, it is very important\n
29
00:02:34,180 --> 00:02:39,920
That’s because, as I said before, any device\n
30
00:02:39,919 --> 00:02:44,509
traffic, but we want to ensure that only the\n
31
00:02:45,509 --> 00:02:51,299
So, in this video we will cover three main\n
32
00:02:52,300 --> 00:02:56,969
You’ve heard these terms before, but let’s\n
33
00:02:56,969 --> 00:03:01,509
We’ll look at these in more depth later\n
34
00:03:05,830 --> 00:03:10,700
As mentioned in the previous video, all clients\n
35
00:03:13,259 --> 00:03:18,139
Authentication just means verifying the identity\n
36
00:03:18,139 --> 00:03:22,568
In a corporate setting, only trusted users\n
37
00:03:23,568 --> 00:03:28,789
However, a separate SSID which doesn’t have\n
38
00:03:31,580 --> 00:03:37,020
Those guest SSIDs have less strict authentication\n
39
00:03:37,020 --> 00:03:41,810
to the Internet, not to internal company resources.
40
00:03:41,810 --> 00:03:47,080
Not only should the AP authenticate the identity\n
41
00:03:47,080 --> 00:03:52,270
authenticate the AP to avoid associating with\na malicious AP.
42
00:03:52,270 --> 00:03:57,269
A malicious AP could trick users into associating\n
43
00:03:57,269 --> 00:04:00,360
such as a man-in-the-middle attack.
44
00:04:00,360 --> 00:04:05,250
There are multiple ways that authentication\n
45
00:04:05,250 --> 00:04:12,189
a username and password combination, or with\n
46
00:04:12,189 --> 00:04:17,310
For review, remember that before associating\n
47
00:04:17,310 --> 00:04:19,649
an authentication process like this.
48
00:04:19,649 --> 00:04:24,748
Okay, we’ll look at authentication in more\n
49
00:04:30,149 --> 00:04:35,348
Traffic sent between clients and APs, so any\n
50
00:04:35,348 --> 00:04:39,728
it can’t be read by anyone except the AP\nand the client.
51
00:04:39,728 --> 00:04:44,008
You should know this already, but encryption\n
52
00:04:44,009 --> 00:04:47,910
the sender and the intended recipient can\nread it.
53
00:04:47,910 --> 00:04:51,840
There are many possible protocols that can\n
54
00:04:51,839 --> 00:04:56,848
It’s important that the sender and recipient\n
55
00:04:56,848 --> 00:04:59,389
like they are speaking different languages.
56
00:04:59,389 --> 00:05:04,110
The recipient wouldn’t be able to decrypt\nthe sender’s messages.
57
00:05:04,110 --> 00:05:08,980
Note that all devices on the wireless LAN\n
58
00:05:08,980 --> 00:05:13,949
each client will use a unique encryption and\n
59
00:05:16,019 --> 00:05:20,719
Only the AP will have the appropriate key\n
60
00:05:20,720 --> 00:05:25,080
clients won’t be able to decrypt it because\n
61
00:05:25,079 --> 00:05:29,550
However there is also a ‘group key’ which\n
62
00:05:32,180 --> 00:05:36,689
All of those clients keep a copy of that group\n
63
00:05:36,689 --> 00:05:41,560
Again, we’ll look at wireless encryption\n
64
00:05:41,560 --> 00:05:47,240
that let’s introduce the final concept,\nintegrity.
65
00:05:47,240 --> 00:05:51,509
As explained in the security fundamentals\n
66
00:05:51,509 --> 00:05:55,680
a message is not modified by a third party,\n
67
00:05:55,680 --> 00:06:00,939
So, the message that is sent by the source\n
68
00:06:00,939 --> 00:06:04,080
is received by the destination host.
69
00:06:04,079 --> 00:06:10,120
To ensure that, a MIC, message integrity check,\n
70
00:06:11,478 --> 00:06:16,329
To demonstrate how it works, let’s say the\n
71
00:06:17,329 --> 00:06:23,139
First, the sender calculates a MIC for the\n
72
00:06:23,139 --> 00:06:27,038
Just like encryption, there are many different\n
73
00:06:27,038 --> 00:06:31,490
MIC, and it’s important that the sender\n
74
00:06:31,490 --> 00:06:36,788
Then the sender encrypts the message and MIC,\n
75
00:06:36,788 --> 00:06:41,930
The recipient decrypts the message, and then\n
76
00:06:41,930 --> 00:06:44,709
using the same protocol as the sender.
77
00:06:44,709 --> 00:06:49,638
It compares the two MICs, and if the MIC calculated\n
78
00:06:49,639 --> 00:06:55,240
recipient are the same, the recipient assumes\n
79
00:06:55,240 --> 00:06:58,908
Note that if the two MICs aren’t the same,\n
80
00:06:59,908 --> 00:07:05,028
So, instead of saying a MIC helps to protect\n
81
00:07:05,028 --> 00:07:09,899
accurate to say that it helps to identify\n
82
00:07:11,249 --> 00:07:15,159
If the integrity has been compromised, the\n
83
00:07:15,158 --> 00:07:20,829
Now let’s move on to look at various wireless\n
84
00:07:20,829 --> 00:07:25,908
This will just be an overview of various authentication\n
85
00:07:25,908 --> 00:07:28,288
However, we will be covering a lot of them.
86
00:07:28,288 --> 00:07:31,288
Here they are, 7 different methods.
87
00:07:31,288 --> 00:07:34,658
The good news is you don’t need to know\nany of them in depth.
88
00:07:34,658 --> 00:07:37,370
Just a basic understanding of each is fine.
89
00:07:39,249 --> 00:07:44,189
Even though you only need a basic understanding,\n
90
00:07:44,189 --> 00:07:47,189
methods when first learning them.
91
00:07:47,189 --> 00:07:52,300
The original 802.11 standard included two\n
92
00:07:52,300 --> 00:07:55,968
The first one is open authentication, which\nis very simple.
93
00:07:55,968 --> 00:08:00,399
The client sends an authentication request,\n
94
00:08:00,399 --> 00:08:03,378
No questions asked, no credentials required.
95
00:08:03,379 --> 00:08:07,039
So, this is clearly not a secure authentication\nmethod.
96
00:08:07,038 --> 00:08:10,188
The AP just accepts all authentication requests.
97
00:08:10,189 --> 00:08:16,000
However, it is still used today in combination\n
98
00:08:16,000 --> 00:08:20,689
After the client is authenticated and associated\n
99
00:08:20,689 --> 00:08:26,050
user to authenticate via other methods before\n
100
00:08:26,050 --> 00:08:29,619
Think about Starbucks WiFi, or other public\nWiFi.
101
00:08:29,619 --> 00:08:34,470
You might be free to associate your device\n
102
00:08:34,470 --> 00:08:40,460
but then you are probably required to login\n
103
00:08:40,460 --> 00:08:44,889
After that authentication, your device is\n
104
00:08:44,889 --> 00:08:50,019
So, open authentication itself is not secure\n
105
00:08:51,909 --> 00:08:58,319
Then the second method in the 802.11 standard\n
106
00:08:58,320 --> 00:09:03,330
Actually WEP is not just an authentication\n
107
00:09:03,330 --> 00:09:06,889
For encryption, it uses the RC4 algorithm.
108
00:09:06,889 --> 00:09:11,769
If you’re curious about RC4 try reading\n
109
00:09:14,210 --> 00:09:19,050
WEP is a shared-key protocol, it requires\n
110
00:09:21,149 --> 00:09:26,399
Those WEP keys can be 40 bits or 104 bits\nin length.
111
00:09:26,399 --> 00:09:31,139
However those above keys are combined with\n
112
00:09:31,139 --> 00:09:34,699
total length to 64 bits or 128 bits.
113
00:09:34,700 --> 00:09:39,379
Again, read up on wikipedia if you’re curious\n
114
00:09:39,379 --> 00:09:42,529
but you don’t have to know it for the CCNA.
115
00:09:42,529 --> 00:09:48,829
Now, usually longer key lengths are more secure,\n
116
00:09:50,840 --> 00:09:54,220
You definitely should not use WEP on modern\nwireless networks.
117
00:09:54,220 --> 00:09:59,680
So, that’s WEP encryption, but how can WEP\n
118
00:10:01,399 --> 00:10:05,129
First, the AP sends a ‘challenge phrase’.
119
00:10:05,129 --> 00:10:09,070
This is just a series of bits, the actual\ncontents don’t matter.
120
00:10:09,070 --> 00:10:14,440
The client then encrypts the challenge phrase\n
121
00:10:14,440 --> 00:10:19,000
Finally the AP takes the client’s encrypted\n
122
00:10:20,610 --> 00:10:26,139
If they match, it means the AP and client\n
123
00:10:26,139 --> 00:10:28,539
the authentication is successful.
124
00:10:28,539 --> 00:10:34,000
Basically, the AP is just testing if the client\n
125
00:10:34,000 --> 00:10:38,309
Note that WEP can be used just to provide\n
126
00:10:40,440 --> 00:10:45,640
If WEP authentication is not used, open authentication\n
127
00:10:46,659 --> 00:10:53,209
Okay, I just covered the first two options\n
128
00:10:53,210 --> 00:10:58,160
However, open authentication on its own is\n
129
00:10:58,159 --> 00:11:01,539
either as an encryption method or an authentication\nmethod.
130
00:11:01,539 --> 00:11:04,870
So, new wireless authentication methods were\nneeded.
131
00:11:04,870 --> 00:11:10,230
Now let’s look at those more secure methods,\n
132
00:11:12,230 --> 00:11:17,259
EAP itself isn’t a single authentication\n
133
00:11:17,259 --> 00:11:25,580
other protocols, called EAP methods, are based\n
134
00:11:28,730 --> 00:11:31,100
It is an authentication framework.
135
00:11:31,100 --> 00:11:35,930
It defines a standard set of authentication\n
136
00:11:36,929 --> 00:11:44,929
We will look at four of those methods: LEAP,\n
137
00:11:44,929 --> 00:11:50,799
Note that EAP is integrated with a protocol\n
138
00:11:54,259 --> 00:12:00,179
802.1X is used to limit network access for\n
139
00:12:04,570 --> 00:12:07,070
There are three main entities in 802.1X.
140
00:12:09,820 --> 00:12:13,470
This is the device that wants to connect to\nthe network.
141
00:12:13,470 --> 00:12:15,460
Then there is the authenticator.
142
00:12:15,460 --> 00:12:18,250
This is the device that provides access to\nthe network.
143
00:12:18,250 --> 00:12:21,340
Finally, the authentication server.
144
00:12:21,340 --> 00:12:26,910
This is the device that receives client credentials\n
145
00:12:26,909 --> 00:12:33,189
802.1X is used in all kinds of networks, both\n
146
00:12:33,190 --> 00:12:39,710
know these three definitions, supplicant,\n
147
00:12:39,710 --> 00:12:44,200
In an 802.11 wireless LAN, the supplicant\n
148
00:12:47,399 --> 00:12:52,709
The authenticator is the device that provides\n
149
00:12:52,710 --> 00:12:56,879
But actually, in a split-MAC architecture\n
150
00:12:56,879 --> 00:13:00,639
the authentication, not the AP itself.
151
00:13:00,639 --> 00:13:03,669
And the authentication server is usually a\nRADIUS server.
152
00:13:06,470 --> 00:13:13,389
The 802.11 wireless authentication required\n
153
00:13:15,059 --> 00:13:19,289
However, it does not yet have full access\nto the network.
154
00:13:19,289 --> 00:13:24,620
The only traffic allowed from the client is\n
155
00:13:24,620 --> 00:13:28,750
And it is the authentication server that will\n
156
00:13:28,750 --> 00:13:32,419
to permit access or deny access to the network.
157
00:13:32,419 --> 00:13:37,709
So, the WLC is now a middle-man in the authentication\nprocess.
158
00:13:37,710 --> 00:13:42,900
The 802.11 authentication required to simply\n
159
00:13:42,899 --> 00:13:48,120
is the additional step of EAP authentication\n
160
00:13:48,120 --> 00:13:54,960
So, let’s look at some different EAP authentication\n
161
00:13:54,960 --> 00:13:58,460
The first is LEAP, lightweight EAP.
162
00:13:58,460 --> 00:14:01,560
It was developed by Cisco as an improvement\nover WEP.
163
00:14:03,590 --> 00:14:07,680
Clients must provide a username and password\nto authenticate.
164
00:14:07,679 --> 00:14:12,859
But in addition to that, mutual authentication\n
165
00:14:12,860 --> 00:14:14,850
sending a challenge phrase to each other.
166
00:14:14,850 --> 00:14:21,620
In WEP, only the server sent a challenge phrase,\n
167
00:14:22,620 --> 00:14:28,759
So, first challenge phrases are exchanged,\n
168
00:14:28,759 --> 00:14:33,669
phrase and sends it back, and they use that\n
169
00:14:33,669 --> 00:14:38,479
To further improve the security, dynamic WEP\nkeys are used.
170
00:14:38,480 --> 00:14:42,590
These are WEP keys that automatically change\n
171
00:14:43,740 --> 00:14:49,730
However, like WEP, LEAP is considered vulnerable\n
172
00:14:49,730 --> 00:14:54,389
Instead, you should use one of the next methods.
173
00:14:54,389 --> 00:15:00,759
The next method is EAP-FAST, EAP flexible\n
174
00:15:00,759 --> 00:15:02,909
This was also developed by Cisco.
175
00:15:05,500 --> 00:15:11,059
First, a PAC, protected access credential,\n
176
00:15:13,539 --> 00:15:18,870
This PAC is like a shared key and is used\n
177
00:15:18,870 --> 00:15:22,289
tunnel between the client and authentication\nserver.
178
00:15:22,289 --> 00:15:28,789
So, now there is a secure tunnel established\n
179
00:15:28,789 --> 00:15:32,719
The final step is that the client is authenticated\n
180
00:15:34,339 --> 00:15:42,920
The last two methods are similar to EAP-FAST,\n
181
00:15:46,500 --> 00:15:52,740
Like EAP-FAST, it involves establishing a\n
182
00:15:52,740 --> 00:15:56,690
But instead of a PAC, the server has a digital\ncertificate.
183
00:15:56,690 --> 00:16:01,710
It will show its digital certificate to the\n
184
00:16:03,370 --> 00:16:07,399
This certificate is also used to establish\n
185
00:16:07,399 --> 00:16:12,480
And because only the server provides a certificate\n
186
00:16:12,480 --> 00:16:15,730
be authenticated within the secure tunnel.
187
00:16:15,730 --> 00:16:21,879
One protocol that can be used for that authentication\n
188
00:16:26,480 --> 00:16:32,980
Remember that EAP-FAST uses a PAC, but PEAP\n
189
00:16:32,980 --> 00:16:36,830
However both involve establishing a secure\n
190
00:16:40,559 --> 00:16:46,919
And finally the last authentication method\n
191
00:16:46,919 --> 00:16:53,809
Whereas PEAP only requires the AS, authentication\n
192
00:16:53,809 --> 00:16:57,559
a certificate on the AS and on every single\nclient.
193
00:16:57,559 --> 00:17:02,838
It is considered the most secure authentication\n
194
00:17:02,839 --> 00:17:07,490
than PEAP because every client device needs\na certificate.
195
00:17:07,490 --> 00:17:10,709
That can add a lot of complexity, time, and\neffort.
196
00:17:10,709 --> 00:17:15,740
Because the client and server authenticate\n
197
00:17:15,740 --> 00:17:19,118
is no need to authenticate the client within\nthe TLS tunnel.
198
00:17:19,118 --> 00:17:24,798
However, the TLS tunnel is still used to exchange\n
199
00:17:24,798 --> 00:17:28,009
talking about different encryption methods\nnext.
200
00:17:28,009 --> 00:17:35,230
To summarize, EAP-TLS is the most secure authentication\n
201
00:17:35,230 --> 00:17:39,470
so many enterprises might prefer PEAP instead.
202
00:17:39,470 --> 00:17:45,009
So, those are the authentication methods you\n
203
00:17:45,009 --> 00:17:49,109
To really understand these protocols you will\n
204
00:17:50,798 --> 00:17:56,129
But the goal of this video is just to give\n
205
00:17:56,130 --> 00:18:01,929
And remember, authentication refers to verifying\n
206
00:18:01,929 --> 00:18:05,788
Although I did mention encryption throughout\n
207
00:18:05,788 --> 00:18:11,190
talk about specific encryption methods used\n
208
00:18:11,190 --> 00:18:17,100
So, these are the encryption methods, in addition\n
209
00:18:20,398 --> 00:18:26,648
We could include WEP in this list too, but\n
210
00:18:26,648 --> 00:18:31,378
As I said before, encryption of wireless traffic\n
211
00:18:31,378 --> 00:18:35,769
have a basic understanding of these encryption\nmethods.
212
00:18:35,769 --> 00:18:39,019
First up, TKIP, temporal key integrity protocol.
213
00:18:39,019 --> 00:18:44,490
As I said before, WEP was found to be vulnerable,\n
214
00:18:46,079 --> 00:18:51,138
So, a temporary solution based on WEP was\n
215
00:18:53,190 --> 00:18:55,400
That temporary solution was TKIP.
216
00:18:55,400 --> 00:18:58,919
It’s based on WEP but adds various security\nfeatures.
217
00:18:58,919 --> 00:19:03,999
Now, I’m going to give you a list here but\n
218
00:19:03,999 --> 00:19:07,808
Just understand that TKIP is like a more secure\nversion of WEP.
219
00:19:07,808 --> 00:19:12,740
So, TKIP uses a MIC to protect the integrity\nof messages.
220
00:19:12,740 --> 00:19:16,839
Hopefully you remember what a MIC is from\nearlier in the video.
221
00:19:16,839 --> 00:19:22,278
Also a key mixing algorithm is used to create\n
222
00:19:22,278 --> 00:19:24,650
of each frame using the same key.
223
00:19:24,650 --> 00:19:27,759
This makes it harder to crack the encryption.
224
00:19:27,759 --> 00:19:33,808
The initialization vector, which I mentioned\n
225
00:19:33,808 --> 00:19:38,460
which makes brute-force attacks to crack the\n
226
00:19:38,460 --> 00:19:44,329
The MIC includes the sender MAC address, used\n
227
00:19:44,329 --> 00:19:49,210
Also a timestamp is added, so attackers can’t\n
228
00:19:49,210 --> 00:19:53,139
Replay attacks involve re-sending frames that\n
229
00:19:53,138 --> 00:19:56,769
Check wikipedia if you want to get an overview\n
230
00:19:56,769 --> 00:20:03,230
Similarly, a TKIP sequence number keeps track\n
231
00:20:03,230 --> 00:20:08,329
This also protects against replay attacks,\n
232
00:20:09,919 --> 00:20:14,809
As I said, you probably don’t have to memorize\n
233
00:20:14,808 --> 00:20:19,889
Just know that TKIP was developed as a more-secure\n
234
00:20:21,480 --> 00:20:27,419
And know that TKIP is used in WPA, WiFi Protected\n
235
00:20:30,839 --> 00:20:35,359
Next up is CCMP, counter/CBC-MAC protocol.
236
00:20:35,359 --> 00:20:39,089
It was developed after TKIP and is more secure.
237
00:20:39,089 --> 00:20:45,149
It is used in WPA2, and again I will explain\n
238
00:20:45,150 --> 00:20:50,538
Note that for a device to use CCMP, it must\n
239
00:20:50,538 --> 00:20:56,369
Old hardware built only to use WEP or TKIP\ncannot use CCMP.
240
00:20:56,369 --> 00:21:01,038
It consists of two different algorithms to\n
241
00:21:02,499 --> 00:21:05,600
For encryption, it uses AES counter mode.
242
00:21:05,599 --> 00:21:10,859
AES is the most secure encryption protocol\n
243
00:21:10,859 --> 00:21:14,638
world by corporations, governments, etc.
244
00:21:14,638 --> 00:21:20,359
There are multiple modes of operation for\n
245
00:21:20,359 --> 00:21:23,769
mode’ because it offers high performance,\nhigh speed.
246
00:21:23,769 --> 00:21:30,519
Then it uses CBC-MAC, cipher block chaining\n
247
00:21:30,519 --> 00:21:34,470
integrity check to ensure the integrity of\nmessages.
248
00:21:34,470 --> 00:21:39,110
You don’t have to know exactly how CBC-MAC\n
249
00:21:39,109 --> 00:21:45,418
So, that’s how CCMP provides encryption\nand integrity.
250
00:21:45,419 --> 00:21:49,580
Finally there is GCMP, Galois counter mode\nprotocol.
251
00:21:49,579 --> 00:21:54,439
It is more secure and more efficient than\n
252
00:21:57,259 --> 00:22:00,980
It is used in WiFi Protected Access 3.
253
00:22:00,980 --> 00:22:04,048
Like CCMP, it consists of two algorithms.
254
00:22:04,048 --> 00:22:07,408
First, AES counter mode encryption.
255
00:22:07,409 --> 00:22:12,460
And then GMAC, Galois Message Authentication\n
256
00:22:14,089 --> 00:22:20,259
Again, don’t worry about exactly how GMAC\n
257
00:22:20,259 --> 00:22:23,868
So, those are the encryption methods you need\nto know.
258
00:22:23,868 --> 00:22:29,119
Again, remember that I also introduced WEP\n
259
00:22:29,119 --> 00:22:33,058
I’ve added some basic notes about each protocol\nbelow.
260
00:22:33,058 --> 00:22:37,298
So far we’ve covered a lot of different\n
261
00:22:37,298 --> 00:22:41,569
Make sure you have taken notes on each and\n
262
00:22:41,569 --> 00:22:47,009
Now, with so many different authentication,\n
263
00:22:48,480 --> 00:22:51,528
Which combinations work together and which\ndon’t?
264
00:22:51,528 --> 00:22:54,548
And how can we know which hardware supports\nwhich standards?
265
00:22:54,548 --> 00:22:59,808
To simplify things and create standard sets\n
266
00:22:59,808 --> 00:23:05,278
developed the WPA, WiFi Protected Access,\n
267
00:23:08,849 --> 00:23:15,548
The Wi-Fi alliance has developed three WPA\n
268
00:23:18,710 --> 00:23:23,340
Note that the first one is just called WPA,\nnot WPA1.
269
00:23:23,339 --> 00:23:28,959
For a device to be WPA certified, it must\n
270
00:23:28,960 --> 00:23:35,190
This is just like how the Wi-Fi alliance certifies\n
271
00:23:35,190 --> 00:23:41,320
They also certify devices for WPA, WPA2, and\nWPA3 security.
272
00:23:41,319 --> 00:23:45,608
All three of the WPAs support two different\n
273
00:23:45,608 --> 00:23:51,618
First is personal mode, in which a pre-shared\n
274
00:23:51,618 --> 00:23:57,339
For example, when you connect to a home wifi\n
275
00:23:58,720 --> 00:24:03,009
It’s common in small networks, such as SOHO\nnetworks.
276
00:24:03,009 --> 00:24:08,319
Note that for security purposes, the PSK itself\n
277
00:24:08,319 --> 00:24:14,558
A four-way handshake is used for the authentication,\n
278
00:24:15,690 --> 00:24:20,038
If the devices use the same PSK to generate\n
279
00:24:20,038 --> 00:24:24,230
decrypt each other’s traffic, meaning that\n
280
00:24:26,669 --> 00:24:30,049
In addition to personal mode, there is enterprise\nmode.
281
00:24:30,048 --> 00:24:35,058
This is the mode that uses 802.1X with an\nauthentication server.
282
00:24:35,058 --> 00:24:40,329
I introduced a few EAP methods and they are\n
283
00:24:42,388 --> 00:24:47,459
So, all EAP methods are supported, such as\nPEAP or EAP-TLS.
284
00:24:47,460 --> 00:24:53,808
Now let’s look at WPA, WPA2, and WPA3.
285
00:24:53,808 --> 00:24:58,730
The first WPA certification was developed\n
286
00:24:58,730 --> 00:25:01,099
it includes the following protocols.
287
00:25:01,099 --> 00:25:07,089
TKIP, which as you know is based on WEP, provides\n
288
00:25:07,089 --> 00:25:13,269
Authentication can be provided by 802.1X and\n
289
00:25:15,369 --> 00:25:18,268
But WPA didn’t last very long.
290
00:25:18,269 --> 00:25:23,450
After more secure protocols and hardware were\n
291
00:25:25,739 --> 00:25:29,409
CCMP is used to provide encryption and MIC.
292
00:25:29,409 --> 00:25:36,240
And again, authentication can be done via\n
293
00:25:36,240 --> 00:25:39,769
And finally in 2018 WPA3 was released.
294
00:25:39,769 --> 00:25:44,009
It uses GCMP for encryption and integrity.
295
00:25:44,009 --> 00:25:49,339
And once again supports 802.1X based or PSK\n
296
00:25:49,339 --> 00:25:55,839
In addition to that, it offers several additional\n
297
00:25:55,839 --> 00:25:59,878
There is a feature called PMF, protected management\nframes.
298
00:25:59,878 --> 00:26:05,329
It protects 802.11 management frames from\n
299
00:26:05,329 --> 00:26:11,939
Actually this was available as an optional\n
300
00:26:11,940 --> 00:26:16,788
Also, SAE, simultaneous authentication of\nequals.
301
00:26:16,788 --> 00:26:20,749
It protects the four-way handshake when using\n
302
00:26:20,749 --> 00:26:24,999
The last example I’ll give is forward secrecy.
303
00:26:24,999 --> 00:26:30,120
It prevents data from being decrypted after\n
304
00:26:30,119 --> 00:26:34,439
This protects against attacks in which an\n
305
00:26:34,440 --> 00:26:37,080
tries to decrypt them later to read the contents.
306
00:26:37,079 --> 00:26:41,189
Okay, that’s all I’ll say about the WPA\ncertifications.
307
00:26:41,190 --> 00:26:46,690
Basically, they take the various security\n
308
00:26:46,690 --> 00:26:49,778
those protocols into standard sets.
309
00:26:49,778 --> 00:26:54,038
Hardware is then tested and certified to make\n
310
00:26:54,038 --> 00:26:57,569
Okay, here’s what we covered in this video.
311
00:26:57,569 --> 00:27:01,819
I’d say the content of this video was quite\nwide but shallow.
312
00:27:01,819 --> 00:27:06,099
You got a general overview of a lot of different\n
313
00:27:06,099 --> 00:27:14,548
Make sure you know the difference between\n
314
00:27:14,548 --> 00:27:20,658
Also know which protocols are included in\nWPA, WPA2, and WPA3.
315
00:27:20,659 --> 00:27:24,549
And make sure to watch until the end of the\n
316
00:27:24,548 --> 00:27:29,599
Software’s ExSim for CCNA, the best practice\nexams for the CCNA.
317
00:27:29,599 --> 00:27:35,079
Now let’s go to quiz question 1.
318
00:27:35,079 --> 00:27:38,678
What does GMAC provide to a secure wireless\nconnection?
319
00:27:38,679 --> 00:27:42,990
Pause the video now to select the best answer.
320
00:27:42,990 --> 00:27:49,868
Okay, the best answer is B, MIC, message integrity\ncheck.
321
00:27:49,868 --> 00:27:56,250
GMAC is used as part of the GCMP protocol\n
322
00:27:57,608 --> 00:28:00,599
GCMP is part of the WPA3 certification.
323
00:28:00,599 --> 00:28:06,009
Okay, let’s go to quiz question 2.
324
00:28:06,009 --> 00:28:10,069
Which of the following are part of the 802.1X\n
325
00:28:10,069 --> 00:28:19,108
(select three) Okay, pause the video now to\n
326
00:28:19,108 --> 00:28:21,349
The answers are A, supplicant.
327
00:28:21,349 --> 00:28:25,478
D, authenticator, and E, authentication server.
328
00:28:25,479 --> 00:28:31,210
These are the three entities involved in 802.1X\nauthentication.
329
00:28:31,210 --> 00:28:36,990
In an 802.11 wireless network, the wireless\n
330
00:28:36,990 --> 00:28:42,378
the authenticator, and a server such as a\n
331
00:28:42,378 --> 00:28:47,019
Okay, let’s go to question 3.
332
00:28:47,019 --> 00:28:51,710
Which of the following encryption and integrity\n
333
00:28:51,710 --> 00:28:56,249
Pause the video now to select the best answer.
334
00:29:02,358 --> 00:29:09,329
These protocols were developed in the order\n
335
00:29:11,118 --> 00:29:15,278
If your hardware supports it, it is recommended\n
336
00:29:15,278 --> 00:29:19,700
Okay, let’s go to question 4.
337
00:29:19,700 --> 00:29:24,120
Which of the following EAP methods requires\n
338
00:29:25,440 --> 00:29:29,288
Pause the video now to select the best answer.
339
00:29:29,288 --> 00:29:34,980
Okay, the answer is D, EAP-TLS.
340
00:29:34,980 --> 00:29:42,239
Both PEAP and EAP-TLS involve digital certificates\n
341
00:29:42,239 --> 00:29:44,519
that the AS has a certificate.
342
00:29:44,519 --> 00:29:50,470
EAP-TLS, on the other hand, uses certificates to\n
343
00:29:50,470 --> 00:29:52,058
so they both need a certificate.
344
00:29:52,058 --> 00:29:57,808
Okay, let’s go to question 5.
345
00:29:57,808 --> 00:30:02,868
Which of the following WPA3 security features\n
346
00:30:02,868 --> 00:30:05,249
personal mode authentication?
347
00:30:05,249 --> 00:30:09,319
Pause the video now to select the best answer.
348
00:30:14,038 --> 00:30:20,398
SAE is simultaneous authentication of equals,\n
349
00:30:20,398 --> 00:30:22,699
during authentication using personal mode.
350
00:30:22,700 --> 00:30:24,759
Okay, that’s all for the quiz.
351
00:30:24,759 --> 00:30:32,967
Now let’s try a bonus question from Boson\n