All language subtitles for Free-CCNA-Wireless-Security-Day-57-CCNA-200-301-Complete-Course_en

1 00:00:04,349 --> 00:00:07,889 This is a free, complete course for the CCNA. 2 00:00:07,889 --> 00:00:11,899 If you like these videos, please subscribe\n 3 00:00:11,900 --> 00:00:16,769 Also, please like and leave a comment, and\n 4 00:00:19,649 --> 00:00:23,038 In this video we will look at wireless network\nsecurity. 5 00:00:23,039 --> 00:00:30,830 Specifically, exam topic 1.11.d, encryption,\n 6 00:00:35,250 --> 00:00:39,409 You’ve probably noticed by now that there\n 7 00:00:39,409 --> 00:00:43,018 learn to understand wireless networks. 8 00:00:43,018 --> 00:00:47,609 Wireless security is no exception, and this\n 9 00:00:48,609 --> 00:00:54,530 So, take notes and do extra research if you\n 10 00:00:54,530 --> 00:00:59,739 of the concepts introduced in this video before\n 11 00:01:02,149 --> 00:01:06,260 First I’ll give a brief introduction to\n 12 00:01:08,829 --> 00:01:13,780 Then I’ll introduce various authentication\n 13 00:01:13,780 --> 00:01:17,609 to the most secure methods used in modern\nnetworks. 14 00:01:17,609 --> 00:01:21,890 Then I’ll introduce various encryption and\nintegrity methods. 15 00:01:21,890 --> 00:01:25,960 Encryption plays a role in all kinds of networks,\n 16 00:01:25,959 --> 00:01:30,829 networks because a signal can be received\n 17 00:01:33,180 --> 00:01:38,180 And integrity means making sure that messages\n 18 00:01:40,019 --> 00:01:46,099 Finally we’ll look at Wi-Fi Protected Access,\n 19 00:01:46,099 --> 00:01:50,478 to provide standard sets of wireless network\nsecurity protocols. 20 00:01:50,478 --> 00:01:54,489 Watch until the end of the video for a bonus\n 21 00:01:54,489 --> 00:02:01,390 ExSim for CCNA, the best practice exams for\nthe CCNA. 22 00:02:01,390 --> 00:02:04,120 As you know, security is important in all\nnetworks. 
23 00:02:04,120 --> 00:02:08,219 However, it’s even more essential in wireless\nnetworks. 24 00:02:08,219 --> 00:02:13,050 The main reason for that is: because wireless\n 25 00:02:13,050 --> 00:02:17,019 device within range of the signal can receive\nthe traffic. 26 00:02:17,020 --> 00:02:22,469 In wired networks, traffic is often only encrypted\n 27 00:02:23,469 --> 00:02:28,310 You usually don’t encrypt wired traffic\n 28 00:02:28,310 --> 00:02:33,009 But in wireless networks, it is very important\n 29 00:02:34,180 --> 00:02:39,920 That’s because, as I said before, any device\n 30 00:02:39,919 --> 00:02:44,509 traffic, but we want to ensure that only the\n 31 00:02:45,509 --> 00:02:51,299 So, in this video we will cover three main\n 32 00:02:52,300 --> 00:02:56,969 You’ve heard these terms before, but let’s\n 33 00:02:56,969 --> 00:03:01,509 We’ll look at these in more depth later\n 34 00:03:05,830 --> 00:03:10,700 As mentioned in the previous video, all clients\n 35 00:03:13,259 --> 00:03:18,139 Authentication just means verifying the identity\n 36 00:03:18,139 --> 00:03:22,568 In a corporate setting, only trusted users\n 37 00:03:23,568 --> 00:03:28,789 However, a separate SSID which doesn’t have\n 38 00:03:31,580 --> 00:03:37,020 Those guest SSIDs have less strict authentication\n 39 00:03:37,020 --> 00:03:41,810 to the Internet, not to internal company resources. 40 00:03:41,810 --> 00:03:47,080 Not only should the AP authenticate the identity\n 41 00:03:47,080 --> 00:03:52,270 authenticate the AP to avoid associating with\na malicious AP. 42 00:03:52,270 --> 00:03:57,269 A malicious AP could trick users into associating\n 43 00:03:57,269 --> 00:04:00,360 such as a man-in-the-middle attack. 
44 00:04:00,360 --> 00:04:05,250 There are multiple ways that authentication\n 45 00:04:05,250 --> 00:04:12,189 a username and password combination, or with\n 46 00:04:12,189 --> 00:04:17,310 For review, remember that before associating\n 47 00:04:17,310 --> 00:04:19,649 an authentication process like this. 48 00:04:19,649 --> 00:04:24,748 Okay, we’ll look at authentication in more\n 49 00:04:30,149 --> 00:04:35,348 Traffic sent between clients and APs, so any\n 50 00:04:35,348 --> 00:04:39,728 it can’t be read by anyone except the AP\nand the client. 51 00:04:39,728 --> 00:04:44,008 You should know this already, but encryption\n 52 00:04:44,009 --> 00:04:47,910 the sender and the intended recipient can\nread it. 53 00:04:47,910 --> 00:04:51,840 There are many possible protocols that can\n 54 00:04:51,839 --> 00:04:56,848 It’s important that the sender and recipient\n 55 00:04:56,848 --> 00:04:59,389 like they are speaking different languages. 56 00:04:59,389 --> 00:05:04,110 The recipient wouldn’t be able to decrypt\nthe sender’s messages. 57 00:05:04,110 --> 00:05:08,980 Note that all devices on the wireless LAN\n 58 00:05:08,980 --> 00:05:13,949 each client will use a unique encryption and\n 59 00:05:16,019 --> 00:05:20,719 Only the AP will have the appropriate key\n 60 00:05:20,720 --> 00:05:25,080 clients won’t be able to decrypt it because\n 61 00:05:25,079 --> 00:05:29,550 However there is also a ‘group key’ which\n 62 00:05:32,180 --> 00:05:36,689 All of those clients keep a copy of that group\n 63 00:05:36,689 --> 00:05:41,560 Again, we’ll look at wireless encryption\n 64 00:05:41,560 --> 00:05:47,240 that let’s introduce the final concept,\nintegrity. 65 00:05:47,240 --> 00:05:51,509 As explained in the security fundamentals\n 66 00:05:51,509 --> 00:05:55,680 a message is not modified by a third party,\n 67 00:05:55,680 --> 00:06:00,939 So, the message that is sent by the source\n 68 00:06:00,939 --> 00:06:04,080 is received by the destination host. 
69 00:06:04,079 --> 00:06:10,120 To ensure that, a MIC, message integrity check,\n 70 00:06:11,478 --> 00:06:16,329 To demonstrate how it works, let’s say the\n 71 00:06:17,329 --> 00:06:23,139 First, the sender calculates a MIC for the\n 72 00:06:23,139 --> 00:06:27,038 Just like encryption, there are many different\n 73 00:06:27,038 --> 00:06:31,490 MIC, and it’s important that the sender\n 74 00:06:31,490 --> 00:06:36,788 Then the sender encrypts the message and MIC,\n 75 00:06:36,788 --> 00:06:41,930 The recipient decrypts the message, and then\n 76 00:06:41,930 --> 00:06:44,709 using the same protocol as the sender. 77 00:06:44,709 --> 00:06:49,638 It compares the two MICs, and if the MIC calculated\n 78 00:06:49,639 --> 00:06:55,240 recipient are the same, the recipient assumes\n 79 00:06:55,240 --> 00:06:58,908 Note that if the two MICs aren’t the same,\n 80 00:06:59,908 --> 00:07:05,028 So, instead of saying a MIC helps to protect\n 81 00:07:05,028 --> 00:07:09,899 accurate to say that it helps to identify\n 82 00:07:11,249 --> 00:07:15,159 If the integrity has been compromised, the\n 83 00:07:15,158 --> 00:07:20,829 Now let’s move on to look at various wireless\n 84 00:07:20,829 --> 00:07:25,908 This will just be an overview of various authentication\n 85 00:07:25,908 --> 00:07:28,288 However, we will be covering a lot of them. 86 00:07:28,288 --> 00:07:31,288 Here they are, 7 different methods. 87 00:07:31,288 --> 00:07:34,658 The good news is you don’t need know to\nany of them in depth. 88 00:07:34,658 --> 00:07:37,370 Just a basic understanding of each is fine. 89 00:07:39,249 --> 00:07:44,189 Even though you only need a basic understanding,\n 90 00:07:44,189 --> 00:07:47,189 methods when first learning them. 91 00:07:47,189 --> 00:07:52,300 The original 802.11 standard included two\n 92 00:07:52,300 --> 00:07:55,968 The first one is open authentication, which\nis very simple. 
93 00:07:55,968 --> 00:08:00,399 The client sends an authentication request,\n 94 00:08:00,399 --> 00:08:03,378 No questions asked, no credentials required. 95 00:08:03,379 --> 00:08:07,039 So, this is clearly not a secure authentication\nmethod. 96 00:08:07,038 --> 00:08:10,188 The AP just accepts all authentication requests. 97 00:08:10,189 --> 00:08:16,000 However, it is still used today in combination\n 98 00:08:16,000 --> 00:08:20,689 After the client is authenticated and associated\n 99 00:08:20,689 --> 00:08:26,050 user to authenticate via other methods before\n 100 00:08:26,050 --> 00:08:29,619 Think about Starbucks WiFi, or other public\nWiFi. 101 00:08:29,619 --> 00:08:34,470 You might be free to associate your device\n 102 00:08:34,470 --> 00:08:40,460 but then you are probably required to login\n 103 00:08:40,460 --> 00:08:44,889 After that authentication, your device is\n 104 00:08:44,889 --> 00:08:50,019 So, open authentication itself is not secure\n 105 00:08:51,909 --> 00:08:58,319 Then the second method in the 802.11 standard\n 106 00:08:58,320 --> 00:09:03,330 Actually WEP is not just an authentication\n 107 00:09:03,330 --> 00:09:06,889 For encryption, it uses the RC4 algorithm. 108 00:09:06,889 --> 00:09:11,769 If you’re curious about RC4 try reading\n 109 00:09:14,210 --> 00:09:19,050 WEP is a shared-key protocol, it requires\n 110 00:09:21,149 --> 00:09:26,399 Those WEP keys can be 40 bits or 104 bits\nin length. 111 00:09:26,399 --> 00:09:31,139 However those above keys are combined with\n 112 00:09:31,139 --> 00:09:34,699 total length to 64 bits or 128 bits. 113 00:09:34,700 --> 00:09:39,379 Again, read up on wikipedia if you’re curious\n 114 00:09:39,379 --> 00:09:42,529 but you don’t have to know it for the CCNA. 115 00:09:42,529 --> 00:09:48,829 Now, usually longer key lengths are more secure,\n 116 00:09:50,840 --> 00:09:54,220 You definitely should not use WEP on modern\nwireless networks. 
117 00:09:54,220 --> 00:09:59,680 So, that’s WEP encryption, but how can WEP\n 118 00:10:01,399 --> 00:10:05,129 First, the AP sends a ‘challenge phrase’. 119 00:10:05,129 --> 00:10:09,070 This is just a series of bits, the actual\ncontents don’t matter. 120 00:10:09,070 --> 00:10:14,440 The client then encrypts the challenge phrase\n 121 00:10:14,440 --> 00:10:19,000 Finally the AP takes the client’s encrypted\n 122 00:10:20,610 --> 00:10:26,139 If they match, it means the AP and client\n 123 00:10:26,139 --> 00:10:28,539 the authentication is successful. 124 00:10:28,539 --> 00:10:34,000 Basically, the AP is just testing if the client\n 125 00:10:34,000 --> 00:10:38,309 Note that WEP can be used just to provide\n 126 00:10:40,440 --> 00:10:45,640 If WEP authentication is not used, open authentication\n 127 00:10:46,659 --> 00:10:53,209 Okay, I just covered the first two options\n 128 00:10:53,210 --> 00:10:58,160 However, open authentication on its own is\n 129 00:10:58,159 --> 00:11:01,539 either as an encryption method or an authentication\nmethod. 130 00:11:01,539 --> 00:11:04,870 So, new wireless authentication methods were\nneeded. 131 00:11:04,870 --> 00:11:10,230 Now let’s look at those more secure methods,\n 132 00:11:12,230 --> 00:11:17,259 EAP itself isn’t a single authentication\n 133 00:11:17,259 --> 00:11:25,580 other protocols, called EAP methods, are based\n 134 00:11:28,730 --> 00:11:31,100 It is an authentication framework. 135 00:11:31,100 --> 00:11:35,930 It defines a standard set of authentication\n 136 00:11:36,929 --> 00:11:44,929 We will look at four of those methods: LEAP,\n 137 00:11:44,929 --> 00:11:50,799 Note that EAP is integrated with a protocol\n 138 00:11:54,259 --> 00:12:00,179 802.1X is used to limit network access for\n 139 00:12:04,570 --> 00:12:07,070 There are three main entities in 802.1X. 140 00:12:09,820 --> 00:12:13,470 This is the device that wants to connect to\nthe network. 
141 00:12:13,470 --> 00:12:15,460 Then there is the authenticator. 142 00:12:15,460 --> 00:12:18,250 This is the device that provides access to\nthe network. 143 00:12:18,250 --> 00:12:21,340 Finally, the authentication server. 144 00:12:21,340 --> 00:12:26,910 This is the device that receives client credentials\n 145 00:12:26,909 --> 00:12:33,189 802.1X is used in all kinds of networks, both\n 146 00:12:33,190 --> 00:12:39,710 know these three definitions, supplicant,\n 147 00:12:39,710 --> 00:12:44,200 In an 802.11 wireless LAN, the supplicant\n 148 00:12:47,399 --> 00:12:52,709 The authenticator is the device that provides\n 149 00:12:52,710 --> 00:12:56,879 But actually, in a split-MAC architecture\n 150 00:12:56,879 --> 00:13:00,639 the authentication, not the AP itself. 151 00:13:00,639 --> 00:13:03,669 And the authentication server is usually a\nRADIUS server. 152 00:13:06,470 --> 00:13:13,389 The 802.11 wireless authentication required\n 153 00:13:15,059 --> 00:13:19,289 However, it does not yet have full access\nto the network. 154 00:13:19,289 --> 00:13:24,620 The only traffic allowed from the client is\n 155 00:13:24,620 --> 00:13:28,750 And it is the authentication server that will\n 156 00:13:28,750 --> 00:13:32,419 to permit access or deny access to the network. 157 00:13:32,419 --> 00:13:37,709 So, the WLC is now a middle-man in the authentication\nprocess. 158 00:13:37,710 --> 00:13:42,900 The 802.11 authentication required to simply\n 159 00:13:42,899 --> 00:13:48,120 is the additional step of EAP authentication\n 160 00:13:48,120 --> 00:13:54,960 So, let’s look at some different EAP authentication\n 161 00:13:54,960 --> 00:13:58,460 The first is LEAP, lightweight EAP. 162 00:13:58,460 --> 00:14:01,560 It was developed by Cisco as an improvement\nover WEP. 163 00:14:03,590 --> 00:14:07,680 Clients must provide a username and password\nto authenticate. 
164 00:14:07,679 --> 00:14:12,859 But in addition to that, mutual authentication\n 165 00:14:12,860 --> 00:14:14,850 sending a challenge phrase to each other. 166 00:14:14,850 --> 00:14:21,620 In WEP, only the server sent a challenge phrase,\n 167 00:14:22,620 --> 00:14:28,759 So, first challenge phrases are exchanged,\n 168 00:14:28,759 --> 00:14:33,669 phrase and sends it back, and they use that\n 169 00:14:33,669 --> 00:14:38,479 To further improve the security, dynamic WEP\nkeys are used. 170 00:14:38,480 --> 00:14:42,590 These are WEP keys that automatically change\n 171 00:14:43,740 --> 00:14:49,730 However, like WEP, LEAP is considered vulnerable\n 172 00:14:49,730 --> 00:14:54,389 Instead, you should use one of the next methods. 173 00:14:54,389 --> 00:15:00,759 The next method is EAP-FAST, EAP flexible\n 174 00:15:00,759 --> 00:15:02,909 This was also developed by Cisco. 175 00:15:05,500 --> 00:15:11,059 First, a PAC, protected access credential,\n 176 00:15:13,539 --> 00:15:18,870 This PAC is like a shared key and is used\n 177 00:15:18,870 --> 00:15:22,289 tunnel between the client and authentication\nserver. 178 00:15:22,289 --> 00:15:28,789 So, now there is a secure tunnel established\n 179 00:15:28,789 --> 00:15:32,719 The final step is that the client is authenticated\n 180 00:15:34,339 --> 00:15:42,920 The last two methods are similar to EAP-FAST,\n 181 00:15:46,500 --> 00:15:52,740 Like EAP-FAST, it involves establishing a\n 182 00:15:52,740 --> 00:15:56,690 But instead of a PAC, the server has a digital\ncertificate. 183 00:15:56,690 --> 00:16:01,710 It will show its digital certificate to the\n 184 00:16:03,370 --> 00:16:07,399 This certificate is also used to establish\n 185 00:16:07,399 --> 00:16:12,480 And because only the server provides a certificate\n 186 00:16:12,480 --> 00:16:15,730 be authenticated within the secure tunnel. 
187 00:16:15,730 --> 00:16:21,879 One protocol that can be used for that authentication\n 188 00:16:26,480 --> 00:16:32,980 Remember that EAP-FAST uses a PAC, but PEAP\n 189 00:16:32,980 --> 00:16:36,830 However both involve establishing a secure\n 190 00:16:40,559 --> 00:16:46,919 And finally the last authentication method\n 191 00:16:46,919 --> 00:16:53,809 Whereas PEAP only requires the AS, authentication\n 192 00:16:53,809 --> 00:16:57,559 a certificate on the AS and on every single\nclient. 193 00:16:57,559 --> 00:17:02,838 It is considered the most secure authentication\n 194 00:17:02,839 --> 00:17:07,490 than PEAP because every client device needs\na certificate. 195 00:17:07,490 --> 00:17:10,709 That can add a lot of complexity, time, and\neffort. 196 00:17:10,709 --> 00:17:15,740 Because the client and server authenticate\n 197 00:17:15,740 --> 00:17:19,118 is no need to authenticate the client within\nthe TLS tunnel. 198 00:17:19,118 --> 00:17:24,798 However, the TLS tunnel is still used to exchange\n 199 00:17:24,798 --> 00:17:28,009 talking about different encryption methods\nnext. 200 00:17:28,009 --> 00:17:35,230 To summarize, EAP-TLS is the most secure authentication\n 201 00:17:35,230 --> 00:17:39,470 so many enterprises might prefer PEAP instead. 
202 00:17:39,470 --> 00:17:45,009 So, those are the authentication methods you\n 203 00:17:45,009 --> 00:17:49,109 To really understand these protocols you will\n 204 00:17:50,798 --> 00:17:56,129 But the goal of this video is just to give\n 205 00:17:56,130 --> 00:18:01,929 And remember, authentication refers to verifying\n 206 00:18:01,929 --> 00:18:05,788 Although I did mention encryption throughout\n 207 00:18:05,788 --> 00:18:11,190 talk about specific encryption methods used\n 208 00:18:11,190 --> 00:18:17,100 So, these are the encryption methods, in addition\n 209 00:18:20,398 --> 00:18:26,648 We could include WEP in this list too, but\n 210 00:18:26,648 --> 00:18:31,378 As I said before, encryption of wireless traffic\n 211 00:18:31,378 --> 00:18:35,769 have a basic understanding of these encryption\nmethods. 212 00:18:35,769 --> 00:18:39,019 First up, TKIP, temporal key integrity protocol. 213 00:18:39,019 --> 00:18:44,490 As I said before, WEP was found to be vulnerable,\n 214 00:18:46,079 --> 00:18:51,138 So, a temporary solution based on WEP was\n 215 00:18:53,190 --> 00:18:55,400 That temporary solution was TKIP. 216 00:18:55,400 --> 00:18:58,919 It’s based on WEP but adds various security\nfeatures. 217 00:18:58,919 --> 00:19:03,999 Now, I’m going to give you a list here but\n 218 00:19:03,999 --> 00:19:07,808 Just understand that TKIP is like a more secure\nversion of WEP. 219 00:19:07,808 --> 00:19:12,740 So, TKIP uses a MIC to protect the integrity\nof messages. 220 00:19:12,740 --> 00:19:16,839 Hopefully you remember what a MIC is from\nearlier in the video. 221 00:19:16,839 --> 00:19:22,278 Also a key mixing algorithm is used to create\n 222 00:19:22,278 --> 00:19:24,650 of each frame using the same key. 223 00:19:24,650 --> 00:19:27,759 This makes it harder to crack the encryption. 
224 00:19:27,759 --> 00:19:33,808 The initialization vector, which I mentioned\n 225 00:19:33,808 --> 00:19:38,460 which makes brute-force attacks to crack the\n 226 00:19:38,460 --> 00:19:44,329 The MIC includes the sender MAC address, used\n 227 00:19:44,329 --> 00:19:49,210 Also a timestamp is added, so attackers can’t\n 228 00:19:49,210 --> 00:19:53,139 Replay attacks involve re-sending frames that\n 229 00:19:53,138 --> 00:19:56,769 Check wikipedia if you want to get an overview\n 230 00:19:56,769 --> 00:20:03,230 Similarly, a TKIP sequence number keeps track\n 231 00:20:03,230 --> 00:20:08,329 This also protects against replay attacks,\n 232 00:20:09,919 --> 00:20:14,809 As I said, you probably don’t have to memorize\n 233 00:20:14,808 --> 00:20:19,889 Just know that TKIP was developed as a more-secure\n 234 00:20:21,480 --> 00:20:27,419 And know that TKIP is used in WPA, WiFi Protected\n 235 00:20:30,839 --> 00:20:35,359 Next up is CCMP, counter/CBC-MAC protocol. 236 00:20:35,359 --> 00:20:39,089 It was developed after TKIP and is more secure. 237 00:20:39,089 --> 00:20:45,149 It is used in WPA2, and again I will explain\n 238 00:20:45,150 --> 00:20:50,538 Note that for a device to use CCMP, it must\n 239 00:20:50,538 --> 00:20:56,369 Old hardware built only to use WEP or TKIP\ncannot use CCMP. 240 00:20:56,369 --> 00:21:01,038 It consists of two different algorithms to\n 241 00:21:02,499 --> 00:21:05,600 For encryption, it uses AES counter mode. 242 00:21:05,599 --> 00:21:10,859 AES is the most secure encryption protocol\n 243 00:21:10,859 --> 00:21:14,638 world by corporations, governments, etc. 244 00:21:14,638 --> 00:21:20,359 There are multiple modes of operation for\n 245 00:21:20,359 --> 00:21:23,769 mode’ because it offers high performance,\nhigh speed. 246 00:21:23,769 --> 00:21:30,519 Then it uses CBC-MAC, cipher block chaining\n 247 00:21:30,519 --> 00:21:34,470 integrity check to ensure the integrity of\nmessages. 
248 00:21:34,470 --> 00:21:39,110 You don’t have to know exactly how CBC-MAC\n 249 00:21:39,109 --> 00:21:45,418 So, that’s how CCMP provides encryption\nand integrity. 250 00:21:45,419 --> 00:21:49,580 Finally there is GCMP, galois counter mode\nprotocol. 251 00:21:49,579 --> 00:21:54,439 It is more secure and more efficient than\n 252 00:21:57,259 --> 00:22:00,980 It is used in WiFi Protected Access 3. 253 00:22:00,980 --> 00:22:04,048 Like CCMP, it consists of two algorithms. 254 00:22:04,048 --> 00:22:07,408 First, AES counter mode encryption. 255 00:22:07,409 --> 00:22:12,460 And then GMAC, Galois Message Authentication\n 256 00:22:14,089 --> 00:22:20,259 Again, don’t worry about exactly how GMAC\n 257 00:22:20,259 --> 00:22:23,868 So, those are the encryption methods you need\nto know. 258 00:22:23,868 --> 00:22:29,119 Again, remember that I also introduced WEP\n 259 00:22:29,119 --> 00:22:33,058 I’ve added some basic notes about each protocol\nbelow. 260 00:22:33,058 --> 00:22:37,298 So far we’ve covered a lot of different\n 261 00:22:37,298 --> 00:22:41,569 Make sure you have taken notes on each and\n 262 00:22:41,569 --> 00:22:47,009 Now, with so many different authentication,\n 263 00:22:48,480 --> 00:22:51,528 Which combinations work together and which\ndon’t? 264 00:22:51,528 --> 00:22:54,548 And how can we know which hardware supports\nwhich standards? 265 00:22:54,548 --> 00:22:59,808 To simplify things and create standard sets\n 266 00:22:59,808 --> 00:23:05,278 developed the WPA, WiFi Protected Access,\n 267 00:23:08,849 --> 00:23:15,548 The Wi-Fi alliance has developed three WPA\n 268 00:23:18,710 --> 00:23:23,340 Note that the first one is just called WPA,\nnot WPA1. 269 00:23:23,339 --> 00:23:28,959 For a device to be WPA certified, it must\n 270 00:23:28,960 --> 00:23:35,190 This is just like how the Wi-Fi alliance certifies\n 271 00:23:35,190 --> 00:23:41,320 They also certify devices for WPA, WPA2, and\nWPA3 security. 
272 00:23:41,319 --> 00:23:45,608 All three of the WPAs support two different\n 273 00:23:45,608 --> 00:23:51,618 First is personal mode, in which a pre-shared\n 274 00:23:51,618 --> 00:23:57,339 For example, when you connect to a home wifi\n 275 00:23:58,720 --> 00:24:03,009 It’s common in small networks, such as SOHO\nnetworks. 276 00:24:03,009 --> 00:24:08,319 Note that for security purposes, the PSK itself\n 277 00:24:08,319 --> 00:24:14,558 A four-way handshake is used for the authentication,\n 278 00:24:15,690 --> 00:24:20,038 If the devices use the same PSK to generate\n 279 00:24:20,038 --> 00:24:24,230 decrypt each other’s traffic, meaning that\n 280 00:24:26,669 --> 00:24:30,049 In addition to personal mode, there is enterprise\nmode. 281 00:24:30,048 --> 00:24:35,058 This is the mode that uses 802.1X with an\nauthentication server. 282 00:24:35,058 --> 00:24:40,329 I introduced a few EAP methods and they are\n 283 00:24:42,388 --> 00:24:47,459 So, all EAP methods are supported, such as\nPEAP or EAP-TLS. 284 00:24:47,460 --> 00:24:53,808 Now let’s look at WPA, WPA2, and WPA3. 285 00:24:53,808 --> 00:24:58,730 The first WPA certification was developed\n 286 00:24:58,730 --> 00:25:01,099 it includes the following protocols. 287 00:25:01,099 --> 00:25:07,089 TKIP, which as you know is based on WEP, provides\n 288 00:25:07,089 --> 00:25:13,269 Authentication can be provided by 802.1X and\n 289 00:25:15,369 --> 00:25:18,268 But WPA didn’t last very long. 290 00:25:18,269 --> 00:25:23,450 After more secure protocols and hardware were\n 291 00:25:25,739 --> 00:25:29,409 CCMP is used to provide encryption and MIC. 292 00:25:29,409 --> 00:25:36,240 And again, authentication can be done via\n 293 00:25:36,240 --> 00:25:39,769 And finally in 2018 WPA3 was released. 294 00:25:39,769 --> 00:25:44,009 It uses GCMP for encryption and integrity. 
295 00:25:44,009 --> 00:25:49,339 And once again supports 802.1X based or PSK\n 296 00:25:49,339 --> 00:25:55,839 In addition to that, it offers several additional\n 297 00:25:55,839 --> 00:25:59,878 There is a feature called PMF, protected management\nframes. 298 00:25:59,878 --> 00:26:05,329 It protects 802.11 management frames from\n 299 00:26:05,329 --> 00:26:11,939 Actually this was available as an optional\n 300 00:26:11,940 --> 00:26:16,788 Also, SAE, simultaneous authentication of\nequals. 301 00:26:16,788 --> 00:26:20,749 It protects the four-way handshake when using\n 302 00:26:20,749 --> 00:26:24,999 The last example I’ll give is forward secrecy. 303 00:26:24,999 --> 00:26:30,120 It prevents data from being decrypted after\n 304 00:26:30,119 --> 00:26:34,439 This protects against attacks in which an\n 305 00:26:34,440 --> 00:26:37,080 tries to decrypt them later to read the contents. 306 00:26:37,079 --> 00:26:41,189 Okay, that’s all I’ll say about the WPA\ncertifications. 307 00:26:41,190 --> 00:26:46,690 Basically, they take the various security\n 308 00:26:46,690 --> 00:26:49,778 those protocols into standard sets. 309 00:26:49,778 --> 00:26:54,038 Hardware is then tested and certified to make\n 310 00:26:54,038 --> 00:26:57,569 Okay, here’s what we covered in this video. 311 00:26:57,569 --> 00:27:01,819 I’d say the content of this video was quite\nwide but shallow. 312 00:27:01,819 --> 00:27:06,099 You got a general overview of a lot of different\n 313 00:27:06,099 --> 00:27:14,548 Make sure you know the difference between\n 314 00:27:14,548 --> 00:27:20,658 Also know which protocols are included in\nWPA, WPA2, and WPA3. 315 00:27:20,659 --> 00:27:24,549 And make sure to watch until the end of the\n 316 00:27:24,548 --> 00:27:29,599 Software’s ExSim for CCNA, the best practice\nexams for the CCNA. 317 00:27:29,599 --> 00:27:35,079 Now let’s go to quiz question 1. 
318 00:27:35,079 --> 00:27:38,678 What does GMAC provide to a secure wireless\nconnection? 319 00:27:38,679 --> 00:27:42,990 Pause the video now to select the best answer. 320 00:27:42,990 --> 00:27:49,868 Okay, the best answer is B, MIC, message integrity\ncheck. 321 00:27:49,868 --> 00:27:56,250 GMAC is used as part of the GCMP protocol\n 322 00:27:57,608 --> 00:28:00,599 GCMP is part of the WPA3 certification. 323 00:28:00,599 --> 00:28:06,009 Okay, let’s go to quiz question 2. 324 00:28:06,009 --> 00:28:10,069 Which of the following are part of the 802.1X\n 325 00:28:10,069 --> 00:28:19,108 (select three) Okay, pause the video now to\n 326 00:28:19,108 --> 00:28:21,349 The answers are A, supplicant. 327 00:28:21,349 --> 00:28:25,478 D, authenticator, and E, authentication server. 328 00:28:25,479 --> 00:28:31,210 These are the three entities involved in 802.1X\nauthentication. 329 00:28:31,210 --> 00:28:36,990 In an 802.11 wireless network, the wireless\n 330 00:28:36,990 --> 00:28:42,378 the authenticator, and a server such as a\n 331 00:28:42,378 --> 00:28:47,019 Okay, let’s go to question 3. 332 00:28:47,019 --> 00:28:51,710 Which of the following encryption and integrity\n 333 00:28:51,710 --> 00:28:56,249 Pause the video now to select the best answer. 334 00:29:02,358 --> 00:29:09,329 These protocols were developed in the order\n 335 00:29:11,118 --> 00:29:15,278 If your hardware supports it, it is recommended\n 336 00:29:15,278 --> 00:29:19,700 Okay, let’s go to question 4. 337 00:29:19,700 --> 00:29:24,120 Which of the following AES methods requires\n 338 00:29:25,440 --> 00:29:29,288 Pause the video now to select the best answer. 339 00:29:29,288 --> 00:29:34,980 Okay, the answer is D, EAP-TLS. 340 00:29:34,980 --> 00:29:42,239 Both PEAP and EAP-TLS involve digital certificates\n 341 00:29:42,239 --> 00:29:44,519 that the AS has a certificate. 
342 00:29:44,519 --> 00:29:50,470 EAP-TLS, on the other, uses certificates to\n 343 00:29:50,470 --> 00:29:52,058 so they both need a certificate. 344 00:29:52,058 --> 00:29:57,808 Okay, let’s go to question 5. 345 00:29:57,808 --> 00:30:02,868 Which of the following WPA3 security features\n 346 00:30:02,868 --> 00:30:05,249 personal mode authentication? 347 00:30:05,249 --> 00:30:09,319 Pause the video now to select the best answer. 348 00:30:14,038 --> 00:30:20,398 SAE is simultaneous authentication of equals,\n 349 00:30:20,398 --> 00:30:22,699 during authentication using personal mode. 350 00:30:22,700 --> 00:30:24,759 Okay, that’s all for the quiz. 351 00:30:24,759 --> 00:30:32,967 Now let’s try a bonus question from Boson\n
