Understanding WPA-2 Enterprise Authentication and Encryption – An analogy of Military Communications.
During my journey through the CWNP certification studies, I struggled for a long time to understand the authentication and encryption process covered in the Wi-Fi Alliance WPA-2 Enterprise Security policy. I studied the CWSP book enough to get through the test, but I was still a bit unclear. I read Devin Akin’s white paper, 802.11i Authentication and Key Management, and it helped some, although I had a hard time relating to the chicken farm analogy. It was only when I was able to relate my experience in the military to the Generic EAP Exchange that I was able to understand the process.
Personal background:
In 1982 I received a commission as a 2nd Lieutenant in the Army through the Officer Candidate School in Ft Benning, GA. I was selected for OCS after serving five years as an NCO, primarily in Germany, where I patrolled the border in what was then known as the Fulda Gap. Our patrols went along the fence separating East and West Germany. At that time, the Fulda Gap was considered the primary route the Soviet forces would use to conduct a tank attack. In a strategy called “brinkmanship,” each side would continually show force stronger than the other. In our intel briefings our battle plan for the scouts on the border was basically to duck and then fight our way back through the Soviet lines. Thank God we never had to employ those plans because it was more a “we don’t have a plan” plan.
After receiving my commission from OCS, I went through further training and eventually was assigned to my new duty station; Camp Casey, Korea. The unit that I was assigned to also patrolled the border, but this time it was between North and South Korea. The area that we patrolled is called the DMZ, or Demilitarized Zone.
This analogy compares the 13 step EAP exchange and the 4 Way Handshake to the radio communication security procedures we used while out on patrol in the DMZ.
In 1983 the 2nd Infantry Division had the responsibility of defending the border in the sector just north of Seoul. Our battalion conducted operations along the border including running nightly patrols with a squad of 15 soldiers in full battle gear.
Every day, prior to conducting a patrol, we would have a briefing given by the Intel Officer, known as the S-2. He would apprise us of any North Korean activity, not just in our area, but all along the border. Another officer in the briefing was the Communications Officer. The Comms Officer was responsible for secure communications within the DMZ. He gave us the codes that we were to use for the 24-hour period we were on patrol. This always included two days of codes because our patrols were out over midnight, which is when the codes changed for the day.
The Comms Officer also gave us four small plastic devices that were keys that we used to encrypt our radio communications: two were for direct communication with the Tactical Operations Center (TOC), which monitored all patrols. The other two were for emergency broadcast messages in the event that we had to get word out to everyone quickly (i.e. the shit had hit the fan). We had two of each because of the midnight change-over.
Unbeknownst to me, at the very same time I was getting my predeployment briefing, my counterpart in North Korea was also receiving his briefing. A member of the Korean People’s Army, Special Operations Force, Reconnaissance Brigade, Lieutenant Pak was anxious to prove his worth in disrupting the operations of an American fighting force.
In 1980, Kim Il-sung’s son had been “elected” president and heir-apparent to the supreme leadership. Kim Jong-il was eager to demonstrate his resolve, and during the next few years after 1980, activity along the DMZ increased significantly.
That night, LT Pak was attempting to complete the final phase of what American soldiers called Pucan (North Korean) Ranger school. If he could penetrate our line and cause disruption or get us to fire our weapons, he would be successful. If he could steal anything, especially our radio encryption keys, he would be a hero of the People’s Army.
Every day a representative of the United Nations would sit in a meeting with US, South Korean, and North Korean representatives. If any shots were fired, the North Koreans would claim that we were acting in aggression and that they should somehow be compensated for this violation of “trust.” Lt Pak had plenty of motivation to disrupt my patrol. Fortunately for me, I came to this occasion well prepared.
After our intel and comms briefing we had time to review the maps and prepare for the patrol. Then, prior to going out, the Battalion Commander conducted a thorough inspection of the squad. He wanted to make sure that all members of the team had their identification, knew their equipment thoroughly, to include memorizing the serial numbers of our weapons, and that we had everything that we were supposed to take with us. In other words: something we were, something we had, and something we knew.
The Battalion Commander was tough. The squad was called into a long tent and we stood in one long row, at parade rest, with all our equipment in our ruck sacks and our rifles at our sides. I was very nervous. I had only been in country for five days, and here I was, about to lead a squad into an area I knew very little about. Actually, I was more afraid of screwing up the inspection than I was about leading a patrol into the DMZ. The Platoon Leader before me had been relieved of his duty by the BC for compromising his position over the radio. His squad had been probed and they got spooked, fired off some rounds, and then broke from their position and moved to an alternate location. They had not used the cipher codes to encode their coordinates. It was a clear win for the Pucan and our BC had no intention of allowing another incident like that to take place. He spent a full hour drilling us to ensure that we all knew exactly what we were supposed to do on our patrol.
As I said, at the beginning of the inspection I was very nervous. The BC tried to intimidate me with rapid-fire questions to see if he could trip me up. At one point he got me confused about the rules of engagement. I didn’t know the code word that the TOC would use to give us permission to fire. Fortunately for me, my Platoon Sergeant blurted out the code word while I was getting grilled. I didn’t know how the BC was going to respond. He stared at the Platoon Sergeant for a good long while, then he turned and walked over in front of SFC Briggs. He came so close to him that the brim of his hat was almost touching SFC Briggs’ hat, and then he said in a low voice, but loud enough for me to hear, “Sergeant Briggs, do me a favor, just make sure LT Weber doesn’t get anybody killed.”
“Yes sir!”
Then he did an about face and marched out two paces, turned and addressed the squad, “I pronounce this squad prepared for duty. Commence operations,” and he turned and marched out of the tent, leaving me pissed off at his arrogance and a bit embarrassed in front of my men, but highly thankful that SFC Briggs had stepped in and saved my ass.
An hour later our squad was debarking from a 2.5-ton truck deep inside the DMZ, and we started our patrol. Our mission was to move about two miles into the DMZ from our drop-off spot. We were given specific coordinates to set up operations, which included making radio connection with the TOC and deploying a defensive line along a low running ridge that gave us a good view of the valley below.
At this point we started our Communication Security procedures, which, as you can see, closely mirror the 13-step Generic EAP exchange and the Four-Way Handshake used in WPA-2 Enterprise security.
Step 1 of the EAP Exchange: The 802.11 client (supplicant) associates with the AP and joins the BSS. Both the controlled and uncontrolled ports are blocked on the authenticator.
When we got off the truck, the RTO (Radio Transmission Operator) did a radio check and established connection with the Communications team. We were too far from the TOC to communicate directly.
In this scenario, the Comms Team is the authenticator. They sit between us and the TOC, which is similar to the Authentication Server.
“Tango-six, this is Tango-niner, radio check over.”
The call came back, “Tango-niner, this is Tango-six. I read you Lima Charlie,” (Loud and Clear).
We made our way to our destination and then created our perimeter defensive line. SFC Briggs inspected the line to make sure we were deployed in a way that took advantage of the terrain while I worked with the RTO to establish communication with the TOC.
2. The supplicant initiates the EAP authentication process by sending an 802.11 EAPOL-Start frame to the authenticator. This is an optional frame and may not be used by different types of EAP.
We had to verify who we were and authenticate prior to receiving secure communications from the TOC so we went through a predefined set of requests and responses to establish secure communications.
After doing another radio check, we were clear to move to a predetermined channel for authentication. We were not allowed to communicate on any other channel until our authentication process was complete on this controlled frequency.
3. The authenticator sends an 802.11 EAP request frame requesting the identity of the supplicant. EAP request identity frame is always a required frame.
Upon turning our radio to the selected frequency, we received a message from the Communications team: “Tango-niner, authenticate Bravo Sierra.” This was a challenge to which I had to respond using the cryptographic book I was carrying. The book had been given to me at the inspection. It was a rather thick book of cryptography that held the codes that we used to decode and encode messages at a given date. We used a Julian calendar for some stupid reason. It’s a lot like SSID hiding in that, if someone has the book, it wouldn’t be too hard to figure out the date.
4. The supplicant sends an EAP response frame with the supplicant’s identity in clear text. The username is always in clear text in the EAP response identity frame. At this point, the uncontrolled port opens to allow EAP traffic through. All other traffic remains blocked by the controlled port.
After looking at the matrix for the date and finding the corresponding values for Bravo Sierra, I called the Comms Team back and said: “Tango-six, I authenticate Charlie Zulu.”
5. The authenticator encapsulates the EAP response frame in a RADIUS packet and forwards it to the authentication server.
At the communication station, the Comms Team had installed a land-line back to the TOC. This was an actual telephone that ran on wire that was laid out between the Communication station that was up on the side of a hill, and the TOC which was behind the hill. The Commo team rang the TOC on the field telephone and announced that my team had arrived at our first observation site.
6. The AS looks at the supplicant’s name and checks the database of users and passwords. The AS will then send a password challenge to the supplicant encapsulated in a RADIUS packet.
The TOC would then send its own challenge back to the Comms station and the Comms station would relay that to me. This challenge was separate from the authentication I had done with the Comms team previously. It was something that I had to memorize (although I noticed that SFC Briggs had written it down on the back of his map). It went something like this: “Challenge is Tiger,” and I responded, “Whisper.”
7. The authenticator forwards the password challenge to the supplicant in an 802.11 EAP frame.
See above
8. The supplicant takes the password and hashes it with a hash algorithm. The supplicant then sends the hash response in an EAP frame back to the authentication server.
I guess we could equate my memorizing the password response to hashing, but I know it’s a bit of a stretch. Still, the process is being followed in a direct manner.
9. The authenticator forwards the challenge response in a RADIUS packet to the authentication server.
The Commo team relayed my response back to the TOC.
10. The authentication server runs an identical hash and checks to see if the response is correct. The authentication server will then send either a success or failure message back to the supplicant.
After receiving my response, the TOC validated it and sent a message back to the Commo team to allow me to communicate with them. If I had sent an incorrect response I would have been directed to send a runner to the Comms location to receive the new password.
11. The authenticator forwards the authentication server message to the supplicant in an EAP success frame. The supplicant has now been authenticated.
The EAP success frame for me that day came in the form of a response from the Comms team to commence operations. “Tango-niner, you are confirmed at 0415 Zulu. Be advised that radio checks should be conducted intermittently every hour.”
12. The final step is the four-way handshake negotiation between the authenticator and the supplicant. This is a complex process used to generate dynamic encryption keys.
At this point the Comms team would establish direct wireless communication between me and the TOC (in essence, a tunnel). They would open up a relay between the TOC and me, using a high-powered antenna that could relay the signal without them having to verbally relay the message for us over the land-line. In order for us to do that we had to insert the two keys that we had been given into our radio: one for unicast messages that were directly between me and the TOC, and one for broadcast messages, those between the TOC and all patrols operating in the area (the area equates to an ESS). The Comms team had a much more complex radio system, but in order for the TOC to be able to decrypt our messages they had to have the matching keys.
The keys did two things: they created a frequency hopping pattern similar to how Bluetooth works today. The keys would have to synchronize the timing of hops, otherwise the link wouldn’t work. Secondly, they used a randomized encryption algorithm to encrypt and decrypt messages.
This is similar to the 4 Way Handshake, in that once the keys were inserted, the Comms radio would send a timing message to our radio. You could hear it make a beep on our radio when the initial message came in. Once that was successful, the keys would mutually create the algorithm that was to be used to encrypt and decrypt messages, just as the temporal keys are used in today’s Authentication and Key management sequence.
13. Once the supplicant has completed Layer 2 EAP authentication and created dynamic encryption keys, the controlled port is unblocked. The supplicant is then authorized to use network resources.
Finally, with authentication accomplished and encryption keys installed, the Comms team could hang up the land-line and let us talk directly to the TOC over the air.
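The 13 steps above, played out end to end as an added example (not code from the original post or from any real supplicant): a toy supplicant, authenticator and authentication server do a challenge/response over a simulated EAP relay, then run a simplified four-way handshake, and the authenticator's controlled port opens only when both succeed. The user database, MAC addresses, HMAC-SHA256 challenge hash and PTK expansion are all constructed stand-ins; real 802.11i uses PRF-384 and a method-specific EAP hash.

```python
import hashlib
import hmac
import os

# Constructed sample user database held by the Authentication Server (AS).
AS_USERS = {"tango-niner": b"whisper"}

class Authenticator:
    """The AP. Both 802.1X ports start blocked (step 1 of the exchange)."""
    def __init__(self, mac):
        self.mac = mac
        self.uncontrolled_open = False   # admits EAP/EAPOL only, once opened
        self.controlled_open = False     # admits normal data traffic

def hash_response(secret, challenge):
    # Toy challenge/response hash; real EAP methods (e.g. MS-CHAPv2) differ.
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def eap_exchange(identity, password, auth):
    """Steps 2-11. Returns a PMK on EAP-Success, or None on EAP-Failure."""
    auth.uncontrolled_open = True       # step 4: identity sent in clear text
    if identity not in AS_USERS:        # step 6: AS looks up the user
        return None
    challenge = os.urandom(16)          # steps 6-7: challenge relayed RADIUS -> EAP
    response = hash_response(password, challenge)             # step 8, supplicant
    expected = hash_response(AS_USERS[identity], challenge)   # step 10, AS side
    if not hmac.compare_digest(response, expected):
        return None                     # EAP-Failure; controlled port stays blocked
    return hashlib.sha256(b"pmk|" + password).digest()       # step 11 (toy PMK)

def derive_ptk(pmk, amac, smac, anonce, snonce):
    # Toy PTK expansion over both MACs and both nonces; 802.11i uses PRF-384.
    data = min(amac, smac) + max(amac, smac) + min(anonce, snonce) + max(anonce, snonce)
    return hmac.new(pmk, b"Pairwise key expansion" + data, hashlib.sha256).digest()

def four_way_handshake(pmk_ap, pmk_sta, auth, smac):
    """Step 12. Each side derives a PTK; the MIC in message 2 proves they match."""
    anonce, snonce = os.urandom(32), os.urandom(32)           # M1 carries ANonce
    ptk_sta = derive_ptk(pmk_sta, auth.mac, smac, anonce, snonce)
    mic2 = hmac.new(ptk_sta[:16], snonce, hashlib.sha256).digest()  # M2: SNonce + MIC (KCK)
    ptk_ap = derive_ptk(pmk_ap, auth.mac, smac, anonce, snonce)
    if not hmac.compare_digest(mic2, hmac.new(ptk_ap[:16], snonce, hashlib.sha256).digest()):
        return None                                           # PMK mismatch: no keys installed
    gtk = os.urandom(16)                                      # M3 delivers the GTK (broadcast key)
    return ptk_sta, ptk_ap, gtk                               # M4 acknowledges installation

def wpa2_enterprise(identity, password, auth, smac):
    """Runs the whole sequence; step 13 opens the controlled port only at the end."""
    pmk_sta = eap_exchange(identity, password, auth)
    if pmk_sta is None:
        return None
    pmk_ap = hashlib.sha256(b"pmk|" + AS_USERS[identity]).digest()  # AS hands the PMK to the AP
    keys = four_way_handshake(pmk_ap, pmk_sta, auth, smac)
    if keys is None:
        return None
    auth.controlled_open = True
    return keys
```

A wrong password leaves the uncontrolled port open (EAP traffic was allowed) but the controlled port blocked, which is exactly the state a failed supplicant is left in.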
As Lt Pak conducted his reconnaissance in an effort to pinpoint my squad’s location he could not rely on unsecure radio communications to help him. The first secure communication I received once authentication and encryption had been established, was to move to a different location.
I think Lt Pak did find us that night. It was very early in the morning around 4:00 am. One of our team spotted something moving along a line parallel to our front. One of the soldiers thought it was a wild boar because they thought they heard snorting. SFC Briggs wasn’t so sure. Then, several others reported seeing something moving to our front. I called into the TOC and reported that we were seeing movement to our front. The Officer in Charge (OIC) that night wasn’t willing to risk contact. He didn’t know what it was that we were seeing, but he decided to pull us back to an open area and pack it in tight. Quietly we started moving squad members off the line to a rally point about 500 yards back.
One of the deadlier weapons that a scout platoon carries in the DMZ is the Claymore mine. They are explosive devices that are packed with C4 explosives and small sharp pellets. They have a kill zone of 50 meters in a 60-degree arc. The Claymore mine is command-detonated, meaning that it is fired by remote control via a wire and a clacker. The person detonating the Claymore generates a spark along the wire by pressing down on the clacker. When we went into our position for the night we had placed our Claymores at each end of our line to protect our flanks from being breached.
When we received the order to fall back that morning, SFC Briggs and another soldier went to retrieve the Claymores. After a few minutes SFC Briggs called me and said, “I have something you need to see. Come out to the end of the line.” When I got there, he pointed to the Claymore, and when I saw it a chill went down my spine. The front of every Claymore is curved out, and on the front is stamped the words, “FRONT TOWARD ENEMY.” It’s a pretty basic instruction, and you can’t fail to get the message. This one, however, was facing us.

To this day I don’t know if Lt Pak got so close to us that he turned that mine around, or if one of my squad members was just trying to get a rise out of the LT. There’s no telling what might have happened if we had stayed in position and he had enticed us into firing. I don’t even know his real name. I just gave him that name as I thought about who it could be. But I do know that secure communication with the TOC that night ensured that we did not get into a sticky situation with LT Pak, or any other People’s Democratic bastards.