
Module 02 - Legacy Security

6. More About WEP Part1

Okay, so let's talk about WEP a little more. And again, we're just getting an idea of where we want to go. So WEP used what we call the Rivest cipher, the RC4 encryption algorithm. You know, back in the day, we had a lot of different symmetric types of encryption, and we're going to be talking more about these encryption models versus asymmetric. Remember, I said symmetric had a single key that both sides had to know, and that's why a pre-shared key was kind of the idea, whereas this was a key pair. And I'm going to try to explain those when we get into a little bit more detail about encryption in general.

But again, in those days, RC4 was still a fine protocol, but it wasn't as strong as some of these others. We also had one called DES, the Data Encryption Standard, which was also deprecated. In 2004, we had "triple DES," which meant we did DES three times, and it is still in use today. And then AES was the standard that we liked to use. So we don't see AES. Now, the reason we like to use AES is because this one's keys can start out at a 128-bit key. And, as I previously stated, the longer the key, the stronger the key. So it can now operate at 256-bit keys. Some systems can do 512.

And so it's a key length that continues to grow. And this is significant because, when comparing the processing power of today's average tablet to that of a laptop ten years ago, you have more processing power in that little tablet than you did in your laptop or even your desktop station back then. And so, as processing power continues to increase, so does the speed at which we can decrypt or crack these encryption methods. And so RC4 and DES are considered ones that we just don't really want to use. Not to say that RC4 is a bad one, but the development is. It has a very small key.

However, the better the encryption, the better the situation. So simply because we've moved on from an older type of algorithm doesn't mean it was bad or bad for its time; it simply means we're moving on. But that was part of WEP. Again, it did encrypt layers three through seven of the frame. Technically, part of layer two was the link layer control, which, like I said, was one of the sublayers of layer two. But it didn't contain the MAC addresses. That was the list of addresses we needed to keep safe. Now, that encrypted part of it is what we call the MSDU, or MAC Service Data Unit. And the goal of that is to basically say that if I were to draw a picture, and you might see one here soon, I believe.

Like I said, we had two layers of information. And then we had the MSDU, which is everything that's encrypted. And then at the end of every frame, we still have what's called a frame check sequence. That was a way of ensuring that none of the data in the rest of the frame had changed. It's not deliberate to be able to change a frame. It could just be interference—plain old interference—from a microwave oven, or if it's on a wired network, the same thing. Any type of electrical noise might alter a frame.

And we just didn't want to pass on garbage. So the FCS was our way of just making sure that it was okay. Now, most crypto systems, including WEP, had basically three main goals, and we often looked at those goals kind of like a triangle where I can talk about the CIA. I just like saying that acronym because it means I'm getting into the spy world now. And of course, we were trying to protect the data that was inside of this triangle. And so one side of this was confidentiality. Confidentiality is the goal of encryption. Now, as a side note, I certainly believe in the idea that all information should be encrypted while in motion and at rest. We're talking about it being in motion at the moment.

Being transmitted at rest would mean that if you stored information on your hard drive and it's important to you, you should encrypt it because if somebody steals your hard drive, they have your data. But that's another security issue. The I represented integrity. And again, the integrity was designed to make sure that the data was not purposefully or accidentally changed, or even a part of this.

To ensure that everything looked good, the FCS was a part of that integrity. And the letter "A" gets a lot of different uses. Here, they're calling it access control. We're controlling who has access to the actual access point, right, to make sure you're there. Some people may also indicate their availability. So maybe you want to think of access control as being able to get there because your network connections are available; sometimes we even use the word authentication. But that's another thing that we were just talking about in some aspects.

With some of these legacy systems, we are also adding authentication. Now, the only problem we have is that the reason they did this as a triangle was to kind of say that if you moved away from or added too much confidentiality, too much encryption, you might be moving further away from being available. I mean, there is sometimes an aspect of too much security where no one can get in and nothing is available or there is no access control.

So it's just a matter of moving away from yet another position: as you move up one side or down another side, you're moving away from yet another position. So there's a sweet spot somewhere where you can get the best access to each of these as we're coming up with our security systems. And again, we're talking about WEP. But I'm also throwing in some of the foundations for the idea of security.

7. More About WEP Part2

Alright, we're still talking about WEP. I already mentioned that we used RC4, the Rivest cipher, or "version 4" as you might call it. But one of the things is that Rivest, along with another person named Shamir and Adleman, founded a company called RSA, which is now owned by a storage company, but their technology for providing encryption and authentication is still available. Some of you have probably heard about this. So, this guy Rivest, and this guy over here, and one of the things they did with their ciphers was never publish the actual algorithm. They didn't want people to have access to it, but at the same time, they wanted people to use it.

And so sometimes it is said that it used ARC4 or RC4. And what that means is that the A stood for "assumed"; it was assumed it was the same, and it literally was the same. But yeah, I guess we couldn't verify it. So we usually just say RC4. Okay, so we started out with a 64-bit version, which they dubbed WEP-40. And you might say, "Well, wait a second, 40, 64, what's that all about?" Well, one of the things we're going to talk about is that they used what they called an "initialization vector" with the key. And that initialization vector was a 24-bit value, which would be added to the 40-bit key. And so together, that would be 64 bits. But technically, the WEP key was only 40 bits in size.

So 40 was the name we gave it. And then it improved again. Remember, the shorter the key, the easier it is to crack. And think about it this way: if any of you ever play any of the lotteries in the United States, as an example, we have two big ones: Powerball and Mega Millions. And they tell you that you could probably get struck by lightning ten times in your life before you'd ever win any one of them. But that's because they have so many combinations of numbers. So, the more number combinations you have to choose from, the more difficult it is to win. If there were less, there's another lottery game called Pick Three. And you know, lots of people win a little bit of money at that one, I guess. I don't know; I've never played it. But nonetheless, the shorter it is, the easier it is to be able to win the lottery.

The shorter the key, the easier it is to crack it. And so in today's world, even if it were a true 64-bit key, most of your laptops and most systems can crack that. And literally, it can be cracked in about five minutes. By today's standards, it's not that hard to do. So they did increase it to 128. Again, take off the 24-bit IV; we called it WEP-104, but it was harder to crack. But then we're going to find that, again, in today's world, because of the way in which WEP used that initialization vector, it didn't take us long, maybe longer than the five minutes for 64-bit WEP, but still, it doesn't take much time. And you might say, "Well, Ken, you just told me AES was great with 128 bits." Well, it's a true 128-bit key in AES instead of 104.

And there are a lot of other things going on that make it even more difficult to crack. All right, so here's the problem. 24 of those bits that are used as your encryption key are sent in clear text. That was significant because it meant I now knew a third of the key on WEP-40 and, perhaps, a fifth of the key on WEP-128 or WEP-104. As a result, we already knew whether or not we could intercept it. We already kind of had an idea of how to start. In fact, if I can draw it out here, I'll walk you through an example of what would happen. OK. If you don't know what hexadecimal is, it's still a hexadecimal value. It's just a number system that's called base 16. That means we use base ten, right?

We count from one to ten, then go to the next column and go from ten to 100, and keep going down the columns. So their digits are zero to nine, and then they use A, B, C, D, E, and F. So A would be ten, and B would be eleven. If you were to turn it into decimal all the way up to F, it would be 15. So we're just borrowing some letters from the alphabet to use as digits, rather than making a whole new symbol for our count in base 16. All right, so like I said, usually when we initialize WEP, we get four different keys. And that's why I said I had keys one, two, three, and four. I talked about those keys, and as long as you had one of them, we were able to basically help you realize that you are supposed to be associated with us.

And we would already have the keys on both sides to be able to do encryption. Depending on the administrator, they might give the first key to maybe ten different people, and maybe, you know, 15 people on the second key, however they wanted to distribute it. Most often, though, I think everybody has written down the first key and everybody uses the same key. Nonetheless, that's what it did for us. So there are not a lot of options for keys. Also, we would run the cyclic redundancy check. All right, so what is that? That is the same thing I just wrote down when I wrote that little picture of a frame, right? And I had layers two, three, four, and seven. And I said there's a frame-check sequence at the end.

Some people also call it a CRC, a cyclic redundancy check. Same concept: we would run that on the plaintext data and then append the integrity check value to that as a part of again verifying that no noise, damage, or other interference came about. So basically, we had this 40-bit key, right, one of these keys over here, and we'd add the clear text, a 24-bit IV, and that would be the seed or key that we'd use for the RC4 algorithm. And so, whatever that came out to, in this case, they put in 101. But keep in mind that there are a lot more bits there; they're just a little bit shorter. And we do what's called an exclusive or. And after the exclusive or was done with the plain text, what was left was the ciphertext. So, call this one a truth table, and the idea was that if the first thing was true, the second thing was true, and you added them together, the result was true. And a one was usually used to represent truth. And then any other combination of truth, falsehood, or both would be all false. False, false, and false were typically assigned a value of zero.

So basically, we're saying that for a statement, a logical statement, to be true, both sides had to be true; otherwise, the condition was not going to be true. So, if we did the same thing with an exclusive or, which we're now going to investigate, the idea behind an exclusive or is that "exclusive" meant that maybe I should have done an or table over here. If I did an or table, the only time everything was false was if both sides were false on an or statement. Otherwise, the statement would evaluate true if one of the two sides was true. But exclusivity says only one can be true. Let me get that F out of there.

So true, true, true, false, false, true, false, true, false. Exclusive means that only one side can be true, but neither can be true. So if both sides were true, we would get a false answer or a zero. If either one were true, but not both, we get an answer of "one." If both were false, we get an answer of "two." And, of course, there's no way for it to ever be true, so it'd be a zero.

And so that's what they're doing then: they take that key stream and they take the first bit of your plain text, and we just do the math. Exclusive or false, right? Both perspectives are correct and equal. "False" on both sides equals "False." Right? Again, one side is correct and the other is incorrect. So we have a true statement, but it is the ciphertext. And the idea was that if you're trying to basically beat this algorithm, you should try to figure out what the original message was. If you didn't know what the key stream was, you wouldn't know how the logic was done in the manner in which they encrypted that traffic. So those were some of the advantages of what RC4 was doing for us.

8. Attacks Against WEP

Alright, so before I go and hit you with the attacks against WEP, you probably all, if you've been doing this for a while, have gone to YouTube and looked up how to crack WEP keys. The basic idea was that there's someone over here within radio range, we'll make them the hacker, who's listening to this access point's transmissions and associating with this guy over there as they talked back and forth. And we already know that there is that special IV, that initialization vector, that we would want to capture. And the hope was that as people associated, we would capture the entire key stream, so that whatever the key stream was, they would catch it.

Well, I'm just going to use words instead of trying to use hexadecimal. So just imagine the word "password" is the key, the stuff that's hidden, and we added some randomness, some 24 bits to it, and I'm just going to make it up. This is not quite exactly the way it would work, but let's say that these, A, C, E, are part of what we had as the initialization vector. And the initialization vector for each person that connects could be different. So this could be called A, and this is B. And so maybe the other one was B plus H and I. So there's the initialization vector. So there was some randomness to the initialization vector. Now, if you think about it, that's 24 bits in size. If you do the math, two to the 24th power, that's some 16 million initialization vectors that we could potentially see. But we didn't have to get all of those.

Remember when these guys were broadcasting? I should do my radio frequency more circularly like this. because this guy over here is just listening for those IVs or the IV exchange. And often, what they would do is capture these in a file and then replay them against the access point, hoping to get more of that IV traffic to come in. And with each one, as they would replay it, they would keep recapturing it. And if you think about it, if I captured like ten of these and replayed ten of them, I'm going to get ten more. And then now I have 20, and I can replay all 20 against you. Then there are the 40 or so that were going through.

And the idea was that I didn't need to get 16 million of them; I just needed to be able to get enough of these IVs so that I could run a cracking program. And what that cracking programme would try to do is find out what was common among all of them, which would include the WEP key. And they claimed that you only needed about 100 of them. And some people would say you need less, and some people would say you need more. But let me just say that if you replay these and keep replaying them, you can get up to 500, 600, or more of these in minutes, depending on how fast you can generate them. Then you simply let the cracking programme run, and before you knew it, you had the actual key.

So what I actually just described would be this first one, the IV collision attack. Again, because it's clear text and there's a new one generated for every frame, at some point, those 16 million IVs would be forced to repeat themselves, and we didn't need to repeat all of them, as I just said, but it would allow us to be able to get that. So I'll just say, see the diagram I just drew at the bottom. So, like I said, it didn't take very long to do that. Then the attack on the weak key. So RC4 uses a scheduling algorithm, and weak IVs are generated. And like I said, as long as you knew the weak IV key, then it made it easier to be able to attack again. I think I talked about reinjection hacker tools that you could use to implement the reinjection and accelerate the collection of these weak IVs. So that's what it was designed to do.
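Here is a small Python model, added to these notes (not the course's or CWNP's code), of the pieces the last two lectures described: the clear-text IV prepended to the 40-bit key as the RC4 seed, the CRC-32 ICV, the XOR with the keystream, and why a repeated IV under the same key exposes the XOR of two plaintexts, which is the IV collision point just made. The key, IV and messages are constructed values.

```python
import struct
import zlib

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IVs: the "16 million" from the lecture

EXAMPLE_KEY = b"ABCDE"        # constructed 40-bit (WEP-40) key, not a real one
EXAMPLE_IV = b"\x01\x02\x03"  # constructed 24-bit IV


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling algorithm (KSA), then output generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # KSA: permute S under the seed bytes
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                     # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Exclusive-or of two equal-length byte strings: the XOR truth table, bit by bit."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP's integrity check value: CRC-32 over the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP built it: IV sent in the clear, then
    (plaintext || ICV) XOR RC4(IV || key). Key is 5 bytes (WEP-40) or 13 (WEP-104)."""
    if len(iv) != IV_BITS // 8 or len(key) not in (5, 13):
        raise ValueError("IV must be 3 bytes; key must be 5 (WEP-40) or 13 (WEP-104) bytes")
    keystream = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + xor_bytes(plaintext + icv(plaintext), keystream)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Rebuild the keystream from the clear-text IV and the shared key, strip the
    ICV, and refuse the frame if the ICV no longer matches (noise or tampering)."""
    iv, body = frame[:3], frame[3:]
    data = xor_bytes(body, rc4_keystream(iv + key, len(body)))
    plaintext, received_icv = data[:-4], data[-4:]
    if received_icv != icv(plaintext):
        raise ValueError("ICV mismatch")
    return plaintext


def iv_reuse_leaks_xor(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Same IV and same key give the same keystream, so C1 XOR C2 == P1 XOR P2: the
    keystream cancels and the relation between the two plaintexts is exposed without
    the key. With only 2**24 IVs per key, such repeats are guaranteed once enough
    frames have been sent, which is the confidentiality failure behind IV collisions."""
    c1 = wep_encrypt(key, iv, p1)[3:]
    c2 = wep_encrypt(key, iv, p2)[3:]
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])
```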

If you were to go look at that YouTube video, there are a million of them. One of the tools on Linux was called "aireplay." And so that's what it would do. It would just replay all those IVs. The ICV data integrity check was also considered weak. So we could actually attack WEP's encryption. We could tamper with those by just doing some bit-flipping.

And it all depends on how you do the integrity checks. You know, the idea was that the ICV would be some value, like 0110100, one, or whatever this value was. Let me just give you an example of how weak some things can be. If we know that after we calculate this ICV, and remember that the goal was to say that we didn't want to verify that anything had changed, and in some of these CRCs, some of the older ones (I'm describing an older one), just to give you an analogy, we might just say that as long as we had an even number of ones or an odd number of ones, then we'd have some value depending on whether they were even or odd.

So what would happen if I changed that to a one and then changed one of the ones to a zero? Now that I've changed your data, I still have an odd number of ones; I didn't even count to see if I had an odd number of ones. Oh, I did. Okay, now I do anyway, or I did before, but anyway, you get the idea that the value would still come out to be true, saying, "Oh, it must not have changed because the number of ones in that message is still even in the count." Again, that's just an example of a very weak type of redundancy check. But that's kind of the idea of what bit-flipping would do for you.
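The parity analogy above, carried into code as an added example (not course material): two flipped bits leave the parity check satisfied, CRC-32 does flag them as the noise it was built for but is an unkeyed check that anyone who can change the data can recompute, and a keyed MAC (HMAC-SHA256 here, standing in for any MAC) is what actually rejects the change. The message and key are constructed.

```python
import hashlib
import hmac
import zlib

SAMPLE_MESSAGE = b"Transfer 100 to account 42"  # constructed sample data
SAMPLE_KEY = b"shared-secret-for-the-mac"       # constructed key, not a real one


def parity_check(message: bytes) -> int:
    """The lecture's analogy for a weak check: 1 for an odd number of one bits, 0 for even."""
    return sum(bin(b).count("1") for b in message) & 1


def find_bit(message: bytes, value: int) -> int:
    """Position of the first bit equal to value (position 0 is the MSB of byte 0)."""
    for pos in range(len(message) * 8):
        if (message[pos // 8] >> (7 - pos % 8)) & 1 == value:
            return pos
    raise ValueError("no such bit")


def flip_bits(message: bytes, positions: list) -> bytes:
    """Return a copy of message with the given bit positions inverted."""
    out = bytearray(message)
    for pos in positions:
        out[pos // 8] ^= 0x80 >> (pos % 8)
    return bytes(out)


def two_bit_tamper(message: bytes) -> bytes:
    """Flip one 1 to 0 and one 0 to 1, as in the lecture: the data changes, the
    count of ones does not."""
    return flip_bits(message, [find_bit(message, 1), find_bit(message, 0)])


def parity_misses_tamper(message: bytes) -> bool:
    """True when the altered message still carries the same parity value."""
    altered = two_bit_tamper(message)
    return altered != message and parity_check(altered) == parity_check(message)


def crc32_catches_noise(message: bytes) -> bool:
    """CRC-32 was designed for accidental errors and does detect the two-bit change..."""
    return zlib.crc32(two_bit_tamper(message)) != zlib.crc32(message)


def verify_crc(message: bytes, check: int) -> bool:
    return zlib.crc32(message) == check


def unkeyed_check_is_recomputable(message: bytes) -> bool:
    """...but it is a public function of the data alone. Whoever can alter the bytes
    can supply a matching check, and the verifier has no way to tell."""
    altered = two_bit_tamper(message)
    return verify_crc(altered, zlib.crc32(altered))


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed check: the tag depends on a secret the tamperer does not hold."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


def mac_rejects_tamper(key: bytes, message: bytes) -> bool:
    """Neither the original tag nor one computed under a guessed key verifies
    over the altered message."""
    altered = two_bit_tamper(message)
    original_tag = mac_tag(key, message)
    guessed_tag = mac_tag(b"wrong-guess", altered)
    return not verify_mac(key, altered, original_tag) and not verify_mac(key, altered, guessed_tag)
```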

9. VPNs Part1

Now, another early solution for protecting your data, and by the way, it's a good solution because it provided very strong protection where WEP was very weak, was through the use of what we called a VPN, a virtual private network. Now, I want to say right out of the gate that when you think VPN, 99% of us probably think of encryption because that's what you're used to using. When you're sitting at home and you're reconnecting to work, you create this VPN, and it uses a type of encryption. But there are a number of types of VPNs that have nothing to do with encryption.

So I bring that up so that most of you who are watching this, if you're that 1% who know about the layer two and layer three VPNs and all those things, don't look at me and say, "He doesn't know what he's talking about." So I told you, I do know what I'm talking about. But for the purposes of our discussions in this course on security, when I do mention VPN, we are assuming, or I'm assuming you believe or think, encryption is strong. It was a way of protecting data where we were weak. But it's not on our recommended list of solutions. And you might say, "Well, why not?" Well, the reason for saying not is because of how much work on the overhead side it took to be able to create this type of solution.

Now, VPNs are great for remote access. If you're sitting at home, you're going across the Internet to connect to work. VPN is without a doubt the best solution you have. But, between where you are and the access point, we should consider a different type of encryption as a possible solution. You don't have to; it's just a thought. Anyway, VPN is still very good. There are two types of VPNs. I'm going to draw these out for you and give you kind of a high-level view of what's going on inside these VPNs. However, one is usually router to router. All right? So that's not the best term.

I like site-to-site, business-to-business, and other types of sites because one side might be a firewall, one side might be a router, or they might both be firewalls. But layer three devices on both ends is fine. Another type is client-server. And that server doesn't necessarily mean a PC running an operating system. The server could also be a router, a firewall, or a VPN concentrator. But again, I'll describe what's going on there. Now, VPNs are usually associated with a tunnelling protocol, meaning we take the encrypted information in the IP packet, or at least from the original IP packet, encrypt that information, and put it inside another IP packet. And that's why I want to draw it out so you get a better picture of what's happening.

Now, there are a number of different types of protocols. One of the earlier ones was the Point-to-Point Tunnelling Protocol, PPTP, which we don't use all that often. Maybe if you're using a fully Microsoft solution, because they're more or less the ones that came up with that idea. There's also IP Security, what people call IPsec. That's the one we generally associate with VPNs as the best of the encryption methods. Then there was L2TP, a layer two tunnelling protocol that we'll get to later. It didn't actually do encryption, but generally it would put IPsec inside of an L2TP tunnel. But like I said, my goal here is to show you some pictures to kind of give you an idea of what these VPNs are supposed to do for us.

10. VPNs Part2

So when we look at our network, whether it's router-to-router or client-to-server, whatever the case may be, we're still going to have kind of the same idea. You are a client server, as are all other VPNs. So let's just take it router-to-router or firewall-to-firewall. The idea is that maybe this is your home. Maybe this is a branch office, a remote office, or a branch office, and this is headquarters over here. And we're travelling across the Internet to get to you.

And we actually had a couple of problems. One that is irrelevant to our current discussion is that we frequently used private IP addresses over here, which we called a part of RFC 1918. And those were addresses that cannot be routed over the Internet. As a result, we have the same problem: IP addresses that were created in RFC 1918. So we needed a tunnelling protocol just because you at home couldn't connect to a server over here at work because there's no way you could reach its IP address across the World Wide Web. Again, this was true at least for non-routable Internet addresses. So that's where the concept of tunnelling came from. In fact, let me just do tunnelling, and then we'll add the IPsec.

And so what we did was have these two routers with public addresses. Let's say this one's address is 1.2.3.4 and this one's is 5.6.7.8. And because they were public addresses, they were reachable on the Internet. And so those two routers could talk to each other. But this guy at home with a private address couldn't talk to that server with the private address. And so what these two would do is create what's called a tunnel. And what they would do is they'd say, "Okay, look, we have your original, let's say private address one and private address two." So one's source is one's destination, and that's part of layer three. Then there was your layer four stuff, and then your layer seven, which was the data. And these addresses, as I just said, were not routable. So these two would negotiate so that they would create a tunnel.

They basically pinned their source and destination addresses to 1.2.3.4 and 5.6.7.8. As a result, this would be analogous to adding new addresses. And the reason that works now is because all of the routers that you have to go through, from your service provider to other service providers, would be routing on these public addresses. Your traffic would get from point A to point B. And so when the traffic came into the router, it would add on this tunnel header. And when it got to the other side, it would take that tunnel header off. And then we had the original addresses, so we could deliver it to our destination. So that was the idea of it being a tunnel and a tunnelling protocol. Now, strictly speaking, I did not discuss encryption at that time. So now let's talk about these two routers creating an IPsec tunnel.

So one of the things that they have to do with an IPsec tunnel is come up with a proposal set. That means we have to choose the type of encryption, maybe AES, and an integrity protocol, like Message Digest 5 or SHA-1. And of course, by the way, they would also have gone through a dynamic exchange of keys through an asymmetric protocol called Diffie-Hellman. And as long as both sides agreed to the same set of proposals, they would create what's called a security association. So let's say Security Association one says we're using AES, MD5, and whatever our key is.

And this guy over here creates a security association. We'll call it Security Association two. But these two security associations work together. And the reason this is important is that if this were headquarters over here, there might be another tunnel coming in that might be using a different set of protocols for encryption and hashing and a different key. And so it would create Security Association three. And one of the components of these security associations is the SPI, the Security Parameter Index, which uniquely identifies all senders. So this one might be using AES and SHA, and obviously has a different key and a different SPI number.

So, when both parties agree and have the same key, and you're sitting at home and you send your data into this router and it encrypts that information, it creates that tunnel header, right, your public addresses that I mentioned earlier, like 1.2.3.4 and 5.6.7.8. Then it has what's called an "encapsulated security protocol," or ESP, that's going to contain the SPI number. And then it'll have all this encrypted stuff, including the original address and all your data and that sort of thing, just to give you a higher-level overview. And so now I send my traffic into this tunnel, and when headquarters receives it, it looks up the SPI number so we can see, "Do I decrypt it this way or do I decrypt it this way?" Well, this is the one that matched. So then it uses this information in the security association to decrypt the traffic. And then, once unencrypted or decrypted, it can send it off to the actual destination.

Like I said, there's a lot more that goes into this. The whole Internet Key Exchange, phases one and two, are things that are way outside the scope of what we're wanting to talk about here. But that was one of the things that made it so strong: it used strong encryption, hashing, and a secure method of generating a dynamic key exchange. And the keys had a lifetime. So after 60 minutes, they'd come up with a new key for each other. So all of that worked out very well for us. But like I said, if you think about all this work that I just talked about, that's a lot of overhead. And that's why it wasn't one of the preferred methods, but it was certainly one of the strongest and longest methods, and still is today, for keeping your traffic secret.
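An added Python model (not CWNP's or the course's code) of the ESP tunnel flow just described: outer public addresses, an ESP header carrying the SPI and a sequence number, the original private-address packet inside, and a receiver that picks the security association by SPI before checking integrity and rejecting replays. Addresses, SPIs and keys are constructed; integrity uses HMAC-MD5-96 and HMAC-SHA1-96 as ESP defines them (RFC 2403/2404), the cipher is ESP NULL encryption (RFC 2410) so the example needs only the standard library, and the IKE negotiation that would install these SAs is not modelled.

```python
import hmac
import ipaddress
import struct
from dataclasses import dataclass

ICV_LEN = 12  # ESP truncates the HMAC to 96 bits (RFC 2403 / RFC 2404)


@dataclass
class SecurityAssociation:
    """One direction of one tunnel: what the lecture calls SA 1, SA 2, SA 3."""
    spi: int           # Security Parameter Index, sent in the clear in the ESP header
    peer: str          # public address of the other tunnel endpoint
    auth_alg: str      # "md5" for HMAC-MD5-96 or "sha1" for HMAC-SHA1-96
    auth_key: bytes
    last_seq: int = 0  # highest sequence number accepted (anti-replay, simplified)

    def icv(self, esp_bytes: bytes) -> bytes:
        return hmac.new(self.auth_key, esp_bytes, self.auth_alg).digest()[:ICV_LEN]


def inner_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed stand-in for the original packet: private src, private dst, data."""
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload


def encapsulate(sa: SecurityAssociation, our_public: str, seq: int, inner: bytes) -> bytes:
    """Tunnel-mode ESP with NULL encryption: outer header with the two public
    addresses, ESP header (SPI, sequence), the whole original packet, then the ICV."""
    outer = ipaddress.IPv4Address(our_public).packed + ipaddress.IPv4Address(sa.peer).packed
    esp = struct.pack("!II", sa.spi, seq) + inner
    return outer + esp + sa.icv(esp)


def decapsulate(sad: dict, packet: bytes) -> bytes:
    """Receiver side: look up the SA by SPI, verify the ICV with that SA's algorithm
    and key, reject replayed sequence numbers, and return the original packet."""
    esp, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sad.get(spi)
    if sa is None:
        raise KeyError(f"no security association for SPI {spi:#x}")
    if not hmac.compare_digest(sa.icv(esp), icv):
        raise ValueError("ICV mismatch: wrong key or algorithm, or modified in transit")
    if seq <= sa.last_seq:
        raise ValueError("replayed or out-of-order sequence number")
    sa.last_seq = seq
    return esp[8:]  # inner packet, private addresses intact, ready for delivery


# Constructed example: headquarters has two inbound tunnels with different SPIs,
# integrity algorithms and keys, the situation the lecture describes.
HQ_PUBLIC = "5.6.7.8"
BRANCH1_PUBLIC = "1.2.3.4"
HQ_SAD = {  # HQ's security association database, indexed by SPI
    0x1001: SecurityAssociation(0x1001, BRANCH1_PUBLIC, "md5", b"branch-1-key"),
    0x1002: SecurityAssociation(0x1002, "9.9.9.9", "sha1", b"branch-2-key"),
}
BRANCH1_SA = SecurityAssociation(0x1001, HQ_PUBLIC, "md5", b"branch-1-key")  # branch copy


def send_through_tunnel(seq: int, payload: bytes) -> bytes:
    """Branch 1 wraps a private-to-private packet; HQ unwraps it and returns the
    inner packet it would deliver."""
    inner = inner_packet("10.1.1.5", "192.168.50.10", payload)
    packet = encapsulate(BRANCH1_SA, BRANCH1_PUBLIC, seq, inner)
    return decapsulate(HQ_SAD, packet)
```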
