0 / 10 flipped
Concept
What are the three security objectives that wireless configuration must address?
Answer
1. Confidentiality: Encrypt wireless frames so intercepted traffic cannot be read by unauthorized parties.
2. Authentication: Verify the identity of devices and users before granting network access β prevent unauthorized connections.
3. Integrity: Detect whether frames have been modified in transit β implemented via a Message Integrity Check (MIC) on each frame. WPA3 provides MIC through GMAC (part of GCMP).
2. Authentication: Verify the identity of devices and users before granting network access β prevent unauthorized connections.
3. Integrity: Detect whether frames have been modified in transit β implemented via a Message Integrity Check (MIC) on each frame. WPA3 provides MIC through GMAC (part of GCMP).
Concept
What is the fundamental vulnerability in WPA2 PSK, and why can't it be fixed within WPA2?
Answer
WPA2 PSK's four-way handshake transmits a hash derived from the pre-shared key and a nonce. An attacker passively captures this handshake and performs offline brute-force β guessing passphrases at GPU speeds with no rate limiting, no lockout, and no network interaction required after capture.
This cannot be fixed within WPA2 because transmitting the hash is fundamental to how the four-way handshake establishes the session key. The fix required a new handshake mechanism β SAE in WPA3, which derives the session key via Diffie-Hellman and never transmits the hash at all.
Additionally, WPA2 PSK has no forward secrecy: compromise of the PSK exposes all previously captured sessions.
This cannot be fixed within WPA2 because transmitting the hash is fundamental to how the four-way handshake establishes the session key. The fix required a new handshake mechanism β SAE in WPA3, which derives the session key via Diffie-Hellman and never transmits the hash at all.
Additionally, WPA2 PSK has no forward secrecy: compromise of the PSK exposes all previously captured sessions.
Term
GCMP (Galois/Counter Mode Protocol)
Definition
The encryption and integrity algorithm used in WPA3. GCMP combines two functions in a single algorithm:
β’ AES encryption (Counter Mode): provides data confidentiality
β’ GMAC (Galois Message Authentication Code): provides the Message Integrity Check (MIC) β detects frame tampering
Having both confidentiality and integrity in one efficient algorithm is an improvement over WPA2's CCMP. GCMP is stronger and more computationally efficient, benefiting both security and battery life on mobile devices.
β’ AES encryption (Counter Mode): provides data confidentiality
β’ GMAC (Galois Message Authentication Code): provides the Message Integrity Check (MIC) β detects frame tampering
Having both confidentiality and integrity in one efficient algorithm is an improvement over WPA2's CCMP. GCMP is stronger and more computationally efficient, benefiting both security and battery life on mobile devices.
Term
SAE β Simultaneous Authentication of Equals
Definition
The authentication handshake used in WPA3-Personal, replacing WPA2's four-way handshake. SAE is based on Diffie-Hellman key derivation:
β’ Both client and AP independently derive the session key from the passphrase β the key is never transmitted
β’ Both sides prove knowledge of the passphrase without revealing it β mutual authentication
β’ Each connection generates a unique session key β enables forward secrecy
β’ No hash is transmitted across the network β no offline brute-force possible
Also called the dragonfly handshake in IEEE 802.11 standards. Eliminates the root cause of WPA2 PSK's crackability.
β’ Both client and AP independently derive the session key from the passphrase β the key is never transmitted
β’ Both sides prove knowledge of the passphrase without revealing it β mutual authentication
β’ Each connection generates a unique session key β enables forward secrecy
β’ No hash is transmitted across the network β no offline brute-force possible
Also called the dragonfly handshake in IEEE 802.11 standards. Eliminates the root cause of WPA2 PSK's crackability.
Concept
What is forward secrecy? Why does WPA3 provide it but WPA2 PSK does not?
Answer
Forward secrecy means that compromise of a long-term secret (the passphrase) does not expose previously recorded encrypted sessions.
WPA2 PSK lacks it: All WPA2 sessions derive their encryption keys from the same static PSK. An attacker who records encrypted sessions and later obtains the PSK can derive all session keys retroactively and decrypt all recorded traffic.
WPA3 provides it: SAE generates a unique session key for every connection via Diffie-Hellman. That session key is derived independently by both sides and never stored or transmitted. Once the session ends, the key is gone. Even if the passphrase is later compromised, there are no session keys to recover β each session's key is independently derived and ephemeral.
WPA2 PSK lacks it: All WPA2 sessions derive their encryption keys from the same static PSK. An attacker who records encrypted sessions and later obtains the PSK can derive all session keys retroactively and decrypt all recorded traffic.
WPA3 provides it: SAE generates a unique session key for every connection via Diffie-Hellman. That session key is derived independently by both sides and never stored or transmitted. Once the session ends, the key is gone. Even if the passphrase is later compromised, there are no session keys to recover β each session's key is independently derived and ephemeral.
Concept
What are the three wireless security modes? When is each appropriate?
Answer
Open System: No authentication, no encryption. Used for intentionally public access (hotels, airports). Users must rely on HTTPS and VPN for protection.
WPA3-Personal (PSK): Shared 256-bit passphrase; SAE protects the handshake. Appropriate for homes, small offices without RADIUS infrastructure. All users share one key β no per-user audit trails or individual revocation.
WPA3-Enterprise (802.1X): Individual authentication through RADIUS. Each user has unique credentials. Supports per-user access control, VLAN assignment, audit logging, and individual revocation. Required for corporate environments with accountability requirements. Needs RADIUS infrastructure.
WPA3-Personal (PSK): Shared 256-bit passphrase; SAE protects the handshake. Appropriate for homes, small offices without RADIUS infrastructure. All users share one key β no per-user audit trails or individual revocation.
WPA3-Enterprise (802.1X): Individual authentication through RADIUS. Each user has unique credentials. Supports per-user access control, VLAN assignment, audit logging, and individual revocation. Required for corporate environments with accountability requirements. Needs RADIUS infrastructure.
Term
AAA Framework β four steps
Definition
A security framework controlling network access through four steps:
Identification: User presents an identity (username). A claim, not proof.
Authentication: User proves the claimed identity (password, certificate, MFA). RADIUS validates against a directory.
Authorization: System determines what the authenticated user is allowed to access. RADIUS returns attributes: VLAN assignment, permitted resources, bandwidth limits, session time.
Accounting: System records what the user did β login time, logout time, duration, data volume. Creates the audit trail for compliance, billing, and anomaly detection.
Identification: User presents an identity (username). A claim, not proof.
Authentication: User proves the claimed identity (password, certificate, MFA). RADIUS validates against a directory.
Authorization: System determines what the authenticated user is allowed to access. RADIUS returns attributes: VLAN assignment, permitted resources, bandwidth limits, session time.
Accounting: System records what the user did β login time, logout time, duration, data volume. Creates the audit trail for compliance, billing, and anomaly detection.
Term
RADIUS
Definition
Remote Authentication Dial-In User Service β the most widely deployed AAA protocol. A centralized authentication server used by WPA3-Enterprise wireless, VPN gateways, switch consoles, and other network access devices.
RADIUS receives authentication requests from network devices (APs, switches, VPN concentrators), validates credentials against a directory (AD, LDAP), and returns Access-Accept or Access-Reject β optionally including authorization attributes (VLAN, session limits).
Operational security benefit: credentials are stored once; revoking a user's access in AD immediately blocks that user across all RADIUS-integrated systems β no individual device reconfiguration required.
RADIUS receives authentication requests from network devices (APs, switches, VPN concentrators), validates credentials against a directory (AD, LDAP), and returns Access-Accept or Access-Reject β optionally including authorization attributes (VLAN, session limits).
Operational security benefit: credentials are stored once; revoking a user's access in AD immediately blocks that user across all RADIUS-integrated systems β no individual device reconfiguration required.
Term
802.1X β Port-Based Network Access Control
Definition
An IEEE standard that blocks all network access at a port until successful authentication. Three roles:
β’ Supplicant β client device; presents credentials
β’ Authenticator β AP or switch; enforces access control; relays EAP messages; does NOT validate credentials
β’ Authentication Server β RADIUS; validates credentials; returns Access-Accept/Reject
Works on both wired (physical switch ports) and wireless (logical 802.11 association). Integrates with RADIUS, LDAP, and TACACS+. EAP is the authentication framework running within 802.1X.
β’ Supplicant β client device; presents credentials
β’ Authenticator β AP or switch; enforces access control; relays EAP messages; does NOT validate credentials
β’ Authentication Server β RADIUS; validates credentials; returns Access-Accept/Reject
Works on both wired (physical switch ports) and wireless (logical 802.11 association). Integrates with RADIUS, LDAP, and TACACS+. EAP is the authentication framework running within 802.1X.
Concept
In an 802.1X exchange, which component actually validates credentials? What is the authenticator's specific role?
Answer
The Authentication Server (RADIUS) validates credentials β not the authenticator.
The Authenticator (the AP or switch) is a policy enforcement point. It:
β’ Blocks all traffic until it receives an Access-Accept from the authentication server
β’ Passes EAP messages between the supplicant and the authentication server (relay function)
β’ Opens the port when Access-Accept arrives; keeps it blocked on Access-Reject
The authenticator does NOT inspect, validate, or make decisions about credentials β it simply enforces what the RADIUS server decides. This distinction β that the AP is an enforcer, not a validator β is frequently tested on the exam.
The Authenticator (the AP or switch) is a policy enforcement point. It:
β’ Blocks all traffic until it receives an Access-Accept from the authentication server
β’ Passes EAP messages between the supplicant and the authentication server (relay function)
β’ Opens the port when Access-Accept arrives; keeps it blocked on Access-Reject
The authenticator does NOT inspect, validate, or make decisions about credentials β it simply enforces what the RADIUS server decides. This distinction β that the AP is an enforcer, not a validator β is frequently tested on the exam.