Nt1310 Unit 3


For a smaller setup, say an office or a home, an AAA RADIUS server is not deployed in the infrastructure. The secret key in this case is usually stored on an access point. In such a setup, the authentication takes place between the station and the access point. To secure the network, WPA2 can be used along with the optional Pre-Shared Key (PSK) for authentication. To encrypt the network with WPA2-PSK, the router is configured not with an encryption key but rather with a plain passphrase. TKIP (Temporal Key Integrity Protocol) is used along with the network SSID to generate a unique encryption key for the wireless clients. The 4-way handshake can be used for authentication in this setup. In this mechanism, the access point starts by sending the EAPoL (Extensible Authentication Protocol (EAP) over LAN) message, which contains the AP Nonce (Access Point Nonce), where a nonce is just a random sequence. The station uses this information along with the MAC address and the PSK to create a pairwise transient key. The generated STA Nonce (Station Nonce) is protected with the MIC (Message Integrity Code) created from the pairwise transient key. The resulting message is then sent to the access point.

If it proves to be from a legitimate source, then the source must have the valid Pre-Shared Key, and hence the communicating station is authenticated. The access point then sends back the EAPoL message comprising the Group Transient Key, which is protected by the MIC as well as the Pairwise Transient
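The first two handshake messages described above, as an added example that is not part of the original essay: both sides derive the pairwise transient key and the access point checks the station's MIC. It uses the PBKDF2 and PRF key derivation defined in IEEE 802.11i, which the essay does not spell out; the function names, the sample SSID, passphrases and MAC addresses, and the simplified message body are assumptions made for illustration.

```python
import hashlib, hmac, os

def derive_pmk(passphrase, ssid):
    # Passphrase + SSID -> 256-bit pairwise master key (PBKDF2-HMAC-SHA1, 4096 rounds)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, length=48):
    # 802.11i PRF: MACs and nonces are sorted so both sides hash identical input
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for counter in range((length + 19) // 20):
        block = b"Pairwise key expansion\x00" + data + bytes([counter])
        out += hmac.new(pmk, block, hashlib.sha1).digest()
    return out[:length]

def compute_mic(ptk, frame):
    # The first 16 bytes of the PTK are the key confirmation key used for the MIC
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]

def station_message2(passphrase, ssid, ap_mac, sta_mac, anonce):
    # Station: pick SNonce, derive PTK, protect the outgoing message with the MIC
    snonce = os.urandom(32)
    ptk = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    frame = b"MSG2" + snonce  # constructed stand-in, not a real EAPOL-Key layout
    return frame, compute_mic(ptk, frame)

def ap_verify_message2(passphrase, ssid, ap_mac, sta_mac, anonce, frame, mic):
    # Access point: read SNonce, derive the same PTK, compare MICs in constant time
    snonce = frame[4:36]
    ptk = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(compute_mic(ptk, frame), mic)

def demo():
    # Constructed sample values, not taken from any real network
    ssid, psk = "ExampleOffice", "correct horse battery staple"
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce = os.urandom(32)  # message 1: AP -> station carries the AP nonce
    good = station_message2(psk, ssid, ap_mac, sta_mac, anonce)
    bad = station_message2("wrong passphrase", ssid, ap_mac, sta_mac, anonce)
    return (ap_verify_message2(psk, ssid, ap_mac, sta_mac, anonce, *good),
            ap_verify_message2(psk, ssid, ap_mac, sta_mac, anonce, *bad))

if __name__ == "__main__":
    print(demo())
```

A station that does not hold the configured passphrase derives a different pairwise transient key, so its MIC does not match and the access point rejects the message.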
