Keys, Keys, and Even More Keys!

I thought I had a good understanding of how the WPA/WPA2 encryption key generation process worked, that is, until I read Chapter 5 of the CWSP (Certified Wireless Security Professional) Study Guide. I was amazed, and a little confused, by everything that happens in the background when a client authenticates and the encryption keys are created. Dealing mostly with personal or small office wireless environments, I took a special interest in how the encryption keys are generated in small office home office (SOHO) networks. I’m a firm believer that a strong passphrase is mandatory when using WPA/WPA2 Personal, and writing this blog was not only my way to fully understand the encryption key creation process, but also a way to stress how important it is to select a completely random WPA/WPA2 passphrase. An easily guessed passphrase or a common dictionary word can expose your wireless network and connected devices to hacking or decryption of the data. The passphrase not only authenticates clients to the access point, it is also the initial seeding material for the master keys, which are in turn used to create the transient and temporal keys that encrypt the unicast data frames and the broadcast and multicast frames.


Let’s start by defining the alphabet soup of letters and give some quick definitions to the important terms being used in the article.

WPA/WPA2 Passphrase: Selected by the network owner and entered as a simple ASCII character string of 8 to 63 characters. The passphrase is configured on the access point and manually entered on the client devices that will join the AP’s wireless network.

Authenticator: In a SOHO network this will be the access point.

Supplicant: Any device wanting to join an access point’s service set.

Pre-Shared Key (PSK): The result of running the passphrase through the passphrase-to-PSK mapping formula.

PMK (Pairwise Master Key): The highest-order key, derived from the pre-shared key (PSK).

GMK (Group Master Key): Generated by the authenticator (access point); it is the seeding material for the Group Temporal Key.

4-Way Handshake: Uses the pseudo-random function to create and distribute the dynamic encryption keys.

Nonce: A randomly generated value only used once.

PTK (Pairwise Transient Key): Final encryption key used to encrypt unicast data traffic.

GTK (Group Temporal Key): Final encryption key used to encrypt broadcast and multicast traffic.

Selecting the Passphrase

The first step is to choose the passphrase and enter it in the security section of the wireless router’s management interface. Notice I did not say select a password! As mentioned before, avoid common dictionary words, and don’t use your name, address, phone number, pet’s names, favorite sports team name, etc… A completely random passphrase is recommended, and a passphrase generator is the best way to produce one. For help on selecting a highly secure passphrase, read my earlier blog post on creating a secure WPA/WPA2 passphrase.

WPA/WPA2 passphrases are static and susceptible to offline dictionary attacks, and it will become very clear why this passphrase must be absolutely random for maximum security of the wireless network.

The graphic below shows the encryption key generation process and can be referenced throughout the article.

WPA/WPA2 Encryption Key Generation

Passphrase to PSK Mapping

Manually enter the passphrase on the client devices that will be joining the wireless network. The passphrase authenticates the device to the AP’s wireless network, and behind the scenes the passphrase goes through the “passphrase to PSK mapping” function, which transforms it into the 256-bit Pre-Shared Key (PSK).

Here is the formula to convert a passphrase to the PSK.

PSK = PBKDF2(PassPhrase, ssid, ssidLength, 4096, 256)

The whole point of the passphrase to PSK mapping formula is to simplify configuration for the average home network user. An 8 to 63 character passphrase is far easier to remember than a 256-bit PSK.

Master Keys

The PSK will become the Pairwise Master Key (PMK), so basically the PSK is equal to the PMK.

The authenticator (access point) generates the Group Master Key (GMK). The GMK is derived by the authenticator and used to create the Group Temporal Key (GTK). The GTK will be used by the AP and all the authenticated clients to encrypt multicast and broadcast traffic.

4-Way Handshake

The graphic below is from Chapter 5 of the CWSP Study Guide to further explain the 4-way handshake process.


The 4-way handshake is a four-frame exchange (not including acknowledgements) between the supplicant and the authenticator. Using a pseudo-random function (PRF), the 4-way handshake creates the Pairwise Transient Key (PTK) by combining the PMK, an authenticator nonce, a supplicant nonce, the authenticator’s MAC address (AA), and the supplicant’s MAC address (SPA).

Here is the pseudo-random function formula, and below it is a brief description of the four frames exchanged during the 4-way handshake.

PTK = PRF (PMK + ANonce + SNonce + AA + SPA)

Message 1: The authenticator sends its ANonce to the supplicant. The supplicant now has all the information needed to generate the PTK using the pseudo-random function. The PTK protects the unicast data traffic.

Message 2: The supplicant will send its SNonce to the authenticator. The authenticator now has all the information needed to generate a matching PTK using the pseudo-random function.

Message 3: The authenticator generates the GTK from the GMK and transfers the GTK to the supplicant. The GTK is encrypted using the PTK and a secure exchange takes place. The GTK protects the broadcast and multicast traffic.

Message 4: An acknowledgement that the client has successfully installed the PTK and GTK.

The client is now authenticated and possesses the dynamic encryption keys and can securely send and receive traffic through the access point.
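As an added example (not code from the post or from the CWSP Study Guide), here is the key hierarchy just described, written out with Python’s standard library: the passphrase-to-PSK mapping, PSK = PMK, and the PRF that turns the PMK, ANonce, SNonce, AA and SPA into the PTK. The PRF construction, the "Pairwise key expansion" label and the min/max ordering of addresses and nonces are the IEEE 802.11 definitions that the shorthand formula above abbreviates; the MAC addresses, nonces and passphrases in the demo are constructed sample values.

```python
"""WPA/WPA2-Personal key hierarchy, passphrase -> PSK/PMK -> PTK (added example)."""
import hashlib
import hmac
import os


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits.

    Because the SSID is the salt, the same passphrase yields a different PSK on every
    network name; a factory-default SSID lets precomputed tables be reused against you.
    IEEE 802.11 test vector: ("password", "IEEE") -> f42c6fc52df0ebef9ebb4b90b38a5f90
    2e83fe1b135a70e23aed762e9710a12e."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...,
    concatenated and truncated to nbits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    384 bits is the CCMP (WPA2/AES) size; TKIP uses PRF-512 for two extra MIC keys."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)


def split_ptk(ptk: bytes) -> dict:
    """KCK authenticates the handshake MICs, KEK wraps the GTK in message 3,
    TK is the temporal key that encrypts unicast data."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def handshake_demo(ap_passphrase: str, client_passphrase: str, ssid: str) -> dict:
    """Run the derivation as each side of the 4-way handshake would.

    The AP and the client each compute the PMK from the passphrase they were given; only
    ANonce and SNonce cross the air, never the PMK or PTK. If the passphrases differ the
    PTKs differ, the MIC on message 2 fails, and the client is not let onto the network.
    MAC addresses and nonces are constructed sample values."""
    aa = bytes.fromhex("001122334455")   # authenticator (AP) MAC, constructed
    spa = bytes.fromhex("66778899aabb")  # supplicant (client) MAC, constructed
    anonce = os.urandom(32)              # message 1: AP -> client
    snonce = os.urandom(32)              # message 2: client -> AP
    ptk_ap = derive_ptk(passphrase_to_psk(ap_passphrase, ssid), aa, spa, anonce, snonce)
    ptk_client = derive_ptk(passphrase_to_psk(client_passphrase, ssid), aa, spa, anonce, snonce)
    return {"ptk_authenticator": ptk_ap, "ptk_supplicant": ptk_client,
            "match": hmac.compare_digest(ptk_ap, ptk_client), "keys": split_ptk(ptk_ap)}


if __name__ == "__main__":
    result = handshake_demo("correct horse battery staple", "correct horse battery staple",
                            "ExampleSSID")
    print("PTKs match:", result["match"])
    for name, key in result["keys"].items():
        print(f"{name}: {key.hex()}")
```

Run once with matching passphrases and once with a typo on the client side to see the PTKs diverge; the SSID-as-salt property is visible by deriving the same passphrase under two different SSIDs.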


In a SOHO network the passphrase is not only used for keeping unwanted devices from joining the network, it is also the seeding material to create the transient and temporal encryption keys. If an attacker obtains the passphrase they could not only join the wireless network, they could also recreate the PTK encryption key. If an attacker captures the 4-way handshake exchange between a client and the access point and also possesses the passphrase, the attacker has all the variables needed to duplicate the PTK. With the PTK the attacker can decrypt any encrypted unicast data frames between that individual client and the AP. Passphrase secrecy, and having a passphrase that is not susceptible to dictionary cracking methods, is vital for the security of any network using WPA/WPA2 Personal.

Extra Security Note: Having one person control the passphrase is probably harder to do in a home network, but in a small office environment ideally one person should know the passphrase and enter it on the devices needing to connect to the wireless network. The fewer people who know the passphrase, the more secure the network will be!

Visualize Wi-Fi Networks Using Vistumbler and Google Earth

Vistumbler is an excellent free tool that scans for wireless networks within range of your Wi-Fi adapter. Once Vistumbler finds a wireless network it will display the network’s SSID, signal strength, encryption in use, MAC address, channel, access point manufacturer, and much more.

If you download and install the Google Earth application and have a GPS device you can use the most advanced feature of the program: mapping the nearby wireless networks Vistumbler finds onto a Google Earth map.

Below are the steps to install the necessary programs, configure them together with a GPS unit, and capture the networks and place them onto a Google Earth map.

1. Download and install the Vistumbler program.

  • Vistumbler will only run on Windows Vista and Windows 7. Windows XP users will need to check out a similar scanning program called Netstumbler.

2. Download and install Google Earth.

3. Open the Vistumbler program and configure it to work with the on board wireless adapter.

  • Disable any third-party wireless configuration utilities and disconnect from any wireless networks you are connected to.
  • Click the Interface menu option and from the list of available interfaces select your wireless adapter.

  • One nice thing about Vistumbler is it works with a wide variety of adapters including USB wireless adapters. As seen below a USB adapter is plugged into the laptop and is listed as one of the available interfaces.

4. Plug the USB GPS unit into the laptop.

  • For this tutorial I’m using a Globalsat BU-353 mouse receiver unit. A Globalsat BU-353 USB GPS unit can be purchased on eBay or Amazon for 30 to 35 dollars.
  • Install the drivers that come with the Globalsat GPS unit and run the GPS utility that also came with it to first establish the current GPS position.

5. Right click on the My Computer desktop icon and select Properties from the pop-up menu, then select Device Manager and expand the Ports section.

  • Verify the COM port that the Prolific USB-to-Serial Comm Port is assigned. This is the port that the Globalsat BU-353 GPS unit is using and it will need to be set in the Vistumbler program.

6. Go back to Vistumbler and click on the Settings menu option and select GPS Settings.

  • In the Com settings select the port number that was found in step 5.
  • The rest of the default settings can be accepted.

7. Click Settings again and select Auto KML/Auto Sort.

  • Adjust the path to your Google Earth installation.
  • An optional setting is to check the Automatically Open KML Network Link box. This setting will open Google Earth showing real-time visualization while a scan is in progress.

8. With everything set up and in place it is time to start the scan.

  • On the main screen for Vistumbler hit the Scan APs and the Use GPS buttons.

9. The Vistumbler window will start filling up with the wireless networks it finds.

  • If the GPS is working correctly the Latitude and Longitude fields will be filled in with coordinates (not shown in the screen shot below, verify with your own scanning).

10. If Google Earth was not set up to open automatically (see step 7) when scanning click on the Extra menu option and select Open KML NetworkLink.

11. When done scanning click the Stop and Stop GPS buttons.

12. Another nice feature of Vistumbler is any number of filters can be set up and applied to live scans or saved scans.

  • Select the View menu option and select Filters, and then Add/Remove Filters to open the filter designer window.
  • Any saved filter will be listed below the Add/Remove Filters option and can be turned on or off by clicking on the filter name in the list.

13. Save the scan to a Vistumbler VSZ file format.

  • Click the File menu option and select Export to VSZ, and then select All APs.

14. Export the scan results to a Google Maps KML file.

  • Click the File menu option and select Export to KML, and then select All APs.

15. Open the Google Earth program and load the exported KML file.

  • Select File and Open and browse to the KML file exported in step 14 from Vistumbler.
  • Networks with no encryption will be shown with a green circle, WEP encrypted networks are orange, and networks utilizing WPA or WPA2 are red. Clicking on a network will display the network’s information.

  • With the scanned networks loaded in Google Earth, you can use all the tools available in Google Earth to mark up the scan, and any changes can be saved back to the original KML file. You can transfer the KML file and load it on any OS you have Google Earth installed on.

Thanks for reading and happy scanning! Please post any comments or ask any questions you might have about any of the steps listed here or about the Vistumbler program.

Kindle Fire Security Tips

Set a Password on the Device

Password protect your Kindle Fire from unauthorized access.

From the home screen:

1. Tap the Settings icon in the upper right-hand corner (it’s the small gear icon next to the Wi-Fi symbol).

2. From the drop-down menu touch More.

3. Touch Security.

4. Turn ON Lock Screen Password.

5. Enter whatever password you would like to set for the device and tap the Finish button.

This means that when you turn on the device or if the screen goes black when not in use for more than 5 minutes (5 minutes is the default), you will have to enter the password to unlock your Kindle Fire.

Password Protect Wi-Fi

This is a separate password from the one used to join an encrypted, password-protected network. This password will unlock and enable the Wi-Fi. I have heard this described as a way to prevent your kids from surfing the internet when using the device, or for when you lend the Kindle to a friend and don’t want them connecting to any wireless networks. Instead of reinventing the wheel, the following article explains how to quickly and very easily set this up.

Kindle Fire: Password Protect WiFi

Accelerate Web Page Loading & Enable Encryption

I use these settings when I connect my Kindle Fire to a wireless hot spot. Since most free public Wi-Fi hot spots provide very little security, creating this encrypted connection from my device to the Amazon server is the equivalent of an encrypted VPN connection. When I’m on my WPA2 protected home wireless network I disable these settings.

Depending on what side of the privacy fence you’re on, you may want to read the Amazon usage agreement on how they collect your browsing history, and how long they store it, when you go through their server using the accelerate page loading setting.

After opening the Silk browser follow the instructions below to enable the accelerate page loading and encryption.

1. On the bottom of the screen tap the icon that looks like a piece of paper with writing on it.

2. When the menu of icons appear tap on Settings.

3. Scroll down the Settings page and find the Accelerate page loading setting.

4. Tap the check box to enable the Accelerate page loading, and you can also enable the Optional Encryption setting. You can only use the encryption setting when the accelerate page loading is enabled.

Don’t Have the Browser Remember Passwords

This is one of the settings that bothers me no matter what device or browser people use, and I always recommend never having a browser remember passwords. If the device is lost or stolen and the browser is set to remember passwords, it is the equivalent of running into the local grocery store and leaving your car in the parking lot with the keys in it and the engine running.

1. Follow the instructions above to access the Silk browser settings.

2. On the settings page verify the Remember passwords setting is not checked.

3. Below the Remember passwords setting is the Clear passwords setting. If you did have the browser remember any passwords, tap that to clear out any passwords the browser is storing.

These are just some of the security settings that can be set up on the Kindle Fire. Leave a comment or question, or let me know if you’re using any of these security settings or if there are any other security features you find help protect your Kindle device.

Is Your WPA2 Protected Wireless Network Really Secure

You’ve set up a wireless network in your home or small office and configured it with the highest level of encryption using a WPA2 passphrase. But is that WPA2 passphrase strong enough to protect the wireless network? A weak WPA2 passphrase could be hacked allowing an unauthorized person to use the wireless network. Even worse this unauthorized person could decrypt the communications revealing emails you send, web sites you visit, and passwords you use for access to websites.

You’re probably saying to yourself, if WPA2 encryption could be broken on my wireless network, is there anything I can do to improve the network’s security? Yes, with a couple of safeguards WPA2 can provide the required security, and I will describe how to apply them: always change the factory default network SSID, and make the WPA2 passphrase a completely random string of characters.

All small office home office routers ship from the factory with a default SSID assigned as the wireless network name. It might be D-Link, Linksys, or something else the vendor selected. You should always change this SSID to something of your choosing, but avoid a network SSID that might identify who owns the network, or something found in the top 1000 SSID names. Along with the WPA2 passphrase, the SSID is used to create the key that encrypts the wireless communications. Even though the SSID name can easily be found, if you’re using the factory default SSID or a common SSID name you make the hacker’s job that much easier.

With the SSID changed, let’s move on to the WPA2 passphrase. The WPA2 passphrase should be a completely random string of letters and numbers. Don’t use common dictionary words, names, a famous quote, the name of your favorite sports team, etc… At a minimum the WPA2 passphrase should be 25 characters; you can bang on the keyboard until you get something with 25 characters or use a password generator web site. I like to use the password generator on the website. If you use this site, scroll down to the bottom of the page and look for the WPA Password Generator section, and use the “Better” option to generate a random 32 character passphrase.

WPA Password Generator

After entering the WPA2 passphrase into the wireless management interface on the router, copy it into a Notepad file and save that to a USB storage drive. You can plug the USB drive into the other wireless devices and open the file to copy and paste the WPA2 passphrase into those devices to quickly add them to the network. Some devices may not have USB ports and may require you to manually type in the passphrase, but this will be a one-time entry since the devices will save the passphrase.

The two suggestions above will increase the security of your wireless network and make it harder for a potential hacker to break. Making your wireless network a difficult target will more than likely cause a hacker to move on to an easier one.

Additional Reading:

To learn more about passphrases check out the Wikipedia page.

If you’re looking for more security tips when setting up a home wireless network check out my earlier blog post.

Is Hiding the Wireless SSID All the Network Security You Need

Every wireless network has a service set identifier or SSID, which is the name given to the wireless network. The SSID is used to distinguish wireless networks from one another. Small office home office (SOHO) routers come from the factory with a default SSID and owners of the SOHO router should always change this default SSID name to something of their choosing.

Along with changing the SSID name, another very popular setting for individuals to enable on the router is to not broadcast the SSID or wireless network name. Hiding the SSID requires more overhead for the network owner, who has to manually configure any wireless devices that need to be part of the network. Many network owners believe hiding the presence of the wireless network and configuring the devices that join it is a great way to secure the network, but this provides a false sense of security. You’re not really hiding the network; you are just stopping the network from advertising itself. A moderately skilled hacker with the right utilities can still find hidden wireless networks, and if there is no other security defined on the router you open your network up to several attacks.

Anyone with knowledge of wireless networks can use free utilities downloaded from the internet to scan the airwaves and capture specific communication frames to discover hidden networks. Once the hidden network name is discovered, and assuming no other security is set up, an intruder could connect to the wireless network and use it for free internet access.

If an unauthorized person connects to the wireless network this would expose the other computers connected to the network. Any shared folders setup on your computers could then be browsed by the intruder and the data in them downloaded.

Hiding the SSID has one attack method that most people are not aware of. When you take your wireless device to a Wi-Fi hot spot, the device will try to search for your hidden network. Basically the device will be announcing the name of the hidden SSID to anyone that may be listening. If a bad guy is at the hot spot he could create a fake access point with the SSID that your device is searching for and then try to trick you or force your device to connect to his “evil twin” access point. If the bad guy can get you to connect to the fake AP, it can open up your device to numerous attacks. This may not sound like a big risk, and many people feel the public Wi-Fi network at their local coffee shop or cafe is safe, but I always recommend treating a free wireless hot spot as an unfriendly network. What I mean by unfriendly is that free wireless hot spots usually have no security set up; they are just convenient portals for internet access. With hot spot networks having very little or no security set up, they are a prime location for the bad guys to take advantage of unsuspecting victims, so don’t think your local coffee shop or cafe is not susceptible to these types of attacks.

Regardless of whether your wireless network is hidden or not, encryption should always be used. Encryption scrambles the network communications so they are unreadable by anyone capturing the traffic. The bad guy doesn’t need to know if a wireless network is hidden, or connect to the network, to capture unencrypted traffic, and this unencrypted traffic could be divulging emails you send, web sites you visit, and passwords you type into log in pages. Encryption is an important security setting to enable on your wireless network and should be set up on all wireless networks whether they are hidden or not.

Used by itself, hiding the network SSID does not provide adequate security, but using this feature along with encryption and the other security settings available on your home wireless router gives you a more layered approach to security. The more layers you add and the harder you make it to break the security of the network, the more likely someone wanting to access it will move on to an easier target.

Security Is Your Responsibility When Using Free Wi-Fi

Coffee shops, restaurants, airports, and hotels are just some of the locations where you may find an available public wireless network or a free Wi-Fi hot spot. These free wireless hot spots deliver a high-speed internet connection, but this convenient, no-hassle access to the internet comes with a lack of security. It doesn’t mean you should avoid accessing a free wireless hot spot; it just means you need to be aware of how to protect your device when you do.

To prove the point that security is your responsibility at a public hot spot I captured the following screen shot from a Wi-Fi user agreement from a local restaurant I often visit. The user agreement clearly states security and privacy is the user’s responsibility.


Other businesses that offer free wireless access have similar verbiage in their Wi-Fi usage agreements. With the user being responsible for the security of their device I have outlined some general security tips that can help protect you when using a free public wireless hot spot.

    • Have an antivirus program installed.
      • Regardless of whether you access the internet from a wired or wireless network, at home, at work, or from a Wi-Fi hot spot, an antivirus program should always be installed and running on your computer. Antivirus will prevent unwanted programs from being installed on your computer or accessing its data.
    • Make sure the firewall is enabled.
      • A firewall acts as a bouncer to either allow or deny access to your computer. The firewall uses rules to control the traffic and prevent an unauthorized person from accessing your computer through an internet or network connection.
    • Use a VPN connection.
      • Free public Wi-Fi provides no encryption or scrambling of the data as it travels the air waves, so anyone could capture the communications, including passwords you type in to access websites. A VPN allows you to create an encrypted tunnel through the hot spot network to the VPN server. An encrypted VPN tunnel is the best way to scramble your communications as they travel the network and prevents anyone eavesdropping on the Wi-Fi hot spot from reading your traffic.
      • There are a lot of personal VPN services available and a quick Google search will reveal numerous companies that provide the service. Most companies providing personal VPN should offer a free trial of their service along with monthly and annual plans for a fee. If you travel a lot or you are constantly using public Wi-Fi you may find this to be money well spent to protect your traffic when accessing any unencrypted public Wi-Fi network.
    • Use HTTPS when available.
      • Any website you access that requires some sort of log in should be using HTTPS. HTTPS is the secure alternative to HTTP, and to verify whether a site is using HTTPS, look in the browser’s address bar and make sure the web address of the site starts with HTTPS. Some sites such as Facebook may require the user to enable the HTTPS feature through the privacy settings.

When I travel or access free Wi-Fi I’m usually on my Windows 8 laptop, and while researching this blog post I found some great articles on the Microsoft site discussing Wi-Fi security tips. One of those articles is linked below and provides additional details and instructions to help protect you when using public Wi-Fi.

Four Safety Tips for Using Wi-Fi

Home Wireless Network Security Tips

A small office home office (SOHO) wireless router can be setup in just minutes, and can be a convenient and cost effective way to extend your home network. Many people don’t do much in the way of configuration or security on a SOHO wireless router when installing the device. However, just plugging in a wireless router without changing any of the factory default settings presents an insecure wireless network and can serve as an open internet portal to anyone nearby. Not only will it be an open internet connection, but it could open up unauthorized access to the computers on the network and the data stored on them. Anyone with a little knowledge of wireless networks and with the right utilities can sniff unencrypted wireless communications potentially capturing any data including passwords traversing the air waves.

Here is a list of some wireless security strategies that can be configured on most wireless routers. While no one feature will simply secure the wireless network, applying most or all will provide a layered approach to security. Some of these settings require an intermediate to advanced knowledge of wireless routers. For assistance or additional help with these settings consult the user’s manual for your specific wireless router.

  • Change the default Admin password used to access the wireless router.
    • Default passwords for routers are well known or can be found on the internet with some simple Google searches. If you set up encryption along with some of the other advanced security measures on the router, it will all be useless if someone can just log into the router using the default password.
  • Enable Encryption.
    • Setting up encryption on the wireless network and protecting the traffic from being read by an unauthorized person is the most critical security feature to enable on the router. If someone in range of your wireless network were capturing the traffic, encryption scrambles the data so it appears as gibberish to that person. WEP was the original encryption method for wireless networks, but WEP has several known flaws and therefore should not be used. It is recommended to use WPA encryption or the stronger WPA2 encryption if all your wireless devices support these levels of encryption. When using the WPA encryption methods a preshared key must be entered on the router and the same key is also entered on all of the clients wanting to join the network. When selecting a key avoid common dictionary words and use a random stream of letters, numbers, and symbols with a minimum of 20 characters in length. A wireless network using WPA encryption provides both security, by controlling who can connect to the network, and privacy, by encrypting the communications as they travel across your network.
  • Change the default name of your wireless network (SSID).
    • The service set identifier (SSID) is the name of the network the wireless clients will use to connect to the network, and like the default password the factory set name given to the wireless network can be found out very easily. When selecting a name for the SSID don’t use anything that would identify who owns the network, such as your name, address, phone number, etc… You also don’t have to use anything cryptic for the SSID; a good choice is something that doesn’t bring attention to the network and lets it blend in with the other surrounding networks.
  • Enable MAC Address Filtering.
    • Every network device is hard coded with a unique physical address called the MAC address. Wireless routers can be configured with a list of MAC addresses allowed to connect to the wireless network. This sounds like a great setting to control the devices that connect to your network, but a reasonably skilled hacker can use free utilities from the internet to monitor traffic on the network and capture the MAC addresses of devices on the allowed list. With an allowed MAC address the bad guy can spoof the MAC address on their device to make it appear as if it is on the allowed list.
  • Disable SSID broadcast.
    • Disabling the broadcast of the network name and essentially hiding the presence of the network sounds like a great feature, and I have seen some people rely on this feature alone for the security of their network. Similar to the MAC filtering setting mentioned before, anyone with a little bit of knowledge and the right utilities can scan the airwaves and discover hidden network SSIDs, so disabling the network broadcast should never be relied on as a cover all security setting. Don’t use this setting by itself, but combine it with other settings mentioned to have strength with multiple security layers.
  • Disable managing the router from a wireless client.
    • Force any client to be physically plugged into the router using a network cable to log in to the management interface.
  • Enable HTTPS for accessing the management interface.
    • Whenever HTTPS is available to encrypt communications it should always be taken advantage of. Using HTTPS to manage the router will prevent the user name and password from being compromised.
  • Centrally locate the wireless router in the house.
    • If you can locate the wireless router in a central location in the residence it should theoretically provide an even coverage area and control some of the leakage of the signal seen by your neighbors. You can also control the coverage area by adjusting the power setting on the wireless router, but this is a bit more of an advanced setting and not all SOHO routers allow power settings to be adjusted. Setting the power level to low may create dead zones in the wireless network coverage. Consult the user’s manual for your router for specific instructions on adjusting the power level.
  • Set time constraints to disable access to the wireless network.
    • Set restrictions for times when no one uses the wireless network, without powering down the entire network or affecting the wired connections. For example, if no one uses the wireless network overnight, a time restriction banning clients from connecting to the wireless network from 11:00pm to 6:00am can be configured. Powering down the router during vacations or extended periods of non-usage can be the ultimate security setting to prevent outside hackers from trying to connect to the network.
  • Check for firmware updates on the router.
    • Routers have software called firmware loaded on them that control the capabilities of the router. The router vendors will release updates for the firmware to improve functionality or patch vulnerabilities. Checking every so often for firmware updates will guarantee your router has all the latest features and security patches applied.

Plugging in a wireless router and not configuring any of the security settings is the equivalent of leaving your house and not locking any of the doors. Hopefully the overview here will give you some information on how to lock down your wireless network and keep your neighbors from using you as an internet service provider.