
Identifying and Mitigating Security Risks of Pre-Shared Keys

January 2, 2019 | Alex Haslam

In any organization with shared wireless networks, appropriate authentication measures provide security for data stored within or transferred throughout the organization. A pre-shared key (PSK), often referred to as a “shared secret,” is one such measure of authentication. Typically this key is attached to a user password, and it can take shape in several different ways, from hexadecimal digits to character-based passphrases. As with most password-style authentication methods, longer keys are more secure, with Google Cloud recommending its users generate 32-character keys.

A pre-shared key usually comes before other network login credentials, such as usernames and passwords. Intended to simplify authentication, the shared secret must be known and recognized by each end of the communication. For example, if a user is planning to enter a virtual private network (VPN) using a mobile device, both the VPN and the device must know the same key.

On home networks, where a PSK is usually best suited, the key is used to generate a pairwise master key (PMK), which helps control access to the network. From there, a four-way handshake lets both ends validate the connection without exchanging the full key. This prevents the full key, or even the PMK, from being transferred across the network, which helps safeguard against vulnerabilities.
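The derivation and handshake described above can be walked through in code. The following is an added example, not code from the original article or from Venafi, and it assumes WPA2-Personal, where the PMK is PBKDF2-HMAC-SHA1 over the passphrase and SSID; the SSID, MAC addresses and frame body are constructed, and the frame is reduced to the fields that matter here.

```python
import hashlib
import hmac
import os

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # 802.11i PRF: stretch the PMK over both MAC addresses and both nonces (48 bytes for CCMP)
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for counter in range(3):  # 3 x 20-byte SHA-1 outputs cover the 48 bytes needed
        msg = b"Pairwise key expansion\x00" + data + bytes([counter])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:48]

def eapol_mic(ptk: bytes, frame: bytes) -> bytes:
    # The first 16 bytes of the PTK are the key confirmation key (KCK) that keys the MIC
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]

def handshake(ap_passphrase: str, sta_passphrase: str, ssid: str = "ExampleNet"):
    # Constructed addresses and frame body; real EAPOL-Key frames carry more fields
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    frame = b"constructed EAPOL-Key message 2"
    anonce = os.urandom(32)   # message 1: access point -> station
    snonce = os.urandom(32)   # message 2: station -> access point, sent with the MIC
    sta_ptk = derive_ptk(derive_pmk(sta_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(sta_ptk, frame)
    on_wire = {"anonce": anonce, "snonce": snonce, "frame": frame, "mic": mic}
    # The access point recomputes the MIC from its own copy of the passphrase
    ap_ptk = derive_ptk(derive_pmk(ap_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    accepted = hmac.compare_digest(mic, eapol_mic(ap_ptk, frame))
    return on_wire, accepted

if __name__ == "__main__":
    _, ok = handshake("correct horse battery staple", "correct horse battery staple")
    print("matching keys accepted:", ok)
    _, ok = handshake("correct horse battery staple", "wrong passphrase")
    print("mismatched keys accepted:", ok)
```

Only the nonces, the frame and the MIC appear in `on_wire`; the passphrase and PMK never do. The MIC still depends on nothing secret except the passphrase, so the length and randomness of the passphrase carry the whole defence.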

Security Risks

Because a PSK involves two ends of communication, there are two major areas of vulnerability. During the four-way handshake, the access point also gives attackers an opening, because they can capture the message integrity code (MIC). Even more threatening, if one end is compromised, the other end may not be aware and may continue to send information as usual. In addition, to facilitate the communication itself, users must enable inbound VPN connections, while the firewall must allow outbound VPN connections. Both ports provide a point of entry for outside security threats.

Internal threats can also damage a network’s security. Former employees with network access can use their existing keys to access and take advantage of the network.

In a malicious attack, a network’s PSK can be cracked by brute force using the security assessment suite Aircrack-ng and the tools within it. These tools can be used to monitor traffic, capture packets, and finally capture the four-way handshake, opening the door to attacks from outside the organization.

Looking ahead

For many organizations and individuals, VPNs are intended to provide a layer of security to their internet connection by obfuscating or masking IP addresses. But if the connection to that VPN is compromised, as in the case of a PSK, there are new vulnerabilities for network users. This is why it’s essential for network administrators to stay on top of PSK security and implement strong key management practices.

The first way to do this is to generate a strong shared secret from the get-go. As previously mentioned, longer shared secrets are harder to crack than shorter ones, so many-character keys are the best first defense against an attack. If you use a machine identity management platform to generate keys and certificates, you can set policies that will ensure strong cryptographic attributes. 

Perhaps the most important thing any network administrator can do to mitigate security risks to PSKs is to change passwords. As with any password, PSK passwords should be changed frequently. In addition, whenever a security compromise is possible, such as when an employee with network access leaves the organization, passwords should be changed to prevent malicious access to the network.
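The two practices above, generating a long random secret and rotating it on a schedule and after departures, can be checked mechanically. This is an added example, not code from the article or from any Venafi product; the inventory, names, dates and the 90-day interval are constructed assumptions, and only key metadata is stored, never the key itself.

```python
import math
import secrets
import string
from datetime import date, timedelta

ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 32                   # length recommendation quoted in the article
MAX_AGE = timedelta(days=90)      # assumed interval; the article only says "frequently"

def generate_psk(length: int = MIN_LENGTH) -> str:
    # secrets draws from the OS CSPRNG, unlike the random module
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    # Valid only for keys drawn uniformly at random from the alphabet
    return length * math.log2(alphabet_size)

def rotation_reasons(key: dict, departures: dict, today: date) -> list:
    reasons = []
    if key["length"] < MIN_LENGTH:
        reasons.append("shorter than 32 characters")
    if today - key["rotated"] > MAX_AGE:
        reasons.append("past rotation interval")
    for person, left_on in sorted(departures.items()):
        # A holder who left on or after the last rotation still knows the current key
        if person in key["holders"] and left_on >= key["rotated"]:
            reasons.append(f"{person} left after last rotation")
    return reasons

# Constructed inventory: metadata only, never the key material itself
TODAY = date(2019, 1, 2)
INVENTORY = [
    {"name": "office-wifi", "length": 12, "rotated": date(2018, 3, 1), "holders": {"dana", "lee"}},
    {"name": "branch-vpn", "length": 32, "rotated": date(2018, 12, 1), "holders": {"lee", "sam"}},
    {"name": "lab-wifi", "length": 32, "rotated": date(2018, 12, 20), "holders": {"dana"}},
]
DEPARTURES = {"lee": date(2018, 12, 15)}   # constructed offboarding record

def audit(inventory=INVENTORY, departures=DEPARTURES, today=TODAY) -> dict:
    return {k["name"]: rotation_reasons(k, departures, today) for k in inventory}

if __name__ == "__main__":
    for name, reasons in audit().items():
        print(name, "->", reasons or "ok")
    print("new key:", generate_psk(), f"({entropy_bits(MIN_LENGTH):.0f} bits)")
```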

A PSK is not going to be suitable for all networks within all organizations. Setup is complicated and can be expensive. However, these things are also true for VPNs in most cases, and because VPNs create security risks at the same time that they prevent others, a PSK can be a good way to protect the network. When appropriate precautions are taken to avoid vulnerabilities, a PSK can simplify and protect network authentication processes.


About the author

Alex Haslam

Alex Haslam writes for Venafi's blog and is an expert in machine identity protection.
