In any organization with shared wireless networks, appropriate authentication measures provide security for data stored within or transferred throughout the organization. A pre-shared key (PSK), often referred to as a “shared secret,” is one such measure of authentication. Typically this key is attached to a user password, and it can take shape in several different ways, from hexadecimal digits to character-based passphrases. As with most password-style authentication methods, longer keys are more secure, with Google Cloud recommending its users generate 32-character keys.
A pre-shared key usually comes before other network login credentials, such as usernames and passwords. Intended to simplify authentication, the shared secret must be known and recognized by each end of the communication. For example, if a user is planning to enter a virtual private network (VPN) using a mobile device, both the VPN and the device must know the same key.
For home networks, which a PSK is usually best-suited to, that key will generate a pairwise master key (PMK), which will help control access to the network. From there, a four-way handshake links the key between ends to validate the connection without the need for the full key. This prevents the full key, or even the PMK, from being transferred across a network, which helps safeguard against vulnerabilities.
Because there are two ends of communication with a PSK, there are two major areas of vulnerability. During the four-way handshake, the access point provides an access point for hackers as well, because they can capture the message integrity code, or MIC. Even more threatening is the fact that if one end is compromised, the other end may not be aware and may continue to send information as usual. In addition, in order to facilitate the communication itself, users must enable inbound VPN connections, while the firewall must allow outbound VPN connections. Both ports provide an area of entry for outside security threats.
Internal threats can also damage a network’s security. Former employees with network access can use their existing keys to access and take advantage of the network.
For malicious attacks, a network’s PSK can be cracked by brute force via security assessment suite Aircrack-ng and the tools within it. These tools can be used to monitor, capture packets, and finally capture the four-way handshake, opening the door to attacks from outside the organization.
For many organizations and individuals, VPNs are intended to provide a layer of security to their internet connection by obfuscating or masking IP addresses. But if the connection to that VPN is compromised, as in the case of a PSK, there are new vulnerabilities for network users. This is why it’s essential for network administrators to stay on top of PSK security and implement strong key management practices.
The first way to do this is to generate a strong shared secret from the get-go. As previously mentioned, longer shared secrets are harder to crack than shorter ones, so many-character keys are the best first defense against an attack. If you use a machine identity management platform to generate keys and certificates, you can set policies that will ensure strong cryptographic attributes.
Perhaps the most important thing any network administrator can do to mitigate security risks to PSKs is to change passwords. As with any password, PSK passwords should be changed frequently. In addition, if a security compromise is possible, as in the event of an access-allowed employee leaving the organization, passwords should be changed to prevent malicious access to the network.
A PSK is not going to be suitable for all networks within all organizations. Setup is complicated and can be expensive. However, these things are also true for VPNs in most cases, and because VPNs create security risks at the same time that they prevent others, a PSK can be a good way to protect the network. When appropriate precautions are taken to avoid vulnerabilities, a PSK can simplify and protect network authentication processes.