CWSP-208 Exam Dumps - Certified Wireless Security Professional (CWSP)

A Robust Security Network (RSN) is defined by the IEEE 802.11i standard and is designed to provide a framework for secure wireless LAN communications. One of the primary criteria for a network to qualify as an RSN is that WEP (Wired Equivalent Privacy) must not be used for encryption, as WEP has well-known vulnerabilities and is considered insecure. RSN-compliant networks must use either CCMP (AES) or GCMP for encryption and 802.1X/EAP or WPA2-Personal for authentication.

Incorrect:

A. Token cards are not part of RSN criteria.

B. Dynamic WEP is still WEP and disqualifies RSN status.

D. WPA-Personal may be supported, but alone does not define an RSN.

E. SSHv1 concerns device management security, not RSN qualification.

The PTK derivation requires:

PMK

ANonce (generated by the Authenticator)

SNonce (generated by the Supplicant)

MAC addresses of both Authenticator and Supplicant

Both the Supplicant and Authenticator derive the same PTK using identical inputs during the 4-Way Handshake.

Incorrect:

B. The nonces are shared—each party uses both ANonce and SNonce.

C. Nonces indicate no such validation message.

D. The MACs are part of the PTK input but not used to generate the nonces themselves.

PEAPv0/EAP-TLS is a tunneled EAP method that requires:

The server to present a certificate for TLS tunnel establishment.

The client to present a valid client certificate within the tunnel (in the case of EAP-TLS).

If the client does not have a valid X.509 certificate installed, authentication will fail.

Incorrect:

A. The server certificate is required for the TLS tunnel, and it is typically present; the issue here lies with the client cert.

B. TKIP is technically compatible with PEAPv0, although AES-CCMP is preferred.

D. Kerberos is unrelated to EAP authentication and VLAN use.

EAP-FAST (Flexible Authentication via Secure Tunneling) provides:

Mutual authentication using Protected Access Credentials (PACs).

Does not require X.509 certificates for either client or server (although optional for servers).

Is faster and easier to deploy in environments lacking a PKI.

Incorrect:

B. EAP-MD5 provides no mutual authentication.

C. EAP-TLS requires client and server certificates.

D. PEAPv0/EAP-MSCHAPv2 requires a server certificate.

E. EAP-TTLS requires a server certificate.

F. PEAPv1/EAP-GTC still requires a server certificate.

The PTK (Pairwise Transient Key) is derived during the 4-Way Handshake using:

PMK (from PSK or EAP authentication)

ANonce and SNonce (nonces from authenticator and supplicant)

MAC addresses of client and AP

The PTK is then split into keys used for encryption and integrity protection.

Incorrect:

A. PSK can derive the PMK, but not the PTK directly.

B. GMK is used to derive the GTK, not PTK.

D. GTK is for group traffic encryption.

E & F. PK and KCK are components of PTK or alternate key usage—not used to derive PTK.

The GTK (Group Temporal Key) is used to encrypt multicast/broadcast traffic.

Each SSID has a unique GTK.

Only clients on the same SSID (ABCData) will receive and be able to decrypt multicast traffic encrypted with ABCData’s GTK.

Incorrect:

A. Application-layer authentication does not affect GTK distribution.

C. Clients on other SSIDs (e.g., Guest, ABCVoice) have different GTKs and cannot decrypt ABCData’s multicast traffic.

D. Each SSID uses a unique GTK; GTKs are not shared across SSIDs.

TKIP (used with WPA) introduced “Michael” as a message integrity check (MIC) algorithm to replace the insecure CRC-32 used in WEP. Michael:

Adds tamper protection to each packet.

Helps detect packet forgery.

Incorrect:

A. CRC-32 was used in WEP and proven weak.

B. Sequence counters help prevent replay attacks, not integrity checking.

C. RC5 is not used in WLAN security.

E. TKIP does not support block ciphers—it uses RC4, a stream cipher.

A Transitional Security Network (TSN) allows legacy stations to interoperate by using older encryption methods. If AES (CCMP) is unsupported by older equipment, the network can fall back to TKIP, which uses RC4 as its encryption algorithm. TKIP enables AES encryption on newer devices while accommodating legacy clients.

Options A, C, D are current or deprecated standards with AES; only RC4 matches the transitional need.