The reason is that enterprise Wi-Fi security is a two-step process: first a secure encrypted tunnel is created, using the aforementioned Transport Layer Security, between the wireless client and a RADIUS server (authenticating the server), and only then is MS-CHAP used to authenticate the client. If the first step is properly implemented, so that MS-CHAP runs only inside that tunnel, the Defcon tools are helpless to attack it, according to vonNagy.
The argument he advances in his blog post even assumes that the tools demonstrated at Defcon can in fact crack MS-CHAP completely. His point: It doesn't matter.
As Microsoft's own webpage makes clear, PEAP is one member of the family of Extensible Authentication Protocol (EAP) protocols. It relies on Transport Layer Security (TLS) to create an encrypted channel between an authenticating PEAP client, for example a laptop or tablet, and a PEAP authenticator, in this case an enterprise Remote Authentication Dial-In User Service (RADIUS) server. PEAP can work with a variety of EAP authentication methods, one of them being EAP-MS-CHAPv2, which runs inside the encrypted tunnel.
"This tunneling occurs by relying on asymmetric cryptography through the use of X.509 certificates installed on the RADIUS server, which are sent to the client device to begin connection setup," vonNagy says in his post. "The client verifies the certificate is valid ... and proceeds to establish a TLS tunnel with the server and begins using symmetric key cryptography for data encryption."
"Only then, once the TLS tunnel is fully formed, do the client and server make use of the less secure protocol such as MS-CHAPv2 to authenticate the client. This exchange is fully encrypted using the symmetric keys established during tunnel setup," vonNagy says. "The encryption switches from asymmetric key cryptography to symmetric key cryptography to ease processing and performance, which are much faster this way. This is fundamentally the same method used for HTTPS sessions in a web browser."
VonNagy created a diagram to show the stages of this interaction. Reading from the top down, there is the initial association of the Wi-Fi client with the access point; then the start of the TLS tunnel negotiation between the client and RADIUS server; the creation of the tunnel between them; and then the MS-CHAPv2 challenge by RADIUS, and the corresponding, authenticating response by the Wi-Fi client.
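The practical weight of the argument above rests on the first step being "properly implemented": the client must actually verify the RADIUS server's certificate before it lets MS-CHAPv2 run inside the tunnel. As an added illustration that is not from vonNagy's post or from the article, here are two wpa_supplicant network blocks for the same PEAP/MS-CHAPv2 SSID, one with the weak setting and one corrected. The SSID, identity, password, CA file path and RADIUS server name are placeholders; the configuration keys (ca_cert, domain_match, phase2) are wpa_supplicant's own.

```conf
# Added example (not vonNagy's or the article's). Two network blocks for the
# same PEAP/MS-CHAPv2 SSID; all names and paths below are placeholders.

# WEAK: no CA anchor and no server-name check. The supplicant will build a
# TLS tunnel to whichever server presents a certificate, so step one of the
# two-step process is not "properly implemented" and the MS-CHAPv2 exchange
# runs inside a tunnel whose far end was never authenticated.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# CORRECTED: pin the CA that issued the RADIUS server's X.509 certificate and
# require the certificate's subject/SAN to match the expected RADIUS server
# name. Only after both checks pass does MS-CHAPv2 run inside the tunnel.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="placeholder-password"
    # placeholder path: CA certificate that signed the RADIUS server cert
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # placeholder name: must match the RADIUS server certificate's identity
    domain_match="radius.corp.example.com"
    phase2="auth=MSCHAPV2"
}
```

The same check applies to managed clients on other platforms: whichever supplicant is used, the setting to audit is whether the server certificate is validated against a specific trust anchor and an expected server name, since that is the step that decides whether the tunnel wrapping MS-CHAPv2 is worth anything.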