
Wireless Fidelity - security considerations

Wi-Fi or Wireless Fidelity

Wireless networks are now used in all sorts of places. They offer an easy way to provide a connection to everyone (really everyone) in a given location, without laboriously installing cable distribution. An almost perfect connection technology, then. But what are the threats, and especially the real threats, to this method of communication?

Transmission power and basic features of the communication route

The first and most basic problem of wireless technology is the transmission medium itself. Because the data is carried by electromagnetic waves, anyone who can intercept the signal and has the appropriate equipment to receive it is a potential recipient. The only protection against unauthorized access to the network is therefore good-quality cryptography.
Wi-Fi networks, by generation, occupy bands defined by IEEE standards: frequency ranges around 2.4 GHz, 5 GHz, 6 GHz and 60 GHz. The 2.4 GHz and 5 GHz bands belong to ISM (Industrial, Scientific, Medical), i.e. frequencies that can be used freely. Other technologies such as Bluetooth, microwave ovens and some other LAN or PAN communication technologies (PAN means Personal Area Network, usually wearable electronics) also work at 2.4 GHz. Frequencies around 2.4 GHz are heavily absorbed by moisture. At 5 GHz and 6 GHz, other materials such as masonry also absorb the signal, but moisture still has the largest influence on attenuation. This is the effect of the strong dielectric relaxation of water molecules. In plain terms, a water molecule has its poles and tries to align with the external electric field. Because it cannot keep up at such a high frequency, part of the energy is absorbed and spent overcoming the bonds with neighbouring molecules, i.e. the water warms up. At 60 GHz the situation is different; here moisture does not matter. Because of the high frequency, there must be a direct line of sight between transmitter and receiver. However, because this frequency lies in the resonance band of the O2 molecule, there is significant attenuation, up to 15 dB/km.
For these frequency bands, transmission power is usually limited by local regulation. The power is given as EIRP (Equivalent Isotropically Radiated Power), the equivalent power radiated uniformly by an omnidirectional antenna. The following limits usually apply:

  • The 2.4 GHz band (ISM) has a transmit power limit of 250 mW EIRP, 100 mW in the Czech Republic. The communication band is about 82 MHz wide.
  • The 5 GHz band (ISM) has a transmit power limit of 250 mW EIRP, 200 mW in the Czech Republic. For part of the frequencies in the range 5.4 GHz to 5.7 GHz a higher maximum power is allowed, but the device must support DFS (Dynamic Frequency Selection); otherwise it could interfere with airport radar systems. This is a range about 300 MHz wide out of the roughly 500 MHz allocated in total.
  • The 6 GHz band (ISM) has a transmit power limit of 1000 mW EIRP (1 W). The communication band is 1200 MHz wide.
  • The 60 GHz band (V-Band) has a transmit power limit of 1000 mW EIRP (1 W).

Throughput depends on the width of the channel itself, and a given band may offer several widths. As a rule, 20 MHz channels give up to 150 Mbps, 40 MHz up to 300 Mbps, 80 MHz up to 600 Mbps and 160 MHz up to 1200 Mbps. These are maximum throughputs, not stable speeds. Throughput decreases with the number of networks on one frequency, because they interfere with each other as they compete for the same band. Further throughput problems occur inside a network, where several clients may want access to the medium at the same time.
And what is the actual range at these frequencies? It depends not only on the transmitter power and antenna, but also on the antenna of the receiver. Common rod antennas work at distances of several tens of meters, theoretically up to the low hundreds of meters in open terrain. A directional antenna has completely different characteristics; under suitable conditions it is possible to communicate even at a distance of 2.5 - 4 km. In general, however, it is not possible to reach "beyond the horizon" without an amplifier that violates the norms (the technical ones, because of interference, and those of common decency).

Details for those interested in deeper insight

The advantage of physics is that the values can be calculated with a certain degree of accuracy. Surprisingly, the calculation is not complicated; only a few conditions need to be met. Here are a few steps that help to understand the influence of a particular situation.

Transmit power conversion
Power is given in W by default, but transmit power is usually stated in dBm. The following formula converts between these units. When converting, however, be careful to convert the power from W to mW first, i.e. multiply by 1000.
P[dBm] = 10 · log10(P[mW])
Transmit power in dBm          P[dBm]
Transmit power in mW           P[mW]

Free-space attenuation
Although it may not seem so, even propagation through free space causes attenuation. As the distance grows, the signal strength decreases, in engineering practice approximately with the square of the distance.
LFS[dB] = 20 · log10(4 · π · d · f / c)
The units of d, f and c must be consistent (for example d in m, f in Hz, c ≈ 3·10^8 m/s); with d in km and f in MHz, as listed below, the constant folds into the common form LFS[dB] = 32.44 + 20 · log10(d) + 20 · log10(f).
Distance                       d (km)
Transmission frequency         f (MHz)
Speed of light                 c

Attenuation by obstacles
Here a model of the specific situation is required and no simple formula exists. Signal propagation is affected by attenuation, by reflections and by any diffraction patterns (superposition of waves leading to amplification or attenuation). Therefore only approximate values are usually used, or the specific situation has to be measured. Some approximate values are given in the table. Because it is a sample and not a complete list, specific values need to be looked up. In general, however, this attenuation increases with frequency.

| Obstacle             | Approximate attenuation [dB] |
|----------------------|------------------------------|
| Glass (window)       | 2-4                          |
| Wooden wall          | 5-10                         |
| Drywall              | 3-6                          |
| Brick wall           | 8-15                         |
| Concrete wall        | 15-30                        |
| Concrete wall        | 20-40                        |
| Leafy tree (summer)  | 10-20                        |
| Human body (2.4 GHz) | 3-6                          |

Equation for the received power (Pr)
Communication always takes place between two or more points, i.e. between the sender and the recipient. It is affected by the transmit power, by the gain of the transmitting and receiving antennas and, of course, by the attenuation on the way.

Pr = PTX + GTX + GRX − (LFS + LO)
Transmit power                 PTX (dBm)
Transmitting antenna gain      GTX (dB)
Receiving antenna gain         GRX (dB)
Free-space attenuation         LFS (dB)
Obstacle attenuation           LO (dB)

Receiver sensitivity and antenna gain
By default, Wi-Fi devices have a sensitivity of -90 dBm. If they are fitted with a better antenna, their gain increases. So if I have a signal of -70 dBm on a common 3 dBi antenna and replace the antenna with a new one, what happens? If I replace the original 3 dBi antenna with an 18 dBi antenna, the receiver gets a signal equivalent to -55 dBm instead of the original -70 dBm. The formula is therefore simple.
Effective sensitivity = SRX − GRX

Device sensitivity             SRX (dBm)
Receiving antenna gain         GRX (dBi)
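
The conversion, free-space loss, received power and effective sensitivity steps above, carried through as one link budget calculation. This is an added example and not code from the original article: the EIRP limits are the ones listed earlier in the article, the obstacle values are midpoints of the ranges in the obstacle table (a simplification chosen here), and the function names, the sample link (100 mW, 3 dBi antennas at both ends, 100 m at 2437 MHz through one brick wall) and the -90 dBm sensitivity default are this example's own assumptions.

```python
import math

# EIRP limits in mW as listed in the article (Czech values for 2.4 GHz and 5 GHz,
# the general 1 W limit for 6 GHz).
EIRP_LIMIT_MW = {"2.4GHz": 100.0, "5GHz": 200.0, "6GHz": 1000.0}

# Obstacle attenuation in dB: midpoints of the ranges in the article's table,
# a simplification chosen for this example.
OBSTACLE_DB = {"glass": 3.0, "drywall": 4.5, "wood": 7.5, "brick": 11.5, "concrete": 22.5}


def mw_to_dbm(p_mw):
    """P[dBm] = 10 * log10(P[mW])."""
    if p_mw <= 0:
        raise ValueError("power must be positive")
    return 10.0 * math.log10(p_mw)


def w_to_dbm(p_w):
    """Watts are converted to milliwatts (x1000) before the dBm formula is applied."""
    return mw_to_dbm(p_w * 1000.0)


def dbm_to_mw(p_dbm):
    """Inverse conversion: P[mW] = 10 ** (P[dBm] / 10)."""
    return 10.0 ** (p_dbm / 10.0)


def free_space_loss_db(d_km, f_mhz):
    """L_FS = 20 * log10(4 * pi * d * f / c). With d in km and f in MHz the
    constant 20 * log10(4 * pi * 1e3 * 1e6 / c) evaluates to 32.44 dB."""
    if d_km <= 0 or f_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 32.44 + 20.0 * math.log10(d_km) + 20.0 * math.log10(f_mhz)


def eirp_dbm(p_tx_dbm, g_tx_dbi):
    """EIRP in dBm: transmitter output plus antenna gain."""
    return p_tx_dbm + g_tx_dbi


def eirp_within_limit(p_tx_dbm, g_tx_dbi, band):
    """Compliance check against the band's EIRP limit (small tolerance for float rounding)."""
    return eirp_dbm(p_tx_dbm, g_tx_dbi) <= mw_to_dbm(EIRP_LIMIT_MW[band]) + 1e-9


def received_power_dbm(p_tx_dbm, g_tx_dbi, g_rx_dbi, l_fs_db, l_obstacles_db=0.0):
    """Pr = P_TX + G_TX + G_RX - (L_FS + L_O)."""
    return p_tx_dbm + g_tx_dbi + g_rx_dbi - (l_fs_db + l_obstacles_db)


def effective_sensitivity_dbm(device_sensitivity_dbm, g_rx_dbi):
    """Effective sensitivity = S_RX - G_RX. Compare it with a received power computed
    WITHOUT G_RX; received_power_dbm already includes G_RX, so never apply both."""
    return device_sensitivity_dbm - g_rx_dbi


def link_budget(p_tx_mw, g_tx_dbi, g_rx_dbi, d_km, f_mhz, obstacles=(),
                sensitivity_dbm=-90.0, band="2.4GHz"):
    """Full budget for one link; margin_db > 0 means the receiver can decode the signal."""
    p_tx_dbm = mw_to_dbm(p_tx_mw)
    l_fs = free_space_loss_db(d_km, f_mhz)
    l_o = sum(OBSTACLE_DB[o] for o in obstacles)
    p_r = received_power_dbm(p_tx_dbm, g_tx_dbi, g_rx_dbi, l_fs, l_o)
    return {
        "p_tx_dbm": p_tx_dbm,
        "eirp_dbm": eirp_dbm(p_tx_dbm, g_tx_dbi),
        "eirp_ok": eirp_within_limit(p_tx_dbm, g_tx_dbi, band),
        "l_fs_db": l_fs,
        "l_obstacles_db": l_o,
        "p_r_dbm": p_r,
        "margin_db": p_r - sensitivity_dbm,
    }


if __name__ == "__main__":
    # 100 mW radio, 3 dBi antennas at both ends, 100 m at 2437 MHz (channel 6),
    # one brick wall in the path, default -90 dBm receiver sensitivity.
    for k, v in link_budget(100, 3, 3, 0.1, 2437, obstacles=("brick",)).items():
        print(f"{k:>15}: {v:.2f}" if isinstance(v, float) else f"{k:>15}: {v}")
```

Note what the EIRP check reports for the sample link: 100 mW (20 dBm) into a 3 dBi antenna is 23 dBm EIRP, above the 100 mW Czech limit for 2.4 GHz from the list above, so a compliant setup has to lower the transmitter output when a higher-gain antenna is fitted. The 15 dB difference between a 3 dBi and an 18 dBi receiving antenna shows up directly in the received power, exactly as in the -70 dBm to -55 dBm example.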

Detecting and locating Wi-Fi networks

Finding Wi-Fi networks in the area is not a problem, even if they do not broadcast their SSID. Yet to this day there are people who prefer to hide the network name. It reminds me of an ostrich hiding its head in the sand while standing on a concrete panel. Scanning the band and searching for networks has even become a pastime, called wardriving. The term goes back to films such as WarGames, in which the main character accidentally connects to a system controlling American missile defence instead of a school computer and nearly starts World War III.
Sometime after 2000, wardriving became a hobby for a certain group of IT enthusiasts, who began monitoring available networks and their security. Maps were created in most cities and the authors exchanged transmitter positions with each other. Later, projects were created that map these networks and gradually bring them onto maps, such as Wigle.net, WiFiMap.io and others. Other services are mapped in a similar way today. If you want to verify the availability of 4G or 5G networks, for example, in the Czech Republic you can use the CTU portal, in England the similar Signal Checker, or nPerf worldwide.
Although wardriving is now somewhat of a historical curiosity, it is not quite dead. Anyone with a computer or a mobile phone can do it. Tools for mapping networks are available, such as NetStumbler, Kismet, Aircrack-ng and many others. These usually work under various operating systems (Android, BSD, Linux, OSX and Windows), or there are substitutes for the other operating systems. If someone nearby uses Wi-Fi network mapping and walks past your transmitter (access point), it will be mapped. Whether or not it broadcasts an SSID does not matter. It just doesn't have a name, but it transmits, therefore it exists.
Once a network is detected, there are basically two ways to find out at least approximately where the transmitting point is located. The first is to measure from several locations and determine the approximate source from a signal strength map. The second is similar, but measures the exact time of transmission of certain signals. Given the distance from the transmitter and the accuracy required, this means extremely precise time synchronization, to the nanosecond. This allows the location to be determined with an accuracy of 1 m. Similarly, three connected computers can be used, one of them placed a little higher, which makes it possible to determine azimuth and elevation. Again, a good time source is required, and this accuracy is not easy to achieve. Therefore, measuring the signal strength of the given network is usually sufficient.

Methods of communication - Wi-Fi network standards

The actual method of communication is defined by the standards. They cover the modulation of the transmitted signal as well as the frequency separation of the individual communication channels within the bandwidth used. Before Wi-Fi 6, collisions occurred because of random access to the medium under CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance). Within standardization, efforts were made to solve this problem and limit the number of collisions by creating time schedules. Since Wi-Fi 6, both frequency and time separation have been used, with time and frequency slots, so-called resource units, allocated according to the number of stations present. Apart from this, there are significant changes in communication using MIMO technology (Multiple Input, Multiple Output).

| Standard      | Tag      | Year of release | Band (GHz) | Channel (MHz)                   | Max. speed (Mbps) | Modulation | MIMO      |
|---------------|----------|-----------------|------------|---------------------------------|-------------------|------------|-----------|
| IEEE 802.11   | Wi-Fi 0  | 1997            | 2.4        | 22                              | 2                 | DSSS, FHSS | No        |
| IEEE 802.11b  | Wi-Fi 1  | 1999            | 2.4        | 22                              | 11                | DSSS       | No        |
| IEEE 802.11a  | Wi-Fi 2  | 1999            | 5          | 5, 10, 20                       | 54                | OFDM       | No        |
| IEEE 802.11g  | Wi-Fi 3  | 2003            | 2.4        | 5, 10, 20                       | 54                | OFDM       | No        |
| IEEE 802.11n  | Wi-Fi 4  | 2009            | 2.4/5      | 20, 40                          | 600               | OFDM       | MIMO 4    |
| IEEE 802.11y  | -        | 2008            | 3.7        | 5, 10, 20                       | 54                | OFDM       | No        |
| IEEE 802.11ac | Wi-Fi 5  | 2013            | 5          | 20, 40, 80, 160                 | 6928              | OFDM       | MU-MIMO   |
| IEEE 802.11ad | -        | 2012            | 60         | -                               | 6757              | DMG        | No        |
| IEEE 802.11ax | Wi-Fi 6  | 2019            | 2.4/5      | 20, 40, 80, 80+80               | 600–9608          | OFDMA      | MU-MIMO 8 |
| IEEE 802.11ax | Wi-Fi 6E | 2020            | 2.4/5/6    | 20, 40, 80, 80+80               | 600–9608          | OFDMA      | MU-MIMO 8 |
| IEEE 802.11be | Wi-Fi 7  | 2025            | 2.4/5/6    | 80, 80+80, 160+80, 160+160, 320 | 1376–46120        | -          | MU-MIMO 8 |
| IEEE 802.11bn | Wi-Fi 8  | 2028            | 2.4/5/6    | 100 000                         | 100 000           | -          | -         |

Cryptography used and its weaknesses

Historically, a large number of algorithms have emerged for network login and communication encryption. These protections were gradually broken and then replaced by a more successful procedure. From today's perspective, such weak methods cannot be recommended. Currently WPA3 is the solution, but it too will have to be replaced within a few years. The reason is its insufficient protection against attacks using quantum computers. Still, I cannot imagine when an attack on a Wi-Fi network using quantum computers would pay off. But this is not an argument against a possible transition to newer technologies; it is only an argument for the risk analysis.

| Standard                    | Title             | Release year | WEP           | WPA           | WPA2         | WPA3         |
|-----------------------------|-------------------|--------------|---------------|---------------|--------------|--------------|
| IEEE 802.11                 | Wi-Fi 0           | 1997         | Yes           | No            | No           | No           |
| IEEE 802.11b                | Wi-Fi 1           | 1999         | Yes           | Supplemented  | No           | No           |
| IEEE 802.11a / IEEE 802.11g | Wi-Fi 2 / Wi-Fi 3 | 1999 / 2003  | Compatibility | Yes           | Supplemented | No           |
| IEEE 802.11n                | Wi-Fi 4           | 2009         | No            | Yes           | Yes          | No           |
| IEEE 802.11ac               | Wi-Fi 5           | 2013         | No            | Yes           | Yes          | Supplemented |
| IEEE 802.11ax               | Wi-Fi 6/6E        | 2019         | No            | Compatibility | Yes          | Yes          |
| IEEE 802.11be               | Wi-Fi 7           | 2025         | No            | No            | Yes          | Yes          |
| IEEE 802.11bn               | Wi-Fi 8           | 2028         | No            | No            | Unknown      | Yes          |

As you can see, the mechanisms changed over time, with old and unsatisfactory ones gradually replaced by newer ones. At the same time there was a requirement to ensure backward compatibility for at least a limited period, because of the investments of equipment manufacturers and the large number of installed products. Moving to newer algorithms overnight was simply neither technically nor economically feasible, although it would have been desirable. But how are the different technologies secured cryptographically? How are confidentiality and integrity ensured?

| Mechanism | IV      | Algorithm   | Key width       | Integrity check | Key management  |
|-----------|---------|-------------|-----------------|-----------------|-----------------|
| WEP-64    | 24-bit  | RC4-40      | 40-bit          | CRC-32          | No              |
| WEP-128   | 24-bit  | RC4         | 104-bit         | CRC-32          | No              |
| WEP-152   | 24-bit  | RC4         | 128-bit         | CRC-32          | No              |
| WEP-256   | 24-bit  | RC4         | 232-bit         | CRC-32          | No              |
| WEP2      | 128-bit | RC4         | 128-bit         | CRC-32          | No              |
| WPA-PSK   | 48-bit  | RC4         | 256-bit         | MIC             | 4-Way handshake |
| WPA-TKIP  | 48-bit  | RC4         | 256-bit         | MIC             | 4-Way handshake |
| WPA-EAP   | 48-bit  | RC4         | 256-bit         | MIC             | 4-Way handshake |
| WPA2-PSK  | 48-bit  | AES-128 CCM | 128/192/256-bit | CBC-MAC         | 4-Way handshake |
| WPA2-TKIP | 48-bit  | RC4         | 256-bit         | MIC             | 4-Way handshake |
| WPA2-CCMP | 48-bit  | AES-128 CCM | 128/192/256-bit | CBC-MAC         | 4-Way handshake |
| WPA2-EAP  | 48-bit  | AES-128 CCM | 128/192/256-bit | CBC-MAC         | 4-Way handshake |
| WPA2-GCMP | 48-bit  | AES-128 GCM | 128/192/256-bit | GHASH           | 4-Way handshake |
| WPA3      | 256-bit | AES-128 CCM | 128/192/256-bit | CBC-MAC         | WPA3-SAE        |
| WPA3      | 256-bit | AES-128 GCM | 128/192/256-bit | GHASH           | WPA3-SAE        |

Notes:

  • IV is short for Initialization Vector, a bit string fed into the input of the encryption function. As a result, encryption does not start from the plaintext alone; the initial state is changed.
  • TKIP is based on the old and broken RC4-128 algorithm, adding a key-mixing function for the IV, a sequence counter and a 64-bit MIC (Message Integrity Check, Michael, de facto the first 64-bit encrypted stream).
  • CCMP (Counter Mode with CBC-MAC Protocol) is based on AES-CCM; CBC-MAC is used for integrity checks.
  • GCMP (Galois/Counter Mode Protocol) uses AES-GCM; GHASH is used for integrity checks.
  • EAP is a general authentication scheme (also used in 802.1X with a RADIUS server) that theoretically supports up to 56 different methods. For some of them there is evidence of weaknesses and vulnerabilities (MD5, MSCHAP, IKEv1 …), others are significantly better in terms of security (EAP-TLS, EAP-TTLS, EAP-GTC …).
  • WPA3 SAE (Simultaneous Authentication of Equals) is an extended exchange of information before the 4-Way Handshake itself. It uses ECDH (elliptic curves) and the corresponding Oakley groups. The Oakley groups define the curve used and, although they are part of these definitions and DH groups, they are not used for binding. After the keys are established, the classic 4-Way Handshake takes place.
  • For protection against brute-force attacks, the recommended password length with the current mechanisms is at least 20 characters.

From the point of view of data confidentiality, the worst possible choices are WEP, WEP2, WPA and WPA2-TKIP. These algorithms use the old and vulnerable RC4 algorithm, which is relatively easy to break with today's computers. Weaknesses of this algorithm have been known since 2008 (the eSTREAM competition), the first effective attack methods appeared around 2012 and in 2015 it was completely broken. Currently, WEP can be broken in under a minute and WEP2 in a matter of minutes. The newer WPA can be broken in approximately 10 minutes, WPA2-TKIP in under half an hour. For more information, I recommend "RC4 No More" [1].
Mechanisms based on the AES algorithm are acceptable protection from the point of view of confidentiality, but more information is needed to judge them. The reason is the influence of the authentication mechanisms that grant access to the network.

Attacks and their intensity

When configuring Wi-Fi networks, it is necessary to know the current attack methods in order to protect the networks. This makes it possible to decide how to defend the infrastructure against a possible attack. This section describes possible attacks, but it is not intended to be a completely exhaustive overview.

| Attack name              | Attack                                                                    | Standards affected             |
|--------------------------|---------------------------------------------------------------------------|--------------------------------|
| WEP cracking             | Traffic decryption                                                        | WEP, WEP2, WPA, WPA2-TKIP      |
| WPA/WPA2 PSK brute-force | Obtaining login credentials and decrypting traffic                        | WPA, WPA2                      |
| KRACK                    | Traffic decryption                                                        | WPA2                           |
| kr00k                    | Traffic decryption                                                        | WPA2                           |
| PMKID attack             | Obtaining login credentials and decrypting traffic                        | WPA2                           |
| FragAttacks              | Manipulating traffic without knowing the password and decrypting traffic  | WEP, WEP2, WPA, WPA2, WPA3     |
| Deauthentication attack  | Client disconnect                                                         | WEP, WEP2, WPA, WPA2, WPA3     |
| Evil Twin, Karma         | Obtaining login credentials and decrypting traffic                        | WEP, WPA2, WPA3                |
| Dragonblood              | Obtaining login credentials and decrypting traffic                        | WPA3                           |

WEP cracking
It exploits weaknesses in the RC4 encryption algorithm and its Initialization Vector (IV) to decrypt traffic. The protection is to migrate to WPA2 or WPA3 and never use WEP, WEP2, WPA or WPA2-TKIP. No other protection is possible. The attack can be carried out in a matter of minutes [2].

WPA/WPA2 PSK brute-force
It is a dictionary attack on the pre-shared key (PSK), carried out by capturing a WPA or WPA2 handshake. The solution is to use strong passwords and migrate to WPA3-SAE [3].

KRACK (Key Reinstallation Attack)
It exploits the reinstallation of a key during the 4-way handshake to decrypt traffic. It can be used against WPA2. The solution is to migrate to WPA3; updating the device firmware only makes the attack harder for the attacker [4].

Kr00k
A variant of the KRACK attack, caused by a bug in the Wi-Fi chipsets of two manufacturers [5].

PMKID attack
Obtaining the PMKID from a handshake and running an offline dictionary attack on the password. Affects WPA2; the protection is both the use of strong passwords and the transition to WPA3 [].

FragAttacks
Uses vulnerabilities in frame fragmentation and aggregation to inject malicious packets. Affects all devices from WEP to WPA3 [7]. The protection is a firmware update.

Deauthentication attack
Sends forged deauthentication frames (logouts) to disconnect a device from the network. Affects all technologies; the solution is to use 802.11w (Management Frame Protection) and to migrate to WPA3.
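
Detection of a deauthentication flood in a monitor-mode capture, as an added example that is not part of the original article. The frame tuples below are constructed for the example, and the 5-second window and the threshold of 10 frames are this example's own assumptions; a real deployment would feed the function frames from a capture tool instead of the inline list.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


def constructed_capture():
    """Constructed monitor-mode frames as (timestamp_s, subtype, bssid, dst, reason_code).
    Not a real capture: a little normal traffic, one legitimate deauth from a second AP,
    then 30 broadcast deauth frames carrying the first AP's address within 1.5 seconds."""
    frames = [
        (0.0, "beacon", "aa:bb:cc:00:00:01", BROADCAST, None),
        (1.2, "data", "aa:bb:cc:00:00:01", "11:22:33:44:55:66", None),
        (3.0, "deauth", "aa:bb:cc:00:00:02", "11:22:33:44:55:77", 3),
        (4.0, "beacon", "aa:bb:cc:00:00:02", BROADCAST, None),
    ]
    frames += [(10.0 + i * 0.05, "deauth", "aa:bb:cc:00:00:01", BROADCAST, 7)
               for i in range(30)]
    return frames


def detect_deauth_floods(frames, window_s=5.0, threshold=10):
    """Flag any BSSID that sources >= threshold deauth/disassoc frames within window_s.

    A single deauthentication is normal (idle timeout, roaming); a burst, especially
    to the broadcast address, is the pattern of the attack described above. With
    802.11w enabled the clients drop the forged frames, but the burst is still visible
    to a monitoring sensor, so the check is useful either way."""
    recent = defaultdict(deque)   # bssid -> frames inside the sliding window
    alerts = {}
    for t, subtype, bssid, dst, reason in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[bssid]
        q.append((t, dst, reason))
        while q and t - q[0][0] > window_s:
            q.popleft()
        if len(q) < threshold:
            continue
        a = alerts.setdefault(bssid, {"bssid": bssid, "first": q[0][0], "last": t,
                                      "count": 0, "broadcast": False, "reasons": set()})
        a["last"] = t
        a["count"] = max(a["count"], len(q))
        a["broadcast"] = a["broadcast"] or any(d == BROADCAST for _, d, _ in q)
        a["reasons"].update(r for _, _, r in q)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_deauth_floods(constructed_capture()):
        print(f"deauth flood from {alert['bssid']}: {alert['count']} frames "
              f"between t={alert['first']:.2f}s and t={alert['last']:.2f}s, "
              f"broadcast={alert['broadcast']}, reason codes={sorted(alert['reasons'])}")
```

The single deauthentication from the second access point stays below the threshold and produces no alert, while the burst of broadcast frames spoofing the first access point is reported once, with the number of frames seen in the window and the reason codes used.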

Evil Twin and Karma attack
This is the creation of a fake AP to eavesdrop or to obtain login data. Because the login authenticates the client and not the server, the attack is difficult to prevent and affects all technologies. Certificates, using a VPN over the Wi-Fi connection and migrating to WPA3 are a partial solution. Currently a purchased PineApple device can be used for this type of attack, or a custom solution can be built.

Dragonblood
Analyzes weaknesses in the WPA3 SAE handshake in order to allow offline attacks on passwords. Affects WPA3; the solution is to update firmware and use strong passwords.

There are other attacks besides these. Some target, for example, the initial client configuration enabled by WPS (Wi-Fi Protected Setup), which is vulnerable if short or default PINs are used (see the Reaver tool). Then there is a set of attacks named after the most common places where they occur: cafe, cafe crack, caffè latte ....
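
A defender-side audit of scanned networks against the mechanism table and notes in the cryptography section and the attack descriptions above, written as an added example that is not the article's code. The WifiNetwork fields, the severity scale and the sample scan results are constructed for this example; each finding restates a recommendation the article makes (no RC4-based WEP, WPA or TKIP; long passphrases and WPA3-SAE for PSK networks; firmware updates against KRACK, kr00k and Dragonblood; 802.11w against deauthentication; WPS disabled; no reliance on SSID hiding; a VPN on open hotspots).

```python
from dataclasses import dataclass

# Severity ranking used to order findings and pick the worst one per network.
SEVERITY = {"info": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class WifiNetwork:
    """One scanned network; the field names are this example's own, not a tool's output."""
    ssid: str                 # empty string = hidden SSID
    auth: str                 # OPEN, WEP, WPA-PSK, WPA-EAP, WPA2-PSK, WPA2-EAP, WPA3-SAE, WPA3-EAP
    cipher: str = ""          # TKIP, CCMP, GCMP; empty for OPEN / WEP
    mfp: str = "disabled"     # 802.11w state: disabled, optional, required
    wps: bool = False         # Wi-Fi Protected Setup enabled on the AP


def assess(net):
    """Return (severity, issue, mitigation) findings for one network, worst first."""
    findings = []

    def add(sev, issue, fix):
        findings.append((sev, issue, fix))

    if net.auth == "OPEN":
        add("critical", "no encryption at all; anyone in range reads the traffic",
            "use WPA2-CCMP or WPA3; on a public hotspot at least tunnel everything through a VPN")
    if net.auth.startswith("WEP"):
        add("critical", "WEP/WEP2: RC4 with a short IV, broken in minutes",
            "migrate to WPA2-CCMP or WPA3; there is no other fix")
    if net.auth.startswith("WPA-") or net.cipher == "TKIP":
        add("critical", "WPA/TKIP: RC4-based, decryptable in well under an hour",
            "disable TKIP and allow only CCMP/GCMP; migrate to WPA3")
    if net.auth == "WPA2-PSK":
        add("medium", "WPA2-PSK: a captured handshake or PMKID allows an offline dictionary attack",
            "use a passphrase of at least 20 characters and migrate to WPA3-SAE")
    if net.auth.startswith("WPA2"):
        add("medium", "WPA2: exposed to key reinstallation (KRACK, kr00k)",
            "update firmware (this only raises the bar) and migrate to WPA3")
    if net.auth.startswith("WPA3"):
        add("info", "WPA3-SAE: Dragonblood-class weaknesses target the handshake",
            "keep firmware updated and use a long passphrase")
    if net.mfp != "required":
        add("medium", "management frames unprotected: forged deauthentication frames disconnect clients",
            "set 802.11w (Management Frame Protection) to required")
    if net.wps:
        add("high", "WPS enabled: short or default PINs can be guessed",
            "disable WPS")
    if not net.ssid:
        add("info", "hidden SSID gives no protection; the AP still transmits and gets mapped",
            "do not rely on SSID hiding")
    # stable sort keeps the rule order among findings of equal severity
    findings.sort(key=lambda f: SEVERITY[f[0]], reverse=True)
    return findings


def worst_severity(net):
    findings = assess(net)
    return findings[0][0] if findings else "info"


def audit(nets):
    """Map each network (by SSID, or <hidden>) to its worst severity and its findings."""
    return {(n.ssid or "<hidden>"): (worst_severity(n), assess(n)) for n in nets}


# Constructed scan results, not a capture from any real environment.
SAMPLE_NETWORKS = [
    WifiNetwork("office-legacy", "WEP"),
    WifiNetwork("office", "WPA2-PSK", "CCMP", mfp="optional", wps=True),
    WifiNetwork("guest", "WPA2-PSK", "TKIP"),
    WifiNetwork("", "WPA3-SAE", "GCMP", mfp="required"),
    WifiNetwork("cafe-free", "OPEN"),
]

if __name__ == "__main__":
    for name, (sev, findings) in audit(SAMPLE_NETWORKS).items():
        print(f"{name}: {sev}")
        for s, issue, fix in findings:
            print(f"  [{s}] {issue} -> {fix}")
```

The rules are cumulative on purpose: the "office" network is modern enough on paper (WPA2 with CCMP) but still ends up rated high because WPS is on and management frames are not protected, which is the kind of configuration gap the attack descriptions above exploit.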

Conclusion

Based on current information, maintaining a certain level of Wi-Fi network security is very challenging. A well-managed wireless network has minimal risks, yet some remain. Unlike metallic wiring, it is possible to connect to the infrastructure remotely, from hundreds of meters away. The solution to this problem is both the use of newer technologies that limit the signal outside the building and stricter access control at the network level.
Several methods can be used for stricter network management: disabling WPS, authentication at the network level using IEEE 802.1X, and separating the wireless network from the rest of the infrastructure with a firewall. As a last resort, a VPN is used to bridge potentially dangerous infrastructure. This is, after all, also recommended on public Wi-Fi hotspots as a safeguard against possible interception of communications.
Therefore, an adequate risk analysis is needed whenever Wi-Fi networks are used. There are situations where an attack on the infrastructure costs more than the attacker could gain. But the decision rests with the owner of the network. This article only serves to provide basic information about security.

References:

  1. RC4 No More
    Source: https://rc4nomore.com/
  2. WEP Cracking
    Source: https://www.researchgate.net/
  3. WPA/WPA2 PSK Bruteforce
    Source: https://www.iacr.org/
  4. KRACK Attack
    Source: https://www.krackattacks.com/
  5. kr00k Attack
    Source: https://www.eset.com/
  6. PM-KID Attack
    Source: https://www.mdpi.com/
  7. FRAG Attack
    Source: https://www.fragattacks.com/
  8. Weakness of Wireless Session Containment
    Source: https://www.willhackforsushi.com/
  9. Wireless Security Protocols WPA3: A Systematic Literature Review
    Source: https://www.researchgate.net/
  10. WPS Attack
    Source: https://sviehb.wordpress.com/

Author of the article:

Jan Dušátko

Jan Dušátko has been working with computers and computer security for almost a quarter of a century. In the field of cryptography, he has cooperated with leading experts such as Vlastimil Klíma or Tomáš Rosa. Currently he works as a security consultant, his main focus is on topics related to cryptography, security, e-mail communication and Linux systems.
