4-Way Handshake

For AP and client exchanging encrypted data, both need to have the right key(s) installed. Each time a client (Supplicant) associates to an AP (Authenticator), new temporal keys for the pairwise data transmissions are generated, which are unique for each connected client. In case of Broad- and Multicast frames, all clients use the same Groupwise Temporal Key (GTK) that don’t require a new generation for each association.

Transient keys are derived from a master key, a Pairwise Master Key (PMK) could be the passphrase for WPA-PSK or a key derived from the EAP process for WPA-802.1X or WPA-Enterprise. Since transient keys are used, an attacker cannot obtain the master key from sniffing the frames in the air and it is possible to change the PTK without changing the passphrase itself.

The installation of Pairwise and Groupwise Transient Keys (PTK/GTK) is done by the so called 4-Way Handshake with the following flow graph:

4 Way Handshake

Source: Wikipedia

Pairwise Temporal Key Generation

The function to generate a Pairwise Temporal Key (PTK) is known as a Pseudo Random Function (PRF):

PTK = PRF(PMK | ANonce | SNonce | AA | SA)

With ANonce and SNonce as Nonces (Nonce: Number used once) from Authenticator (AP) and Supplicant (client) and the Authenticator’s and Supplicant’s MAC Addresses (AA/SA).

EAP-Key Message 1/4 (ANonce)

As the first message is send from AP to client, this message includes a random number as ANonce for PTK generation at the client. Since the client knows its own SNonce and SA as well as the AA (from Beacons, Probe Response and/or Association Response) and PMK, the ANonce from this message is the only missing information.

Key 1of4


EAP-Key Message 2/4

As the Supplicant (client) replies to the first EAP Key message, the client sends the used SNonce as clear text to the AP “protected” by a cryptographic hash (HMAC-SHA1) called Message Integrity Code (MIC) for integrity of of this message the installed key on the client side. The AP will generate its own MIC and compare it the the one in this message, if they match, EAP-Key message 3 is send for key installation. This message also includes the Robust Security Network Information Element (RSN IE).

Key 2of4 802.1X-2

EAP-Key Message 3/4

Message 3 is the last unencrypted key message, as long as no retransmission(s) occur and the pairwise temporal key remains valid. The AP informs the client about the installation of the PTK and the receive sequence counter (RSC) for the GTK. The GTK itself is given in the WPA Key Data field, secured/encrypted with the PTK.


EAP-Key Message 4/4

The Supplicant acknowledges the installation of PTK and GTK afterwards, encrypted Unicast and Broad-/Multicast transmission can start now.




The generation of P/GTKs is quite easy and three of the four frames for the installation are unencrypted, which means that the only secret in PTK derivation is the Pairwise Master Key (PMK). As I will show in another post, the generation of a new PTK for each association to an AP can be shortened to enable a much faster association. This is especially important for client roaming and should not bother any single AP installation at home.


In October 2017, postdoctoral researcher Mathy Vanhoef (PhD @ KU Leuven, Belgium) published his research paper on how the EAPoL key exchange can be attacked to read encrypted data without retrieving the actual PMK. He named the attack “KRACK” and here is the link to his paper.

*2017-04-18 Updated due to feedback from apoorva in the comment section*

*2018-01-18 Updated with a link to Mathy van Hoef’s research paper on Key Reinstallation Attacks*


15 thoughts on “4-Way Handshake

  1. Very nice post!
    But, I have two questions: what is the field “WPA Key Data” inside EAP-Key Message 2/4? Is this encrypted?
    (Forgive my bad english, please).




  2. Hello Henrique,
    the key handshake itself does not use encryption, that’s why you can sniff and take a look at all 4 packets without being connected to the network. Therefore, the “WPA Key Data” is not encrypted, you can see all the interpreted details below that field which is basically the RSN Information Element, which can also be found in Probe Responses for example. So the client basically tells the AP that WPA2 with AES (CCM) encryption has to be used to groupwise and pairwise keys and that it does not support any further features like Protected Management Frames for example.

    You might think it is encrypted since you see the hexadecimal representation of the tags and flags below it. I hope this answers your questions?

    PS: Your english is perfectly fine.


  3. Thank you very much, mtroi!

    You answered perfectly.

    I wanted to discover the PTK looking at all 4 handshake’s frames. Learn now that PTK is not transmitted through medium. So, think discover PTK through of Message Integrity Code (MIC), but researched quickly and see that it is not possible.


    • Good morning;
      (1) Is the PTK and Snonce (Hashed) and transmitted to the AP as an “Snonce ?” and
      (2) Once the Client receives and Ack for the GTK, does the proceeding data exchanges get encrypted by AES CCMP ? Is this how it works?

      Thanks in advance,


      • Hello Dj,
        if you read the post more carefully, you find most of your questions answered.
        1) PTK is never transmitted, it is derived from information (ANonce, SNonce and MACs) that are given/transmitted
        2) SNonce is transmitted as clear text, the Hash (MIC) is for only for verification, that the information is valid
        3) After Client has sent EAPoL Message 4, AP and client transmit encrypted (unicast, multicast, broadcast) data packets.

        kind regards,


  4. Hi Mtroi, nice article and quite well explained.
    But I think there is a correction required.
    In EAP-Key Message 1/4 (ANonce) –> The client only waits for ANonce value to generate PTK, it already has by this time the value of authenticator’s mac address from beacon frames and that is how supplicant will get to know whom to send the key request.
    In EAP-Key Message 2/4 –> SNonce is not protected by MIC, SNonce is send with MIC, SNonce is non-encrypted or non-hashed value (just clear text) as you have correctly pointed out in wireshark and that is not to protect the integrity of the message but it allows authenticator to go verify the PTK generated by supplicant.
    How ??
    The authenticaor goes ahead and use the SNonce from EAP packet 2, it already has supplicant’s MAC address, PSK/PMK, its own mac addr to generate it’s own MIC and then it will compare both (one sent from supplication and generated by itself) if the match results to 0, it authenticates and sends packet 3 as Key installation and if it results to 1 it goes ahead and send “Deauthentication” packet.

    Liked by 1 person

    • Hi Apoorva,
      thanks for your feedback including a very detailed explanation of the stuff that I’ve been unsure/uncertain about. The post has been updated.

      kind regards,


    • Hi Apoorva, I’m new to 802.11 and i was looking for 4-way handshake videos. Unfortunately there were not plenty of them on the youtube, could you please explain it to me in detail? I’d appreciate if you could explain me in hindi. TIA.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.