4-Way Handshake

For AP and client exchanging encrypted data, both need to have the right key(s) installed. Each time a client (Supplicant) associates to an AP (Authenticator), new temporal keys for the pairwise data transmissions are generated, which are unique for each connected client. In case of Broad- and Multicast frames, all clients use the same Groupwise Temporal Key (GTK) that don’t require a new generation for each association.

Transient keys are derived from a master key, a Pairwise Master Key (PMK) could be the passphrase for WPA-PSK or a key derived from the EAP process for WPA-802.1X or WPA-Enterprise. Since transient keys are used, an attacker cannot obtain the master key from sniffing the frames in the air and it is possible to change the PTK without changing the passphrase itself.

The installation of Pairwise and Groupwise Transient Keys (PTK/GTK) is done by the so called 4-Way Handshake with the following flow graph:

4 Way Handshake

Source: Wikipedia

Pairwise Temporal Key Generation

The function to generate a Pairwise Temporal Key (PTK) is known as a Pseudo Random Function (PRF):

PTK = PRF(PMK | ANonce | SNonce | AA | SA)

With ANonce and SNonce as Nonces (Nonce: Number used once) from Authenticator (AP) and Supplicant (client) and the Authenticator’s and Supplicant’s MAC Addresses (AA/SA).

EAP-Key Message 1/4 (ANonce)

As the first message is send from AP to client, this message includes a random number as ANonce for PTK generation at the client. Since the client knows its own SNonce and SA as well as the AA (from Beacons, Probe Response and/or Association Response) and PMK, the ANonce from this message is the only missing information.

Key 1of4

802.1X-1

EAP-Key Message 2/4

As the Supplicant (client) replies to the first EAP Key message, the client sends the used SNonce as clear text to the AP “protected” by a cryptographic hash (HMAC-SHA1) called Message Integrity Code (MIC) for integrity of of this message the installed key on the client side. The AP will generate its own MIC and compare it the the one in this message, if they match, EAP-Key message 3 is send for key installation. This message also includes the Robust Security Network Information Element (RSN IE).

Key 2of4 802.1X-2

EAP-Key Message 3/4

Message 3 is the last unencrypted key message, as long as no retransmission(s) occur and the pairwise temporal key remains valid. The AP informs the client about the installation of the PTK and the receive sequence counter (RSC) for the GTK. The GTK itself is given in the WPA Key Data field, secured/encrypted with the PTK.

802.1X-3

EAP-Key Message 4/4

The Supplicant acknowledges the installation of PTK and GTK afterwards, encrypted Unicast and Broad-/Multicast transmission can start now.

802.1X-4

 

Conclusion

The generation of P/GTKs is quite easy and three of the four frames for the installation are unencrypted, which means that the only secret in PTK derivation is the Pairwise Master Key (PMK). As I will show in another post, the generation of a new PTK for each association to an AP can be shortened to enable a much faster association. This is especially important for client roaming and should not bother any single AP installation at home.

Attacks

In October 2017, postdoctoral researcher Mathy Vanhoef (PhD @ KU Leuven, Belgium) published his research paper on how the EAPoL key exchange can be attacked to read encrypted data without retrieving the actual PMK. He named the attack “KRACK” and here is the link to his paper.

*2017-04-18 Updated due to feedback from apoorva in the comment section*

*2018-01-18 Updated with a link to Mathy van Hoef’s research paper on Key Reinstallation Attacks*

19 thoughts on “4-Way Handshake

  1. Very nice post!
    But, I have two questions: what is the field “WPA Key Data” inside EAP-Key Message 2/4? Is this encrypted?
    (Forgive my bad english, please).

    Thanks!

    \o/

    Like

  2. Hello Henrique,
    the key handshake itself does not use encryption, that’s why you can sniff and take a look at all 4 packets without being connected to the network. Therefore, the “WPA Key Data” is not encrypted, you can see all the interpreted details below that field which is basically the RSN Information Element, which can also be found in Probe Responses for example. So the client basically tells the AP that WPA2 with AES (CCM) encryption has to be used to groupwise and pairwise keys and that it does not support any further features like Protected Management Frames for example.

    You might think it is encrypted since you see the hexadecimal representation of the tags and flags below it. I hope this answers your questions?

    PS: Your english is perfectly fine.

    Like

  3. Thank you very much, mtroi!

    You answered perfectly.

    I wanted to discover the PTK looking at all 4 handshake’s frames. Learn now that PTK is not transmitted through medium. So, think discover PTK through of Message Integrity Code (MIC), but researched quickly and see that it is not possible.

    Like

    • Good morning;
      (1) Is the PTK and Snonce (Hashed) and transmitted to the AP as an “Snonce ?” and
      (2) Once the Client receives and Ack for the GTK, does the proceeding data exchanges get encrypted by AES CCMP ? Is this how it works?

      Thanks in advance,
      Dj

      Like

      • Hello Dj,
        if you read the post more carefully, you find most of your questions answered.
        1) PTK is never transmitted, it is derived from information (ANonce, SNonce and MACs) that are given/transmitted
        2) SNonce is transmitted as clear text, the Hash (MIC) is for only for verification, that the information is valid
        3) After Client has sent EAPoL Message 4, AP and client transmit encrypted (unicast, multicast, broadcast) data packets.

        kind regards,
        mtroi

        Like

  4. Hi Mtroi, nice article and quite well explained.
    But I think there is a correction required.
    In EAP-Key Message 1/4 (ANonce) –> The client only waits for ANonce value to generate PTK, it already has by this time the value of authenticator’s mac address from beacon frames and that is how supplicant will get to know whom to send the key request.
    In EAP-Key Message 2/4 –> SNonce is not protected by MIC, SNonce is send with MIC, SNonce is non-encrypted or non-hashed value (just clear text) as you have correctly pointed out in wireshark and that is not to protect the integrity of the message but it allows authenticator to go verify the PTK generated by supplicant.
    How ??
    The authenticaor goes ahead and use the SNonce from EAP packet 2, it already has supplicant’s MAC address, PSK/PMK, its own mac addr to generate it’s own MIC and then it will compare both (one sent from supplication and generated by itself) if the match results to 0, it authenticates and sends packet 3 as Key installation and if it results to 1 it goes ahead and send “Deauthentication” packet.

    Liked by 1 person

    • Hi Apoorva,
      thanks for your feedback including a very detailed explanation of the stuff that I’ve been unsure/uncertain about. The post has been updated.

      kind regards,
      mtroi

      Like

    • Hi Apoorva, I’m new to 802.11 and i was looking for 4-way handshake videos. Unfortunately there were not plenty of them on the youtube, could you please explain it to me in detail? I’d appreciate if you could explain me in hindi. TIA.

      Like

  5. Hallo werter mtroi,

    ich arbeite aktuell an einer Hausarbeit zu WPA2 und Auswertung mit Wireshark. Bitte ganz kurze Erklärung warum im EAP-Frame 3 in WireShark letzte Zeile eine WPA-Key-Data angezeigt wird und in EAP-Frame 4 die Daten auf 0 gesetzt wurden – 1) ist das der GTK und nicht der Key für PTK, richtig? 2) dann müsste der GTK aber doch auch in Frame 4 vorhanden sein?

    Vielen Dank, mir wäre sehr geholfen wenn ein kurzes Feedback möglich wäre,

    PAPSI

    Like

    • Hallo PAPSI,
      der GTK wird verschlüsselt als WPA Key Data vom AP zur STA übertragen, wie im Blogpost beschrieben mit dem PTK als Schlüssel. Wenn die STA Frame 3 empfängt und bisher alles richtig gerechnet hat, dann ist sie in der Lage den PTK zu benutzen und damit die WPA Key Data zu entschlüssseln, um den GTK zu erhalten/installieren. Anders als der PTK, welcher auf beiden Seiten ausgerechnet wird, kommt der GTK allein vom AP, daher braucht die STA diesen nicht mehr an den AP zurückzuschicken (WPA Key Data Feld leer). Frame 4 stellt nur eine Bestätigung der STA dar, dass sie alles korrekt empfangen hat und nun verschlüsselt kommunizieren kann.

      Viel Erfolg bei deiner Hausarbeit.
      mtroi

      Like

  6. Hi

    There is a case, let’s say I am a legitimate user and already get connected to the AP, So I can see the Anonce and the SNonce of the new node joining the network, and can derive the PTK of those new nodes. Then how this PTK is unique to every user

    Like

    • Hello Manish,
      the PTK is unique as ANonce & SNonce are unique for each connection attempt and the MAC address of a STA (SA) differs from others (The AP MAC (AA) does of course not change). By the way, you don’t need to be connected to the AP to see the A/SNonce, that’s something anybody can obtain by sniffing the packets over the air. As long as the Pairwise Master Key is unknown to not-connected user, (s)he’s not able to compute the PTK based on A/SNonce and AA/SA alone. I hope that answers your question?!

      Regards,
      mtroi

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.