What is Four-Way handshake?
Between Access point (Authenticator) and WiFi client (Supplicant) four messages are exchanged to generate encrypted keys used to encrypt and decrypt 802.11 data frames.
Key Hierarchy (Source from CWSP Study Guide)
Master Session Key (MSK):
Also known as AAA key which is generated either from 802.1X/EAP authentication (EAP-TLS or PEAP etc) process or PSK authentication.
In 802.1X/EAP authentication, generating MSK is depends on EAP method and key length is atleast 64 octets. Below are the attribute value pairs seen in Access-Accept
In Personal/PSK authentication, we configure passphrase 8-63 characters. This passphrase converts into 256 bits PSK using below formula (Passphrase to PSK mapping)
PSK = PBKDF2 (PassPhrase, ssid, ssidLength, 4096, 256)
Pairwise Master Key (PMK):
When 802.1X is configured, MSK seeding material or keying material used to create Master Key called PMK. PMK is derived from MSK seeding material. PMK is first 256 bits of MSK. Now PMK is known to client (Supplicant) and Radius Server. PMK is sent via secure channel from Radius server to Access Point (Authenticator) in Access-Accept packet as attribute value pairs (Enc-RECV-Key)
Group Master Key (GMK):
The access point generates GMK simply by choosing a 256-bit cryptographic-quality random number. GMK may be regenerated at configured interval time to reduce the risk of GMK being compromised.
Pairwise Transient Key (PTK):
PTK is used to encrypt all unicast transmission between Access point & client. PTK is unique between a client and Access point. PTK is derived from PMK
Anonce is a random number generated by an Access point/Authenticator
Snonce a random number generated by the Client/Supplicant
MAC addresses of Client/Supplicant
MAC address of Access point/Authenticator
PRF is a pseudo-random function which is applied to all the input.
Group Transient Key (GTK):
GTK is used to encrypt all broadcast/multicast transmission between Access point & multiple clients and it is shared to all the clients connected to Access point. GTK which is 256 bits is derived from the GMK by combining with a nonce value and the MAC address of the access point. Two keys are required:
Message 1/4
Message 2/4
Between Access point (Authenticator) and WiFi client (Supplicant) four messages are exchanged to generate encrypted keys used to encrypt and decrypt 802.11 data frames.
Key Hierarchy (Source from CWSP Study Guide)
Also known as AAA key which is generated either from 802.1X/EAP authentication (EAP-TLS or PEAP etc) process or PSK authentication.
In 802.1X/EAP authentication, generating MSK is depends on EAP method and key length is atleast 64 octets. Below are the attribute value pairs seen in Access-Accept
Enc-RECV-Key = MSK(0,31) = Peer to Authenticator Encryption Key
(MS-MPPE-Recv-Key in [RFC2548]). Also known as the PMK in [IEEE-802.11]
Enc-SEND-Key = MSK(32,63) = Authenticator to Peer Encryption Key
(MS-MPPE-Send-Key in [RFC2548])
RECV-IV = IV(0,31) = Peer to Authenticator Initialization Vector
SEND-IV = IV(32,63) = Authenticator to Peer Initialization Vector
In Personal/PSK authentication, we configure passphrase 8-63 characters. This passphrase converts into 256 bits PSK using below formula (Passphrase to PSK mapping)
PSK = PBKDF2 (PassPhrase, ssid, ssidLength, 4096, 256)
Pairwise Master Key (PMK):
When 802.1X is configured, MSK seeding material or keying material used to create Master Key called PMK. PMK is derived from MSK seeding material. PMK is first 256 bits of MSK. Now PMK is known to client (Supplicant) and Radius Server. PMK is sent via secure channel from Radius server to Access Point (Authenticator) in Access-Accept packet as attribute value pairs (Enc-RECV-Key)
When Personal/PSK is configured, the PSK will become the Pairwise Master Key (PMK), so basically the PSK is equal to the PMK.
Group Master Key (GMK):
The access point generates GMK simply by choosing a 256-bit cryptographic-quality random number. GMK may be regenerated at configured interval time to reduce the risk of GMK being compromised.
Pairwise Transient Key (PTK):
PTK is used to encrypt all unicast transmission between Access point & client. PTK is unique between a client and Access point. PTK is derived from PMK
PTK = PRF (PMK + Anonce + SNonce + MAC (AA)+ MAC (SA))
PMKAnonce is a random number generated by an Access point/Authenticator
Snonce a random number generated by the Client/Supplicant
MAC addresses of Client/Supplicant
MAC address of Access point/Authenticator
PRF is a pseudo-random function which is applied to all the input.
PTK
consist of 5 different keys
1. Key
Confirmation Key (KCK)-is 128 bit long and used to provide data integrity during 4 -Way Handshake &
Group Key Handshake.
2. Key Encryption Key (KEK) is 128 bit long and used by EAPOL-Key frames to provide data privacy during 4-Way Handshake & Group Key Handshake.
3. Temporal Key is 128 bit long and used to encrypt & decrypt MSDU of 802.11 data frames between supplicant & authenticator
4. Temporal MIC-1 is 64 bit long used only with TKIP configurations for unicast packets sent by access points for providing Message Authentication Codes (MACs)
5. Temporal MIC-2 is 64 bit long used only with TKIP configurations for unicast packets sent by clients for providing Message Authentication Codes (MACs)
2. Key Encryption Key (KEK) is 128 bit long and used by EAPOL-Key frames to provide data privacy during 4-Way Handshake & Group Key Handshake.
3. Temporal Key is 128 bit long and used to encrypt & decrypt MSDU of 802.11 data frames between supplicant & authenticator
4. Temporal MIC-1 is 64 bit long used only with TKIP configurations for unicast packets sent by access points for providing Message Authentication Codes (MACs)
5. Temporal MIC-2 is 64 bit long used only with TKIP configurations for unicast packets sent by clients for providing Message Authentication Codes (MACs)
Group Transient Key (GTK):
GTK is used to encrypt all broadcast/multicast transmission between Access point & multiple clients and it is shared to all the clients connected to Access point. GTK which is 256 bits is derived from the GMK by combining with a nonce value and the MAC address of the access point. Two keys are required:
- Group Encryption key (128 bits)
- Group Integrity key (128 bits)
Four-Way Handshake Flow
Message 1/4
Access point (Authenticator) sends EAPOL-Key frame containing an
random number called ANonce to client (supplicant) with a Key Replay Counter, which is a number that is used to match each pair of messages sent, and discard replayed messages.
Now client knows its own SNonce and SA as well as the AA (from Beacons,
Probe Response and/or Association Response) and PMK. Client have all necessary inputs to
generate PTK using pseudo-random function(PRF)
PTK = PRF (PMK + Anonce + SNonce + MAC (AA)+ MAC (SA))
Message 2/4
Client (Supplicant) replies to the first EAPOL Key
message, sends the used SNonce as clear text to the AP which is “protected”
by a cryptographic hash (HMAC-SHA1) called Message Integrity Code (MIC) for
integrity of the installed key on the
client side. The Access point derive PTK and will generate its own MIC. Now Access point compare it with the MIC in
this message, if they match, EAPOL-Key message 3 is send. This message also includes the Robust Security Network Information Element (RSN
IE).
Message 3/4
This Message is the last unencrypted key message, as long as
no retransmission(s) occur and the pairwise temporal key remains valid. Access point (Authenticator) sends EAPOL-Key frame containing ANonce, RSN-IE & MIC and
informs the client about the installation of the PTK. If necessary, Access point (Authenticator) will derive GTK from GMK and the receive sequence
counter (RSC) for the GTK. The GTK will be delivered to client and mentioned in the WPA Key Data field which is encrypted with the PTK.
Message 4/4
Client (Supplicant) sends final EAPOL-Key frame to Access point to acknowledges the installation of PTK and GTK
afterwards, encrypted Unicast and Broad-/Multicast transmission can start now.
Good detailing. Very useful
ReplyDelete