4-Way Handshake - Wifi Authentication

clementS - - 7 mins read

Abstract

To connect to a WiFi network, the authentication depends on security protocols, the most common of which are:

  1. WEP
  2. WPA Personal
  3. WPA Entreprise
  4. WPA2-Personal
  5. WPA2-Enterprise
  6. WPA3

There are 2 different versions of WPA and WPA2 which work slightly differently in terms of authentication.

While WEP and WPA3 have their own authentication protocols, WPA and WPA 2 (the most common ones nowadays) use the 4-Way Handshake method to allow a device to connect to WiFi and secure connection.

The 4-Way Handshake requires a PMK (Pair Master Key), a secret shared by both sides (client and server). This can be a password (network key) or a username + password in the case of Enterprise authentication.

In this article, you will learn how this method works from a network-oriented point of view.

Configuration

We will consider a WPA-Personal/WPA2-Personal WiFi, so the PMK will just be the WiFi password encrypted. We will dive in further explanations shortly.

But remember that except getting PMK before authentication starts through a WiFi password(secret shared by both sides), WPA2-Entreprise and WPA-Entreprise works the same way. They use an external RADIUS authentication server with personal user informations and not a global shared key. Indeed, they use 4-way handshake to secure communication.

Lets consider the following situation:

There is a device that knows the key (password) and wants to connect to a WPA/WPA2-PSK WiFi network.

4-Way Handshake Initiation

The device sends an authentication request to the network. This request is not included in the 4-Way Handshake.

4-Way Handshake

schema

This diagram shows the different requests and what they contain.

Note: “STA” stands for Station, and “AP” for Access Point
The device is actually the station and the access point is the network node handling authentication

First Request

Firstly, the AP sends a nonce, which is a large random integer.

When the station receives the packet, the station creates the PTK (Pairwise Transient Key) using the Key Derivation Function (KDF). This key is created with:

  1. The Pre-Shared Key (PSK),
  2. The ANonce received previously,
  3. The SNonce.

The SNonce is similar to the ANonce, a large random number generated on the station side. Each time the station tries to authenticate, the SNonce and ANonce are generated again. These numbers ensure that the PTK is temporary.

The KDF algorithm returns the PTK. We don’t use the password or the PSK directly because we don’t want the explicit key to go through the network. This is quite obvious; we don’t want others to easily intercept the password.

Pre-Shared Key (PSK)

To get the PSK, the device only needs the BSSID (network MAC address) and the password.
=> The process is really simple:
Hash the password with the BSSID as salt using the SHA-1 algorithm.

Now, we have the PSK (the AP also performs this operation).

The PSK is calculated before authentication starts (the station has all infos it needs: password & BSSID).
Indeed, you selected a network to connect to (BSSID) and enter password.
Even if “How the station list all available network(network name & network MAC address) ?” could definitely an entire article, here is how does it mainly works:

The station send a ‘Broadcast’ unencrypted network packet “Is there any available network ?”. A Broadcast packet is a packet that everyone are allowed to read.
Finally every access point reply: “I’m here”, and their BSSID is included in their network packet header.

The PMK is exactly the same as PSK for both WPA-Personal and WPA2-Personal

VERY IMPORTANT

For WPA-Entreprise and WPA2-Entreprise, they use here the PMK created by RADIUS authentication

How RADIUS pre-authentication works ?

  1. Client Authentication Request: A client device (supplicant) requests network access. The access point (AP), acting as an authenticator, forwards this request to the RADIUS server.

  2. EAP Exchange: The client and RADIUS server engage in an Extensible Authentication Protocol (EAP) exchange, which provides mutual authentication and allows the server to verify the client’s identity using credentials like usernames, passwords, or certificates.

  3. Session Key Derivation: Upon successful authentication, the RADIUS server generates the Master Session Key (MSK), which it sends securely to the access point.

  4. PMK Generation: The access point extracts a portion of the MSK to create the Pairwise Master Key (PMK). The PMK is then used in the four-way handshake process between the client and AP to securely establish encryption keys.

This RADIUS-based process ensures that only authenticated users can join the network and that the derived PMK is unique for each session, helping to secure wireless communications.

More Info Here

Second Request

Let’s make a short recap.
At the beginning, we only know the PSK=PMK, which we derive from the network password and BSSID.
PMK is derived from RADIUS authentication in case of WPA-Entreprise and WPA2-Entreprise

We received the AP’s nonce from the first request, and the station generated the SNonce to create the PTK from the ANonce, SNonce, and PSK.

Now we need to tell the AP that we know the password without explicitly sending the password (a hacker could incercept the packet and easily know the password).

The station sends a packet containing the SNonce, allowing the AP to generate the same PTK. At the end of the packet, a signature called the Message Integrity Code (MIC) is added.

The MIC is just a SHA-1 hash of the packet content with the PTK as salt.
When the AP receives the second request, it will generate its PTK (it has all the necessary information: SNonce, ANonce, PSK). However, at this moment, the AP doesn’t know if the station has the correct password.

The AP generates the MIC from its newly generated PTK and compares it with the provided MIC.
If the MICs are identical => PTKs are identical => PSKs are identical => passwords are identical

Third Request

To tell the station that it has the correct password, the AP won’t do so explicitly.

IMPORTANT: the AP doesn’t send explicitly a message because we want the network to be authenticated. Indeed, a hacker could duplicate the network and fake the real network (emmiting a stronger signal). This make the station sure that also the AP knows the password and it’s the same as him

But if there’s a network whose you know the password, you can fake it and other people can connect to your network while they think they are connected to the real one This is known as Evil Twin attack

The AP will use the same strategy: a MIC.

To optimize the request, the AP will send useful information: the Group Temporal Key (GTK), directly generated by the AP.

To check if the station has the correct password, the AP generates the MIC corresponding to the GTK (packet content) using the PTK.

If both match, the station and AP are sure that the other has the correct password.

Last Request

The station sends an acknowledgment packet to tell the AP that everything is OK.

The encrypted communication can now begin.

Encryption

WPA2 uses AES while WPA uses TKIP to encrypt packet content. Even if both are encryption’s methods, AES is more secure (because it uses longer encryption keys). This makes it nearly impossible for an hacker to read a captured packet.

The PTK contains several keys.
Several keys are derived from the PTK:

  1. KCK = PTK bits 0-127, the key confirmation key -> used for MIC (verifying message integrity).
  2. KEK = PTK bits 128-255, the key encryption key -> used for encrypting the key data in the authentication packets.
  3. TEK = PTK bits 256-383, the temporal encryption key for unicast traffic -> used for AES encryption.

We simplify things by saying that we use the PTK for something, but in reality, we often use just a part of it.

Recap of Key Derivation

key_derivation

In WPA2-PSK and WPA-PSK, the PMK is the same as the PSK.

Conclusion

Remember that even if we use WPA/WPA2, if a hacker catch all packets (this can be done easily with Wireshark), he can brutforce PTK and get WiFi.
Indeed, he has all infos he needs (both nonces, BSSID, protocols…).

Wireshark is just a tool to capture traffic using pcap (an network capture API).

You learned how the 4-way handshake works. Now you can discover the way to get PMK for WPA(2)-Entreprise.

Useful Links:

https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
https://networklessons.com/cisco/ccnp-encor-350-401/wpa-and-wpa2-4-way-handshake
https://www.wifi-professionals.com/2019/01/4-way-handshake
https://en.wikipedia.org/wiki/Pre-shared_key
https://en.wikipedia.org/wiki/Key_derivation_function