4-Way Hand shake , Keys generation and MIC Verification-WPA2

We have so many blogs that will help us to know more about the 4-way handshake, In this post we will learn about the PTK generation and MIC generation of the 4-way handshake and we will learn about how to generate the keys , and verify the MIC in M2, M3 and M4.

Multiple keys will be generated in 4-way handshake, and different keys are used for different purposes.

Both the client and AP know the passphrase, And they don’t exchange the passphrase during handshake. Both the AP and client will get negotiated on the keys to be used.

Observe the below figure to know about the key hierarchy.

1) Passphrase is known to both AP and supplicant.

2) PSK Gets generated from the Passphrase from the following function. We need passphrase and SSID to generate the PSK.

PSK = pbkdf2.pbkdf2(str.encode(passphrase), str.encode(SSID), 4096, 32)

3) PMK gets generated from the below function. PBKDF2 (Password-based Key Derivation Funtion 2) which uses HMAC-SHA1 to encode the data.

If an 802.1X EAP exchange was carried out, the PMK is derived from the EAP parameters provided by the authentication server.

PMK = PBKDF2(HMAC−SHA1, PSK, SSID, 4096, 256)

The 4096 iterations to create 256 bit PMK with SSID used as salt and PSK used as the base of entire process.

4) PTK can be generated with a function (customPRF512) and this function expects few values to be passed as a arguments to regenerate the PTK which is the length of 384-bit, and additional 128-bit only for TKIP Configurations. We can generate the PTK easily from the python script, we will see about that later in the post.

PTK = PRF (PMK + Anonce + SNonce + Mac (AA)+ Mac (SA))

5) PTK Consists of multiple keys they are

KEK – Used to encrypt the keys [Ex: GTK will be encrypted in M3 using KEK to deliver to the client].
KCK – Used during the creation of the MIC, Hash will be generated using KCK.
TK – Encryption and decryption of unicast packets.
MIC Tx – Only used with TKIP configurations for unicast packets sent by access points.
MIC Rx – Only used with TKIP configurations for unicast packets sent by clients.

Below are the contents of the PTK and the length of the keys.

Now Observe the below figure that shows the 4-way handshake procedure.

Now check the Below sniffer capture of 4-way handshake, I have filtered only the required packets.

Key Generation

Lets open the EAPOL Message 1 and observe the Anonce that is sent by the AP.

1) M1 Message: Here AP will send the Nonce and we call it as ANONCE. And the 4-way handshake uses HMAC-SHA1 procedure to generate the MIC. For PMF the MIC key will be generated using AES CMAC , so the key generation algorithm used for PMF and WPA2+PSK will be different.

2) M2 Message: See the below M2 Message will be sent by the Supplicant and observe the contents of the M2 Message in the below sniffer. Supplicant will send the snonce, and now we have the required components to generate the PTK.

Required values. to generate the PTK are :

Snonce
Anonce
PMK
Source MAC Address
Destination MAC Address

Now observe the below M2 Message. Here MIC Verification will be done, and MIC bit is set to 1.

Now We have the required values to generate the PTK. And now we should have the KCK which will be derived from the PTK and KCK will be used to generate the MIC. First we will generate the PTK and then we will check how to generate the MIC. We need to give all the input to the python program and we can see the PTK generated.

Observe the below image to see the output of the script that has generated the required keys. Now we are giving the input to the script that is going to generate the keys. We enter the below input.

SSID
Passphrase (WiFi Password)
AP MAC
Client MAC
Anonce (We got from the M1 Message, Observe the M1 Message sniffer capture above)
Snonce (We got it from M2 Message, Observe the M2 Message sniffer capture above)

Observe the below image to check the generated Keys.

In a pre-shared-key network, the PMK is actually the PSK. So, observe that in the above figure generated PSK and PMK are same.

Now we have the PTK and the value is (Observe the above Figure 3)
fb18560e63909f84f31d39da03a5d82fdc78c3b56f1870544308b84dee2144b87615729c4884a545d392c20b3f697025633245fc5a0fa15efeb0c82501f3a7b4

We will get the remaining keys from the PTK. PTK is divided in to the mutiple keys. Observe the below figure.

This image has an empty alt attribute; its file name is image-24.png

Keys
So, KCK is 1st 128 bits of the PTK i.e
KCK: fb18560e63909f84f31d39da03a5d82f

KEK, is 2nd 128 bits of the PTK i.e
KEK: dc78c3b56f1870544308b84dee2144b8

TK
TK : 7615729c4884a545d392c20b3f697025

MIC Tx
MIC Tx: 633245fc5a0fa15e

MIC Rx
MIC Rx: feb0c82501f3a7b4

MIC Verification

Now we will generate the MIC for the M2 data, and we will have to verify that the generated MIC matches with the value that we see in the sniffer.

Now we have to get the the M2 data from the sniffer capture. Observe the below capture and get the hex data from the wireshark. Below capture we can see the M2 802.1x Authentication data. Data is selected below (Blue Color).

And the 16 Byte MIC is selected in Red Color.

Now WPA2 PSK uses HMAC-SHA1 to generate the MIC and it uses the KCK as a secret to generate the MIC. Observe the below screen capture that generated the MIC, I have used openssl command line to generate the MIC.

In the below command I have replaced the MIC value to 16 byte Zero, and we use the key as KCK to generate the MIC. Observe that we are using the KCK as a key in the below figure. Execute the openssl command in any linux terminal.

Figure 4 : MIC Generation

M2 MIC Generation
echo -n ‘0103007502010a000000000000000000015214c4dbe4a567e78b8f30b2b016a2d90ea50c27d408614c1fc0a0000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000’ | xxd -r -macopt hexkey:fb18560e63909f84f31d39da03a5d82f
(stdin)= 5b4205c05f9ba1b869b8786d1f3fc43da056320a

Observe that generated sha-1 hash for the data is 20 bytes. And we take only the 16 bytes from the hash so we do not consider the last 4 bytes of the data. so the actual MIC that we saw in the Sniffer is given below. So we do not consider the last 4 Bytes from the generated sha-1 hash.

With MIC Verification 2/4 Messages are completed. If user enters the wrong passphrase then there will be a MIC failure and we don’t see the messages after the Message 2. See the below sniffer capture to check this behavior when the user enters the wrong key.

In the M3 Message , AP notifies the Supplicant to install the Keys and AP will send the GTK to the Supplicant, and the GTK will be encrypted using KEK. GTK could be a random number and it will be sent to the supplicant by encrypting it with KEK.

Observe the below capture to see the M3 Message.

Now see the MIC Generation for the M3 Message , it is similar to the one we saw in creating the M2 Message. But we have to get the data of the M3 message and then use the KCK as the secret key to generate the hash. Execute the below openssl command in any linux terminal.

M3 MIC generation:
echo -n ‘020300c70213ca00100000000000000002ac9871c9ca129468708ca0d554e22f4f8b6eaa6dbaa121d2233bf33cbc29d346000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006814ca01f8d15d931b12c98e973fd6b090abb7dc7277fe31823a2e8a19553946cf6236256850a4428244b990fddcabee637536a199b747b7e1f9eaa0e29878988cade1cbd6214cc6ef1a33dcce40539ba9909da2c891aecba97698bd8e3acd85f4002f581c4240009c’ | xxd -r -p | openssl dgst -sha1 -mac HMAC -macopt hexkey:fb18560e63909f84f31d39da03a5d82f
(stdin)= 9687171611e49a4611c13e0f3c6ac79b56c707e8

Observe that Sha-1 hash for the M3 data and i.e 20 Bytes and we consider only the 16 bytes for MIC verification, and observe the MIC in the above sniffer capture and it matches.

M4 MIC Generation

With the M4 Message the 4-way handshake procedure is completed. Observe the below capture to check the MIC verification for M4 and this procedure is similar to the one we saw for M2 and M3. See the below capture to check the MIC for M4 Message.

M4 MIC Generation
echo -n ‘0103005f02030a0000000000000000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000’ | xxd -r -p | openssl dgst -sha1 -mac HMAC -macopt hexkey:fb18560e63909f84f31d39da03a5d82f
(stdin)= 27a9b02f893e6ebb25c59a82def9c084c0a7169e

Observe the MIC generated and the MIC that we have observed in the sniffer. And we have to consider only the 16 bytes of generated Hash for the MIC . And after this all the unicast traffic will be encrypted using the TK that was generated during the 4-way handshake. Encrypted DHCP procedure will happen and after that data transfer will happen.

2-Way Handshake (Group Key Update)

I have written a detailed post about this Group keys in the below link, you can have a look at the below link.

GTK/IGTK Unwrap in M3

The Group Temporal Key (GTK) used in the network may need to be updated due to the expiration of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP with the older GTK.

To handle the updating, 802.11i defines a Group Key Handshake that consists of a two-way handshake:

The AP sends the new GTK to each STA in the network. The GTK is encrypted using the KEK assigned to that STA, and protects the data from tampering, by use of a MIC.
The STA acknowledges the new GTK and replies to the AP.

Observe the below flow about the group key handshake.

Here also the generation of the MIC is similar to the one we saw in the 4-way handshake MIC will get generated using KCK. we use HMAC-SHA1 will be used to generate the MIC. Observe the below sniffer capture to check the 2-way group key update.

I have set the settings to send the group key to every 30 seconds, and observe the below capture that Group Messages are going for every 30 seconds. Observe the timestamp in the below capture. I have filtered only the required messages.

Check the M1 Message from the Group Key Hand Shake.

Below is the M2 Message from the Group Key hand Shake.

GTK Generation

We need a GMK and Gnonce to generate the GTK, and below is the function that will generate the GTK.

GTK = PRF-256(GMK, “Group key expansion”, MAC_AP||GNonce)

We have a test template that Standard gives to check whether the generated GTK is calculated as per the standard. Observe the below screen from the test data.

Now we will send the Randomly generated 256 bit GMK and AA (Authenticator MAC) and Gnonce. Now we will execute the python script and check the GTK that the file has generated.

We will take the first 16 bytes of the Generated Hash and it is the GTK. The output that got generated matched with the above table. This GTK will be sent to the Supplicant by encrypting with the KEK in the M3 Message.

Decrypt data using Wireshark

We can decrypt the data using the wireshark , but we should capture the 4-way handshake first , in the wireshark and then you can see the decrypted data.

We can do this by two ways.

By entering the passphrase:SSID combination in the wireshark.
By entering the genearted PSK in the wireshark.

Enter the passphrase:SSID combination.

Open Wireshark , Goto Edit –> Preferences –> Protocol –> IEEE802.11 and then click the edit.

Here we have options to decrypt the traffic.

Now we select the wpa-pwd combination and we enter the value as “passphrase:SSID” format. check the below screenshot.

Or We can enter the PSK that is generated prior to the 4-way handshake.

We can do any of the ways to decrypt the trafiic and observe the traffic that is getting decrypted after giving the details on the wireshark.

Observe the M3 Message in the wireshark, GTK , KEK and KCK values that got decrypted in the wireshark, and compare the results that we saw earlier in the post to verify the KEK And KCK values. It matches.

30Comment

Add yours

1

P2P Group Formation Procedures – Negotiation Method – PART 2 – Praneeth’s Blog on 8th Nov 2019 at 6:58 pm
Reply

[…] https://praneethwifi.wordpress.com/2019/11/08/4-way-hand-shake-keys-generation-and-mic-verification/ […]

LikeLike
2

P2P Group Formation Procedure – Persistent Method – Praneeth's Blog on 23rd Nov 2019 at 8:01 pm
Reply

[…] Phase-2 of the Group Formation […]

LikeLike
3

GTK/IGTK Unwrap in M3 Message of 4-way Handshake – Praneeth's Blog on 19th Sep 2020 at 7:53 pm
Reply

[…] 4-Way Handshake keys generation for WPA2 […]

LikeLike
4

Opportunistic Wireless Encryption – Praneeth's Blog on 27th Nov 2020 at 7:16 am
Reply

[…] 4-Way Hand Shake WPA2 […]

LikeLike
5

Sandy on 25th Apr 2021 at 1:42 pm
Reply

Hi Praneeth ,

I have one doubt , in WPA2-PSK , how passphrase mapped to PSK hash code . As I see in the picture , PSK and PMK are having same hash code . How our passphrase maps to ?

Thanks in Advance ,
Sandy

LikeLike
- 6
  
  Kemparaj Praneeth on 26th Apr 2021 at 4:04 pm
  Reply
  
  Sandy,
  
  In WPA2 Personal Network, PMK=PSK.
  
  If we get PSK , then it is enough on WPA2-Personal network.
  
  If you want to generate the PSK for WPA2 , You can give a try in the link https://www.wireshark.org/tools/wpa-psk.html.
  
  or you can use the python function or any other c code to generate the PSK.
  
  PMK = PBKDF2(HMAC−SHA1, PSK, SSID, 4096, 256)
  
  It gives same PSK/PMK that is showed in the above post. If we get PSK it is enough for WPA2-Personal networks because PSK = PMK.
  
  LikeLike
7

Sandy on 26th Apr 2021 at 1:05 pm
Reply

Thanks Praneeth for the reply

LikeLike
8

Hema latha on 8th Aug 2021 at 6:02 pm
Reply

Hi Praneeth,
Is that GTK is needed to generated at every preset timer during the STA is connected to AP? and secondly, based on what the GMK is computed?
Thanks in advance

LikeLike
- 9
  
  Kemparaj Praneeth on 8th Aug 2021 at 9:13 pm
  Reply
  
  Hi Hemaltha, GTK gets generated based on what we set in the AP UI page. If you observe few AP pages, it will have the settings to send the Group key periodically, so that AP will be keep sending the new GTKs based on the time we set. If that setting is not there in the AP, then it depends on how the vendor has implemented to trigger that 2-way hand shake.
  
  GMK is a completely random data, AP uses some random function to generate the GMK. Generating the GMK value depends on the vendor, they usually try to generate the GMK with the higher entropy.
  
  LikeLike
10

Azeem Hashmani on 15th Feb 2022 at 12:13 am
Reply

Can you please share key.py file ?

LikeLike
11

Ian on 24th Feb 2022 at 12:45 am
Reply

Praneeth, that was a brilliant piece of work. Any chance you could post the PCAP files for us all to see.

LikeLike
- 12
  
  Kemparaj Praneeth on 28th Feb 2022 at 11:50 am
  Reply
  
  Ian, I will check if I can find the capture. I have written the post long back.
  
  LikeLike
13

eyrei on 24th Feb 2022 at 12:46 am
Reply

Hi Praneeth,
Any chance you could post the PCAP files for this?

LikeLike
- 14
  
  Kemparaj Praneeth on 28th Feb 2022 at 11:50 am
  Reply
  
  Eyrei , I will check if I can find the capture. I have written this post long back.
  
  LikeLike
  - 15
    
    eyrei on 28th Feb 2022 at 4:07 pm
    
    Hi Praneeth,
    Thank-you for taking the time to respond.
    Kin regards.
    EyreI
    
    LikeLike
16

Sandy on 27th Feb 2022 at 8:47 pm
Reply

Hi Praneeth ,
Is there any chance of GTK renewal happens when one client disconnects from the AP or it will be the same for the new connecting clients ?
What AP will share new things to the client in the M-3 msg , except GTK , MIC , ANonce , RSN IE info ? I heard PMKID , PMK Key like this anything shared in between AP & client . why are they shared , if they independently derived on their own ?
Thanks in Advance

LikeLike
- 17
  
  Kemparaj Praneeth on 28th Feb 2022 at 11:47 am
  Reply
  
  Sandy, If we capture the packets we will know if any GTK update happening when any new clients are connected. When I tested I have not seen any M3 and M4 exchange happened. So, it will be same or it depends on implementation. Because if hundred clients are connected, it is not a good idea to send Group key update for all the hundred clients as soon as née client is connected.
  
  In M3 only GTK, nonce, MIC will be shared. PMKs will not be exchanged, PMKs will be derived. PMKIDs will be exchanged during fast roaming procedure on Reassociation requests as far as I know. So, I am not sure about it as I am not aware of fast roaming message exchanges. We have to capture the packets and analyse.
  
  LikeLike
18

Sandy on 3rd Mar 2022 at 1:30 am
Reply

Hi Praneeth,
Thanks for your response.
One more doubt, the Nonces which are used here in exchange are encrypted ones or not. Why because, these Nonces are unique w. r. t MAC, Valid for that session only.
What do you say on this?
Regards,
Sandy

LikeLike
- 19
  
  Kemparaj Praneeth on 3rd Mar 2022 at 5:38 am
  Reply
  
  Nonces are not encrypted. They are plain text.
  
  LikeLike
20

Olivier on 23rd Mar 2022 at 3:53 am
Reply

Praneeth, great writeup!
Would you know in case 802.11r is configured, if there is any difference during MIC verification by the AP… the EAPOL M2 frame is considerably larger due to Mobility Domain and FT IEs?
Thanks!

LikeLike
- 21
  
  Kemparaj Praneeth on 23rd Mar 2022 at 5:06 pm
  Reply
  
  Olivier, there will not be any change in the MIC Verification. The MIC generation procedure will be same and it does not depend on the length of the M2 message.
  
  LikeLike
  - 22
    
    Olivier on 24th Mar 2022 at 3:53 am
    
    Thanks Praneeth,
    I think that for 11r or PMF, AES-128 CMAC will be used rather than HMAC-SHA1 based on the value of the Key Descriptor Field. Is that correct?
    Regards,
    Olivier
    
    LikeLike
23

Kemparaj Praneeth on 24th Mar 2022 at 4:14 am
Reply

PMF uses aes – cmac for MIC generation, key descriptor field will be set for aes cmac .. It should be same for the roaming scenarios as well…

LikeLike
24

Sandy on 19th May 2022 at 5:12 pm
Reply

Hi Praneeth ,

What will be the failure reason code for Password mismatch in the Connection process . As we see , multiple retrials of password entries are prompted when we give the wrong password in mobiles . In this case , it will struck with M2 msg . Do AP send the DeAuth and Dissoc msgs to the client for password failure ? Will AP send DeAuth to Client giving Unspecied Reason code 1 ?
Thanks ,
Sandy

LikeLike
25

Benjamin on 18th Apr 2023 at 9:50 pm
Reply

Hi Praneeth
Something I don’t understand is, why the SNOUNCE dont require a MIC. Because if a Hacker changes the SNOUNCE the PTK of the Client and the AP will never be the same. A connection can never be established. Or am I wrong?
Thank’s , Banjamin

LikeLike
- 26
  
  Kemparaj Praneeth on 10th May 2023 at 11:00 am
  Reply
  
  Benjamin,
  
  Snonce should be plaintext, the AP also need this to info generate the PTK, and verify the MIC that is being sent in M2.
  If any hacker changes the snonce, still he should know the PSK to generate the proper MIC.
  
  LikeLike
27

Bhaskar on 14th May 2023 at 3:25 pm
Reply

Hi Praneeth, I found your blog more informative and have been learning more from your blog posts. Thank you so much.

I have a query on this blog post.

Is it possible to generate PMK from PSK using any online tools/sources? I have found tools to generate PSK but not for PMK. Is there any limitation/reason for not generating PMK using online tools?

LikeLike
- 28
  
  Kemparaj Praneeth on 16th May 2023 at 6:51 pm
  Reply
  
  Bhaskar,
  
  You can generate PMK from PSK. You can check for any python program to do that. or You can use wpa_supplicant code to do that.
  
  LikeLike
29

Marcus on 25th Mar 2024 at 9:49 pm
Reply

Hello! Can you post the python code “key.py” that you used? I’m trying to do it by my own but i can’t get it. Thanks!

LikeLike
- 30
  
  Kemparaj Praneeth on 25th Mar 2024 at 11:07 pm
  Reply
  
  Marcus, I worked on it long back. Not sure where I kept the copy.
  
  LikeLike