WPA3 Authentication – PART 2

Testing and Sniffer Captures

Before you read about this post , have a look at the earlier post about the WPA3 Handshake.

WPA3-Authentication Part-1

In this post , we will see about the frame exchanges in WPA3 and the few test scenarios.

Before we go into the sniffer captures observe the below frame exchange that happen in the WPA3 Handshake.

Please note that KCK in the AuthConfirm is different from the KCK in PTK

In WPA3 Authentication PMF is Mandatory. Observe the below Beacon capture from the WPA3 Network.

Similar settings will be seen in the Probe Response Frame as well.

Test Scenario : Successful WPA3 Authentication

Observe the below sniffer capture for the successful handshake procedure. I have filtered only the required frames.

1) Now lets see the Commit message from Client to AP. i.e frame number 1114.

2) Now Lets see the commit Message from AP to client. It will also contain the scalar and FFE (i.e X and Y) i.e frame number 1116.

Note that public data is also encrypted. It is not a clear text.

3) At this point Both the Peers will generate the same shared secret and the hashed confirm message goes from Client to AP, and AP verifies the Confirm that is sent by Client. Observe below capture for this.

Figure 6 : Confirm Message from Client to AP

4) Confirm Message from AP to client and client verifies. So the Mutual Authentication happens here. Observe the below capture here.

Figure 7: Confirm Message from AP to Client

Confirm Message
You can see that Hashed Confirm message from the Client to AP , and AP to client are different, Still the Peers will be able to verify based on the inputs that they send to function.

Once the DragonFly authentication is success , PMK will be derived.

PMK in WPA3
Here PMK that got generated is not just based on the SSID and passphrase. It is based on the key generated in Diffie Helmen algorithm and Elliptic Curve Cryptography. So, here each client will have different PMK. But in the WPA2 each connected client has the same PMK.

5) See the Association Request frame below for the WPA3 Handshake.

After the Association, 4-way handshake will be done based on the PMK that is generated and the required keys will be generated.

Test Scenario : Entering Wrong Passphrase

Now lets test entering the wrong pass phrase and observe where exactly it fails.

1) Client enters the wrong PIN.

2) Authentication Request (Commit) frame will be sent from client to AP

3) Authentication Response (Commit) frame will be sent from AP to client

4) In the commit exchange the Public data X ,Y will be exchanged and both the client and AP will guess the password and generate the same shared secret, if the password entered on the both AP/Client are correct.

5) After the commit phase, Now client will generate the shared secret and it will send the confirm message to the AP. [Here client will generate the wrong Confirm Message] because the password entered is wrong.

6) Now AP will receive the Confirm message and it will verify the confirm message that is sent by the Client. Here the verification of the confirm will be wrong, because the shared secret is wrong. So, the AP will send the failure in the Confirm message.

Observe the below diagram to understand the flow.

Figure 9 : SAE Authentication with wrong PassPhrase entered on client

Observe the below sniffer captures to understand this flow. I am not showing the commit exchange here.

See the below SAE confirm frame that is being sent from Client to AP.

Figure 10 : Wrong Hashed confirm sent to AP from client

See the below confirm message that is being sent from the AP to client. But the wireshark shows it as malformed packet , as it is not able to dissect it properly. Still we can see the failure in the SAE confirm message.

Figure 11 : AP sends SAE failure to the Client.

That’s all about in this post. In the next post we will see the replay attack in WPA3 and few more testing scenarios and we will see how the AP behaves.

10Comment

Add yours

1

Replay Attack on WPA3 – PART-3 – Praneeth's Blog on 28th May 2021 at 10:47 am

[…] WPA3-AUTHENTICATION-PART-2 […]

LikeLike
2

Manikandan on 2nd Jul 2021 at 11:52 pm

Hi Praneeth,
Really nice post and it cleared some of my clots on WPA-3. I have some doubts which are,
1. From the note, “Note that public data is also encrypted. It is not a clear text”
Ques : How the public data is encrypted even before generating any keys? and how is the encrypted data validated i.e authenticated ?
2. How the peers verify the hashes on confirm phase even with different value from one to another ? As per formulae for confirm hash the variable data is sender ID as other args are shared by peers, so the peer tweaks the value of sender ID to validate the hash shared by other peer ?
Thanks in advance

LikeLike
3

Kemparaj Praneeth on 5th Jul 2021 at 8:11 pm

Hi Manikandan,

For the first question , yes we don’t have keys generated yet , but the password is known on both the parties. Password is also one of the seeds to generate the (x,y) point. I will point you to go through the RFC7644 section 3.2 (Derivation of the Password Element) to understand this better. (https://datatracker.ietf.org/doc/html/rfc7664#section-3.2)

For the second question, Sender sends the hashed data to the receiver, the value sender ID is generated during the generation of Password Element (base). So, the both parties knows this value based on the order they send to the functions.
Hash is not just the sender-id , sender-id one of the values concatenated as a part of data to generate the hash which will be known the receiver. If the both parties doesn’t know this , then there will be auth fail. if the Handshake goes fine, then the both parties will generate them properly and then compare the hash values.

I will point you to the RFC7644 (Section 3.4) to understand this (https://datatracker.ietf.org/doc/html/rfc7664#page-14).

Regards
Praneeth

LikeLike
4

Manikandan on 7th Jul 2021 at 11:17 pm

Thank you so much Praneeth. Now I understood what is happening. But, while reading the RFC I came across the section 2.1 and it states
“A prime, q, which is the order of G, and thus is also the size of
the cryptographic subgroup that is generated by G”
Does it referring that the n times dot operation of G? and how it differs from PE in our case or are they same?

LikeLike
5

Kemparaj Praneeth on 17th Jul 2021 at 11:37 am

In the section 2.1 you are referring to domain parameters, which is different from the PE. Both are not the same. The domain parameters are fixed for the each brainpool curve based on the RFC 6932.

LikeLike
- 6
  
  Manikandan on 18th Jul 2021 at 10:00 am
  
  Thanks Praneeth for the response. Blogs are really awesome.
  Please do on EAP methods, Radius, especially TLS. Waiting 🙂.
  
  LikeLike
7

Kemparaj Praneeth on 18th Jul 2021 at 10:40 am

Thanks Manikandan.. Soon I will be writing a decryption of TLS1. 2/1.3 tunnels…

LikeLiked by 1 person
8

Tharun Shankavaram on 3rd Jan 2023 at 12:46 pm

Hi praneeth,

So if user gives the wrong password then the failure happens in the Authentication frame exchange phace itself? If yes, then why again after association req and res the 4 way hand shake required?
Because in wpa2, M2 will be failing when user gives wrong password right?

LikeLike
- 9
  
  Kemparaj Praneeth on 3rd Jan 2023 at 9:38 pm
  
  Tarun, MIC gets generated in the M2… Confirmation whether client and AP derived same PTK happens in the M2 phase… This is for WPA2 if wrong password is given… WPA3 it gets failed even before 4 way hand shake
  
  LikeLike
10

6GHz Connectivity Testing – MacBook vs PC – WirelessIsFun on 3rd Apr 2023 at 4:02 pm

[…] https://praneethwifi.in/2021/03/10/wpa3-authentication-part-2/ […]

LikeLike

Testing and Sniffer Captures

Test Scenario : Successful WPA3 Authentication

Test Scenario : Entering Wrong Passphrase

Share this:

Related