Learn about the Robust Security Network, its features, and the use of the 802.11X Extended Authentication Protocol. Understand how the 4 way handshake generates dynamic keys for each network device.
Hello World! As mentioned in the previous post, WEP is now broken beyond repair, and new devices are implementing stronger and reliable security mechanisms such as WPA or 802.1x/EAP. In 2002, WPA was released as an urgent fix for WEP that does not require hardware change and can be done by simply updating the firmware. When WPA2 was released in the 802.11i-2004 standard, it added more security.
In this post, I'll discuss the authentication and encryption methods used in both WPA and WPA2. To summarise, both use the same four-step handshakes, but the encryption algorithm is different.
The task group defined and implemented improved encryption and authentication algorithms in the 802.11i amendment which is now part of 802.11-2012 standard, they had published a protocol discussing dynamic key generation via 4 way handshake and two types of keys for unicast and multicast transmission, also called Robust Security Network (RSN).
RSN is implemented at the link level and offers protection for traffic between a connected station with access point, also known as Robust Security Network Associations (RSNA). This addresses numerous issues with the previous encryption methods:
- Enhanced user authentication mechanisms using 4-way handshake and also provide deauthentication when authentication is failed.
- Cryptographic key management and improved data confidentiality let different user have two kind of keys for unicast traffic access point \( \longleftrightarrow \) station (PTK), and another is for multicast traffic access point \( \longleftrightarrow \) stations or stations \( \longleftrightarrow \) stations (GTK)
RSN associations use unique keys for each client station in the network. The GTK and PTK can have different or same cipher suite depending on negotiations.
- Lastly, replay protection uses a sequence counter to prevent packet injection by discarding packets with a lower value. When a new master key is installed, the initialisation vector/sequence counter is reset to one and then incremented by one for each frame. It is implemented from the initial release of TKIP.
💡
Regardless of the retry flag set in frame control, each frame contains a different value of the initialisation vector which is trivially incremented from previous transmission. This will result in a different digest for the same plain text. If you don't believe me, download the wpa-Induction.pcap file and use the wireshark frame.number == 835 || frame.number == 837 filter.
Here is a quick comparison of different security feature implemented in pre-RSN and RSN security mechanisms. This image is take from Page 51 of RSN guide US Govinfo.
RSN Information Element – RSNIE
You will see RSN Information tag with special number 48 in the "Tagged Parameters" of the beacon or probe response frames. The authentication management method is PSK (pre-shared key), and the cipher suite (encryption method) is TKIP, hence WPA is used in this WiFi network.
The GTK supports only TKIP in the above screenshot, and PTK supports both TKIP and CCM encryption. However, because it is a matter of security, both the station and the access point will use the strongest algorithm available on both ends. In this context, CCMP is stronger than TKIP, so it will be used in the unicast traffic.
Authentication and Key Management – AKM
Although the 802.1X/EAP framework does not require encryption, it strongly recommends it for data privacy. The use of encryption keys in both the authentication and information exchange phases is explained in RSN standards. The Authentication and Key Management Protocol (AKMP) can be either a pre-shared key (PSK) or a port-based access control using RADIUS server.
ℹ️
The 802.112012 standard also defines a third type of AKMP known as Simultaneous Authentication of Equals (SAE), which is used to replace PSK authentication in WPA3 encryption.
This image is taken from Chapter 5 of CWSP Study Guide.
The access point of your personal network will broadcast the AKM information in the RSNIE tag as shown above.
It is an old authentication protocol that dates back even before I was born 😅 for Point-to-Point protocols, used to connect your devices to the internet. Unlike the environments where certain methods of authentication are enforced (like email/password in websites), EAP allows protocol designers to either use existing and standardised methods, or create their own EAP methods, so it is flexible, as it can also be configured with smart cards, LDAP, certificates, and other methods.
Simply put, it acts similar to what passport.js is for the websites.
This image is taken from Chapter 6 of Wireless Networks - The Definitive Guide book shows how different EAP methods can be implemented to secure different link layer protocols.
IEEE-802.1X is a framework that is an IEEE adaptation of EAP (RFC 3748) to generate dynamic keys every time a station connects to a WLAN network, also known as Extensible Authentication Protocol over Wireless (EAPoW) or Extensible Authentication Protocol over LAN (EAPoL). As a result, even if the same device reconnects to the network, the keys will be different than before.
Quoting from the RFC documentation, why EAP is preferred
EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP.
It usually works by authenticating the station with Open System and associating it with the network, after which the 4-way handshake process begins, as shown below.
In personal networks, the use of pre-shared keys is favoured for convenience and accessibility, while in corporate settings, an AAA server with RADIUS technology is deployed to manage user authentication, authorisation, and accounting centrally, mitigating insider security risks. Currently, most WiFi access points come equipped with built-in AAA servers, including those found in homes.
Finally in the July 2001 discussion, it was finalised that EAP will be used to implement authentication framework for the authenticating WLAN data frames.
Why Did IEEE Opt for EAP Instead of a Custom Protocol?
I've formulated multiple considerations.
- The adoption of the EAP protocol in networking standards is rooted in its well-established history, community testing, vendor acceptance, and its proven role as a reliable authentication framework.
- IEEE standards gain adaptability to diverse authentication needs across varied networking setups, technologies, and organisations. Moreover, it is flexible enough to implement organisation specific authentication protocols. For example, Microsoft implemented their own version of MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol).
- At last, creating an entirely new authentication protocol from scratch can be time-consuming and resource-intensive. The IEEE can leverage an existing framework and focus its efforts on other aspects of its networking standards by adopting EAP.
Although you will realise while reading the MoM of this meeting, it was not easy to adopt the protocol, but this was the good approach to inherit the capabilities of something that is already implemented and wanting. In terms of git, you can call it a fork.
Key Generation Process
I will show you the working of EAPoL messages and how both unicast and multicast keys are generated and installed on the stations and access points The flow on the Wireshark can also be understood like the image I got from eTutorials.org.
Note: In this image, authenticator means the access point and supplicant means station device. We will use this nomenclature as defined in the EAP RFC.
After a successful association, and before the first key message, the supplicant will generate a 256-bit Pairwise Master Key (PMK) by providing SSID and Pre-Shared Key (PSK) to the Password Based Key Derivation Function v2 (PBKDF2) and an HMAC-SHA1 digest. This can be accomplished in Python using the passlib.crypto.digest.pbkdf2_hmac
function.
Key Message 1
This message is fairly simple and straightforward where the authenticator creates a random 256-bit nonce value (let's call it A-Nonce) and sends along with a request to the supplicant.
Key Message 2
The client will now also generate a supplicant nonce (let's call it S-Nonce) and use the information to generate the Pairwise Transient Key (PTK) using PMK, S-Nonce, A-Nonce, Supplicant Address (SA) and Authenticator Address (AA) which will be used to encrypt the unicast frames. Each PTK is actually a concatenation of three (or five, in case of TKIP) separate keys and values:
- 128-bits Key Confirmation Key (KCK) is used in the MIC function to create the payload checksum.
- 128-bits Key Encryption Key (KEK) is used to encrypt the GTK key in message 3.
- 128-bits Temporal Key (TK) is the one actually used to encrypt / decrypt traffic once EAPoL is completed.
- 64-bits MIC Authenticator Tx Key (MIC Tx) [TKIP Specific]
- 64-bits MIC Authenticator Rx Key (MIC Rx) [TKIP Specific]
Now to perform encryption and decryption on the access point, it needs to be installed on its end, which is done by second message from supplicant to authenticator. The authenticator at this point will also have all the required information to generate the PTK for the user on its end, and verify using MIC code.
Because the PTK generation is not specific to vendor and any device can be used with any access point network, a pseudo random function (PRF) should be defined and accepted globally. I found it on this blog (original link is not working so I shared the way back link).
ℹ️
Does this sound familiar? Check out this post to learn how to get the pre-shared key from a live capture using a dictionary-based attack.
Key Message 3
If the authenticator successfully generated and installed the PTK, it will send an acknowledgement along with a randomly generated Group Transient Key (GTK). Because it is typically encrypted by KEK, it will be unique for each device and is intended to be used for all broadcast messages in the network.
Now supplicant has all the information required to generate and install the GTK on its end.
💡
When the AP renews the GTK (e.g., when a client disconnects from the network), it performs a two-way handshake to re-distribute the GTK to replace the old key with the new one for further encryption of the multicast/broadcast traffic in the BSSID network.
Key Message 4
Now, supplicant sends the final EAPOL-Key frame to authenticator to confirm temporal keys have been installed and it is ready to send and recieve the encrypted traffic.
A MIC is computed and transmitted along with the message to provide an additional verification of its proper functioning.
While learning this process, I got stuck in the terminologies and different keys, and the PTK partitioning differed between TKIP (512 bits) and CCMP (384 bits). Fortunately, I discovered this article, which helped me understand the differences and applications of each.
💡
Because GTK (derived from GMK) is used for encrypting all the broadcast/multicast traffic in the BSSID network, it will be distributed as a shared key to all clients via access points, it must be protected in some way. The AP uses the KEK from the PTK to encrypt the frame before sending it to the specific client via unicast transmission.
You must be thinking why are deriving another set of keys from the master keys when we have it already computed for these, why can't we use it for the encryptions directly? Well, first of all it's a good sign you are thinking that deep. Let me try to answer this based on my understanding and research.
Each data frame has an IV, which serves as a seed for generating encryption/decryption keys and introducing randomness. As you can see, the address space has increased from WEP (3 bytes), but in a longer session, it may run out of space and re-use the values. As a result, regenerating and distributing transient keys is a more efficient way to ensure network randomness.
Another reason that I found on a medium blog, think of master keys as
private secret code that you and AP know (PMK) or all the hosts on the BSSID network know (GMK) and use to talk securely to the Wi-Fi router.
Because encryption is symmetric, both parties must have the same key, even if one generates it and sends it to the other party. In any encryption, only public keys, not private keys, can be shared over an untrusted medium. So you can think of transient keys as public keys.
🙌
Also thanks to @zero_chaosx on the RF Hackers Sanctuary village discord server for clearing my doubts.
- https://www.wifi-professionals.com/2019/01/4-way-handshake
- https://praneethwifi.in/2019/11/09/4-way-hand-shake-keys-generation-and-mic-verification/
- https://mrncciew.com/2014/08/21/cwsp-rsn-information-elements/
- https://mrncciew.com/2014/08/19/cwsp-4-way-handshake/
- https://www.techtarget.com/searchsecurity/definition/Extensible-Authentication-Protocol-EAP
- https://hashcat.net/forum/thread-7717.html
- https://en.wikipedia.org/wiki/IEEE_802.1X
- http://etutorials.org/Networking/802.11+security.+wi-fi+protected+access+and+802.11i/Part+II+The+Design+of+Wi-Fi+Security/Chapter+8.+Access+Control+IEEE+802.1X+EAP+and+RADIUS/EAPOL/
- https://web.archive.org/web/20201111234114/https://www.ins1gn1a.com/understanding-wpa-psk-cracking/
- https://web.archive.org/web/20210118223526/https://shellvoide.com/wifi/understanding-wpa-wpa2-hash-mic-cracking-process-python/
- https://vocal.com/secure-communication/eap
- https://passlib.readthedocs.io/en/stable/lib/passlib.crypto.digest.html#passlib.crypto.digest.pbkdf2_hmac
- https://www.rfc-editor.org/rfc/rfc3748.html
- http://etutorials.org/Networking/Wireless+lan+security/Chapter+8.+WLAN+Encryption+and+Data+Integrity+Protocols/Key+Management/
- https://en.wikipedia.org/wiki/IEEE_802.11i-2004
- https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/network-access?tabs=eap-tls%2Cserveruserprompt-eap-tls%2Ceap-sim
- https://mentor.ieee.org/802.11/dcn/01/11-01-0348-00-000i-minutes-for-tgi-for-the-july-2001-session.doc
- https://infosecwriteups.com/4-way-handshake-in-wireless-communication-9e3d869f18be