Wednesday 18 July 2012

Wireless Authentication - 4 Way Handshake

The authentication process for WPA is known as the 4-way handshake; a client must complete it before it is authenticated onto the network.

At the start of the process the client and the AP both know the passphrase (PSK) and the Pairwise Master Key (PMK), which is computed from the PSK and the SSID.

The first step is for the AP and client to form a new key called the Pairwise Transient Key (PTK). This key is a function of the PMK, a random number from the AP (A-nonce), a random number from the client (S-nonce), and the MAC addresses of the AP and the client.
  1. The AP sends an A-nonce to the client.
  2. The client sends an S-nonce to the AP, along with a MIC. The AP uses the MIC to verify that the client has the PMK: if the MIC is incorrect then the client's PTK, and therefore its PMK, is incorrect, because the PTK is derived from the PMK.
  3. The AP sends a GTK (Group Temporal Key) to the client, plus a MIC.
  4. The client sends an acknowledgement to the AP.
The client and AP can now install the key and begin encrypting the traffic.
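The derivation above can be worked through in code. The following is an added example, not part of the original post: it derives the PMK from the passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations), expands it into a PTK with the 802.11i PRF using both MAC addresses and both nonces, and then shows the check the AP performs on message 2, namely recomputing the MIC with its own copy of the PTK's key confirmation key (KCK). The MAC addresses, nonces and the stand-in EAPOL frame are constructed sample values; a real MIC covers the whole EAPOL-Key frame with the MIC field zeroed, and WPA/TKIP uses HMAC-MD5 where this example uses the WPA2/AES HMAC-SHA1-128 variant.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(AN,SN)||Max(AN,SN)).

    Ordering by min/max means both sides get the same PTK regardless of
    which party's values they plug in first.  A 64-byte PTK is the TKIP
    layout; CCMP uses the first 48 bytes (PRF-384).
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk: bytes) -> dict:
    """KCK (MIC key for the handshake), KEK (wraps the GTK), TK (data encryption key)."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """HMAC-SHA1-128 MIC as used with the WPA2/AES key descriptor."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def ap_verifies_message2(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes,
                         snonce: bytes, frame: bytes, received_mic: bytes) -> bool:
    """The AP's check on message 2: recompute the PTK from its own PMK and the
    two nonces, then compare MICs in constant time.  A match proves the client
    holds the same PMK without the PMK ever crossing the air."""
    kck = split_ptk(derive_ptk(pmk, aa, spa, anonce, snonce))["kck"]
    return hmac.compare_digest(eapol_mic(kck, frame), received_mic)


def run_handshake_demo() -> dict:
    """Walk messages 1 and 2 with constructed values and return what each side sees."""
    # Constructed sample values (not captured traffic).
    ssid, passphrase = "example-net", "correct horse battery"
    aa = bytes.fromhex("001122334455")            # AP MAC address
    spa = bytes.fromhex("66778899aabb")           # client MAC address
    anonce = bytes(range(32))                     # message 1: AP's random nonce
    snonce = bytes(range(32, 64))                 # message 2: client's random nonce
    frame = b"EAPOL-Key msg2 with MIC field zeroed"  # stand-in for the real frame

    # Client side: it knows the passphrase, so it can derive PMK and PTK.
    client_ptk = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    client_mic = eapol_mic(split_ptk(client_ptk)["kck"], frame)

    # AP side: same passphrase, same inputs, independent computation.
    ap_pmk = derive_pmk(passphrase, ssid)
    ap_ptk = derive_ptk(ap_pmk, spa, aa, snonce, anonce)  # argument order swapped on purpose

    return {
        "ptks_match": client_ptk == ap_ptk,
        "mic_ok": ap_verifies_message2(ap_pmk, aa, spa, anonce, snonce, frame, client_mic),
        "wrong_psk_rejected": not ap_verifies_message2(
            derive_pmk("wrong passphrase", ssid), aa, spa, anonce, snonce, frame, client_mic),
    }


if __name__ == "__main__":
    print(run_handshake_demo())
```

The swapped argument order on the AP side is deliberate: it demonstrates why the standard sorts the addresses and nonces before feeding them to the PRF. The `wrong_psk_rejected` result is the failure mode the post describes in step 2, a bad PMK produces a bad PTK and therefore a MIC the AP cannot reproduce.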

This 4-way handshake is used for WPA Enterprise as well as WPA PSK; the difference is that in Enterprise mode the PMK is derived from the client's EAP authentication with the RADIUS server rather than from a passphrase.

Here is a good reference from Wikipedia with a diagram to help remember the process:
http://upload.wikimedia.org/wikipedia/commons/a/ac/4-way-handshake.svg

The full article is below:
http://en.wikipedia.org/wiki/IEEE_802.11i-2004
