Author: 98 (member of the author team of Xin'an Road)
Everyone is by now familiar with the common ways to crack a WiFi password, but do you understand the principle behind the cracking? I think a lot of people don't, so let's talk about it briefly today.
What is WiFi's four-way handshake for?
It is the WiFi authentication process. A device cannot join the LAN until it has been authenticated.
What is the relationship between WiFi's four-way handshake and WiFi cracking?
Our offline WiFi cracking ("running the capture") relies on it: the key material exchanged during the handshake is captured and then brute-forced.
Text begins
Let's take a look at the flow chart of an attacker cracking a WiFi network.
We all know that attacking a wireless signal often requires specialized equipment, but attacking WiFi does not, because the "attack device" for WiFi is the management frame of the 802.11 protocol itself. For details, see my chapter "WiFi killer".
WPA / WPA2 algorithm
WPA = 802.1x + EAP + TKIP +MIC = Pre-shared Key + TKIP + MIC
802.11i(WPA2) = 802.1x + EAP + AES + CCMP = Pre-shared Key + AES + CCMP
To understand the formulas above, we need to know some terminology:
Supplicant (requester): any device that attempts to access the AP's service set.
PSK (pre-shared key): a pre-shared key, a Unicode string used to verify L2TP/IPSec connections.
PMK (pairwise master key): the key used by the authenticator to generate a group temporary key (GTK), usually a set of random numbers generated by the authenticator.
GTK (group transient key): generated from the group master key (GMK) through a hash operation; it is the key used to protect broadcast and multicast data.
MIC (message integrity code): a hash value calculated over the data to be protected, to prevent the data from being tampered with.
Nonce: a randomly generated value, used only once.
PTK (pairwise transient key): the encryption key finally used to encrypt the unicast data stream.
GTK (group temporary key): the encryption key finally used to encrypt the broadcast and multicast data streams.
With these terms in hand and the earlier pictures for comparison, you can see that the four-way handshake of WPA / WPA2 is carried out through a series of key exchanges.
The PTK consists of three parts: KCK (key confirmation key), KEK (key encryption key) and TK (temporary key). As shown in the picture:
The number of bytes produced differs depending on the encryption mode:
When the encryption mode is TKIP, the PTK is 512 bits long: the KCK occupies 128 bits, the KEK occupies 128 bits, the TK occupies 128 bits, and the MIC key occupies 128 bits.
When the encryption mode is CCMP, the KCK is 128 bits, the KEK is 128 bits, and the TK is 128 bits. The KEK and KCK are used for EAPOL-Key encryption and verification, and the TK is used for the later data encryption.
The first, the EAPOL-Key confirmation key (KCK), is used to calculate the integrity check value of the key-generation messages. The second, the EAPOL-Key encryption key (KEK), is used to encrypt the key-generation messages.
Group key:
As with the pairwise keys, the group master key (GMK) is used as the basis from which the temporary key, the GTK (group transient key), is derived.
The formula is as follows:
GTK = PRF-X(GMK, "Group key expansion", AA || GN)
GN - nonce generated by the authenticator
AA - authenticator MAC address
Note that, unlike the pairwise key expansion, no supplicant address or nonce is included, as shown in the figure.
In effect, with the master key as the basis of the temporary key, the pseudo-random function expands the group master key into a group key hierarchy. No key encryption key or key confirmation key is generated here, because the key exchange is based on the pairwise EAPOL-Key keys.
Flow chart of the four-way handshake:
(The data is from the CWSP wireless certification book. Because the English version of CWSP can be found under the name of a CSDA author, part of the translation is borrowed directly.)
4-Way Handshake Message 1
First, the authenticator sends an EAPOL-Key frame carrying the ANonce to the supplicant.
4-Way Handshake Message 2
The supplicant now has the ANonce and AA. At this point the supplicant already has the PMK, AA and SPA, so the PTK can be calculated with the following function:
PTK = PRF (PMK + ANonce + SNonce + AA + SPA)
The supplicant derives the key from the ANonce, a nonce it generates itself (SNonce), the PMK it has been configured with, the MAC address of the authenticator and other information. (AA: the AP's MAC; SPA: the wireless network card's MAC; ANonce: generated by the AP; SNonce: generated by the supplicant; PRF: pseudo-random function.)
The supplicant then sends the SNonce and some other information to the authenticator in the second EAPOL-Key frame. Message 2 also contains a MIC value, which is encrypted with the KCK. After the authenticator extracts the SNonce from message 2, it performs the same kind of calculation as the supplicant to verify that the message returned by the supplicant is correct. If it is not, the supplicant's PMK is wrong and the whole handshake stops.
4-Way Handshake Message 3
If the supplicant's key is correct, the authenticator also performs key derivation. The authenticator then sends the third EAPOL-Key frame to the supplicant. The message carries the group transient key (GTK), used for subsequent group key updates and encrypted with the KEK, and a MIC (encrypted with the KCK). After receiving message 3, the supplicant also does some calculations to determine whether the AP's PMK is correct. Note that the IGTK (integrity GTK) is used to encrypt and decrypt the management frames sent to and received from the multicast address.
4-Way Handshake Message 4
Finally, the supplicant sends an EAPOL-Key frame to the authenticator for confirmation. If authentication succeeds, both parties install the keys. Install means starting to use them to encrypt data.
Controlled Port Unlocked
After both parties complete authentication, the controlled port of the authenticator is opened so that 802.11 data frames can pass normally. All unicast data frames are protected by the PTK, and all multicast and broadcast data are protected by the GTK.
The supplicant and authenticator complete key derivation and group pairing, and the two sides can communicate normally.
Since the PTK is derived from the PMK, its calculation takes: MAC (AA) + wireless network card MAC (SPA) + AP-generated random value (ANonce) + WiFi-generated random value (SNonce) + the password you enter.
This formula is computed with hashing and MD5. Even if you know the four values, you cannot work backwards from them to the password. Each authentication uses different randomly generated values.
PTK = PRF (PMK + ANonce + SNonce + AA + SPA)
(Parts of this formula that are not variables are not written out.)
Of course, PTK and PMK can be converted as follows:
PTK ← PRF-X(PMK, "Pairwise key expansion", Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))
(This is beyond what the author can explain at his level. I hope someone can explain it.)
MIC algorithm:
MIC key = the first 16 bytes of the PTK. In the second handshake message, the first 16 bytes of the PTK are extracted to form the MIC key; in the third handshake message, the first 16 bytes of the PTK are likewise extracted to form the MIC key. The MIC value is then computed from the MIC key and the 802.1x data frame with the following algorithm:
MIC = HMAC_MD5(MIC Key, 16, 802.1x data)
(The other values in the handshake capture are known to us, but this MIC depends on the WiFi password. The SSID, AP MAC, station MAC, SNonce, ANonce and 802.1x data are all values we know.)
Derivation process of MIC (from Baidu)
PSK = PMK = pbkdf2_SHA1(passphrase, SSID, SSID length, 4096)
PTK = SHA1_PRF(PMK, Len(PMK), "Pairwise key expansion", Min(AA,SA) || Max(AA,SA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))
MIC key = the first 16 bytes of the PTK
MIC = HMAC_MD5(MIC Key, 16, 802.1x data)
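The derivation chain above, worked through in Python as an added example (not code from the original article): it derives the PMK, PTK and MIC, shows why the Min/Max ordering in the PTK formula lets both sides arrive at the same key, and performs the authenticator's check of message 2. The MAC addresses, nonces and frame bytes are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-X: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for counter in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce, nbytes=64) -> bytes:
    # Min/Max sorting puts the inputs in one canonical order, so the AP and the
    # client compute the same PTK without agreeing on whose value goes first.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)

def eapol_mic(ptk: bytes, frame_mic_zeroed: bytes) -> bytes:
    # The page's formula: HMAC-MD5 keyed with the first 16 bytes of the PTK (the KCK).
    # (CCMP/WPA2 handshakes use HMAC-SHA1 truncated to 16 bytes instead.)
    return hmac.new(ptk[:16], frame_mic_zeroed, hashlib.md5).digest()

def authenticator_accepts(passphrase, ssid, aa, spa, anonce, snonce, frame, mic) -> bool:
    """Authenticator-side check of message 2: recompute the MIC and compare."""
    ptk = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ptk, frame), mic)

# Constructed sample values (not from a real capture).
SSID = "IEEE"
AA = bytes.fromhex("a0a1a2a3a4a5")       # authenticator (AP) MAC
SPA = bytes.fromhex("b0b1b2b3b4b5")      # supplicant MAC
ANONCE = bytes(range(0x20, 0x40))        # 32-byte nonce from the AP
SNONCE = bytes(range(0x60, 0x80))        # 32-byte nonce from the client
FRAME = b"\x01\x03\x00\x5f" + bytes(95)  # stand-in EAPOL-Key frame, MIC field zeroed

def demo():
    # The supplicant builds message 2 with the correct passphrase...
    ptk = derive_ptk(derive_pmk("password", SSID), AA, SPA, ANONCE, SNONCE)
    mic = eapol_mic(ptk, FRAME)
    # ...and the AP accepts it only if its own passphrase yields the same MIC.
    ok = authenticator_accepts("password", SSID, AA, SPA, ANONCE, SNONCE, FRAME, mic)
    bad = authenticator_accepts("passw0rd", SSID, AA, SPA, ANONCE, SNONCE, FRAME, mic)
    return ok, bad

if __name__ == "__main__":
    print(demo())
```

Because the PMK depends only on the passphrase and the SSID, the strength of the passphrase is the only secret input to the whole chain; everything else travels in the clear during the handshake.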
The part above is specialist knowledge about the protocol, so it may seem boring. After all, the protocol cannot be modified or reinterpreted.
How about brute force?
Don't worry, that comes next. Now that we know about the four-way handshake above, we can see what brute-force cracking works on.
A brute-force WiFi attack uses deauthentication frames to make a client that is connected to the WiFi disconnect. The phone then reconnects to the WiFi by itself, and during that reconnection (while the phone authenticates) the attacker intercepts the useful key material in order to brute-force it.
Principle:
This is a cap capture file.
There is a lot of data in it, and the capture is encrypted, so most of the important information is not visible.
The WiFi password is in this capture, but it has to be verified.
The principle of dictionary cracking:
The pictures above are a little ugly, but they are clearer than words.
Each PSK in our dictionary is combined with the SSID to generate a PMK (the most time-consuming step, and the bottleneck of the current approach). The PTK is then calculated by combining the client MAC from the handshake capture, the BSSID of the AP, the A-NONCE (random value) and the S-NONCE (random value). Finally the MIC is calculated over the original message data (HMAC_MD5) and compared with the MIC sent by the AP. If they match, that PSK is the key.
PSK+ssid
Conclusion:
There may also be mistakes or unclear explanations. Please point them out in the comment area so that the author can see them and improve. The author can only do his best to explain this boring protocol, which we can't modify at will. So the author has tried his best to draw pictures and explain it so that beginners can understand. Please give it a like!