24

From my understanding this is how WPA2 works for home networks:

  • PSK (Pre-Shared Key) is used to generate PMK (Pairwise Master Key), which is used together with ANonce (AP Nonce) to create PTK (Pairwise Transient Key).
  • PTK is devided into KCK (Key Confirmation Key, 128 bit), KEK (Key Encryption Key, 128 bit) and TEK (Temporal Encryption Key, 128 bit).
  • KCK is used to construct MAC in EAPOL packets 2,3 and 4.
  • KEK is used to encrypt some data sent to client(for example GTK).
  • TEK is used for encrypting traffic between client and AP, later during session.

Now the WPA 4-way handshake:

  1. AP sends ANonse (AP Nonce) to client, which is basically a random Integer of 256 bits.
  2. Client use the ANonce and PMK to generate PTK (Pairwise Transient Key), and send CNonce (Client Nonce) and MAC.
  3. AP sends MAC and GTK (Group Temporal Key) to client.
  4. Client send ACK with MAC.

Now, how does handshake cracking work (for example dictionary attack) if the whole PTK isn't used (KCK and KEK are used during handshake, but TEK isn't)? I understand that the words from dictionary are used as PSK to generate PMK and Anonce (which is also captured in handshake) to generate PTK, but how can I know when PTK is correct when 1/3 of the key is never used?

Julian Knight
  • 7,102
  • 18
  • 23
user3362334
  • 467
  • 1
  • 3
  • 10
  • Also see http://security.stackexchange.com/questions/25239/wpa2-enterprise-aes-encryption-key-size?rq=1 – Pacerier May 25 '15 at 08:11

1 Answers1

20

Short answer is, 4-way handshake password "cracking" works by checking MIC in the 4th frame. That is, it only checks that KCK part of the PTK is correct. 4-way handshake doesn't contain data that would allow checking of other parts of the PTK, but that's actually not needed, for two reasons:

  1. MIC verification is how AP checks the validity of PTK (and, consequently, the password);
  2. Chances of a password producing PTK that has valid KCK but invalid other parts are really low: KCK is 128 bits, so probability of incorrect password producing correct KCK is 2-128.

Overall, 4-way password "cracking" works like this:

  1. 4-way handshake is parsed to get SP and STA addresses, AP and STA nonces, and EAPOL payload and MIC from 4th frame;
  2. Candidate password is used to compute PMK;
  3. PTK is computed from PMK, AP and STA addresses and nonces;
  4. KCK from computed PTK is used to compute MIC of the EAPOL payload obtained at step 1;
  5. Computed MIC is compared to the MIC obtained at step 1. If they match then candidate password is reported as correct.

If you'd like to see actual implementation of the attack, one place to start is coWPAtty sources: they're relatively small, self-contained, and easy to read.

Andrey
  • 2,236
  • 17
  • 14