4-way handshake in wireless communication
Hello tech enthusiast,
This topic is very important, especially if you want to learn wireless hacking: you should know how things work in the background. So, before we look at the 4-way handshake, there are some terms you need to understand.
Terminologies
NONCE (number used once): an arbitrary random number, also known as an initialization vector (IV), that is combined with the secret key (passkey) when deriving the keys used for data encryption.
ANONCE: NONCE generated by an Access point (router).
SNONCE: NONCE generated by a Supplicant (your phone, laptop).
MIC (Message Integrity Code): This is like a seal on a letter that shows if anyone tampered with the message. It helps ensure that the message isn’t messed up or altered during transmission.
MSK (Master Session Key): The master session key is the first key. It is generated either by 802.1X/EAP or derived from PSK authentication, and it is used to create the following keys.
PMK (Pairwise Master Key): When the passphrase (router's password) is entered, a key derivation function takes the passphrase as input and performs a series of cryptographic operations to produce the PSK (Pre-Shared Key). This PSK is then used to generate the PMK.
The PMK resides on both the AP (router) and the client devices (phone, laptop, etc.), so it never needs to be sent over the air. It is used to create the PTK, which is used for unicast data encryption.
PTK (Pairwise Transient Key): The PTK is derived by feeding the PMK, the ANonce, the SNonce, the MAC address of the access point and the MAC address of the supplicant into a PRF (Pseudo Random Function).
GMK (Group Master Key): GMK is a key used in Wi-Fi security protocols, such as WPA3, to secure group communication within a Wi-Fi network. It’s generated during the process of establishing a secure connection between devices and the Wi-Fi access point (router). The GMK is used to derive the Group Transient Key (GTK), which is then used to encrypt multicast and broadcast messages sent to multiple devices within the same network. The GTK is generated on every access point and shared with the devices connected to that access point.
Group Transient Key (GTK): GTK is derived from the Group Master Key (GMK). It’s a unique key used to encrypt multicast and broadcast messages sent to all devices within a Wi-Fi network. When devices in the network need to receive shared messages (like broadcast data or multicast traffic), the GTK ensures that only devices connected to the same network can decrypt and understand those messages. This helps protect the privacy of group communications within the Wi-Fi network. Each access point has its own GTK, which is shared with its associated devices.
In simple terms, the GMK is the “master key” used to derive the GTK, and the GTK is the actual key that encrypts messages shared among devices within the same Wi-Fi network, ensuring that outsiders can’t easily understand those messages.
What is the role of PMK and GMK then?
The PMK is like your private secret code that you use to talk securely to the Wi-Fi router. It’s just between you and the router (visiting the bank website, Gmail login, etc.)
The GMK is like a special magic word that everyone on the same Wi-Fi network knows. It’s used to make sure that when you send messages to everyone on the network, only the people on the network can understand them. This keeps your group chats private.
Now, let's understand the handshake:

Message 1: The access point sends an EAPOL message containing the ANonce (random number) to the device so that it can generate the PTK. Don’t forget that the client device already knows the AP’s MAC address because it is connected to it, and it also has the PMK, the SNonce and its own MAC address. Once it receives the ANonce from the access point it has all the inputs needed to create the PTK.
Message 2: Once the device has created its PTK, it sends its SNonce, which the access point needs to generate the PTK as well. The device sends this EAPOL message to the AP with a MIC (Message Integrity Code) so that the access point can verify whether the message was corrupted or modified. Once the AP receives the SNonce it can also generate the PTK for unicast traffic encryption.
Message 3: An EAPOL message is sent from the AP to the client device containing the GTK. The AP creates the GTK from the GMK without the involvement of the client.
Message 4: The fourth and last EAPOL message is sent from the client to the AP just to confirm that the keys have been installed.
Control port unlocked: Once the 4-way handshake completes successfully, the virtual control port that was blocking all traffic is opened and encrypted traffic can flow. From now on all unicast traffic is encrypted with the PTK and all multicast traffic with the GTK, both created during the 4-way handshake.
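To make the key derivation concrete, here is an added example (not code from the original post) that walks both sides of the handshake: it derives the PMK from the passphrase and SSID with PBKDF2 (the PSK, which WPA2-Personal uses as the PMK), runs the 802.11 PRF over the PMK, both MAC addresses and both nonces to get the PTK, and uses the first 128 bits of the PTK (the KCK) to compute and verify the EAPOL-Key MIC, showing that a message altered in flight fails the check. The SSID, passphrase, MAC addresses, nonces and the EAPOL-Key body are constructed stand-ins, not values from any real network.

```python
import hashlib
import hmac

# Constructed sample inputs (not from any real network or capture).
SSID = b"demo-ssid"
PASSPHRASE = "correct horse battery staple"
AP_MAC = bytes.fromhex("020000000001")   # placeholder, locally administered
STA_MAC = bytes.fromhex("020000000002")  # placeholder, locally administered
ANONCE = bytes(range(32))                # stand-in for the AP's 32-byte nonce
SNONCE = bytes(range(32, 64))            # stand-in for the supplicant's nonce


def derive_pmk(passphrase: str, ssid: bytes) -> bytes:
    """WPA/WPA2-Personal: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK (384 bits for CCMP) from PMK, both MACs and both nonces in min/max order."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck, frame_mic_zeroed):
    """WPA2 EAPOL-Key MIC: HMAC-SHA1 keyed with the KCK over the frame (MIC field zeroed), first 128 bits."""
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]


def mic_valid(kck, frame_mic_zeroed, received_mic):
    return hmac.compare_digest(eapol_mic(kck, frame_mic_zeroed), received_mic)


def run_handshake_demo():
    pmk = derive_pmk(PASSPHRASE, SSID)
    # After Messages 1 and 2 each side holds the PMK, both MACs and both nonces,
    # so each derives the PTK locally; the key itself never crosses the air.
    ptk_ap = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    ptk_sta = derive_ptk(pmk, STA_MAC, AP_MAC, SNONCE, ANONCE)  # same inputs, other order
    kck = ptk_sta[:16]  # Key Confirmation Key: the first 128 bits of the PTK
    msg2 = b"\x02\x03" + b"\x00" * 30 + SNONCE + b"\x00" * 16  # constructed Message 2 body, MIC zeroed
    mic = eapol_mic(kck, msg2)
    tampered = msg2[:32] + b"\xff" + msg2[33:]  # one byte of the nonce altered in flight
    return ptk_ap == ptk_sta, mic_valid(kck, msg2, mic), mic_valid(kck, tampered, mic)
```

`run_handshake_demo()` returns `(True, True, False)`: both sides agree on the PTK, the genuine Message 2 verifies, and the tampered copy is rejected.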
A related concept that I think I should share is Authentication & Association.
Authentication and association are fundamental processes in Wi-Fi networking that allow devices to connect to a wireless network. Here’s an overview of each process:
1. Authentication: Authentication is the process of verifying the identity of a device or user before granting access to the network. It ensures that only authorized devices can connect. In Wi-Fi networks, authentication typically involves confirming that the device has the correct credentials to join the network. There are different methods of authentication:
a. Open System Authentication: This is a basic form of authentication where the client device sends a request to join the network, and the access point responds with an “OK” signal if it’s allowed to join.
b. Shared Key Authentication: This method involves a challenge-response mechanism. The access point sends a challenge to the client, and the client responds with the correct answer. This helps ensure that the client knows the correct credentials to join.
c. 802.1X and EAP Authentication: In more secure networks, such as enterprise environments, the Extensible Authentication Protocol (EAP) is often used. It involves more advanced authentication methods, like using certificates or usernames/passwords.
2. Association: Association is the process that occurs after authentication. It’s when the client device and the access point agree to communicate with each other. Once authenticated, the client device requests association with a specific access point. The access point accepts the request, and a unique identifier called a Basic Service Set Identifier (BSSID) is assigned to the client’s connection.
During association, the client and access point also negotiate settings like communication channels and data rates. This helps ensure that the devices can communicate effectively within the network.
In simple terms, authentication confirms that a device has the right to join a network, and association sets up the rules and parameters for communication between the device and the access point.
Thank you for reading. This took a lot of effort, so drop a comment and hit the clap button if you liked it.