【转载】4-Way Handshake 学习

转自 https://blog.csdn.net/sinat_20059415/article/details/88066924

1. 4-Way Handshake概要

For AP and client exchanging encrypted data, both need to have the right key(s) installed. Each time a client (Supplicant) associates to an AP (Authenticator), new temporal keys for the pairwise data transmissions are generated, which are unique for each connected client. In case of Broad- and Multicast frames, all clients use the same Groupwise Temporal Key (GTK) that don’t require a new generation for each association.

Transient keys are derived from a master key, a Pairwise Master Key (PMK) could be the passphrase for WPA-PSK or a key derived from the EAP process for WPA-802.1X or WPA-Enterprise. Since transient keys are used, an attacker cannot obtain the master key from sniffing the frames in the air and it is possible to change the PTK without changing the passphrase itself.

对于AP和客户端交换加密数据，两者都需要安装正确的密钥。 每次客户端（请求者）关联到AP（认证者）时，生成用于成对数据传输的新临时密钥，其对于每个连接的客户端是唯一的。 在广播和多播帧的情况下，所有客户端使用相同的Groupwise Temporal Key（GTK），每个关联不需要新一代。

瞬态密钥从主密钥导出，成对主密钥（PMK）可以是WPA-PSK的密码，或者是从WPA-802.1X或WPA-Enterprise的EAP过程导出的密钥。 由于使用了临时密钥，攻击者无法通过嗅探空中的帧来获取主密钥，因此可以在不更改密码本身的情况下更改PTK。

 

Pairwise Temporal Key Generation

The function to generate a Pairwise Temporal Key (PTK) is known as a Pseudo Random Function (PRF):

PTK = PRF(PMK | ANonce | SNonce | AA | SA)

With ANonce and SNonce as Nonces (Nonce: Number used once) from Authenticator (AP) and Supplicant (client) and the Authenticator’s and Supplicant’s MAC Addresses (AA/SA).

生成PTK的过程被称为伪随机过程，有5项输入，分别是

• PMK（成对主秘钥）
• ANonce（由AP生成的Nonce，直译是被用过1次的数字，其实是表示最多使用1次的意思，表示不会重复利用，减少安全风险）
• SNonce（由STA生成的Nonce）
• AA(AP MAC地址)
• SA(STA MAC地址)

 

2. 4-Way Handshake流程详解

The installation of Pairwise and Groupwise Transient Keys (PTK/GTK) is done by the so called 4-Way Handshake with the following flow graph:

4 Way Handshake

Source: Wikipedia

这个图就是维基百科上的图，只是维基百科上讲的很粗略，不是很明白四次握手的流程。

维基百科上的四次握手流程如下

1. AP向密钥重放计数器发送一个随机数值（ANonce）以及一个密钥重放计数器，该计数器用于匹配发送的每对消息，并丢弃重放的消息。 STA现在具有构建PTK的所有属性。
2. STA将其自己的随机值（SNonce）与消息完整性代码（MIC）一起发送到AP，包括认证，其实际上是消息认证和完整性代码（MAIC），以及和消息1一样的密钥重放计数器，允许AP匹配正确的消息1。
3. AP通过检查MIC，RSN，ANonce和密钥重放计数器字段来验证消息2，如果有效，则构建并用另一个MIC发送GTK。
4. STA通过检查MIC和密钥重放计数器字段来验证消息3，并且如果有效则向AP发送确认。

原文：

The actual messages exchanged during the handshake are depicted in the figure and explained below (all messages are sent as EAPOL-Key frames):

1. The AP sends a nonce-value (ANonce) to the STA together with a Key Replay Counter, which is a number that is used to match each pair of messages sent, and discard replayed messages. The STA now has all the attributes to construct the PTK.
2. The STA sends its own nonce-value (SNonce) to the AP together with a Message Integrity Code (MIC), including authentication, which is really a Message Authentication and Integrity Code (MAIC), and the Key Replay Counter which will be the same as Message 1, to allow AP to match the right Message 1.
3. The AP verifies Message 2, by checking MIC, RSN, ANonce and Key Replay Counter Field, and if valid constructs and sends the GTK with another MIC.
4. The STA verifies Message 3, by checking MIC and Key Replay Counter Field, and if valid sends a confirmation to the AP.

 

2.1 EAP-Key Message 1/4 (ANonce)

As the first message is send from AP to client, this message includes a random number as ANonce for PTK generation at the client. Since the client knows its own SNonce and SA as well as the AA (from Beacons, Probe Response and/or Association Response) and PMK, the ANonce from this message is the only missing information.

当第一条消息从AP发送到客户端时，此消息包含一个随机数作为ANonce，用于在客户端生成PTK。 由于客户端知道自己的SNonce和SA以及AA（来自信标，探测响应和/或关联响应）和PMK，因此来自此消息的ANonce是唯一缺失的信息。

 

 

2.1.1 本地对照学习

结合之前抓的连接2.4G AP的包

在四次握手之前，还有

• Probe Request/Response
• Authentication
• Association Request/Response

3类包

之前有提及AA（来自信标，探测响应和/或关联响应），这边看下

这边看Probe Response包中确实带有了AP和STA的mac地址，其实上面3类包中都包含了mac地址。

 

然后找一下参考网站截的图

1.表示AP发往STA

 

2.key Information & WPA Key Nonce

对比少了个RSN PMKID

 

2.2 EAP-Key Message 2/4

As the Supplicant (client) replies to the first EAP Key message, the client sends the used SNonce as clear text to the AP “protected” by a cryptographic hash (HMAC-SHA1) called Message Integrity Code (MIC) for integrity of of this message the installed key on the client side. The AP will generate its own MIC and compare it the the one in this message, if they match, EAP-Key message 3 is send for key installation. This message also includes the Robust Security Network Information Element (RSN IE).

当请求方（客户端）回复第一个EAP密钥消息时，客户端将使用过的SNonce作为明文发送给AP，发送过程受到加密散列（HMAC-SHA1）的保护，（称为消息完整性代码（MIC），以确保客户端安装的密钥的消息完整性。 AP将生成自己的MIC并将其与此消息中的MIC进行比较，如果它们匹配，则发送EAP-Key消息3以进行密钥安装。 该消息还包括加强安全网络信息元素（RSN IE）。

 

2.2.1 本地对照学习

1.STA->AP

2.Key Information

可以看到有WPA Key Nonce和WPA Key MIC

另外本地抓的包可以看到第二次握手发生了重传，握手了两次，重传传递包中WPA Key Nonce和WPA Key MIC是一样的。

 

2.3 EAP-Key Message 3/4

Message 3 is the last unencrypted key message, as long as no retransmission(s) occur and the pairwise temporal key remains valid. The AP informs the client about the installation of the PTK and the receive sequence counter (RSC) for the GTK. The GTK itself is given in the WPA Key Data field, secured/encrypted with the PTK.

只要不发生重传并且成对临时密钥保持有效，消息3是最后一个未加密的密钥消息。 AP通知客户端有关PTK的安装和GTK的接收序列计数器（RSC）。 GTK本身在WPA密钥数据字段中给出，使用PTK进行保护/加密。

2.3.1 本地对照测试

本地抓的包看起来比较奇怪，本身是黑的，SSID为Wildcard，下面还是红色的，感觉不大对，但是ANonce和第一次发的是一模一样的。

待本地再抓1次看下情况。

 

2.4 EAP-Key Message 4/4

The Supplicant acknowledges the installation of PTK and GTK afterwards, encrypted Unicast and Broad-/Multicast transmission can start now.

Supplicant随后确认PTK和GTK的安装，现在可以启动加密的单播和广播/多播传输。

 

2.4.1 本地对照试验

这个MIC和第2/3次握手都不一样

 

3. Conclusion

The generation of P/GTKs is quite easy and three of the four frames for the installation are unencrypted, which means that the only secret in PTK derivation is the Pairwise Master Key (PMK). As I will show in another post, the generation of a new PTK for each association to an AP can be shortened to enable a much faster association. This is especially important for client roaming and should not bother any single AP installation at home.

P / GTK的生成非常简单，安装的四个框架中有三个是未加密的，这意味着PTK推导中唯一的秘密就是成对主密钥（PMK）。 正如我将在另一篇文章中展示的那样，可以缩短为AP的每个关联生成新的PTK，以实现更快的关联。 这对于客户端漫游尤其重要，不应该在家中安装任何单个AP。

 

4.Attacks

In October 2017, postdoctoral researcher Mathy Vanhoef (PhD @ KU Leuven, Belgium) published his research paper on how the EAPoL key exchange can be attacked to read encrypted data without retrieving the actual PMK. He named the attack “KRACK” and here is the link to his paper.

*2017-04-18 Updated due to feedback from apoorva in the comment section*

*2018-01-18 Updated with a link to Mathy van Hoef’s research paper on Key Reinstallation Attacks*

2017年10月，博士后研究员Mathy Vanhoef（比利时KD Leuven博士）发表了他的研究论文，探讨如何在不检索实际PMK的情况下攻击EAPoL密钥交换来读取加密数据。 他将攻击命名为“KRACK”，这是他的论文的链接。

* 2017-04-18由于评论部分apoorva的反馈而更新*

* 2018-01-18更新了Mathy van Hoef关于重新安装攻击的研究论文*https://papers.mathyvanhoef.com/ccs2017.pdf