
What is a 4-Way Handshake?

The 4-way handshake is the exchange of 4 messages between an access point (authenticator) and a client device (supplicant) to generate the encryption keys used to encrypt the actual data sent over the wireless medium.

Some terms to understand before we jump into 4-Way Handshake:

MSK - Master Session Key

PMK - Pairwise Master Key

GMK - Group Master Key

PTK - Pairwise Transient Key

GTK - Group Temporal Key

ANonce - a nonce (random number) generated by the access point

SNonce - a nonce (random number) generated by the supplicant or client

MIC - Message Integrity Check

EAPoL - Extensible Authentication Protocol over LAN

PTK (Pairwise Transient Key):

The pairwise transient key is used to encrypt all unicast traffic between a client station and the access point. The PTK is unique to each pairing of client station and access point. To generate the PTK, the client device and the access point need the following information.

PTK = PRF (PMK + ANonce + SNonce + MAC (AA) + MAC (SA))

PRF stands for pseudo-random function, which is applied to all of the inputs. The PTK is dependent on the PMK.

GTK (Group Temporal Key):

The group temporal key is used to encrypt all broadcast and multicast traffic between an access point and multiple client devices. The GTK is shared between all client devices associated with one access point. The GTK is dependent on another higher-level key, the GMK.

PMK (Pairwise Master Key):

What is the PMK and why do we need it? We now know what the PTK and GTK are. The PTK is generated with the help of the PMK. As we discussed above, in order to generate the PTK we need the following inputs.

PTK = PRF (PMK + ANonce + SNonce + MAC (AA) + MAC (SA))

In the case of WPA2/PSK, when a device authenticates with the access point, the PSK becomes the PMK.

GMK (Group Master Key):

The group master key is used in the 4-way handshake to create the GTK discussed above. The GTK is generated on every access point and shared with the devices connected to that AP.

MSK (Master Session Key):

The master session key is the first key to be generated. It is the base, or the top of the pyramid, from which all the other keys arise.

4-Way Handshake "The Process Itself":

Now that we understand the important keys and how they are generated, let's look at the actual 4-way handshake. Once the device is authenticated and associated, security is checked and the 4-way handshake starts.

Message 1: The access point sends an EAPOL message with the ANonce (random number) to the device so that it can generate the PTK. Don't forget that the client device knows the AP's MAC address because it is connected to it. It also has the PMK, the SNonce and its own MAC address. Once it receives the ANonce from the access point, it has all the inputs needed to create the PTK.

PTK = PRF (PMK + ANonce + SNonce + MAC (AA) + MAC (SA))

Message 2: Once the device has created its PTK, it sends out the SNonce, which the access point needs in order to generate the PTK as well. The device sends EAPOL message 2 to the AP with a MIC (message integrity check) so that the access point can verify whether this message was corrupted or modified. Once the AP receives the SNonce, it can generate the PTK as well for unicast traffic encryption.

Message 3: EAPOL message 3 is sent from the AP to the client device and contains the GTK. The AP creates the GTK from the GMK without the involvement of the client.

Message 4: The fourth and last EAPOL message is sent from the client to the AP just to confirm that the keys have been installed.

And BOOM!!! The process is complete. Now all unicast traffic will be encrypted with the PTK and all multicast traffic will be encrypted with the GTK, both of which were established in the 4-way handshake process.

The full conversation, from association to the completed 4-way handshake, is depicted in this image: Full-conversation.png
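The PTK derivation and the MIC check on message 2, written out as an added example (not code from the original post). It assumes WPA2-PSK with CCMP, where IEEE 802.11i specifies PBKDF2 for passphrase to PSK, the label "Pairwise key expansion", a 48-byte PTK split into KCK/KEK/TK, and an HMAC-SHA1 MIC truncated to 16 bytes; the function names, MAC addresses, SSID and the stand-in message 2 body are constructed for illustration.

```python
import hashlib
import hmac
import os

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: the 256-bit PSK derived from the passphrase is used as the PMK.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter.
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    # MACs and nonces are sorted so both sides feed the PRF identical bytes.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)  # 48 bytes for CCMP
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}

def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    # Key descriptor version 2: HMAC-SHA1 keyed with the KCK, first 16 bytes.
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]

def ap_accepts_message2(pmk, aa, spa, anonce, snonce, frame, mic) -> bool:
    # The AP derives its own PTK after learning the SNonce, then checks the MIC.
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)["kck"]
    return hmac.compare_digest(eapol_mic(kck, frame), mic)

def run_handshake(client_passphrase: str, ap_passphrase: str, ssid: str = "example-net"):
    # Constructed sample values: MAC addresses, SSID and frame body are made up.
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce = os.urandom(32)                            # Message 1: AP -> client
    snonce = os.urandom(32)
    client = derive_ptk(pmk_from_passphrase(client_passphrase, ssid), aa, spa, anonce, snonce)
    frame = b"constructed-msg2" + snonce + bytes(16)   # stand-in body, MIC field zeroed
    mic = eapol_mic(client["kck"], frame)              # Message 2: client -> AP
    ap_pmk = pmk_from_passphrase(ap_passphrase, ssid)
    accepted = ap_accepts_message2(ap_pmk, aa, spa, anonce, snonce, frame, mic)
    tampered = ap_accepts_message2(ap_pmk, aa, spa, anonce, snonce, frame + b"x", mic)
    same_tk = client["tk"] == derive_ptk(ap_pmk, aa, spa, anonce, snonce)["tk"]
    return accepted, tampered, same_tk

if __name__ == "__main__":
    print(run_handshake("correct horse battery", "correct horse battery"))
```

The MIC check is what lets the AP reject a client that does not hold the same PMK: with mismatched passphrases the derived KCKs differ and message 2 fails verification before any GTK is sent.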
