Study notes:
https://wlan1nde.wordpress.com/2014/10/27/4-way-handshake/
For an AP and a client to exchange encrypted data, both need to have the right key(s) installed. Each time a client (Supplicant) associates to an AP (Authenticator), new temporal keys for the pairwise data transmissions are generated, which are unique for each connected client. In case of Broad- and Multicast frames, all clients use the same Groupwise Temporal Key (GTK), which doesn’t require a new generation for each association.
Transient keys are derived from a master key; a Pairwise Master Key (PMK) could be the passphrase for WPA-PSK or a key derived from the EAP process for WPA-802.1X or WPA-Enterprise. Since transient keys are used, an attacker cannot obtain the master key from sniffing the frames in the air and it is possible to change the PTK without changing the passphrase itself.
Pairwise Temporal Key Generation
The function to generate a Pairwise Temporal Key (PTK) is known as a Pseudo Random Function (PRF):
PTK = PRF(PMK | ANonce | SNonce | AA | SA)
With ANonce and SNonce as Nonces (Nonce: Number used once) from Authenticator (AP) and Supplicant (client) and the Authenticator’s and Supplicant’s MAC Addresses (AA/SA).
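The process of generating the PTK is called a pseudo-random process; it has 5 inputs, namely
The installation of Pairwise and Groupwise Transient Keys (PTK/GTK) is done by the so-called 4-Way Handshake with the following flow graph:
[Figure: 4-Way Handshake. Source: Wikipedia]
This is the figure from Wikipedia, but Wikipedia's explanation is very brief and I did not really understand the four-way handshake flow from it.
The four-way handshake flow on Wikipedia is as follows
Original article: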
The actual messages exchanged during the handshake are depicted in the figure and explained below (all messages are sent as EAPOL-Key frames):
As the first message is sent from AP to client, this message includes a random number as ANonce for PTK generation at the client. Since the client knows its own SNonce and SA as well as the AA (from Beacons, Probe Response and/or Association Response) and PMK, the ANonce from this message is the only missing information.
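Compare this with the packets I captured earlier while connecting to a 2.4G AP
Before the four-way handshake, there are also 3 types of frames
The AA (from Beacons, Probe Response and/or Association Response) was mentioned earlier; let's look at it here
Here the Probe Response frame does indeed carry the MAC addresses of the AP and the STA; in fact, all 3 types of frames above contain the MAC addresses.
Next, look at the screenshot from the reference site
1. Indicates AP to STA
2. Key Information & WPA Key Nonce
By comparison, the RSN PMKID is missing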
As the Supplicant (client) replies to the first EAP Key message, the client sends the used SNonce as clear text to the AP “protected” by a cryptographic hash (HMAC-SHA1) called Message Integrity Code (MIC) for integrity of this message the installed key on the client side. The AP will generate its own MIC and compare it to the one in this message; if they match, EAP-Key message 3 is sent for key installation. This message also includes the Robust Security Network Information Element (RSN IE).
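1. STA->AP
2. Key Information
The WPA Key Nonce and WPA Key MIC can be seen
Also, in my local capture the second handshake message was retransmitted, so it was sent twice; the WPA Key Nonce and WPA Key MIC in the retransmitted frame are the same.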
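The PTK formula above and the MIC check the AP performs on message 2, as an added example that is not part of the original article or these notes. The PMK, nonces, MAC addresses and the simplified message 2 (no RSN IE in Key Data) are constructed sample values; the 48-byte PTK length and the HMAC-SHA1 MIC truncated to 16 bytes assume a CCMP network (key descriptor version 2).

```python
import hashlib, hmac, struct

MIC_OFF = 81  # offset of the 16-byte Key MIC inside an EAPOL-Key frame

# Constructed sample values (not taken from any capture)
PMK = bytes(range(32))
AA, SA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE = hashlib.sha256(b"constructed-anonce").digest()
SNONCE = hashlib.sha256(b"constructed-snonce").digest()

def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk, anonce, snonce, aa, sa):
    """PTK = PRF(PMK | ANonce | SNonce | AA | SA); inputs are sorted so both sides agree."""
    data = min(aa, sa) + max(aa, sa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)  # KCK | KEK | TK (CCMP assumed)

def eapol_mic(ptk, frame):
    """HMAC-SHA1 over the frame with its MIC field zeroed, keyed with the KCK (PTK[0:16])."""
    zeroed = frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:]
    return hmac.new(ptk[:16], zeroed, hashlib.sha1).digest()[:16]

def build_msg2(ptk, snonce, replay):
    """Supplicant side: simplified message 2 with SNonce in clear text and the MIC filled in."""
    # descriptor type 2, key info 0x010A (MIC set, pairwise, version 2), key length 0
    body = struct.pack(">BHHQ", 2, 0x010A, 0, replay) + snonce
    body += bytes(16 + 8 + 8)                    # Key IV, RSC, Key ID (all zero)
    body += bytes(16) + struct.pack(">H", 0)     # empty MIC field, Key Data length 0
    frame = struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL version 2, type 3 (Key)
    return frame[:MIC_OFF] + eapol_mic(ptk, frame) + frame[MIC_OFF + 16:]

def ap_verify_msg2(pmk, anonce, aa, sa, frame):
    """Authenticator side: read SNonce from the frame, derive the PTK, compare the MICs."""
    snonce = frame[17:49]
    ptk = derive_ptk(pmk, anonce, snonce, aa, sa)
    return hmac.compare_digest(eapol_mic(ptk, frame), frame[MIC_OFF:MIC_OFF + 16])

if __name__ == "__main__":
    msg2 = build_msg2(derive_ptk(PMK, ANONCE, SNONCE, AA, SA), SNONCE, replay=1)
    print("MIC accepted by AP:", ap_verify_msg2(PMK, ANONCE, AA, SA, msg2))
```

A retransmitted message 2 built from the same SNonce and replay counter is byte-for-byte identical, so its Key Nonce and Key MIC repeat as well.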
Message 3 is the last unencrypted key message, as long as no retransmission(s) occur and the pairwise temporal key remains valid. The AP informs the client about the installation of the PTK and the receive sequence counter (RSC) for the GTK. The GTK itself is given in the WPA Key Data field, secured/encrypted with the PTK.
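The packet in my local capture looks rather odd: the frame itself is shown in black, the SSID is Wildcard, and the part below is shown in red, so something does not seem right, but the ANonce is exactly the same as the one sent in the first message.
I will capture once more locally and check again.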
The Supplicant acknowledges the installation of PTK and GTK afterwards; encrypted Unicast and Broad-/Multicast transmission can start now.
This MIC is different from the ones in handshake messages 2 and 3
The generation of P/GTKs is quite easy and three of the four frames for the installation are unencrypted, which means that the only secret in PTK derivation is the Pairwise Master Key (PMK). As I will show in another post, the generation of a new PTK for each association to an AP can be shortened to enable a much faster association. This is especially important for client roaming and should not bother any single AP installation at home.
In October 2017, postdoctoral researcher Mathy Vanhoef (PhD @ KU Leuven, Belgium) published his research paper on how the EAPoL key exchange can be attacked to read encrypted data without retrieving the actual PMK. He named the attack “KRACK” and here is the link to his paper.
*2017-04-18 Updated due to feedback from apoorva in the comment section*
*2018-01-18 Updated with a link to Mathy Vanhoef’s research paper on Key Reinstallation Attacks*
Link to the paper: https://papers.mathyvanhoef.com/ccs2017.pdf