Basic EAP terms

  • WPA: https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
  • WPA-Enterprise
    • uses EAP for authentication
    • EAP should result in a PMK (Pairwise Master Key)
  • WPA-Personal
    • uses 256-bit pre-shared key (can be derived from ASCII passphrase + SSID: PBKDF2 with SSID as salt, 4096 iterations and HMAC-SHA1)
  • TK: Temporal Key (shared secret protecting data frames)
  • TKIP: “Temporal Key Integrity Protocol”
    • RC4-based cipher with “integrity check”
    • TK is split into one 128-bit encryption key and two 64-bit MIC (Message Integrity Check) keys (one for each direction)
    • unique per-packet key derived from encryption key, sender MAC and 48-bit nonce
      • static MIC keys?
    • MIC: provided by Michael algorithm
      • broken: trivial to recover key with known plaintext + ciphertext
  • CCMP, CCMP-128: AES128-CCM (CTR + CBC-MAC)
    • TK used as key; IV includes sender MAC and 48-bit nonce (replay counter)
  • GCMP: AES-GCM (always AES256?)
    • TK / IV same as CCMP
    • GCM faster than CCM
  • PMKID (optional)
    • sent by AP in first EAPOL frame
    • 128-bit HMAC-SHA1(psk, "PMK NAME" | MAC_AP | MAC_CLIENT)
    • -> quick check whether authentication will work
    • -> simple offline attack

WPA 4-way handshake

Both WPA-Personal and WPA-Enterprise result in a PMK (Pairwise Master Key):

  • PSK: PMK is the PSK (possibly derived from passphrase and SSID)
  • WPA3 SAE: PMK comes from the Dragonfly handshake
  • EAP: PMK is result of EAP authentication

During the 4-way handshake both sides derive the PTK (Pairwise Transient Key) from PMK, ANonce, SNonce and MAC addresses; KDF depends on WPA version / AKM algorithm. From the PTK various other keys are derived.

Four messages are sent:

  • Authenticator (AP) sends 256-bit random ANonce (Msg1)
  • Supplicant (Client) sends 256-bit random SNonce (Msg2)
    • already protected by new KCK/KEK from PTK?
  • Authenticator (Msg3) and then Supplicant (Msg4) send empty (protected) handshake messages (to confirm and verify?)

Various attacks:

Group Temporal Key

With WPA2+ a Group Temporal Key is included in the 3rd message.

  • GTK can be refreshed later
  • broadcast/multicast should be distributed by the AP (-> client sends it as unicast to AP)

Derive keys

PTK is split into:

  • (default 128-bit) KCK (Key Confirmation Key) and (default 128-bit) KEK (Key Encryption Key)
    • protect handshake (EAPOL_KEY) messages
  • (256-bit?) Temporal Key (TK)
    • TK protects data frames
  • and possibly more keys.
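The passphrase-to-PSK step from the WPA-Personal entry and the PTK derivation and split described above, as an added example (not part of the original notes). It assumes the HMAC-SHA1 PRF with the "Pairwise key expansion" label used by plain WPA2-PSK; other AKMs use different KDFs and key lengths. Function names are hypothetical, and the MACs, nonces and passphrase are constructed.

```python
import hashlib
import hmac

def psk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """256-bit PSK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label | 0x00 | data | counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, mac_ap, mac_sta, anonce, snonce, tk_len=16):
    """Derive the PTK and split it into KCK, KEK and TK.

    tk_len is 16 for CCMP-128 and 32 for TKIP. Both sides sort the MACs and
    nonces, so AP and client compute the same PTK without agreeing on order.
    """
    data = (min(mac_ap, mac_sta) + max(mac_ap, mac_sta)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_sha1(pmk, b"Pairwise key expansion", data, 32 + tk_len)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}

if __name__ == "__main__":
    # Constructed sample values, not taken from a real network.
    pmk = psk_from_passphrase("correct horse battery staple", b"example-ssid")
    keys = derive_ptk(pmk,
                      mac_ap=bytes.fromhex("020000000001"),
                      mac_sta=bytes.fromhex("020000000002"),
                      anonce=bytes(range(32)),
                      snonce=bytes(range(32, 64)))
    for name, value in keys.items():
        print(name, value.hex())
```

Because the PMK is the only secret input, a fresh ANonce/SNonce pair changes every derived key while a weak passphrase still determines all of them.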

Handshake messages

KCK (integrity) / KEK (encryption) protect handshake (EAPOL_KEY) messages.

  • HMAC-MD5 RC4 (WPA1?)
    • HMAC-MD5 for MIC
    • RC4 for payload encryption
  • HMAC-SHA1 AES (WPA2?)
    • HMAC-SHA1 (truncated to 16 bytes) for MIC
    • AES-WRAP (RFC 3394) for payload encryption
  • AES-128-CMAC (WPA3?)
    • AES-CMAC (RFC 4493, with AES-128) for MIC
    • AES-WRAP for payload encryption
  • AKM (“Auth Key Management”)
    • Depends on “authentication algorithm” ?
      • SAE
      • OSEN (Hotspot 2.0 online signup with encryption)
      • IEEE 802.1x Suite B
        • uses HMAC-SHA256 (truncated to 16 bytes) for MIC
      • IEEE 802.1x Suite B 192-bit
        • 256-bit KEK key length
        • 192-bit MIC key length
        • uses HMAC-SHA384 (truncated to 24 bytes) for MIC
      • FILS (Fast Initial Link Setup) SHA256 and SHA384
        • 256-bit KEK key length for SHA256, 512-bit for SHA384
        • no MIC; uses AES-SIV (RFC 5297) for authenticated encryption
        • uses a shorter handshake ??
          • wpa code doesn’t look like it uses empty encrypted payloads, so it can’t authenticate Msg2/Msg4
          • name suggests a different handshake too
      • OWE (Opportunistic Wireless Encryption (a.k.a. Enhanced Open))
        • variable KCK and KEK length
        • KCK length half of PMK length
        • KEK length is 16 bytes for 16- and 24-byte KCKs; 32 bytes if the KCK is 32 bytes
        • uses HMAC for MIC depending on KCK length (MIC length same as KCK length):
          • 16 bytes: HMAC-SHA256
          • 24 bytes: HMAC-SHA384
          • 32 bytes: HMAC-SHA512
      • DPP (Device Provisioning Protocol)
        • encryption / MIC same as OWE
      • FT IEEE 802.1x SHA384
        • 256-bit KEK key length
        • uses HMAC-SHA384 as MIC with 192-bit MIC key length
    • “Fast Transition” (FT) variants of some of those algorithms
    • unless otherwise specified: use AES-WRAP for payload encryption and AES-CMAC for MIC (uses AES-128/192/256 depending on key length)
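How a receiver checks the KCK-based MIC on an EAPOL-Key frame for the first two variants listed above (HMAC-MD5 and truncated HMAC-SHA1), as an added example that is not part of the original notes. Field offsets follow the standard EAPOL-Key layout; function names are hypothetical, the frame and KCK are constructed, and AES-CMAC and the AKM-defined MICs are not handled because the Python standard library has no CMAC.

```python
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields before the MIC
MIC_LEN = 16     # MIC length for key descriptor versions 1 and 2

def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the whole EAPOL frame with the MIC field set to zero."""
    version = struct.unpack_from(">H", frame, 5)[0] & 0x0007
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    if version == 1:   # HMAC-MD5 MIC (RC4 payload encryption)
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:   # HMAC-SHA1 truncated to 16 bytes (AES-WRAP payload)
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]
    raise ValueError(f"descriptor version {version} not handled here")

def verify_mic(kck: bytes, frame: bytes) -> bool:
    """True only if the frame claims a MIC and the MIC matches."""
    if len(frame) < MIC_OFFSET + MIC_LEN + 2:
        return False
    key_info = struct.unpack_from(">H", frame, 5)[0]
    if not key_info & 0x0100:      # Key MIC flag clear (e.g. Msg1): unauthenticated
        return False
    try:
        expected = compute_mic(kck, frame)
    except ValueError:
        return False
    return hmac.compare_digest(expected, frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])

def build_frame(kck: bytes, key_info: int, nonce: bytes) -> bytes:
    """Constructed EAPOL-Key frame with empty key data (not a capture)."""
    body = struct.pack(">BHH8s32s16s8s8s16sH", 2, key_info, 16, bytes(8),
                       nonce, bytes(16), bytes(8), bytes(8), bytes(MIC_LEN), 0)
    frame = struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL v2, type 3 = Key
    mic = compute_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]

if __name__ == "__main__":
    kck = bytes(range(16))                             # constructed KCK
    msg2 = build_frame(kck, 0x010A, bytes(range(32)))  # version 2, pairwise, MIC set
    print(verify_mic(kck, msg2))
```

Frames without the Key MIC flag or with an unhandled descriptor version are rejected rather than treated as valid, and the comparison is constant-time.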

WPA versions

  • WPA
    • “upgrade” of WEP by using TKIP: dynamic key for RC4
  • WPA2
    • mandatory CCMP-128 support (but TKIP still allowed?)
  • WPA3-Enterprise
    • mandatory (?) GCMP (AES256, with SHA-384 as HMAC, but what for???)
  • WPA3-Personal
    • replaces PSK with SAE (Dragonfly handshake)
      • shared secret derived from Dragonfly handshake is used for 4-way handshake
    • SAE supports mesh networks (both peers can initiate handshake concurrently)
      • but uses AMPE (Authenticated Mesh Peering Exchange) to derive session keys instead of 4-way handshake?
    • still allows (or always uses?) CCMP-128

Dragonfly Handshake

  • used in EAP-pwd and WPA3-Personal (SAE)
  • maps password (combined with other ids like MAC addresses/…) to element in a group (multiplicative in F_p or curve over F_p)
  • idea: security based on discrete log in group
  • various timing attacks to find secret group element (“Dragonblood”)
  • both sides need plaintext password (EAP-pwd supports hashes, but hash replaces password -> pass the hash)
    • this directly follows from the fact the password is mapped with other dynamic data to a group element