CTS 134: Understanding the 4-Way Handshake

The 4-Way Handshake is critical for secure wireless transmissions. Learn more about it in this episode.

Alan Wang

We met Alan at Cisco Live US 2018 in Orlando, FL. He was also the winner of our CLUS giveaway during the conference! Learn more about Alan, the network engineer, in this episode.

Alan at Cisco Live 2018

CWS & CWT Bundle Giveaway Winners

Congrats to Michael Velasco and Biruk Eshete for winning the book bundle! We’ll be reaching out to you via email.

4-Way Handshake

If you recall back in episode 131, we spoke about the 802.11 Open System Authentication and Association. Following that episode, when using pre-shared key or 802.1X authentication you’ll come across the 4-way handshake.

Wireless transmissions between the client and the AP need to be secure. We do that with four frame exchanges between a supplicant (client) and authenticator (AP).

With a PSK network, the 4-way handshake occurs after the association frames. In an 802.1X network, the 4-way handshake occurs after the EAP authentication.

The 4-way handshake is used to establish a pairwise transient key (PTK). It uses EAPOL-Key frames to form the 4-way handshake.

Here’s a graphic to help describe the process.

The 4-way handshake process

The messages between the supplicant and authenticator are as follows:

Message 1: The authenticator sends an EAPOL-Key frame containing the ANonce for PTK generation. The supplicant will use this message to generate an SNonce and derive a PTK.

Message 2: The supplicant sends an EAPOL-Key frame containing its SNonce, RSNE, and MIC. The supplicant derives a PTK. The MIC bit will be set to 1 and the MIC will be confirmed by the authenticator. The RSN element will be visible in this message.

Message 3: The authenticator sends the message 3 EAPOL-Key frame and derives a PTK. The MIC is verified. Also important, the Group Temporal Key (GTK) is sent in message 3. ***In the episode I may have incorrectly called this the Group Transient Key.

Message 4: The supplicant sends the 4th and last EAPOL-Key frame to the authenticator. It notifies the authenticator if the temporal keys were installed and the secure bit will be set.
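To follow the four messages in a capture, the added Python example below (not code from the episode or its PCAP) reads the Key Information flags of each EAPOL-Key frame, labels it as message 1 to 4, and checks that the ANonce and replay counters line up across the exchange. The sample frames are constructed for illustration, the function names are this example's own, and the MIC value itself is not verified because that requires the PTK.

```python
import struct

# Key Information flag bits of an EAPOL-Key frame (IEEE 802.11)
PAIRWISE, ACK, MIC, SECURE = 0x0008, 0x0080, 0x0100, 0x0200

def parse_eapol_key(frame):
    """Parse an EAPOL-Key frame that starts at the 802.1X header."""
    if len(frame) < 99 or frame[1] != 3:
        raise ValueError("not a complete EAPOL-Key frame")
    info, _key_len, replay = struct.unpack_from(">HHQ", frame, 5)
    return {"info": info, "replay": replay, "nonce": frame[17:49]}

def classify(key):
    """Return the 4-way handshake message number (1-4), or 0 if unknown."""
    info = key["info"]
    if not info & PAIRWISE:
        return 0  # group key handshake, not the 4-way handshake
    if info & ACK:  # only the authenticator sets Key Ack
        return 3 if info & MIC else 1
    if info & MIC:  # supplicant frames; RSN sets Secure in message 4
        return 4 if info & SECURE else 2
    return 0

def check_handshake(frames):
    """Return a list of problems found in a captured four-frame exchange."""
    keys = [parse_eapol_key(f) for f in frames]
    if [classify(k) for k in keys] != [1, 2, 3, 4]:
        return ["frames are not messages 1-4 in order"]
    m1, m2, m3, m4 = keys
    problems = []
    if m1["nonce"] != m3["nonce"]:
        problems.append("ANonce differs between message 1 and message 3")
    if not any(m2["nonce"]):
        problems.append("message 2 carries no SNonce")
    if m2["replay"] != m1["replay"] or m4["replay"] != m3["replay"]:
        problems.append("supplicant did not echo the replay counter")
    if m3["replay"] <= m1["replay"]:
        problems.append("replay counter did not increase for message 3")
    return problems

def build(info, replay, nonce=bytes(32)):
    """Construct a sample EAPOL-Key frame (test data, not a real capture)."""
    body = struct.pack(">BHHQ", 2, info, 16, replay) + nonce + bytes(48)
    return struct.pack(">BBH", 2, 3, len(body) + 2) + body + bytes(2)

ANONCE, SNONCE = b"\xa1" * 32, b"\x51" * 32  # constructed nonces
SAMPLE = [build(0x008A, 1, ANONCE), build(0x010A, 1, SNONCE),
          build(0x13CA, 2, ANONCE), build(0x030A, 2)]
print(check_handshake(SAMPLE))  # prints [] for this coherent sample
```

Each frame passed in must start at the 802.1X header, so strip the 802.11 and LLC/SNAP headers first when working from a real capture.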

Download the PCAP file provided for this episode below in the Links & Resources section.

Links and Resources