CTS 134: Understanding the 4-Way Handshake

The 4-Way Handshake is critical for secure wireless transmissions. Learn more about it in this episode.

Alan Wang

We met Alan at Cisco Live US 2018 in Orlando, FL. He was also the winner of our CLUS giveaway during the conference! Learn more about Alan, the network engineer, in this episode.

Alan at Cisco Live 2018

CWS & CWT Bundle Giveaway Winners

Congrats to Michael Velasco and Biruk Eshete for winning the book bundle! We’ll be reaching out to you via email.

4-Way Handshake

If you recall back in episode 131, we spoke about the 802.11 Open System Authentication and Association. Following that episode, when using pre-shared key or 802.1X authentication you’ll come across the 4-way handshake.

Wireless transmissions between the client and the AP need to be secure. We do that with four frame exchanges between a supplicant (client) and authenticator (AP).

With a PSK network, the 4-way handshake occurs after the association frames. In an 802.1X network, the 4-way handshake occurs after the EAP authentication.

The 4-way handshake is used to establish a pairwise transient key (PTK). It uses EAPOL-Key frames to form the 4-way handshake.

Here’s a graphic to help describe the process.

The 4-way handshake process

The messages between the supplicant and authenticator are as follows:

Message 1: The authenticator sends an EAPOL-Key frame containing the ANonce for PTK generation. The supplicant will use this message to generate an SNonce and derive a PTK.

Message 2: The supplicant sends an EAPOL-Key frame containing its SNonce, RSNE, and MIC. The supplicant has derived a PTK at this point. The MIC bit will be set to 1 and the MIC will be verified by the authenticator. The RSN element will be visible in this message.

Message 3: The authenticator sends the message 3 EAPOL-Key frame and derives a PTK. The MIC is verified. Also important, the Group Temporal Key (GTK) is sent in message 3. ***In the episode I may have incorrectly called this the Group Transient Key.

Message 4: The supplicant sends the 4th and last EAPOL-Key frame to the authenticator. It notifies the authenticator that the temporal keys have been installed, and the Secure bit will be set.
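To make the key material in these four messages concrete, here is an added example (not code from the episode or its PCAP) that derives the PTK from a PMK, the two MAC addresses and the two nonces with the 802.11 PRF, splits it into KCK/KEK/TK, builds a constructed message 2 with the MIC bit set, and checks the MIC the way the authenticator does. The PMK, MACs, nonces and RSNE are constructed sample values; the MIC calculation assumes key descriptor version 2 (HMAC-SHA1-128, as used with AES/CCMP).

```python
import hashlib
import hmm_placeholder_removed if False else hashlib  # noqa (kept simple below)
```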

Download the PCAP file provided for this episode below in the Links & Resources section.

Links and Resources

CTS 133: 802.11 PHY Types

Let’s discuss the different 802.11 PHY types available for devices to use.

Meet Glenn Cate

Our featured wireless network engineer is Glenn Cate, CWNE #181. Catching up with Glenn at Cisco Live 2018 was great and we were able to get him talking about himself. Listen to the episode to hear a little bit about Glenn.

Glenn Cate, CWNE #181

802.11 PHY Types

The 802.11 Standard defines different PHY types. Includes the data rates supported by each PHY and what band they operate in. Data rates depend on the channel width and modulation used.

Download the free 802.11 PHY Types Reference PDF

In 1997, the first iteration of the standard was released. We call this 802.11 Prime. In this standard, the PHY type available used Direct Sequence Spread Spectrum (DSSS). It was only available in the 2.4 GHz spectrum using a 22 MHz wide channel. It offered 1 spatial stream and devices were able to use from 1 to 2 Mbps data rates.

Table of 802.11 PHY Types

802.11 PHY Types

802.11a was ratified in 2009 and operated in the 5 GHz spectrum. With this PHY, devices were able to use up to 54 Mbps data rates. Modulation used with this PHY type was Orthogonal Frequency Division Multiplexing (OFDM) and used a 20 MHz wide channel at 1 spatial stream.

802.11b, still operating in the 2.4 GHz spectrum used a modulation of High Rate DSSS (HR/DSSS) for this PHY type. It still used a 22 MHz wide channel width but offered data rates up 5.5 and 11 Mbps.

To maintain backwards compatibility to DSSS but bring improvements to 2.4 GHz was the 802.11g PHY type. The new modulation used was Extended Rate Physical OFDM (ERP OFDM). The channel width changed to 20 MHz but still saw data rates up to 54 Mbps using 1 spatial stream.

The biggest change to Wi-Fi came with the 802.11n PHY. It was dual-band and used the High Throughput (HT) modulation. It offered up to 600 Mbps data rates and introduced channel bonding to 40 MHz channel widths. Another improvement was the introduction of MIMO and 4 spatial streams.

What we’re currently used to, as of the release of this episode, is the 802.11ac PHY type. Defined as Very High Throughput (VHT) and only operating in the 5 GHz spectrum, it introduced new channel bonding at 80 and 160 MHz channel widths. This increased channel width, along with 8 spatial streams, touts up to 6.9 Gbps data rates. But don’t hold your breath.

Next up, not ratified yet as of the time of this published episode, is 802.11ax PHY type with modulation scheme of High Efficiency (HE). This brings increased efficiency in the 2.4 GHz and 5 GHz spectrum. Specifying, in this PHY type, is 1024 QAM and up to 9.6 Gbps data rates. We shall see what this brings to the real world.

Links and Resources