2

Assume a situation where a wireless access point is using WPA2-PSK, and it is configured to allow only a single client association at one time.

Client A connects to the access point with PSK and engages in some higher layer communication with hosts accessible on the AP's network.

Client B also has the PSK, but (presumably?) cannot associate with the access point while client A is associated.

Does the limitation of a allowing only one association to the access point at a time prevent client B from using his knowledge of the PSK to sniff client A's 4-way handshake[1] and decrypt client A's traffic?

By sniffing the 4-way handshake, I mean employing the tactic described in in posts like these:

http://www.howtogeek.com/204335/warning-encrypted-wpa2-wi-fi-networks-are-still-vulnerable-to-snooping/

and

Are WPA2 connections with a shared key secure?

Thanks.

Community
  • 1
senator
  • 23
  • 1
  • 3

1 Answers1

4

No

Any user who has the psk has the ability to decrypt all traffic encrypted with that AP using WPA2-PSK. The cipher keys are generated from that PSK all the attacker has to know is the psk and what functions the AP and Client use to generate the cipher keys, which he/she already has from previously associating themselves with access point. If the traffic has other layers, ssl for instance, well then that part of the traffic is "safe". However the Broadcast key (BES) might and should be changed by the AP whenever a client associates and also when they leave the LAN.

Some of those attacks you posted are for attackers who don't have the PSK, i.e. it changed or they never used that AP, can capture the 4-way PSK handshake which usually contains a MAC, or password-key based hash of some used-once string (nonce). The attacker can then brute-force that hash key to obtain the PSK. The key used to create the MAC is the PSK which is the password or some pseudo-derived version of it. "Deauth" Allows an attacker to kick someone off the network to force the handshake to happen again so they can capture it. Basically faking packets that tell the client to disconnect.

dylan7
  • 737
  • 8
  • 17