2

During the WPA/WPA2 4-way handshake, the first two steps are as follows. (1) The AP sends an ANonce to the client, (2) The client computes its own Nonce (SNonce), computes the Preshared Transient Key (PTK) and sends the SNonce to the AP along with a MIC.

My question: The first Nonce was not protected by a MIC and hence could be modified by an adversary. Could it be that the MIC sent in the second message is computed over both the ANonce and SNonce? This way the ANonce would also be verified too.

Minaj
  • 1,536
  • 2
  • 14
  • 23
  • Does this answer you? http://security.stackexchange.com/questions/66008/how-exactly-does-4-way-handshake-cracking-work?rq=1 – schroeder Aug 23 '16 at 20:59
  • It does not seem to directly answer my question. I am wondering whether the MIC is computed only on the SNonce since most resources seem to show it this way. If this is the case, I wonder how ANonce integrity is checked. – Minaj Aug 23 '16 at 21:06
  • Could the Nonce be computed on the PTK as well? – Minaj Aug 23 '16 at 21:25

1 Answers1

3

The ANonce that is sent in the first message is indeed not protected. It is randomly chosen by the AP, and is sent in clear-text.

The MIC in the second message only protects the SNonce, and thus cannot be used to verify the ANonce. However, upon receipt of the SNonce, the AP will calculate the PTK, based on:

  • the ANonce it generated randomly in the first step
  • the SNonce that it received from the supplicant (which has not been validated yet, as the MIC can only be validated with a valid PTK)

The AP then has calculated the PTK, and can easily verify the MIC, and thus the SNonce. However, if the MIC checks out, it follows that the ANonce probably has not been spoofed, otherwise the PTK calculated by the AP would be different from the PTK calculated by the supplicant (as they used a different ANonce), and the MIC would not check out.

The standard states (of course), that in case the MIC does not check out, the message must be discarded. So, whereas an adversary CAN modify the ANonce, it will lead to a unsuccessful handshake.

Moreover, as an extra defense, the ANonce is again sent in an EAPOL-Keyframe in the 3rd message of the handshake (see image below). The recipient MUST verify that the ANonce in this protected EAPOL-Keyframe is the same as the ANonce that was sent in message 1. Simply said, message 1 is repeated here, but now with a MIC to protect the ANonce, just like you suggested it should be done, however as we did not have enough information to calculate a MIC in step 1, it is done here in step 3. (source: 802.11i standard)

4-way handshake

This website has Wireshark screenshots which show you that the ANonce is sent both in message 1 and message 3, and that the 3rd message contains a MIC to protect the ANonce (comparably, message 2 contains the SNonce and the MIC to protect it). I've copied them here for archiving purposes:

Message 1: Message 1

Message 2: Message 2

Message 3: Message 3

Message 4: Message 4

Michael
  • 5,393
  • 2
  • 32
  • 57
  • Its still not so clear. Lets focus on the statement, " ... otherwise the PTK calculated by the AP would be different from the PTK calculated by the supplicant ...", -- How can the sender and AP can know if they computed the same PTK ? They do not exchange the PTK at any time during the exchange. – Minaj Aug 24 '16 at 07:13
  • In the image, you see that after message 2 is sent by the supplicant, the authenticator 'Calculates PTK using ANonce and SNonce'. Directly thereafter, the authenticator recalculates the MIC that the supplicant has sent in message 2 (not shown in the image, but can be read in the spec). To calculate this MIC, the PTK is required. If the PTK would be different, the MIC calculated by the authenticator would NOT match the MIC calculated by the supplicant. So whereas the PTK is not exchanged, the MIC can be seen as a derivative that was calculated using the PTK. – Michael Aug 24 '16 at 13:19