
All the references I have found

https://en.wikipedia.org/wiki/IEEE_802.11i-2004

https://www.wifi-professionals.com/2019/01/4-way-handshake

https://www.hitchhikersguidetolearning.com/2017/09/17/eapol-4-way-handshake/

indicate that the first thing that happens is the sending of the ANonce (a random number) from the access point to the client. This communication carries no information and could have come from any attacker. The client then constructs message 2 with this formula: PTK = PRF(PMK + ANonce + SNonce + MAC(AA) + MAC(SA)). Now the access point can create message 3 to return to the client.

Since the access point kicked off the whole process with just a random number, how does the client know that the access point is genuine and not a spoof? Somewhere I am missing where the 4-way handshake proves the access point's authenticity.

aquagremlin

1 Answer


This communication carries no information and could have come from any attacker.

Correct. But the server knows which random number (ANonce) it has sent and requires that the client does its computations with this number and not with some other number set by the attacker. In other words: the ANonce is neither secret nor does it need to be protected. All that is needed is that it is defined by the server. The server uses the self-defined ANonce and not some attacker-defined ANonce when validating the computations done by the client. Validation will only succeed if the client, too, is using the server-defined ANonce and not the attacker-defined one.

Somewhere I am missing where the 4 way handshake proves the access point's authenticity.

From Wikipedia:

The four-way handshake is designed so that the access point (or authenticator) and wireless client (or supplicant) can independently prove to each other that they know the PSK/PMK, without ever disclosing the key. Instead of disclosing the key, the access point (AP) and client encrypt messages to each other—that can only be decrypted by using the PMK that they already share—and if decryption of the messages was successful, this proves knowledge of the PMK.

mentallurg
Steffen Ullrich
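To make the answer concrete, here is an added Python simulation of messages 1 to 3 of the handshake (this is example code written for this page, not code from the question, the answer, or the linked references). It implements the PTK derivation the question quotes (PRF-384 over PMK, both MAC addresses and both nonces, as used by WPA2-CCMP) and the HMAC-SHA1 key MIC that the client puts on message 2 and the AP puts on message 3. The EAPOL-Key frame layout is deliberately simplified (descriptor type, key-info, nonce, MIC, key data), the PMK, MAC addresses and nonces are constructed values, and the key-info constants are the usual WPA2 values for messages 2 and 3. The point it demonstrates is exactly the one in the answer: the AP verifies message 2 with the ANonce it sent, so a substituted ANonce fails at the AP, and the client verifies message 3 with its own PTK, so an AP that does not know the PMK cannot produce a message 3 the client accepts.

```python
import hashlib
import hmac

# Constructed example inputs (not from the page): a PMK derived from a made-up
# passphrase/SSID, and made-up MAC addresses for the AP (AA) and station (SPA).
PMK = hashlib.pbkdf2_hmac("sha1", b"example-passphrase", b"ExampleSSID", 4096, 32)
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")


def prf(key: bytes, label: bytes, data: bytes, length_bits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1 blocks over label|0x00|data|counter."""
    out = b""
    for i in range((length_bits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: length_bits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(AA,SPA) | min/max(ANonce,SNonce)).
    Returns (KCK, KEK, TK); only the KCK is needed to compute the handshake MICs."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return ptk[:16], ptk[16:32], ptk[32:48]


# Simplified EAPOL-Key body used in this example (not the full 802.11 frame):
# descriptor type (1) | key info (2) | nonce (32) | MIC (16) | key data (rest).
MIC_OFFSET = 1 + 2 + 32


def build_frame(key_info: int, nonce: bytes, key_data: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    return b"\x02" + key_info.to_bytes(2, "big") + nonce + mic + key_data


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 key MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_frame(kck: bytes, key_info: int, nonce: bytes, key_data: bytes) -> bytes:
    unsigned = build_frame(key_info, nonce, key_data)
    return build_frame(key_info, nonce, key_data, compute_mic(kck, unsigned))


def verify_mic(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + 16], compute_mic(kck, frame))


def simulate(anonce_sent_by_ap: bytes, anonce_seen_by_client: bytes, snonce: bytes,
             ap_pmk: bytes = PMK, sta_pmk: bytes = PMK):
    """Run messages 1-3 and return (ap_accepts_msg2, client_accepts_msg3).

    anonce_seen_by_client differs from anonce_sent_by_ap when a third party replaced
    message 1 (which carries no MIC). ap_pmk differs from sta_pmk when the AP does not
    actually know the PSK/PMK.
    """
    # Message 2 (STA -> AP): the client derives its PTK from the ANonce it actually received
    # and protects the frame with the KCK part of that PTK.
    kck_sta, _, _ = derive_ptk(sta_pmk, AP_MAC, STA_MAC, anonce_seen_by_client, snonce)
    msg2 = sign_frame(kck_sta, 0x010A, snonce, b"<RSN IE>")

    # The AP derives its own PTK from the ANonce *it* sent plus the SNonce read from message 2,
    # then checks the MIC. A different ANonce or a different PMK gives a different KCK.
    snonce_rx = msg2[3:35]
    kck_ap, _, _ = derive_ptk(ap_pmk, AP_MAC, STA_MAC, anonce_sent_by_ap, snonce_rx)
    ap_accepts_msg2 = verify_mic(kck_ap, msg2)

    # Message 3 (AP -> STA): a genuine AP sends this only after message 2 verified; an AP
    # without the PMK would send it anyway, so it is built unconditionally here to show
    # that the client's MIC check is what proves the AP knows the PMK.
    msg3 = sign_frame(kck_ap, 0x13CA, anonce_sent_by_ap, b"<GTK wrapped with KEK>")
    client_accepts_msg3 = verify_mic(kck_sta, msg3)
    return ap_accepts_msg2, client_accepts_msg3


if __name__ == "__main__":
    anonce = bytes(range(32))          # constructed nonces, fixed for reproducibility
    snonce = bytes(range(32, 64))
    print("honest AP, untouched ANonce :", simulate(anonce, anonce, snonce))
    print("ANonce replaced in transit   :", simulate(anonce, bytes(32), snonce))
    print("AP that lacks the PMK        :", simulate(anonce, anonce, snonce, ap_pmk=bytes(32)))
```

The three runs at the bottom map onto the answer: with the AP's own ANonce and a shared PMK both MICs verify; with a replaced ANonce the AP rejects message 2 (and the client would likewise reject a message 3 built from the AP's view of the nonces); with a PMK the AP does not know, message 3 fails the client's check, which is where the handshake proves the access point's authenticity to the client.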