wpa_supplicant: isn't "802.1x Start" required for WPA?

Arjan van Bentem hostap at avbentem.dds.nl
Tue Apr 19 14:07:50 EDT 2005


Hi everybody,

Trying to figure out why my Linksys card works on Windows, but not on 
Linux, I used Ethereal to see what's actually sent. I noticed some 
differences. Any comment?

As a response to the initial key as sent by the access point, the 
Windows XP driver first seems to send a "Start", shown by Ethereal like:

802.1x Authentication
    Version: 1
    Type: Start (1)
    Length: 0

Does anyone know if this "Start" might be required for some access 
points (in my case: a Speedtouch 580 access point)? wpa_supplicant / 
ndiswrapper do not send such a "Start" but send the EAPOL WPA key right 
away.

The first EAPOL WPA key message as sent by wpa_supplicant is almost the 
same as the Windows message. However: the value for "Key Length" is zero 
on Windows, but not in wpa_supplicant. And the Windows driver sends a 
value for "WPA Key" that is 2 bytes longer and ends in two zero bytes:

802.1x Authentication
    Version: 1
    Type: Key (3)
    Length: 121
    Descriptor Type: EAPOL WPA key (254)
    Key Information: 0x0109
        .... .... .... .001 = Key Descriptor Version: HMAC-MD5 for MIC and RC4 for encryption (1)
        .... .... .... 1... = Key Type: Pairwise key
        .... .... ..00 .... = Key Index: 0
        .... .... .0.. .... = Install flag: Not set
        .... .... 0... .... = Key Ack flag: Not set
        .... ...1 .... .... = Key MIC flag: Set
        .... ..0. .... .... = Secure flag: Not set
        .... .0.. .... .... = Error flag: Not set
        .... 0... .... .... = Request flag: Not set
        ...0 .... .... .... = Encrypted Key Data flag: Not set
    Key Length: 0
    Replay Counter: 0
    Nonce: 8C855DF530FA17592DF24429E81E85D4F3A95E5C1DE8F003...
    Key IV: 00000000000000000000000000000000
    WPA Key RSC: 0000000000000000
    WPA Key ID: 0000000000000000
    WPA Key MIC: AA71A7850C2CCBB92084A447026FD4BB
    WPA Key Length: 26
    WPA Key: DD180050F20101000050F20201000050F20201000050F202...
        Tag Number: 221 (Vendor Specific)
        Tag length: 24
        Tag interpretation: WPA IE, type 1, version 1
        Tag interpretation: Multicast cipher suite: TKIP
        Tag interpretation: # of unicast cipher suites: 1
        Tag interpretation: Unicast cipher suite 1: TKIP
        Tag interpretation: # of auth key management suites: 1
        Tag interpretation: auth key management suite 1: PSK
        Tag interpretation: Not interpreted

Hardcoding the "Key Length" to read zero, and expanding the value for WPA 
Key to hold the optional extra zeroes [being WPA Capabilities (2 octets, 
little endian) (default: 0)] does not make any difference though. 
Nevertheless:

Any comment on the value for "Key Length"?

As a result: somehow on Windows the next message received from the 
access point shows:

802.1x Authentication
    Version: 1
    Type: Key (3)
    Length: 119
    Descriptor Type: EAPOL WPA key (254)
    Key Information: 0x01c9
        .... .... .... .001 = Key Descriptor Version: HMAC-MD5 for MIC and RC4 for encryption (1)
        .... .... .... 1... = Key Type: Pairwise key
        .... .... ..00 .... = Key Index: 0
        .... .... .1.. .... = Install flag: Set
        .... .... 1... .... = Key Ack flag: Set
        .... ...1 .... .... = Key MIC flag: Set
        .... ..0. .... .... = Secure flag: Not set
        .... .0.. .... .... = Error flag: Not set
        .... 0... .... .... = Request flag: Not set
        ...0 .... .... .... = Encrypted Key Data flag: Not set
    Key Length: 32
    Replay Counter: 1
    Nonce: 2712B538FA14AEEFBEADCF3CB4B9F4D105FC350EB3C81068...
    Key IV: 00000000000000000000000000000000
    WPA Key RSC: 0000000000000000
    WPA Key ID: 0000000000000000
    WPA Key MIC: 878BCC70146B6BAC14C9F28E60E8E820
    WPA Key Length: 24
    WPA Key: DD160050F20101000050F20201000050F20201000050F202

whereas the response when using wpa_supplicant does not have the 
"Install flag" and "Key Ack flag" set:

    Key Information: 0x0109
        .... .... .... .001 = Key Descriptor Version: HMAC-MD5 for MIC and RC4 for encryption (1)
        .... .... .... 1... = Key Type: Pairwise key
        .... .... ..00 .... = Key Index: 0
        .... .... .0.. .... = Install flag: Not set
        .... .... 0... .... = Key Ack flag: Not set
        .... ...1 .... .... = Key MIC flag: Set
        .... ..0. .... .... = Secure flag: Not set
        .... .0.. .... .... = Error flag: Not set
        .... 0... .... .... = Request flag: Not set
        ...0 .... .... .... = Encrypted Key Data flag: Not set
    Key Length: 0
    Replay Counter: 0
    Nonce: 36FE26FC69C23963127480E33556313C81D9115C006D2CF4...
    Key IV: 00000000000000000000000000000000
    WPA Key RSC: 0000000000000000
    WPA Key ID: 0000000000000000
    WPA Key MIC: A9B000409FFF1E3EF5C138A7009053FF
    WPA Key Length: 24
    WPA Key: DD160050F20101000050F20201000050F20201000050F202

Thanks for your time,
Arjan.
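
Added example, not part of the original post and not wpa_supplicant code: a small decoder for the EAPOL-Key "Key Information" field that maps the flag bits shown in the Ethereal dissections to a 4-way handshake message number. The function and macro names are hypothetical, and telling message 2 from message 4 by a non-zero key data length is an assumption of this sketch.

```c
/* Added example: decode the EAPOL-Key "Key Information" field (WPA descriptor 254). */
#include <stdint.h>
#include <stdio.h>

/* Bit layout as shown in the Ethereal dissections in the post. */
#define KI_VERSION_MASK 0x0007u
#define KI_PAIRWISE     0x0008u
#define KI_INSTALL      0x0040u
#define KI_ACK          0x0080u
#define KI_MIC          0x0100u
#define KI_ERROR        0x0400u
#define KI_REQUEST      0x0800u

/* Returns 1..4 for a pairwise 4-way handshake message, 0 if the flag
 * combination is not one of them (group key, request, error, ...). */
int handshake_msg(uint16_t key_info, uint16_t key_data_len)
{
    if (!(key_info & KI_PAIRWISE) || (key_info & (KI_REQUEST | KI_ERROR)))
        return 0;
    int ack = !!(key_info & KI_ACK), mic = !!(key_info & KI_MIC);
    int install = !!(key_info & KI_INSTALL);
    if (ack && !mic && !install) return 1;   /* AP -> STA: carries ANonce */
    if (ack && mic && install)   return 3;   /* AP -> STA: install pairwise key */
    if (!ack && mic && !install)             /* STA -> AP */
        return key_data_len ? 2 : 4;         /* assumption: msg 2 carries the WPA IE */
    return 0;
}

/* Low three bits: 1 = HMAC-MD5 for MIC and RC4 for encryption. */
int key_descriptor_version(uint16_t key_info)
{
    return key_info & KI_VERSION_MASK;
}

int main(void)
{
    /* (Key Information, WPA Key Length) pairs taken from the three captures. */
    const uint16_t frames[][2] = { {0x0109, 26}, {0x01c9, 24}, {0x0109, 24} };
    for (size_t i = 0; i < 3; i++)
        printf("0x%04x len=%u -> version %d, message %d/4\n",
               (unsigned)frames[i][0], (unsigned)frames[i][1],
               key_descriptor_version(frames[i][0]),
               handshake_msg(frames[i][0], frames[i][1]));
    return 0;
}
```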




