failure after 4 way handshake

matthieu castet castet.matthieu at free.fr
Sun Oct 16 16:17:04 EDT 2005


Hi,


I believe the problem with the AP not replying after the '4 way handshake'
should be a security feature, because there is the same problem with the
Windows driver and it disappears after a timeout.

Jouni Malinen wrote:
>>So there is no traffic from the master after the '4 way handshake'. And 
>>after a 10 seconds timeout the client card starts probing.
> 
> 
>>>Have you tried swapping Michael MIC TX/RX keys? That is one of the most
>>>common problems with TKIP key configuration. This can be done by
>>>swapping bytes 16..23 and 24..31 in the TKIP key.
>>
>>Yes I need to swap the key.
> 
> 
> What happens if you do not swap the key?
> 
It still doesn't work.

I have done more testing for the key and:
if I don't set the first 16 bits correctly, the packet is dropped.
Whatever I set for the RX key, the packet is decrypted but seems to
contain some garbage at the end (but wpa_supplicant is still able to see
it as IEEE 802.1X data) [1].

If I don't set the TX key, the TX packets are sent in the clear.

So yes, it should definitely be a key problem, but it will need more
investigation...


> 
>>But as the master doesn't seem to reply, the key isn't used...
> 
> 
>>I believe I first need to understand why I receive an encrypted packet 
>>after the '4 way handshake'
> 
> 
> I'm missing something here. Above you say that there is no traffic from
> the AP after 4-Way Handshake and the "don't seem to reply" part sounds
> similar. However, now this is talking about an encrypted packet.. 
Sorry, I wasn't clear enough:
sometimes there is no traffic from the AP after the 4-Way Handshake and sometimes
there is a reply. As I said in the beginning, it should be a security
feature from the AP ???

> That
> is a frame I would like to see in the wireless sniffer log that is
> captured from another host observing this handshake.
> 
I attached the sniffer log in a private mail.


Matthieu CASTET

[1]
WPA: RX EAPOL-Key - hexdump(len=139):
02 03 00 7f fe 03 91 00 20 00 00 00 00 00 00 00
07 47 09 4b b3 da f9 41 dc 3e 22 45 a9 5a 7a 93
d1 f8 9a 3f 34 ee 02 26 17 e9 26 e5 e6 9e fc cb
d8 f8 9a 3f 34 ee 02 26 17 e9 26 e5 e6 9e fc cb
dd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 33 de e1 6e 71 6a 66 98 d9 d2 0f 42 41 97 30
b9 00 20 84 08 42 02 73 64 7d ea 96 8b 99 09 25
c5 6d ca b2 c9 f6 6b 39 dd 12 c1 5e a7 1b 92 25
ff 37 82 88 60 73 8e d7 05 ac 23
Oct 16 19:26:53.618209: WPA: ignoring 8 bytes after the IEEE 802.1X data
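To make the frame in [1] and the key swap Jouni suggests concrete, here is an added example (not part of the mail or of wpa_supplicant) that parses the quoted EAPOL-Key frame according to the WPA/RSN key descriptor layout, counts the bytes left past the 802.1X length field, and performs the Michael MIC TX/RX swap on a 32-byte TKIP key. The frame bytes are taken from the dump above with the e-mail wrapping undone; the field names are the example's own.

```python
import struct

# Constructed from the wpa_supplicant hexdump quoted in the mail ([1]): the
# e-mail line wrapping has been undone, the 139 byte values are unchanged.
EAPOL_KEY_FRAME = bytes.fromhex(
    "0203007ffe03910020" "00000000000000" "07"  # 802.1X hdr, desc, key info/len, replay
    "47094bb3daf941dc3e2245a95a7a93d1" "f89a3f34ee022617e926e5e69efccbd8"  # nonce
    "f89a3f34ee022617e926e5e69efccbdd"          # key IV
    "0000000000000000" "0000000000000000"       # key RSC, key ID
    "33dee16e716a6698d9d20f42419730b9"          # key MIC
    "0020"                                      # key data length = 32
    "8408420273647dea968b990925c56dca" "b2c9f66b39dd12c15ea71b9225ff3782"  # key data
    "8860738ed705ac23")                         # bytes past the 802.1X length

KEY_INFO_FLAGS = {0x0008: "pairwise", 0x0040: "install", 0x0080: "ack",
                  0x0100: "mic", 0x0200: "secure", 0x0400: "error",
                  0x0800: "request", 0x1000: "encrypted-key-data"}


def parse_eapol_key(frame: bytes) -> dict:
    """Parse an EAPOL-Key frame (WPA/RSN layout); trailing_bytes is what lies past the 802.1X length."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != 3:
        raise ValueError("not an EAPOL-Key frame (packet type %d)" % ptype)
    body = frame[4:4 + length]
    if len(body) < 95:
        raise ValueError("EAPOL-Key body truncated (%d bytes)" % len(body))
    # desc(1) info(2) keylen(2) replay(8) nonce(32) iv(16) rsc(8) id(8) mic(16) datalen(2)
    desc, info, key_len, replay, nonce, _iv, _rsc, _id, _mic, data_len = struct.unpack(
        "!BHHQ32s16s8s8s16sH", body[:95])
    key_data = body[95:95 + data_len]
    if len(key_data) != data_len:
        raise ValueError("key data truncated")
    return {
        "descriptor": {0xFE: "WPA", 0x02: "RSN"}.get(desc, hex(desc)),
        "key_descriptor_version": info & 0x7,   # 1 = HMAC-MD5 MIC, RC4 key data (TKIP)
        "key_index": (info >> 4) & 0x3,
        "flags": sorted(n for bit, n in KEY_INFO_FLAGS.items() if info & bit),
        "key_length": key_len,
        "replay_counter": replay,
        "nonce": nonce.hex(),
        "key_data": key_data.hex(),
        "trailing_bytes": len(frame) - 4 - length,
    }


def swap_tkip_mic_keys(tk: bytes) -> bytes:
    """Swap the Michael MIC TX (bytes 16..23) and RX (bytes 24..31) halves of a 32-byte TKIP key."""
    if len(tk) != 32:
        raise ValueError("TKIP key must be 32 bytes")
    return tk[:16] + tk[24:32] + tk[16:24]
```

On the quoted frame this reports a WPA group-key message (pairwise bit clear, key index 1, ack/mic/secure set, key length 32) with 8 trailing bytes, matching the "ignoring 8 bytes" log line; 8 bytes is also the length of a TKIP Michael MIC, one thing to check when a driver is suspected of not stripping it from decrypted frames.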