<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2604" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Howdy,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I'm working on my own TKIP WPA-PSK client.
I'm having trouble with message 2 of the four way handshake.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Specifically, using Ethereal I can verify that I
correctly send EAPOL start, and that I correctly parse Message 1 from the access
point to the supplicant.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I compose Message 2 according to the spec. My
routines for calculating the password hash, pairwise temporal key, and HMAC-MD5
hash produce the correct answers when using the spec test vectors.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>When I send Message 2 it is ignored by the AP, and
Ethereal complains that it is a malformed packet.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Here is my Message 2 as captured:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>=================================</FONT></DIV>
<DIV><FONT face=Arial size=2>No. Time Source Destination Protocol Info<BR>
14 38.256563 172.16.1.6 D-Link_bc:28:e9 EAPOL Key[Malformed Packet]</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Frame 14 (121 bytes on wire, 121 bytes captured)<BR>
 Arrival Time: Mar 29, 2005 16:22:20.661177000<BR>
 Time delta from previous packet: 1.250820000 seconds<BR>
 Time since reference or first frame: 38.256563000 seconds<BR>
 Frame Number: 14<BR>
 Packet Length: 121 bytes<BR>
 Capture Length: 121 bytes<BR>
Ethernet II, Src: 00:02:8a:c8:33:2a, Dst: 00:0d:88:bc:28:e9<BR>
 Destination: 00:0d:88:bc:28:e9 (D-Link_bc:28:e9)<BR>
 Source: 00:02:8a:c8:33:2a (172.16.1.6)<BR>
 Type: 802.1X Authentication (0x888e)<BR>
802.1x Authentication<BR>
 Version: 1<BR>
 Type: Key (3)<BR>
 Length: 121<BR>
 Descriptor Type: EAPOL WPA key (254)<BR>
 Key Information: 0x0109<BR>
 .... .... .... .001 = Key Descriptor Version: HMAC-MD5 for MIC and RC4 for encryption (1)<BR>
 .... .... .... 1... = Key Type: Pairwise key<BR>
 .... .... ..00 .... = Key Index: 0<BR>
 .... .... .0.. .... = Install flag: Not set<BR>
 .... .... 0... .... = Key Ack flag: Not set<BR>
 .... ...1 .... .... = Key MIC flag: Set<BR>
 .... ..0. .... .... = Secure flag: Not set<BR>
 .... .0.. .... .... = Error flag: Not set<BR>
 .... 0... .... .... = Request flag: Not set<BR>
 ...0 .... .... .... = Encrypted Key Data flag: Not set<BR>
 Key Length: 32<BR>
 Replay Counter: 3<BR>
 Nonce: FCFB4B2ADC5C314394AB890413628B3D1F571880369EE664...<BR>
 Key IV: 00000000000000000000000000000000<BR>
 WPA Key RSC: 0000000000000000<BR>
 WPA Key ID: 0000000000000000<BR>
 WPA Key MIC: 5BC9C16E109AB8C9347A2156283A4396<BR>
 WPA Key Length: 26<BR>
[Malformed Packet: EAPOL]</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>0000  00 0d 88 bc 28 e9 00 02 8a c8 33 2a 88 8e 01 03  ....(.....3*....<BR>
0010  00 79 fe 01 09 00 20 00 00 00 00 00 00 00 03 fc  .y.... .........<BR>
0020  fb 4b 2a dc 5c 31 43 94 ab 89 04 13 62 8b 3d 1f  .K*.\1C.....b.=.<BR>
0030  57 18 80 36 9e e6 64 16 38 38 97 84 fa fa 8e 00  W..6..d.88......<BR>
0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................<BR>
0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5b  ...............[<BR>
0060  c9 c1 6e 10 9a b8 c9 34 7a 21 56 28 3a 43 96 00  ..n....4z!V(:C..<BR>
0070  1a dd 18 00 50 f2 01 01 00                       ....P....<BR>
======================================</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I am not sure what the problem is, but I have two
suspicions:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>1) I may not be correctly calculating the
MIC. Specifically, am I correct in saying that:</FONT></DIV>
<DIV><FONT face=Arial size=2> a) the MIC is calculated using
HMAC-MD5,</FONT></DIV>
<DIV><FONT face=Arial size=2> and</FONT> </DIV>
<DIV><FONT face=Arial size=2> b) </FONT><FONT face=Arial size=2>the
input to the HMAC-MD5 hash function should be the frame as shown above,
beginning just past the destination and source addresses, that is, starting with the
Ethernet version packet: 01, 03, 00, 79..... and continuing through
the end of the Information Element at the end of the packet? </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>As you see, Ethereal is truncating the IE for some
reason.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>2) I am returning the Information Element
exactly as I receive it from the access point. Is that correct, or should
I do some kind of processing on it?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Thanks,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Jim Howard</FONT></DIV></BODY></HTML>
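<DIV><FONT face=Arial size=2>Two things raised in the post can be checked mechanically against the dump: whether the two length fields (802.1X Length and WPA Key Data Length) agree with the bytes actually on the wire, which is what Ethereal's "malformed" verdict means, and which bytes the Key Descriptor Version 1 MIC covers (the EAPOL frame from the version byte onward with the MIC field zeroed, keyed with the KCK, the first 16 bytes of the PTK). The example below is added here and is not Jim's code; the frame bytes are copied from the hex dump above, and the KCK is a placeholder since the real PTK is not in the post.</FONT></DIV>

```python
import hashlib
import hmac
import struct

# Message 2 as captured in the hex dump above: 121 bytes on the wire, Ethernet header included.
CAPTURED_FRAME = bytes.fromhex(
    "000d88bc28e900028ac8332a888e0103"    # 0000  Ethernet hdr; 802.1X version 1, type 3 (Key)
    + "0079fe010900200000000000000003fc"  # 0010  802.1X len 0x79; desc 0xfe; key info 0x0109; key len 32; replay 3; nonce[0]
    + "fb4b2adc5c314394ab890413628b3d1f"  # 0020  nonce
    + "571880369ee6641638389784fafa8e00"  # 0030  nonce ends at 8e; Key IV starts
    + "00" * 16                           # 0040  Key IV / RSC
    + "00" * 15 + "5b"                    # 0050  RSC / Key ID; MIC[0]
    + "c9c16e109ab8c9347a2156283a439600"  # 0060  MIC[1:16]; Key Data Length high byte
    + "1add180050f2010100"                # 0070  Key Data Length low byte (0x001a = 26); 8 bytes of WPA IE
)

ETH_HDR = 14     # dst, src, ethertype 0x888e
EAPOL_HDR = 4    # 802.1X version, type, body length
MIC_OFF = 77     # Key MIC offset within the EAPOL-Key body: 1+2+2+8+32+16+8+8
KEY_FIXED = 95   # fixed EAPOL-Key fields through Key Data Length; key data follows

def check_lengths(frame):
    """Compare the two length fields of an EAPOL-Key frame with the bytes actually present."""
    eapol = frame[ETH_HDR:]
    body_len = struct.unpack_from("!BBH", eapol, 0)[2]
    body = eapol[EAPOL_HDR:]
    key_info, replay = struct.unpack_from("!H", body, 1)[0], struct.unpack_from("!Q", body, 5)[0]
    data_len = struct.unpack_from("!H", body, KEY_FIXED - 2)[0]
    return {
        "key_info": key_info, "replay_counter": replay,
        "eapol_len_claimed": body_len, "eapol_len_present": len(body),
        "key_data_len_claimed": data_len, "key_data_len_present": len(body) - KEY_FIXED,
        "well_formed": body_len == len(body) and data_len == len(body) - KEY_FIXED,
    }

def mic_input(eapol):
    """What the MIC covers: the EAPOL frame from the 802.1X version byte onward (no Ethernet
    header), with the 16-byte Key MIC field set to zero."""
    start = EAPOL_HDR + MIC_OFF
    return eapol[:start] + bytes(16) + eapol[start + 16:]

def eapol_key_mic(kck, eapol):
    """Key Descriptor Version 1 (as in the capture): MIC = HMAC-MD5(KCK, mic_input), 16 bytes.
    KCK is the first 16 bytes of the PTK; a placeholder KCK is used in the test since the real one is unknown."""
    return hmac.new(kck, mic_input(eapol), hashlib.md5).digest()

def verify_mic(kck, eapol):
    start = EAPOL_HDR + MIC_OFF
    return hmac.compare_digest(eapol[start:start + 16], eapol_key_mic(kck, eapol))
```

<DIV><FONT face=Arial size=2>On the captured frame, check_lengths reports 121 bytes claimed versus 103 present for the 802.1X length and 26 versus 8 for the Key Data Length; both fall short by exactly the 18 bytes of the Ethernet plus 802.1X headers, so the IE is missing on the wire rather than being truncated by Ethereal.</FONT></DIV>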