Got it
Huawei Enterprise Support Community
Community Forums WLAN
4-WAY HANDSHAKE PRINCIPLE...

4-WAY HANDSHAKE PRINCIPLE IN TKIP

Created: May 22, 2020 22:01:41Latest reply: May 24, 2020 14:40:37 1055 6 0 0 0
  Rewarded HiCoins: 0 (problem resolved)
View the author 1#

Hello everyone, I'm struggling to understand the 4-way handshake principle in TKIP key management process.

I will be very grateful to get help on it.

Like (0) Dislike (0) Favorite(0) Share Report
Previous: I can't enable wds in my router
Next: Huawei AP6310SN Introduction
Featured Answers

Best answer

Recommended answer

(2) (0)
wissal
MVE Created May 22, 2020 22:19:53

Hello,

WPA/WPA2


WEP shared key authentication uses the RC4 symmetric stream cipher to encrypt data. This authentication method requires the same static key pre-configured on the server and client. Both the encryption mechanism and encryption algorithm can bring security risks to the network.

The Wi-Fi Alliance developed Wi-Fi Protected Access (WPA) to overcome the shortcomings of WEP before more secure policies were provided in 802.11i. WPA still uses the RC4 algorithm, but it uses an 802.1X authentication framework and supports Extensible Authentication Protocol-Protected Extensible Authentication Protocol (EAP-PEAP) and EAP-Transport Layer Security (EAP-TLS) authentication, and defines the Temporal Key Integrity Protocol (TKIP) encryption algorithm.

Later, 802.11i defined WPA2. WPA2 uses Counter Mode with CBC-MAC Protocol (CCMP), a more secure encryption algorithm than those used in WPA.

Both WPA and WPA2 support 802.1X authentication and the TKIP/CCMP encryption algorithms, ensuring better compatibility. The two protocols provide almost the same security level and their difference lies in the protocol packet format.

The WPA/WPA2 security policy involves four steps:

  1. Link authentication

  2. Access authentication

  3. Key negotiation

  4. Data encryption

Link Authentication

Link authentication can be completed in open system authentication or shared key authentication mode. WPA and WPA2 support only open system authentication. For details, see "Link Authentication" in STA Access.

Access Authentication

WPA and WPA2 have an enterprise edition and a personal edition.

  • The WPA/WPA2 enterprise edition (WPA/WPA2-802.1X authentication) uses a RADIUS server and the EAP protocol for authentication. Users provide authentication information, including the user name and password, and are authenticated by an authentication server (generally a RADIUS server).

    Large-scale enterprise networks usually use the WPA/WPA2 enterprise edition.

    imgDownload?uuid=dbaaff730642458bb88f3e5b1f84a35a.gif NOTE:

    For details about 802.1X authentication, see Principles of 802.1X Authentication in the Configuration Guide - User Access and Authentication Configuration Guide.

    WPA/WPA2 implements 802.1X authentication using EAP-TLS and EAP-PEAP. Figure 11-1 and Figure 11-2 show the EAP-TLS 802.1X authentication and EAP-PEAP 802.1X authentication processes.

    Figure 11-1  EAP-TLS 802.1X authentication
    imgDownload?uuid=23964f7a9ed44683a096f3b53a14f807.png
    Figure 11-2  EAP-PEAP 802.1X authentication
    imgDownload?uuid=b2301caee6454580b393597d95cc6fcf.png

  • WPA/WPA2 personal edition:

    A dedicated authentication server is expensive and difficult to maintain for small- and medium-scale enterprises and individual users. The WPA/WPA2 personal edition provides a simplified authentication mode: pre-shared key authentication (WPA/WPA2-PSK). This mode does not require a dedicated authentication server. Users only need to set a pre-shared key (PSK) on each WLAN node (including WLAN server, wireless router, and wireless network adapter).

    A WLAN client can access the WLAN if its pre-shared key is the same as that configured on the WLAN server. The PSK is not used for encryption; therefore, it does not pose security risks like the 802.11 shared key authentication.

802.1X authentication can be used to authenticate wireless and wired users, whereas PSK authentication is specific to wireless users.

PSK authentication requires that a STA and an AC be configured with the same PSK. The STA and AC authenticate each other through key negotiation. During key negotiation, the STA and AC use their PSKs to decrypt the message sent from each other. If the messages are successfully decrypted, the STA and AC have the same PSK. If they use the same PSK, PSK authentication is successful; otherwise, PSK authentication fails.

Key Negotiation

802.11i defines two key hierarchies: pairwise key hierarchy and group key hierarchy. The pairwise key hierarchy protects unicast data exchanged between STAs and APs. The group key hierarchy protects broadcast or multicast data exchanged between STAs and APs.

During key negotiation, a STA and an AC use the pairwise master key (PMK) to generate a pairwise transient key (PTK) and a group temporal key (GTK). The PTK is used to encrypt unicast packets, and the GTK is used to encrypt multicast and broadcast packets.

  • In 802.1X authentication, a PMK is generated in the process shown in Figure 11-1.

  • In PSK authentication, the method to generate a PMK varies according to the form of the PSK, which is configured using a command:

    • If the PSK is a hexadecimal numeral string, it is used as the PMK.

    • If the PSK is a character string, the PMK is calculated using a hash algorithm based on the PSK and service set identifier (SSID).

Key negotiation consists of unicast key negotiation and multicast key negotiation.

  • Unicast key negotiation

    Key negotiation is completed through a four-way handshake between a STA and an AC, during which the STA and AC send EAPOL-Key frames to exchange information, as shown in Figure 11-3.Figure 11-3  Unicast key negotiation
    imgDownload?uuid=5c5a14cac6b5427880dedb471d24baf1.png

    The unicast key negotiation process consists of the following steps:

  1. The AC sends an EAPOL-Key frame with a random value (ANonce) to the STA.

  2. The STA calculates the PTK using its own MAC addresses and the MAC address of the AC, the PMK, ANonce, and SNonce, and sends an EAPOL-Key frame to the AC. The EAPOL-Key frame carries the SNonce, robust security network (RSN) information element, and message integrity code (MIC) of the EAPOL-Key frame. The AC calculates the PTK using the MAC addresses of its own and the STA, PMK, ANonce, and SNonce, and validates the MIC to determine whether STA's PMK is the same as its own PMK.

  3. The AC sends an EAPOL-Key frame to the STA to request the STA to install the PTK. The EAPOL-Key frame carries the ANonce, RSN information element, MIC, and encrypted GTK.

  4. The STA sends an EAPOL-Key frame to the AC to notify the AC that the PTK has been installed and will be used. The AC installs the PTK after receiving the EAPOL-Key frame.

Multicast key negotiation

Multicast key negotiation is completed through a two-way handshake. The two-way handshake begins after the STA and AC generate and install a PTK through a four-way handshake. Figure 11-4 shows the two-way handshake process.Figure 11-4  Multicast key negotiation
imgDownload?uuid=39434ce25a7b426db42355659af11c99.png

The multicast key negotiation process consists of the following steps:

  1. The AC calculates the GTK, uses the unicast key to encrypt the GTK, and sends an EAPOL-Key frame to the STA.

  2. After the STA receives the EAPOL-Key frame, it validates the MIC, decrypts the GTK, installs the GTK, and sends an EAPOL-Key ACK frame to the AC. After the AC receives the EAPOL-Key ACK frame, it validates the MIC and installs the GTK.

Data Encryption

WPA and WPA2 support the TKIP and CCMP encryption algorithms.

  • TKIP

    Unlike WEP, which uses a static shared key, TKIP uses a dynamic key negotiation and management mechanism. Each user obtains an independent key through dynamic negotiation. User keys are calculated using the PTK generated in key negotiation, the MAC address of the sender, and the packet sequence number.

    TKIP uses MICs to ensure the integrity of frames received on the receiver and validity of data sent by the sender and receiver. This mechanism protects information integrity. A MIC is calculated using the MIC key generated during key negotiation, the destination MAC address, source MAC address, and data frame.

  • CCMP

    While WEP and TKIP use a stream cipher algorithm, CCMP uses an Advanced Encryption Standard (AES) block cipher. The block cipher algorithm overcomes defects of the RC4 algorithm and provides a higher level of security.


Thanks

View more
  • x
  • convention:

csk99
csk99 Created May 23, 2020 10:38:21 (0) (0)
helpful thanks  
All Answers
(2) (0)
2#
wissal
wissal MVE Created May 22, 2020 22:19:53

Hello,

WPA/WPA2


WEP shared key authentication uses the RC4 symmetric stream cipher to encrypt data. This authentication method requires the same static key pre-configured on the server and client. Both the encryption mechanism and encryption algorithm can bring security risks to the network.

The Wi-Fi Alliance developed Wi-Fi Protected Access (WPA) to overcome the shortcomings of WEP before more secure policies were provided in 802.11i. WPA still uses the RC4 algorithm, but it uses an 802.1X authentication framework and supports Extensible Authentication Protocol-Protected Extensible Authentication Protocol (EAP-PEAP) and EAP-Transport Layer Security (EAP-TLS) authentication, and defines the Temporal Key Integrity Protocol (TKIP) encryption algorithm.

Later, 802.11i defined WPA2. WPA2 uses Counter Mode with CBC-MAC Protocol (CCMP), a more secure encryption algorithm than those used in WPA.

Both WPA and WPA2 support 802.1X authentication and the TKIP/CCMP encryption algorithms, ensuring better compatibility. The two protocols provide almost the same security level and their difference lies in the protocol packet format.

The WPA/WPA2 security policy involves four steps:

  1. Link authentication

  2. Access authentication

  3. Key negotiation

  4. Data encryption

Link Authentication

Link authentication can be completed in open system authentication or shared key authentication mode. WPA and WPA2 support only open system authentication. For details, see "Link Authentication" in STA Access.

Access Authentication

WPA and WPA2 have an enterprise edition and a personal edition.

  • The WPA/WPA2 enterprise edition (WPA/WPA2-802.1X authentication) uses a RADIUS server and the EAP protocol for authentication. Users provide authentication information, including the user name and password, and are authenticated by an authentication server (generally a RADIUS server).

    Large-scale enterprise networks usually use the WPA/WPA2 enterprise edition.

    imgDownload?uuid=dbaaff730642458bb88f3e5b1f84a35a.gif NOTE:

    For details about 802.1X authentication, see Principles of 802.1X Authentication in the Configuration Guide - User Access and Authentication Configuration Guide.

    WPA/WPA2 implements 802.1X authentication using EAP-TLS and EAP-PEAP. Figure 11-1 and Figure 11-2 show the EAP-TLS 802.1X authentication and EAP-PEAP 802.1X authentication processes.

    Figure 11-1  EAP-TLS 802.1X authentication
    imgDownload?uuid=23964f7a9ed44683a096f3b53a14f807.png
    Figure 11-2  EAP-PEAP 802.1X authentication
    imgDownload?uuid=b2301caee6454580b393597d95cc6fcf.png

  • WPA/WPA2 personal edition:

    A dedicated authentication server is expensive and difficult to maintain for small- and medium-scale enterprises and individual users. The WPA/WPA2 personal edition provides a simplified authentication mode: pre-shared key authentication (WPA/WPA2-PSK). This mode does not require a dedicated authentication server. Users only need to set a pre-shared key (PSK) on each WLAN node (including WLAN server, wireless router, and wireless network adapter).

    A WLAN client can access the WLAN if its pre-shared key is the same as that configured on the WLAN server. The PSK is not used for encryption; therefore, it does not pose security risks like the 802.11 shared key authentication.

802.1X authentication can be used to authenticate wireless and wired users, whereas PSK authentication is specific to wireless users.

PSK authentication requires that a STA and an AC be configured with the same PSK. The STA and AC authenticate each other through key negotiation. During key negotiation, the STA and AC use their PSKs to decrypt the message sent from each other. If the messages are successfully decrypted, the STA and AC have the same PSK. If they use the same PSK, PSK authentication is successful; otherwise, PSK authentication fails.

Key Negotiation

802.11i defines two key hierarchies: pairwise key hierarchy and group key hierarchy. The pairwise key hierarchy protects unicast data exchanged between STAs and APs. The group key hierarchy protects broadcast or multicast data exchanged between STAs and APs.

During key negotiation, a STA and an AC use the pairwise master key (PMK) to generate a pairwise transient key (PTK) and a group temporal key (GTK). The PTK is used to encrypt unicast packets, and the GTK is used to encrypt multicast and broadcast packets.

  • In 802.1X authentication, a PMK is generated in the process shown in Figure 11-1.

  • In PSK authentication, the method to generate a PMK varies according to the form of the PSK, which is configured using a command:

    • If the PSK is a hexadecimal numeral string, it is used as the PMK.

    • If the PSK is a character string, the PMK is calculated using a hash algorithm based on the PSK and service set identifier (SSID).

Key negotiation consists of unicast key negotiation and multicast key negotiation.

  • Unicast key negotiation

    Key negotiation is completed through a four-way handshake between a STA and an AC, during which the STA and AC send EAPOL-Key frames to exchange information, as shown in Figure 11-3.Figure 11-3  Unicast key negotiation
    imgDownload?uuid=5c5a14cac6b5427880dedb471d24baf1.png

    The unicast key negotiation process consists of the following steps:

  1. The AC sends an EAPOL-Key frame with a random value (ANonce) to the STA.

  2. The STA calculates the PTK using its own MAC addresses and the MAC address of the AC, the PMK, ANonce, and SNonce, and sends an EAPOL-Key frame to the AC. The EAPOL-Key frame carries the SNonce, robust security network (RSN) information element, and message integrity code (MIC) of the EAPOL-Key frame. The AC calculates the PTK using the MAC addresses of its own and the STA, PMK, ANonce, and SNonce, and validates the MIC to determine whether STA's PMK is the same as its own PMK.

  3. The AC sends an EAPOL-Key frame to the STA to request the STA to install the PTK. The EAPOL-Key frame carries the ANonce, RSN information element, MIC, and encrypted GTK.

  4. The STA sends an EAPOL-Key frame to the AC to notify the AC that the PTK has been installed and will be used. The AC installs the PTK after receiving the EAPOL-Key frame.

Multicast key negotiation

Multicast key negotiation is completed through a two-way handshake. The two-way handshake begins after the STA and AC generate and install a PTK through a four-way handshake. Figure 11-4 shows the two-way handshake process.Figure 11-4  Multicast key negotiation
imgDownload?uuid=39434ce25a7b426db42355659af11c99.png

The multicast key negotiation process consists of the following steps:

  1. The AC calculates the GTK, uses the unicast key to encrypt the GTK, and sends an EAPOL-Key frame to the STA.

  2. After the STA receives the EAPOL-Key frame, it validates the MIC, decrypts the GTK, installs the GTK, and sends an EAPOL-Key ACK frame to the AC. After the AC receives the EAPOL-Key ACK frame, it validates the MIC and installs the GTK.

Data Encryption

WPA and WPA2 support the TKIP and CCMP encryption algorithms.

  • TKIP

    Unlike WEP, which uses a static shared key, TKIP uses a dynamic key negotiation and management mechanism. Each user obtains an independent key through dynamic negotiation. User keys are calculated using the PTK generated in key negotiation, the MAC address of the sender, and the packet sequence number.

    TKIP uses MICs to ensure the integrity of frames received on the receiver and validity of data sent by the sender and receiver. This mechanism protects information integrity. A MIC is calculated using the MIC key generated during key negotiation, the destination MAC address, source MAC address, and data frame.

  • CCMP

    While WEP and TKIP use a stream cipher algorithm, CCMP uses an Advanced Encryption Standard (AES) block cipher. The block cipher algorithm overcomes defects of the RC4 algorithm and provides a higher level of security.


Thanks

View more
  • x
  • convention:

csk99
csk99 Created May 23, 2020 10:38:21 (0) (0)
helpful thanks  
(0) (0)
3#
ernesto_cupet6
ernesto_cupet6 Created May 22, 2020 23:00:53

Hello


The two major protocols in key management defined in 802.11i are the 4-way handshake protocol and multicast key upgrade protocol. The 4-way handshake protocol is used for unicast key negotiation. An STA and an AP dynamically negotiates a pairwise master key (PMK). The STA and AP then conduct a 4-way handshake to negotiate a unicast key based on this PMK. Each STA uses a different PMK to communicate with the AP and the PMK is updated periodically, ensuring communication security.

The 4-way handshake protocol is the most important part in the key management system. It is conducted to ensure that the STA and AP obtain the same PMK and that the PMK is the latest, so that the latest pairwise transient key (PTK) can be generated. The PMK is negotiated between the STA and AP after the authentication is implemented. The PTK can be upgraded periodically through the 4-way handshake initiated by an AP. In the case that the PMK remains unchanged, an STA can send a 4-way handshake initialization request to generate a new PTK. The key negotiation messages exchanged between the STA and AP are encapsulated with EAPOL-Key. The process of 4-way handshake is shown in the slide.


TKIP


SOURCE: HCIA-WLAN V2.0 Training Materials.pdf

Search for HCIA-WLAN Learning Resources at Huawei Certification and Learning Platform

https://e.huawei.com/en/talent/#/cert/product-details?certifiedProductId=155&authenticationLevel=CTYPE_CARE_HCIA&technicalField=IIC&version=2.0  


Best Regards


View more
  • x
  • convention:

csk99
csk99 Created May 23, 2020 10:38:54 (0) (0)
Thanks  
(0) (0)
4#
Sapte
Sapte Created May 23, 2020 17:26:18

Hi,


4-WAY Handhsake is an action for taken into EAP connections.

Here in the below you can see details


eap


View more
  • x
  • convention:
(0) (0)
5#
scarletT
scarletT Created May 24, 2020 14:40:37

Posted by wissal at 2020-05-22 22:19 Hello,WPA/WPA2WEP shared key authentication uses the RC4 symmetric stream cipher to encrypt data. Th ...
think is great
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.