The process of WIFI authentication

1 Introduction

        Today's mobile phones generally use WPA2-PSK to connect to WIFI hotspots. This article discusses the authentication process of this method.

2. Authentication process

        We call the party that wants to connect a station, or STA for short. The party that provides the WIFI hotspot is the access point, or AP.

        Before connecting, the station needs to know the AP's name (SSID) and password (PSK).

definition:

        PMK = SHA1(ssid, psk); obviously both the STA and the AP know the PMK, since both know the SSID and the password.

definition:

        PTK = PRF(PMK + ANonce + SNonce + Mac(AA) + Mac(SA))

In the calculation formula of PTK:

        PRF is a well-known pseudo-random function; SNonce and ANonce are random numbers generated by the STA and the AP respectively.

        Before the authentication starts, the two parties already know each other's MAC addresses from the earlier exchange of frames, namely Mac(AA) (the AP's address) and Mac(SA) (the STA's address).

STEP 1:

        The AP first sends the first message to the STA. The message body is the ANonce, a random number generated by the AP.

STEP2:

        The STA receives the ANonce, generates its own SNonce, and already knows the PMK. At this point the STA has all five inputs (PMK + ANonce + SNonce + Mac(AA) + Mac(SA)) needed to calculate the PTK, and calculates it. It then uses the first 16 bits of the PTK to compute a keyed hash over the packet it is about to send (the one carrying the SNonce; in fact the calculation covers the whole 802.1X frame, but for ease of understanding we leave that aside for now), obtains the MIC, appends the MIC to the end of the packet and sends it to the AP. This is the second message.

STEP 3:

        The AP receives the message from the STA and extracts the SNonce from it. Now the AP also has all five inputs (PMK + ANonce + SNonce + Mac(AA) + Mac(SA)) and calculates the PTK. It uses the first 16 bits of the PTK to compute the keyed hash over the received data, obtaining its own MIC, and compares it with the MIC it received. If they are equal, the AP and the STA hold the same PTK; since the PMK is an input to the PTK calculation, they therefore hold the same PMK, and therefore the same password.

        The AP then sends the third message to the STA, containing the encrypted GTK (the group key used to encrypt broadcast and multicast data frames) and a MIC. This MIC is an HMAC digest computed with the PTK over the message carrying the GTK.

STEP 4:

        The STA receives the encrypted GTK and, since it already holds the PTK, decrypts the GTK with it. The AP and the STA then install the PTK and GTK, and the whole authentication and key exchange process ends here.

The above four steps can be expressed as the following picture (image not reproduced here).

 I also saw a picture that is easier to understand and posted it as an alternative (image not reproduced here).

3. Three questions

        Regarding the WIFI connection, I thought of the following questions, and I found the answers by studying the entire flow chart.

3.1 If a STA remembers the password of an AP hotspot, and someone sets up another hotspot with the same name and password, will the STA connect to it successfully?

Answer: Yes, because they have the same PMK. To prove this conclusion, I connected mobile phone A to hotspot B and saved the password, then created hotspot C with the same SSID (username) and password as B, reduced the signal strength of B, and found that mobile phone A automatically connected to hotspot C.

3.2 If we set up an AP hotspot with the same name as a real hotspot, can we easily recover the plaintext password of the real hotspot from the STA's connection request and the handshake messages?

Answer: No. The first password-dependent value such an AP sees is the MIC in the message it receives in STEP 2. The MIC is derived from the password, but the password passes through two hash computations on the way (first into the PMK, then into the PTK), so there is no way to recover it other than brute-force cracking.

3.3 If we create an AP hotspot with the same name as a real hotspot, the STA will actively try to connect to it. Can this AP pretend that the password is correct so that the connection succeeds?

Answer: No. In STEP 2 the AP receives the message sent by the STA. Although the AP can generate a GTK, it cannot calculate the PTK because it does not know the password (PSK/PMK), so it cannot compute the MIC required for the STEP 3 message. The STA therefore never receives a correct MIC in STEP 3, STEP 4 never happens, and the WIFI connection fails.
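The key derivation in STEP 2 and the MIC check in STEP 3, and the reason the answer to 3.3 is "no", as an added example that is not part of the original post. The page writes the PMK as SHA1(ssid, psk); the example uses the standard WPA2-PSK derivation, PBKDF2-HMAC-SHA1 with 4096 iterations, the 802.11i PRF-512 for the PTK, and HMAC-SHA1-128 keyed with the first 16 bytes (128 bits) of the PTK for the MIC. The SSID, MAC addresses, nonces and the stand-in EAPOL frame are constructed values, not from a real capture.

```python
import hashlib
import hmac

def derive_pmk(ssid: str, psk: str) -> bytes:
    """PMK for WPA2-PSK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk: bytes, aa: bytes, sa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512 over the five-tuple (PMK, ANonce, SNonce, Mac(AA), Mac(SA)).

    Addresses and nonces are sorted so the AP and the STA build identical input.
    """
    data = min(aa, sa) + max(aa, sa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20-byte HMAC-SHA1 blocks, truncated to 64 bytes
        msg = b"Pairwise key expansion" + b"\x00" + data + bytes([i])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:64]

def compute_mic(ptk: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor v2): MIC = HMAC-SHA1(KCK, frame)[:16], KCK = PTK[:16].

    The frame is the EAPOL-Key message with its own MIC field set to zeros.
    """
    return hmac.new(ptk[:16], eapol_frame, hashlib.sha1).digest()[:16]

# Constructed sample values (not from a real capture).
SSID = "example-net"
AA = bytes.fromhex("020000000a01")   # AP MAC address, Mac(AA)
SA = bytes.fromhex("020000000b02")   # STA MAC address, Mac(SA)
ANONCE = bytes(range(1, 33))         # 32-byte nonce from the AP (STEP 1)
SNONCE = bytes(range(101, 133))      # 32-byte nonce from the STA (STEP 2)
# Minimal stand-in for the STEP 2 EAPOL-Key frame: header, SNonce, zeroed MIC field.
EAPOL_MSG2 = b"\x02\x03\x00\x75" + b"\x02\x01\x0a\x00" + SNONCE + b"\x00" * 16

def step3_check(psk_sta: str, psk_ap: str) -> bool:
    """STA builds message 2 with its PSK; AP recomputes the MIC with its own PSK.

    Returns True only when both sides derived the same PTK, i.e. the same PMK/password.
    """
    ptk_sta = derive_ptk(derive_pmk(SSID, psk_sta), AA, SA, ANONCE, SNONCE)
    mic_from_sta = compute_mic(ptk_sta, EAPOL_MSG2)
    ptk_ap = derive_ptk(derive_pmk(SSID, psk_ap), AA, SA, ANONCE, SNONCE)
    return hmac.compare_digest(mic_from_sta, compute_mic(ptk_ap, EAPOL_MSG2))

if __name__ == "__main__":
    print("same PSK  ->", step3_check("correct horse", "correct horse"))  # True
    print("wrong PSK ->", step3_check("correct horse", "wrong guess"))    # False
```

An AP that does not know the PSK (question 3.3) is the second case: it cannot produce a PTK that matches the STA's MIC, so it can neither validate message 2 nor build a valid message 3.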

4. Finally

        For the corresponding WPA3 process, refer to:

Wifi authentication, association, four-way handshake (WPA/WPA2/WPA3-SAE)_wpa2 wpa3_Shaoge's Blog-CSDN Blog

        Of course, WIFI connections are not watertight. In recent years many papers have analyzed attacks on them; you can read the following paper, for example:

https://www.sciencedirect.com/science/article/pii/S0957417422015093

References:

WiFi four-way handshake analysis- Think && Act

The 4-way handshake process of wifi connection_wifi 4-way handshake_Siege & Mote Blog-CSDN Blog

Wifi authentication, association, four-way handshake (WPA/WPA2/WPA3-SAE)_wpa2 wpa3_Shaoge's Blog-CSDN Blog

WPA-PSK four-way handshake_wifi key mic calculation_Twenty years old and haven't been to Starbucks blog-CSDN Blog

Origin blog.csdn.net/qq_33163046/article/details/131732034