CourseWork2 CST3510 Three Way Handshake Notes

# Notes: Wi-Fi 3-Way Handshake

## 1. **Introduction to Wi-Fi 3-Way Handshake**

The Wi-Fi 3-Way Handshake is a key process in the WPA (Wi-Fi Protected Access) and
WPA2 protocols that ensures secure communication between a client device (e.g.,
laptop, smartphone) and a wireless access point (AP). This process is essential for
establishing a secure connection, authenticating users, and generating encryption
keys to protect the data being transmitted over the wireless network.

The handshake takes place after the client device has successfully authenticated
with the access point, but before data transfer begins. It is called a "3-Way"
Handshake because it involves three main steps to complete.

---

## 2. **Goals of the 3-Way Handshake**

- **Authentication:** Verifying that the device attempting to connect to the network is authorized to do so.
- **Key Exchange:** Establishing a secure shared key (Pairwise Transient Key, PTK)
for encrypting communications between the client and access point.
- **Data Encryption:** Ensuring that data transmitted over the air is encrypted and
secure, preventing eavesdropping or tampering.

---

## 3. **Overview of the Process**

The 3-Way Handshake process consists of three steps:

### **Step 1: AP → Client (Message 1)**

- **Message Type:** The Access Point (AP) sends a message called the **"Message 1"** (also known as the **"Authentication Request"**).
- **Content:**
  - The AP sends a nonce (a random number used once) called **ANonce** to the client.
  - The AP’s identifier (SSID) and security protocols (WPA/WPA2) are also included.
  - The purpose of this message is to initiate the handshake and inform the client that the AP is ready for the key exchange process.
- **Action:** The client is now aware of the AP’s intention to perform the 3-Way Handshake and proceeds with its part of the process.

### **Step 2: Client → AP (Message 2)**

- **Message Type:** The client responds to the AP with **"Message 2"** (also called **"Authentication Response"**).
- **Content:**
  - The client generates its own nonce, called **SNonce**.
  - The client combines **ANonce** (received from the AP) and **SNonce** to create the **Pairwise Master Key (PMK)**, which will later be used to derive the PTK.
  - The client also uses the **PMK** to create a hash of the session keys, and then it encrypts this information using the AP's public key.
  - The client sends the **SNonce** back to the AP, along with a message integrity code (MIC) to verify the integrity of the message.
- **Action:** The client sends the message back, effectively proving to the AP that it can generate the key material, establishing a secure connection.

### **Step 3: AP → Client (Message 3)**

- **Message Type:** The Access Point sends **"Message 3"** (also called **"Authentication Confirmation"** or **"Message Integrity Check"**).
- **Content:**
  - The AP sends its own confirmation that it has successfully generated the **Pairwise Transient Key (PTK)**.
  - This is done by hashing the combined **ANonce**, **SNonce**, and the shared secret (PMK) between the client and the AP.
  - A **Message Integrity Code (MIC)** is also included to ensure that the message was not tampered with.
- **Action:** The AP sends its confirmation that it is ready to establish an encrypted session with the client.

---

## 4. **Key Generation**

At the core of the 3-Way Handshake is the generation of the **Pairwise Transient Key (PTK)**, which is used to encrypt data between the client and the AP during the session.

### PTK is derived using the following:

- **PMK (Pairwise Master Key):** A shared key, usually generated from a passphrase or preshared key (PSK).
- **ANonce:** The nonce generated by the Access Point.
- **SNonce:** The nonce generated by the client.
- **MAC addresses:** The MAC addresses of both the client and the AP are also used in the key derivation process.

The PTK is used to encrypt and protect communication between the client and the
access point during the session.
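An added worked example (not part of these notes) of the key derivation described in section 4, following the IEEE 802.11i definitions: the PMK comes from the passphrase and SSID via PBKDF2-HMAC-SHA1, the PTK from the PMK, both MAC addresses and both nonces via PRF-384, and the KCK part of the PTK produces the MIC that protects each handshake message. The MAC addresses, nonces and EAPOL-Key frame below are constructed sample values, and the passphrase/SSID pair is the one used in the standard's test vector.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-384(PMK, "Pairwise key expansion",
    #               min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    # 48 bytes for CCMP: KCK (16) || KEK (16) || TK (16); byte-wise min/max as in the standard
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    # WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, EAPOL-Key frame with its
    # 16-byte MIC field at offset 81 zeroed), truncated to 16 bytes.
    zeroed = frame[:81] + b"\x00" * 16 + frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

# Constructed sample values, not taken from any real capture.
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(100, 132))

def demo():
    pmk = derive_pmk("password", "IEEE")   # inputs of the IEEE 802.11 PSK test vector
    ptk = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    kck = ptk[:16]
    # Minimal constructed 99-byte EAPOL-Key body for message 2: SNonce at offset 17,
    # MIC field at offset 81, no key data.
    frame = bytearray(99)
    frame[17:49] = SNONCE
    frame[81:97] = eapol_mic(kck, bytes(frame))        # the MIC the client would send
    ok = hmac.compare_digest(eapol_mic(kck, bytes(frame)), bytes(frame[81:97]))
    # With a fresh ANonce the PTK changes, so this replayed message 2 fails the check
    ptk2 = derive_ptk(pmk, AP_MAC, STA_MAC, bytes(range(32, 64)), SNONCE)
    stale = hmac.compare_digest(eapol_mic(ptk2[:16], bytes(frame)), bytes(frame[81:97]))
    return pmk, ptk, ok, stale
```

Calling `demo()` returns the PMK, the 48-byte PTK, `True` for the MIC check under the matching nonces and `False` once the AP has issued a new ANonce, which is the replay protection section 7 describes.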

---

## 5. **Purpose of the Handshake**

The 3-Way Handshake is crucial for several reasons:

- **Authentication:** It helps confirm that both the client and AP know the shared
secret (PSK) or have completed a proper authentication procedure.
- **Security:** By using nonces (ANonce and SNonce), the handshake ensures that the
process is not replayable by attackers.
- **Key Exchange:** The handshake enables both the AP and client to generate a
fresh, unique session key (PTK) for data encryption.
- **Session Integrity:** The MICs included in each message ensure the integrity of
the messages, preventing man-in-the-middle attacks.

---

## 6. **Key Points to Remember**

- **ANonce:** Nonce generated by the Access Point and sent to the client.
- **SNonce:** Nonce generated by the client and sent to the Access Point.
- **PMK:** Shared key derived from the passphrase (or pre-shared key) that is used
to generate the PTK.
- **PTK:** The key used to encrypt data during the wireless session.
- **MIC (Message Integrity Code):** A checksum used to ensure the integrity of the
messages in the handshake.

---

## 7. **Security Considerations**

### a. **Replay Attacks**

The 3-Way Handshake is designed to prevent replay attacks. The use of nonces
(ANonce and SNonce) ensures that each handshake is unique. Even if an attacker
intercepts the messages, they cannot reuse them to establish a connection with the
AP.

### b. **Eavesdropping**

Although the handshake itself is not encrypted, the nonces (ANonce and SNonce) are
random values, making it difficult for attackers to predict and derive the key
material. The PTK is used to encrypt the actual data once the handshake is
complete.

### c. **Brute Force Attacks**

If a weak password (PSK) is used to derive the PMK, attackers may attempt to brute-force it by guessing the password. This is why it is essential to use strong, complex passwords in WPA2 networks.

---

## 8. **Conclusion**

The Wi-Fi 3-Way Handshake is a critical process for establishing secure
communication between a client and an access point in WPA and WPA2 networks. It
ensures that both parties are authenticated, a shared secret is exchanged, and a
secure encryption key is generated for protecting data transmitted over the
wireless network. Understanding how the handshake works is fundamental for anyone
working with wireless security and is a key concept in protecting Wi-Fi networks
from unauthorized access and attacks.