WPA PSK-key length problem?
Holger Schurig
hs4233
Tue Mar 8 01:16:27 PST 2005
> Could you please verify with a wireless sniffer that the WPA IE in
> Association Request matches with this one?
Okay, I used ethereal and found out some stuff ...
The WPA IE is already sent in the Beacon frames sent regularly by the AP.
They contain a field that I did not see in the packet dump:
Tag Number: 221 (Vendor Specific)
Tag length: 24
Tag interpretation: WPA IE, type 1, version 1
Tag interpretation: Multicast cipher suite: TKIP
Tag interpretation: # of unicast cipher suites: 1
Tag interpretation: Unicast cipher suite 1: TKIP
Tag interpretation: # of auth key management suites: 1
Tag interpretation: auth key management suite 1: PSK
Tag interpretation: Not interpreted
The relevant part of the hexdump starts at offset 0xf7. The extra bytes
are at offsets 0x10f and 0x110.
0 1 2 3 4 5 6 7 8 9 a b c d e f
00f0 06 00 40 96 00 0d 00 dd 18 00 50 f2 01 01 00 00 ..@.......P.....
0100 50 f2 02 01 00 00 50 f2 02 01 00 00 50 f2 02 28 P.....P.....P..(
0110 00 dd 18 00 50 f2 02 01 01 04 00 03 a5 00 00 27 ....P..........'
0120 a5 00 00 42 54 5e 00 62 43 2f 00 dd 16 00 40 96 ...BT^.bC/....@.
0130 04 00 04 07 a5 00 00 23 a5 00 00 42 54 00 00 62 .......#...BT..b
0140 43 00 00 dd 05 00 40 96 03 02 49 27 19 6c C.....@...I'.l
Later in the ethereal dump, my device sends an 802.11 Association Request.
Here the last two bytes of the WPA IE are 00 00. The relevant part in the
hexdump starts at 0xbb, the two null bytes are at 0xd3 and 0xd4.
Tag Number: 221 (Vendor Specific)
Tag length: 24
Tag interpretation: WPA IE, type 1, version 1
Tag interpretation: Multicast cipher suite: TKIP
Tag interpretation: # of unicast cipher suites: 1
Tag interpretation: Unicast cipher suite 1: TKIP
Tag interpretation: # of auth key management suites: 1
Tag interpretation: auth key management suite 1: PSK
Tag interpretation: Not interpreted
0 1 2 3 4 5 6 7 8 9 a b c d e f
00b0 46 55 4e 4b 32 01 04 02 04 0b 16 dd 18 00 50 f2 FUNK2.........P.
00c0 01 01 00 00 50 f2 02 01 00 00 50 f2 02 01 00 00 ....P.....P.....
00d0 50 f2 02 00 00 ef 8b ea e9 P........
The Cisco sends an Association Response back with the "Successful" status
code.
Then the Cisco sends an EAPOL packet, starting at offset 0xb0:
802.1x Authentication
Version: 1
Type: Key (3)
Length: 95
Descriptor Type: EAPOL WPA key (254)
Key Information: 0x0089
.... .... .... .001 = Key Descriptor Version: HMAC-MD5 for MIC and
RC4 for encryption (1)
.... .... .... 1... = Key Type: Pairwise key
.... .... ..00 .... = Key Index: 0
.... .... .0.. .... = Install flag: Not set
.... .... 1... .... = Key Ack flag: Set
.... ...0 .... .... = Key MIC flag: Not set
.... ..0. .... .... = Secure flag: Not set
.... .0.. .... .... = Error flag: Not set
.... 0... .... .... = Request flag: Not set
...0 .... .... .... = Encrypted Key Data flag: Not set
Key Length: 32
Replay Counter: 1
Nonce: 0CB616E7D5688837AAAFB8D41D420096DD1F492CD3512852...
Key IV: 00000000000000000000000000000000
WPA Key RSC: 0000000000000000
WPA Key ID: 0000000000000000
WPA Key MIC: 00000000000000000000000000000000
WPA Key Length: 0
0 1 2 3 4 5 6 7 8 9 a b c d e f
00b0 01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 00 ..._.... .......
00c0 01 0c b6 16 e7 d5 68 88 37 aa af b8 d4 1d 42 00 ......h.7.....B.
00d0 96 dd 1f 49 2c d3 51 28 52 cc 89 c6 c5 db 13 b0 ...I,.Q(R.......
00e0 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0110 00 00 00 4e 97 74 00
and my device answers with some EAPOL frame, starting at offset 0xb0 as
well:
802.1x Authentication
Version: 1
Type: Key (3)
Length: 119
Descriptor Type: EAPOL WPA key (254)
Key Information: 0x0109
.... .... .... .001 = Key Descriptor Version: HMAC-MD5 for MIC and
RC4 for encryption (1)
.... .... .... 1... = Key Type: Pairwise key
.... .... ..00 .... = Key Index: 0
.... .... .0.. .... = Install flag: Not set
.... .... 0... .... = Key Ack flag: Not set
.... ...1 .... .... = Key MIC flag: Set
.... ..0. .... .... = Secure flag: Not set
.... .0.. .... .... = Error flag: Not set
.... 0... .... .... = Request flag: Not set
...0 .... .... .... = Encrypted Key Data flag: Not set
Key Length: 32
Replay Counter: 1
Nonce: 3E96D3191E67841EB0CA741892A8B7D02BEBBD13955010B1...
Key IV: 00000000000000000000000000000000
WPA Key RSC: 0000000000000000
WPA Key ID: 0000000000000000
WPA Key MIC: 4D65B298D68E98B8B321F5C1EE64C3B2
WPA Key Length: 24
WPA Key: DD160050F20101000050F20201000050F20201000050F202
Tag Number: 221 (Vendor Specific)
Tag length: 22
Tag interpretation: WPA IE, type 1, version 1
Tag interpretation: Multicast cipher suite: TKIP
Tag interpretation: # of unicast cipher suites: 1
Tag interpretation: Unicast cipher suite 1: TKIP
Tag interpretation: # of auth key management suites: 1
Tag interpretation: auth key management suite 1: PSK
0 1 2 3 4 5 6 7 8 9 a b c d e f
00b0 01 03 00 77 fe 01 09 00 20 00 00 00 00 00 00 00 ...w.... .......
00c0 01 3e 96 d3 19 1e 67 84 1e b0 ca 74 18 92 a8 b7 .>....g....t....
00d0 d0 2b eb bd 13 95 50 10 b1 ed 8e f4 f3 46 08 bd .+....P......F..
00e0 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >...............
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 00 4d 65 b2 98 d6 8e 98 b8 b3 21 f5 c1 ee 64 c3 .Me.......!...d.
0110 b2 00 18 dd 16 00 50 f2 01 01 00 00 50 f2 02 01 ......P.....P...
0120 00 00 50 f2 02 01 00 00 50 f2 02 5e d8 12 9e ..P.....P..^...
But here the two bytes at the end, be they 00 00 or 28 00, are
missing :-(
So I guess it's my kernel driver that sends a truncated WPA IE in its
association event, and so wpa_supplicant in turn doesn't send the right
WPA IE.
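As an added illustration (not code from the post, hostap or wpa_supplicant), the parser below decodes the three WPA IEs shown in the hexdumps above and reports which fields differ between the station's Association Request and the IE it echoes in EAPOL-Key message 2; the trailing two bytes that ethereal leaves "Not interpreted" are the optional capabilities field, and the byte strings are copied from the dumps.

```python
import struct
# Constructed from the post's hexdumps: AP beacon, station Association
# Request, and the IE inside the station's EAPOL-Key message 2.
BEACON_IE = bytes.fromhex("dd18 0050f201 0100 0050f202 0100 0050f202 0100 0050f202 2800")
ASSOC_REQ_IE = bytes.fromhex("dd18 0050f201 0100 0050f202 0100 0050f202 0100 0050f202 0000")
EAPOL_KEYDATA_IE = bytes.fromhex("dd16 0050f201 0100 0050f202 0100 0050f202 0100 0050f202")

WPA_OUI = b"\x00\x50\xf2"
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_SUITES = {1: "802.1X", 2: "PSK"}

def _suite(body, off, table):
    # A suite selector is a 3-byte OUI followed by a 1-byte type.
    if off + 4 > len(body):
        raise ValueError("suite selector runs past end of IE")
    oui, sel = body[off:off + 3], body[off + 3]
    name = table.get(sel, "unknown") if oui == WPA_OUI else "vendor"
    return name, off + 4

def parse_wpa_ie(ie):
    """Parse a WPA IE (tag 221, OUI 00:50:f2, type 1); 'capabilities' is None when the optional trailing field is absent."""
    if len(ie) < 2 or ie[0] != 0xDD:
        raise ValueError("not a vendor-specific (tag 221) IE")
    length, body = ie[1], ie[2:]
    if len(body) < length:
        raise ValueError("IE truncated: tag length %d, %d bytes present" % (length, len(body)))
    body = body[:length]
    if body[:4] != WPA_OUI + b"\x01":
        raise ValueError("OUI/type is not WPA")
    (version,) = struct.unpack_from("<H", body, 4)
    mcast, off = _suite(body, 6, CIPHER_SUITES)
    (n_ucast,) = struct.unpack_from("<H", body, off); off += 2
    ucast = []
    for _ in range(n_ucast):
        s, off = _suite(body, off, CIPHER_SUITES); ucast.append(s)
    (n_akm,) = struct.unpack_from("<H", body, off); off += 2
    akm = []
    for _ in range(n_akm):
        s, off = _suite(body, off, AKM_SUITES); akm.append(s)
    caps = None
    if off + 2 <= length:  # optional capabilities field (the "Not interpreted" bytes)
        (caps,) = struct.unpack_from("<H", body, off); off += 2
    return {"length": length, "version": version, "multicast": mcast,
            "unicast": ucast, "akm": akm, "capabilities": caps}

def diff_fields(ie_a, ie_b):
    """Names of parsed fields that differ between two WPA IEs."""
    a, b = parse_wpa_ie(ie_a), parse_wpa_ie(ie_b)
    return [k for k in a if a[k] != b[k]]
```

Running `diff_fields(ASSOC_REQ_IE, EAPOL_KEYDATA_IE)` shows only the length and the capabilities field differ, which is the mismatch the authenticator sees between the two IEs.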