802.1x, EAP-TLS -PEAP

Jouni Malinen j
Tue Jun 16 11:05:29 PDT 2009

On Tue, Jun 16, 2009 at 01:45:49PM +0530, Harsha gowda wrote:

> I want to decrypt the TLS tunnel data,
> So far i have extracted client Key exchange message.
> Which has pre master Key,Decrypted with Root Private Key,
> Got 48 bytes of
> (MK)*Master_key*=PRF(Pre-Master-Key,"*master key*
> ",Client.random|Server.random).
> And derived 64 bytes
> (TK)*TunnelKey* (Master-Key,"*Client EAP encryption*
> ",Client.random|Server.random)
> Which is the key to encrypt/decrypt TLSV1 application data.
> Is tunnel Key is used to encrypt decrypt data.

The master key is used to derive a set of keys and related values
("key_block") and those keys/parameters are used to encrypt/decrypt TLS

The key you call TK (the 64 octet long key is the TLS PRF output) could
be used, e.g., with WPA2-Enterprise as the PMK for 4-way handshake.
However, since you call this TK, I would assume you are looking into
PEAP cryptobinding case where this key is used to derive some additional
key for binding the tunneled methods together.

What are you trying to do? It would probably be easier to run through
another authentication and just look at the supplicant (or
authentication server) debug log to see what data was sent.. For
example, wpa_supplicant can show you that data in the debug log.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list