802.11 EAPOL-Key Frames

The 4-way handshake is carried in EAPOL-Key frames, as explained in the EAPOL lesson. 802.11 defines its own key descriptor for these frames, however, with fields the 802.1X version does not have. Here are the fields in the EAPOL-Key frame that the WPA/WPA2 4-way handshake uses.

Key Descriptor Type

This indicates which key descriptor format follows. Two values are relevant here: 254 is the original WPA key descriptor and 2 is the RSN key descriptor used by 802.11i/WPA2.

Key Information

The key information field is 16 bits wide and contains several subfields and flags that describe the key type and how the frame should be processed. The lowest three bits carry the key descriptor version, which selects the MIC algorithm and the way the key data field is encrypted (1: HMAC-MD5 with RC4, 2: HMAC-SHA1-128 with AES key wrap, 3: AES-128-CMAC with AES key wrap). The remaining bits that matter for the 4-way handshake are:

  • key type (1 = pairwise, 0 = group)
  • key index (WPA uses it for the GTK slot; in the RSN descriptor it is reserved and the key ID travels inside the GTK KDE instead)
  • install flag (set in message 3: the client installs the PTK)
  • key acknowledge (set by the AP in messages 1 and 3: a reply is expected)
  • key MIC (set when the key MIC field is present and must be checked, which is every message except message 1)
  • secure flag (set once the keys are installed and the link is considered secure; in a WPA2 handshake this is messages 3 and 4)
  • error flag (set together with the request flag by the client to report a MIC failure)
  • request flag (the client asks the AP to start a handshake)
  • encrypted key data (RSN only: the key data field is encrypted with the KEK)

Note: Compare with the capture file.

Key Length

This field specifies the length in bytes of the temporal key that will be installed: 16 for CCMP (AES) and 32 for TKIP, whose temporal key includes the two Michael MIC keys.

Replay Counter

The replay counter is a 64-bit value used to detect replayed frames. The AP increments it for every EAPOL-Key frame it sends, and the client echoes the received value in its reply: message 2 carries the counter from message 1 and message 4 the counter from message 3. A client discards a frame whose counter is not higher than the last one it accepted, which is why a captured handshake cannot simply be replayed against it.

Key Nonce

The 32-byte random nonce that each side contributes to the PTK derivation: the AP's ANonce in message 1 (repeated in message 3) and the client's SNonce in message 2. Message 4 carries no nonce, so the field is zero there.

Key IV (Initialization Vector)

This 16-byte field is only used when the key descriptor version is 1 (WPA with TKIP): the key data field, including the GTK, is then encrypted with RC4 keyed by this IV concatenated with the KEK. With descriptor version 2 or 3 (AES key wrap, as used by WPA2) no IV is needed and the field is set to zero.

Key RSC (Receive Sequence Counter)

This 8-byte field carries the current packet number of the GTK (TSC for TKIP, PN for CCMP). The AP sends it in message 3 and in group key handshake messages so that each client knows where the sequence counter for multicast and broadcast frames stands and can reject older frames as replays.

Key ID

This 8-byte field is reserved and set to zero; neither WPA nor WPA2 uses it.

Key MIC (Message Integrity Code)

This field holds the integrity check value (16 bytes for the descriptor versions above), computed with the KCK, the first 128 bits of the PTK, over the entire EAPOL frame with the MIC field itself zeroed. The algorithm follows the key descriptor version: HMAC-MD5 for version 1, HMAC-SHA1 truncated to 128 bits for version 2 and AES-128-CMAC for version 3. Message 1 is sent before the PTK exists, so its MIC field is zero and the key MIC flag is clear; every later message must carry a valid MIC or the receiver discards it.

Key Data Length

This field contains the length (in bytes) of the key data field.

Key Data

This field carries key material and other information; its length is given by the key data length field. In message 2 the client sends its RSN IE here, and in message 3 the AP sends its RSN IE together with the GTK (as a GTK KDE in WPA2), wrapped with the KEK and with the encrypted key data flag set.
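To tie the fields above together, here is an added example (not part of the original lesson) that builds the four handshake messages with the RSN key descriptor, parses them back into the fields described on this page, classifies each message from its key information flags, checks that the client echoes the AP's replay counter, and verifies the key MIC with HMAC-SHA1-128 (descriptor version 2). The KCK, both nonces, the RSN IE and the key data bytes are constructed sample values, not captured traffic; the 16-byte MIC length assumed here matches descriptor versions 1 to 3, and AES-128-CMAC (version 3) is left out because it is not in the Python standard library.

```python
"""Build, parse, classify and MIC-check 802.11 EAPOL-Key frames.
Added example, not from the original lesson. All keys/nonces are constructed."""
import hashlib
import hmac
import struct

EAPOL_HDR = struct.Struct(">BBH")             # version, type (3 = EAPOL-Key), body length
KEY_HDR = struct.Struct(">BHHQ32s16sQQ16sH")  # fixed part of the key descriptor: 95 bytes
MIC_OFFSET = EAPOL_HDR.size + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8   # = 81, start of key MIC
VERSION_MASK = 0x7                             # bits 0-2: key descriptor version

# Key Information flag bits (RSN key descriptor, type 2)
FLAGS = {
    "pairwise": 1 << 3, "install": 1 << 6, "key_ack": 1 << 7, "key_mic": 1 << 8,
    "secure": 1 << 9, "error": 1 << 10, "request": 1 << 11, "encrypted_key_data": 1 << 12,
}


def compute_mic(kck, frame):
    """Key MIC over the whole EAPOL frame with the MIC field zeroed; the
    algorithm is chosen by the descriptor version (1: HMAC-MD5, 2: HMAC-SHA1-128)."""
    key_info = struct.unpack_from(">H", frame, EAPOL_HDR.size + 1)[0]
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    version = key_info & VERSION_MASK
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("descriptor version 3 (AES-128-CMAC) not handled in this example")


def build_eapol_key(key_info, replay_counter, nonce, key_data=b"", kck=None,
                    key_length=16, descriptor_type=2):
    """Assemble one EAPOL-Key frame. Key IV, Key RSC and Key ID are zero here:
    AES key wrap needs no IV, and no GTK is delivered in this sample."""
    if kck is not None:
        key_info |= FLAGS["key_mic"]          # a MIC is present in every message but message 1
    body = KEY_HDR.pack(descriptor_type, key_info, key_length, replay_counter, nonce,
                        b"\x00" * 16, 0, 0, b"\x00" * 16, len(key_data)) + key_data
    frame = EAPOL_HDR.pack(2, 3, len(body)) + body
    if kck is not None:
        frame = frame[:MIC_OFFSET] + compute_mic(kck, frame) + frame[MIC_OFFSET + 16:]
    return frame


def parse_eapol_key(frame):
    """Split an EAPOL-Key frame into the named fields and decode Key Information."""
    _version, eapol_type, _body_len = EAPOL_HDR.unpack_from(frame)
    if eapol_type != 3:
        raise ValueError("not an EAPOL-Key frame")
    (desc, key_info, key_len, replay, nonce, iv, rsc, key_id, mic,
     data_len) = KEY_HDR.unpack_from(frame, EAPOL_HDR.size)
    start = EAPOL_HDR.size + KEY_HDR.size
    key_data = frame[start:start + data_len]
    if len(key_data) != data_len:
        raise ValueError("key data length exceeds the frame")
    return {
        "descriptor_type": desc, "descriptor_version": key_info & VERSION_MASK,
        "flags": {name: bool(key_info & bit) for name, bit in FLAGS.items()},
        "key_length": key_len, "replay_counter": replay, "nonce": nonce, "iv": iv,
        "rsc": rsc, "key_id": key_id, "mic": mic, "key_data": key_data,
    }


def classify(parsed):
    """Name the message from its flags (the rule of thumb analyzers use;
    messages 2 and 4 are told apart by whether key data is present)."""
    f = parsed["flags"]
    if not f["pairwise"]:
        return "group-key message 1" if f["key_ack"] else "group-key message 2"
    if f["key_ack"] and not f["key_mic"]:
        return "4-way message 1"
    if f["key_ack"] and f["install"]:
        return "4-way message 3"
    return "4-way message 2" if parsed["key_data"] else "4-way message 4"


def verify_mic(kck, frame):
    parsed = parse_eapol_key(frame)
    if not parsed["flags"]["key_mic"]:
        return False                           # message 1: nothing to verify
    return hmac.compare_digest(compute_mic(kck, frame), parsed["mic"])


# Constructed sample handshake, descriptor version 2 (HMAC-SHA1-128 MIC, AES key wrap).
KCK = bytes(range(16))                        # constructed; really PTK bits 0-127
ANONCE, SNONCE = b"\xa1" * 32, b"\xb2" * 32   # constructed nonces
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/PSK
V2, PW = 2, FLAGS["pairwise"]
MSG1 = build_eapol_key(V2 | PW | FLAGS["key_ack"], 1, ANONCE)
MSG2 = build_eapol_key(V2 | PW, 1, SNONCE, RSN_IE, kck=KCK)
MSG3 = build_eapol_key(V2 | PW | FLAGS["key_ack"] | FLAGS["install"] | FLAGS["secure"]
                       | FLAGS["encrypted_key_data"], 2, ANONCE, b"\x00" * 24, kck=KCK)
MSG4 = build_eapol_key(V2 | PW | FLAGS["secure"], 2, b"\x00" * 32, kck=KCK)

if __name__ == "__main__":
    for frame in (MSG1, MSG2, MSG3, MSG4):
        p = parse_eapol_key(frame)
        print(classify(p), "replay", p["replay_counter"], "mic ok", verify_mic(KCK, frame))
```

The 24 zero bytes in message 3 only stand in for the wrapped RSN IE and GTK KDE, so the example shows where the encrypted key data sits, not the AES key wrap itself. Flipping any byte of a MIC-protected frame makes verify_mic return False, which is exactly the check a client performs before it accepts messages 2 to 4.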