802.11 EAPOL-Key Frames
The 4-way handshake uses EAPOL-Key frames, as explained in the EAPOL lesson. The key descriptor has been adapted, however, so it can be carried in 802.11 frames. Here are the fields of the EAPOL-Key frame that the WPA 4-way handshake uses.
Key Descriptor Type
This indicates the type of the key descriptor used, such as WPA or WPA2.
Key Information
The key information field contains several subfields and flags that describe the key type and how the frame should be handled. Several of these bits are used in the 4-way handshake, for example:
- key type (pairwise or group)
- key index
- install flag
- key acknowledge
- key MIC
- secure flag
- error flag
- request flag
- encrypted key data
Note: Compare with the capture file.
Key Length
This field specifies the length of the key in bytes.
Replay Counter
The replay counter is used to prevent replay attacks: the value increments with each EAPOL-Key frame the AP sends. The only exception is a frame sent in response to a frame with the key acknowledge flag set; in that case the reply carries the same replay counter value.
Key Nonce
The random nonce value that the client and the AP each generate; both nonces are required inputs for deriving the PTK.
Key IV (Initialization Vector)
This field is used for encryption/decryption in some EAPOL-Key frames when you use WPA (not WPA2): the GTK is encrypted with the KEK, using this IV.
Key RSC (Receive Sequence Counter)
This field is used in group key messages to inform all associated wireless clients of the current sequence number for multicast and broadcast frames.
Key ID
This field is not used for WPA.
Key MIC (Message Integrity Code)
This field contains the integrity check value computed over the EAPOL-Key frame.
Key Data Length
This field contains the length (in bytes) of the key data field.
Key Data
This field contains key material and other information. The length is specified by the key data length field. For example, when the AP sends the GTK, this field contains the encrypted GTK.
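To see how these fields sit in the frame and how the key information bits identify each handshake message, here is an added Python example that is not part of the lesson. It parses the EAPOL header and the fixed part of the key descriptor with the layout listed above, decodes the key information flags, classifies a pairwise frame as message 1 to 4, and enforces the replay counter rule from the Replay Counter section (authenticator frames must carry a higher counter, replies echo the counter they answer). The frames it parses are constructed inline for the example, with zeroed IV, RSC, Key ID and MIC and no real key material; it assumes a 16-byte MIC, which holds for key descriptor versions 1 to 3 but not for newer AKMs with longer MICs.

```python
import struct
from dataclasses import dataclass

# Key Information bit layout (IEEE 802.11-2016, Figure 12-34)
KEY_INFO_VERSION_MASK = 0x0007   # bits 0-2: key descriptor version (MIC/key-wrap suite)
KEY_INFO_KEY_TYPE     = 1 << 3   # 1 = pairwise, 0 = group
KEY_INFO_KEY_INDEX    = 0x0030   # bits 4-5: key index (WPA only)
KEY_INFO_INSTALL      = 1 << 6
KEY_INFO_ACK          = 1 << 7
KEY_INFO_MIC          = 1 << 8
KEY_INFO_SECURE       = 1 << 9
KEY_INFO_ERROR        = 1 << 10
KEY_INFO_REQUEST      = 1 << 11
KEY_INFO_ENC_KEY_DATA = 1 << 12

DESCRIPTOR_TYPES = {254: "WPA", 2: "RSN/WPA2"}
EAPOL_TYPE_KEY = 3

EAPOL_HDR = struct.Struct("!BBH")   # protocol version, packet type, body length
# Fixed part of the key descriptor, in the field order of the lesson:
# descriptor type, key info, key length, replay counter, nonce, IV, RSC, key ID,
# MIC (assumed 16 bytes), key data length.  Key Data follows and is variable.
KEY_FIXED = struct.Struct("!BHHQ32s16s8s8s16sH")


@dataclass
class EapolKey:
    descriptor_type: int
    key_info: int
    key_length: int
    replay_counter: int
    nonce: bytes
    key_iv: bytes
    key_rsc: bytes
    key_id: bytes
    key_mic: bytes
    key_data: bytes

    def flag(self, mask):
        return bool(self.key_info & mask)

    def flags(self):
        """Decode the Key Information subfields into a readable dict."""
        return {
            "version": self.key_info & KEY_INFO_VERSION_MASK,
            "pairwise": self.flag(KEY_INFO_KEY_TYPE),
            "key_index": (self.key_info & KEY_INFO_KEY_INDEX) >> 4,
            "install": self.flag(KEY_INFO_INSTALL),
            "ack": self.flag(KEY_INFO_ACK),
            "mic": self.flag(KEY_INFO_MIC),
            "secure": self.flag(KEY_INFO_SECURE),
            "error": self.flag(KEY_INFO_ERROR),
            "request": self.flag(KEY_INFO_REQUEST),
            "encrypted_key_data": self.flag(KEY_INFO_ENC_KEY_DATA),
        }

    def handshake_message(self):
        """Classify a pairwise frame as 4-way handshake message 1-4 (0 = not one)."""
        if not self.flag(KEY_INFO_KEY_TYPE):
            return 0                      # group key handshake, not part of the 4-way
        ack, mic = self.flag(KEY_INFO_ACK), self.flag(KEY_INFO_MIC)
        if ack and not mic:
            return 1                      # AP -> client: ANonce, no MIC yet
        if ack and mic:
            return 3                      # AP -> client: install, encrypted GTK in Key Data
        if mic and not ack:
            # Message 4 has Secure set (WPA2) and carries no key data (WPA);
            # message 2 carries the client's RSN/WPA IE in Key Data.
            return 4 if (self.flag(KEY_INFO_SECURE) or not self.key_data) else 2
        return 0


def parse_eapol_key(frame):
    """Parse an EAPOL-Key frame starting at the EAPOL header."""
    version, ptype, body_len = EAPOL_HDR.unpack_from(frame, 0)
    if ptype != EAPOL_TYPE_KEY:
        raise ValueError(f"not an EAPOL-Key packet (type {ptype})")
    body = frame[EAPOL_HDR.size:EAPOL_HDR.size + body_len]
    if len(body) < KEY_FIXED.size:
        raise ValueError("truncated EAPOL-Key body")
    (desc, key_info, key_len, replay, nonce, iv, rsc,
     key_id, mic, data_len) = KEY_FIXED.unpack_from(body, 0)
    data = body[KEY_FIXED.size:KEY_FIXED.size + data_len]
    if len(data) != data_len:                 # Key Data Length must fit in the frame
        raise ValueError("Key Data Length exceeds frame")
    return EapolKey(desc, key_info, key_len, replay, nonce, iv, rsc, key_id, mic, data)


def build_eapol_key(key_info, replay, nonce, key_data=b"", desc=2, key_len=16):
    """Constructed frames for this example: zero IV/RSC/Key ID/MIC, no real crypto."""
    fixed = KEY_FIXED.pack(desc, key_info, key_len, replay, nonce,
                           b"\0" * 16, b"\0" * 8, b"\0" * 8, b"\0" * 16, len(key_data))
    body = fixed + key_data
    return EAPOL_HDR.pack(2, EAPOL_TYPE_KEY, len(body)) + body


class ReplayTracker:
    """Replay-counter rule: AP frames (1, 3) must carry a counter higher than any
    seen before; client replies (2, 4) must echo the counter of the frame answered."""
    def __init__(self):
        self.last_ap_counter = None

    def check(self, key):
        n = key.handshake_message()
        if n in (1, 3):
            if self.last_ap_counter is not None and key.replay_counter <= self.last_ap_counter:
                return False              # replayed or out-of-order AP frame
            self.last_ap_counter = key.replay_counter
            return True
        if n in (2, 4):
            return key.replay_counter == self.last_ap_counter
        return False
```

Key information values such as 0x008a (message 1), 0x010a (message 2), 0x13ca (message 3) and 0x030a (message 4) are what you typically see for a WPA2 handshake in a capture; decoding them with `flags()` is a quick way to confirm which message a captured frame is before looking at the nonce or key data.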