On Wed, Jan 04, 2017 at 04:23:00PM -0800, Ben Greear wrote: > [resend, seems list ate the first??] I see no sign of the previous email nor this newer email on the list for that matter.. Not even in the moderation queue. > I am trying to figure out if hostapd/supplicant is doing the right thing > when using WPA. Neither the 3/4 or 4/4 messages have the Secure bit > set. I found this code in hostapd, which looks pertinent, but I don't > know if it is correct or not. As far as I know, the implementation is correct. > I looked in the 802.11i-2004.pdf document, and found this text > on page 94. IEEE Std 802.11i-2004 does not define WPA (v1).. > 7) Secure (bit 9) is set once the initial key exchange is complete. > The Authenticator shall set the Secure bit to 0 in all EAPOL-Key frames sent before the > Supplicant has the PTK and the GTK. The Authenticator shall set the Secure bit to 1 in all > EAPOL-Key frames it sends to the Supplicant containing the last key needed to complete the > Supplicant’s initialization. But even if it were, please note the "and the GTK" part there.. > Does the 3/4 message not have the 'last key needed' to complete supplicant's initialization? Not in WPA. > If not, then what packet does? In WPA, the GTK is not delivered as part of the 4-way handshake; it is delivered in group key handshake following that, i.e., the group key msg 1/2 which is sent after the 4-way handshake message 4/4 is the first frame that provides the full set of keys to the station. -- Jouni Malinen PGP id EFC895FA _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
