Failed to receive WPA Group Message after 4-way handshake

Posted on 2006-04-19
Last Modified: 2013-12-09

I am trying to write a user-mode WPA supplicant app. The configuration
for both STA and AP is WPA-PSK.
Here is what I did for the 4-way handshake:
1) Initiate the 4-way handshake by sending an EAPOL-Start message.
2) Receive message A from the AP and get the ANonce.
3) Generate the SNonce, calculate the PTK and MIC based on the algorithms in
IEEE 802.11i, and send Message B to the AP.
4) Receive message C and verify that the AP knows the PMK.
5) Send message D to the AP and install the PTK with OID_802_11_ADD_KEY.
Everything seems successful.
Now I try to receive the group key, but it fails; instead I
always receive a packet similar to message A.
So one of 2 things could be wrong:
A) Installing the PTK with OID_802_11_ADD_KEY, for which I have the following code:
DWORD SetPairwiseKey(const u8 *bssid, const UCHAR *pKey, int nKeyLen,
                     u8 *pKeyRsc)
{
    // The set buffer is the OID header followed by an NDIS_802_11_KEY whose
    // variable-length KeyMaterial holds nKeyLen bytes.
    int nSize = sizeof(NDIS_OID) + FIELD_OFFSET(NDIS_802_11_KEY,
                KeyMaterial) + nKeyLen;
    UCHAR *SetBuffer = new UCHAR[nSize];
    ZeroMemory(SetBuffer, nSize);
    PNDISPROT_SET_OID pSetOid = (PNDISPROT_SET_OID)SetBuffer;
    pSetOid->Oid = OID_802_11_ADD_KEY;
    NDIS_802_11_KEY *p80211Key = (NDIS_802_11_KEY*)&(pSetOid->Data[0]);
    p80211Key->Length = FIELD_OFFSET(NDIS_802_11_KEY, KeyMaterial) + nKeyLen;
    // Bit 31: transmit key, bit 30: pairwise key, bit 29: KeyRSC is valid;
    // low bits: key index 0.
    p80211Key->KeyIndex = 0xe0000000;
    memcpy(&p80211Key->KeyRSC, pKeyRsc, LEN_KEY_DESC_RSC);
    memcpy(p80211Key->BSSID, bssid, MAC_ADDR_LEN);
    p80211Key->KeyLength = nKeyLen;
    memcpy(p80211Key->KeyMaterial, pKey, nKeyLen);
    DWORD dwErr = SetOidValue(SetBuffer, nSize, "ADD_KEY");
    delete[] SetBuffer;   // array delete to match new[]
    return dwErr;
}


The return value is 0, so it seems OK.

B) The Message D I sent out is wrong. Here is the decoded packet:
802.1X Authentication
    Version: 1
    Type: Key (3)
    Length: 95
    Descriptor Type: EAPOL WPA key (254)
    Key Information: 0x0109
        .... .... .... .001 = Key Descriptor Version: HMAC-MD5 for MIC
and RC4 for encryption (1)
        .... .... .... 1... = Key Type: Pairwise key
        .... .... ..00 .... = Key Index: 0
        .... .... .0.. .... = Install flag: Not set
        .... .... 0... .... = Key Ack flag: Not set
        .... ...1 .... .... = Key MIC flag: Set
        .... ..0. .... .... = Secure flag: Not set
        .... .0.. .... .... = Error flag: Not set
        .... 0... .... .... = Request flag: Not set
        ...0 .... .... .... = Encrypted Key Data flag: Not set
    Key Length: 0
    Replay Counter: 3
    Nonce: 000000000000000000000000000000000000000000000000...
    Key IV: 00000000000000000000000000000000
    WPA Key RSC: 0000000000000000
    WPA Key ID: 0000000000000000
    WPA Key MIC: 2781D5942427AF9C44B30C98AE6374CE
    WPA Key Length: 0

So it looks OK to me too.
Any idea why the group message is not being received?
Thanks so much in advance.
BTW, I am using NDISUIO and ReadFile/WriteFile to send/receive the EAPOL packets.
I can provide the prototype project too.

-Andy Huang

Question by:ah6511

    Expert Comment


    You assign to nSize the sum of sizeof(NDIS_OID) + FIELD_OFFSET(NDIS_802_11_KEY, KeyMaterial) + KeyLen. Is KeyLen intended, or did you mean to use nKeyLen?

    Your code looks okay to me. There is another question that is very similar to yours:

    It may help you. It could be a question of assigning the correct packet size to the structure.

    Author Comment

    Yes, KeyLen means nKeyLen. And I already looked at
    I just used the PCAGizmo tool to compare my result from OID_802_11_ADD_KEY with the result from WZCSVC; they are the same. So I am sure my OID_802_11_ADD_KEY usage is correct.
    Now I suspect I may have missed some steps.
    1) I set the infrastructure mode to Ndis802_11Infrastructure
    2) I set the authentication mode to Ndis802_11AuthModeWPAPSK
    3) I set the encryption mode to Ndis802_11Encryption2Enabled
    4) I associated with the AP using NDIS_802_11_SSID
    Then I started the 4-way handshake.
    Should I wait for the association to complete, then do the 4-way handshake?
    If it helps you solve my problem, can I email you my prototype project?

    -Andy Huang


    Expert Comment


    I'm sure you are doing the right thing. Have you checked whether the AP supports WPA?

    The "IEEE 802.11 Network Adapter Design Guidelines for Windows XP" says that "If the authentication mode is set to WPA or WPA-PSK mode, the NIC should not associate with a non-WPA access point."

    The other thing I can think of is the packet length. The link I mentioned before uses sizeof(NDIS_802_11_KEY) plus the key size. FIELD_OFFSET(NDIS_802_11_KEY, KeyMaterial) does the same, but it could be worth testing that way.


    Author Comment

    Yes, the AP supports WPA-PSK; Windows XP WZC works. Also, as I mentioned, the result from OID_802_11_ADD_KEY looks correct because I compared it with the result from WZC using PCAGizmo.
    I am totally lost and frustrated. If you can try my prototype project, that will be very helpful.
    Thanks for the response.

    -Andy Huang

    Expert Comment

    OK. I'll try your prototype project. I'm sure there must be a little detail missing.
    My email is


    Author Comment

    I figured out why it failed: I had to send Message 4 before installing the PTK with OID_802_11_ADD_KEY. I don't know why it mattered, though. Thanks anyway.

    -Andy Huang
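The five handshake steps listed in the question and the resolution above (message 4 must go out before OID_802_11_ADD_KEY installs the PTK) can be modeled end to end. The reason the order matters, which the thread leaves open: in 802.11i message 4 is transmitted unprotected, the authenticator installs its own copy of the PTK only after it has accepted message 4, and only then does it start the group key handshake. If the supplicant installs the pairwise TK first, the NIC protects message 4 with a key the AP does not yet hold, the AP discards it, and the STA keeps seeing retransmitted message 1 frames, exactly the symptom reported. The Python below is an added example, not code from the thread: it derives the PMK and PTK as WPA-PSK does, frames EAPOL-Key messages with the descriptor type 254 layout shown in the capture (95-byte fixed body, 0x0109 key information for message 4), computes the descriptor-version-1 HMAC-MD5 MIC, and runs both sides in either order. The passphrase, SSID, MAC addresses and nonces are constructed, the NDISUIO key install is modeled as a flag on the supplicant, and the RC4 wrapping of the GTK inside the group message is not modeled.

```python
# Model of the WPA-PSK 4-way handshake (EAPOL-Key descriptor 254, version 1: HMAC-MD5 MIC).
# Added example, not code from the thread; the NDISUIO key install is modeled as a flag.
import hashlib
import hmac
import struct

# Key Information bits of the WPA EAPOL-Key descriptor (version 1 = HMAC-MD5 MIC, RC4 wrap)
KI_VER1, KI_PAIRWISE, KI_INSTALL = 0x0001, 0x0008, 0x0040
KI_ACK, KI_MIC, KI_SECURE = 0x0080, 0x0100, 0x0200
DESC_WPA = 254
# Offsets inside the full frame (4-byte EAPOL header + 95-byte fixed key descriptor body)
KEYINFO_OFF, REPLAY_OFF, NONCE_OFF, MIC_OFF = 5, 9, 17, 81

def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA-PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk, aa, spa, anonce, snonce) -> bytes:
    """802.11i PRF-512 over "Pairwise key expansion" || min/max(AA,SPA) || min/max(nonces).
    KCK = ptk[0:16], KEK = ptk[16:32], TK = ptk[32:48] (TKIP MIC keys follow)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                             hashlib.sha1).digest() for i in range(4))[:64]

def eapol_key_frame(key_info, replay, nonce=bytes(32), key_len=0, key_data=b"") -> bytes:
    """EAPOL-Key frame with a zeroed MIC: EAPOL header, then descriptor type, key info,
    key length, replay counter, nonce, IV, RSC, ID, MIC, key data length, key data."""
    body = struct.pack(">BHHQ", DESC_WPA, key_info, key_len, replay)
    body += nonce + bytes(16) + bytes(8) + bytes(8) + bytes(16)
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 1, 3, len(body)) + body

def mic_of(kck, frame) -> bytes:
    """Version 1 MIC: HMAC-MD5(KCK) over the whole EAPOL frame with the MIC field zeroed."""
    return hmac.new(kck, frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:], hashlib.md5).digest()

def sign(kck, frame) -> bytes:
    return frame[:MIC_OFF] + mic_of(kck, frame) + frame[MIC_OFF + 16:]
def verify_mic(kck, frame) -> bool:
    return hmac.compare_digest(frame[MIC_OFF:MIC_OFF + 16], mic_of(kck, frame))
def replay_of(frame) -> int:
    return struct.unpack(">Q", frame[REPLAY_OFF:REPLAY_OFF + 8])[0]

class Supplicant:
    def __init__(self, pmk, spa, snonce):
        self.pmk, self.spa, self.snonce, self.ptk = pmk, spa, snonce, None
        self.ptk_installed = False  # models having issued OID_802_11_ADD_KEY for the PTK

    def tx(self, frame):
        # Once the TK is in the NIC every outgoing data frame (EAPOL included) leaves protected.
        return (frame, self.ptk_installed)

    def on_msg1(self, frame, aa):
        self.ptk = derive_ptk(self.pmk, aa, self.spa, frame[NONCE_OFF:NONCE_OFF + 32], self.snonce)
        m2 = eapol_key_frame(KI_VER1 | KI_PAIRWISE | KI_MIC, replay_of(frame), nonce=self.snonce)
        return self.tx(sign(self.ptk[:16], m2))

    def on_msg3(self, frame, install_before_msg4):
        if not verify_mic(self.ptk[:16], frame):
            raise ValueError("message 3 MIC failed: authenticator does not hold our PMK")
        m4 = sign(self.ptk[:16], eapol_key_frame(KI_VER1 | KI_PAIRWISE | KI_MIC, replay_of(frame)))
        if install_before_msg4:     # the ordering that failed in the question
            self.ptk_installed = True
        wire = self.tx(m4)
        self.ptk_installed = True   # correct order: install only after message 4 has left
        return wire

class Authenticator:
    def __init__(self, pmk, aa, anonce):
        self.pmk, self.aa, self.anonce, self.ptk, self.replay = pmk, aa, anonce, None, 0

    def msg1(self):
        self.replay += 1
        return eapol_key_frame(KI_VER1 | KI_PAIRWISE | KI_ACK, self.replay, nonce=self.anonce, key_len=32)

    def on_msg2(self, wire, spa):
        frame, protected = wire
        self.ptk = derive_ptk(self.pmk, self.aa, spa, self.anonce, frame[NONCE_OFF:NONCE_OFF + 32])
        if protected or not verify_mic(self.ptk[:16], frame):
            return None
        self.replay += 1
        ki = KI_VER1 | KI_PAIRWISE | KI_INSTALL | KI_ACK | KI_MIC
        return sign(self.ptk[:16], eapol_key_frame(ki, self.replay, nonce=self.anonce, key_len=32))

    def on_msg4(self, wire):
        """Group-key message 1 if message 4 is accepted, else None: the AP installs its own
        PTK only now, so a message 4 already protected under the TK cannot be decrypted."""
        frame, protected = wire
        if protected or not verify_mic(self.ptk[:16], frame):
            return None
        self.replay += 1
        ki = KI_VER1 | KI_ACK | KI_MIC | KI_SECURE | (1 << 4)  # group key, index 1; GTK RC4 wrap not modeled
        return sign(self.ptk[:16], eapol_key_frame(ki, self.replay, key_len=32))

def run_handshake(install_before_msg4: bool) -> dict:
    """Drive both sides; constructed PSK, SSID, MACs and fixed nonces keep it deterministic."""
    pmk = wpa_psk_pmk("correct horse battery staple", "ExampleNet")
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    ap = Authenticator(pmk, aa, anonce=bytes(range(32)))
    sta = Supplicant(pmk, spa, snonce=bytes(range(32, 64)))
    m3 = ap.on_msg2(sta.on_msg1(ap.msg1(), aa), spa)
    m4 = sta.on_msg3(m3, install_before_msg4)
    return {"ptk_match": ap.ptk == sta.ptk, "msg4": m4[0],
            "group_key_received": ap.on_msg4(m4) is not None}

if __name__ == "__main__":
    for order in (True, False):
        print("install PTK before message 4:", order, "->", run_handshake(order)["group_key_received"])
```

Running it shows both sides deriving the same PTK in either order, so a matching PTK (or a driver that accepts OID_802_11_ADD_KEY) proves nothing about whether the AP could read message 4; only the install-after-send order yields a group key message. A real supplicant should also check the replay counter of each received message against the last one it saw before acting on it, which this model skips.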

    Expert Comment

    You're welcome.


    Accepted Solution

    PAQed with points refunded (500)

    Community Support Moderator
