
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3563

Failed to receive WPA Group Message after 4-way handshake


I am trying to write a user-mode WPA supplicant app. The configuration
for both STA and AP is WPA-PSK.
Here is what I did for the 4-way handshake:
1) Initiate the 4-way handshake by sending an EAPOL-Start message.
2) Receive message A from the AP and get the ANonce.
3) Generate the SNonce, calculate the PTK and MIC based on the algorithms in
IEEE 802.11i, and send message B to the AP.
4) Receive message C and verify that the AP knows the PMK.
5) Send message D to the AP and install the PTK with OID_802_11_ADD_KEY.
Everything seems successful.
Now I try to receive the group key, but it fails; instead I
always receive a packet similar to message A.
So one of two things could be wrong:
A) Installing the PTK with OID_802_11_ADD_KEY, for which I have the following code:
DWORD SetPairwiseKey(const u8 *bssid, const UCHAR *pKey, int nKeyLen,
                     u8 *pKeyRsc)
{
    // Buffer holds the OID header, the fixed part of NDIS_802_11_KEY and
    // the variable-length key material. (Posted as "KeyLen"; the author
    // confirms below that nKeyLen was meant.)
    int nSize = sizeof(NDIS_OID) + FIELD_OFFSET(NDIS_802_11_KEY, KeyMaterial) + nKeyLen;
    UCHAR *SetBuffer = new UCHAR[nSize];
    ZeroMemory(SetBuffer, nSize);
    PNDISPROT_SET_OID pSetOid = (PNDISPROT_SET_OID)SetBuffer;
    pSetOid->Oid = OID_802_11_ADD_KEY;
    NDIS_802_11_KEY *p80211Key = (NDIS_802_11_KEY*)&(pSetOid->Data[0]);
    // Length of this key structure including the key material
    // (the posted line was cut off after the '+'; same expression as nSize).
    p80211Key->Length = FIELD_OFFSET(NDIS_802_11_KEY, KeyMaterial) + nKeyLen;
    // 0xe0000000: bit 31 = transmit key, bit 30 = pairwise key,
    // bit 29 = KeyRSC is valid; the low bits give key index 0.
    p80211Key->KeyIndex = 0xe0000000;
    memcpy(&p80211Key->KeyRSC, pKeyRsc, LEN_KEY_DESC_RSC);
    memcpy(p80211Key->BSSID, bssid, MAC_ADDR_LEN);
    p80211Key->KeyLength = nKeyLen;
    memcpy(p80211Key->KeyMaterial, pKey, nKeyLen);
    DWORD dwErr = SetOidValue(SetBuffer, nSize, "ADD_KEY");
    delete[] SetBuffer;   // array delete to match new[]
    return dwErr;
}


The return value is 0, so it seems OK.

B) The message D I sent out is wrong; here is the packet frame:
802.1X Authentication
    Version: 1
    Type: Key (3)
    Length: 95
    Descriptor Type: EAPOL WPA key (254)
    Key Information: 0x0109
        .... .... .... .001 = Key Descriptor Version: HMAC-MD5 for MIC
and RC4 for encryption (1)
        .... .... .... 1... = Key Type: Pairwise key
        .... .... ..00 .... = Key Index: 0
        .... .... .0.. .... = Install flag: Not set
        .... .... 0... .... = Key Ack flag: Not set
        .... ...1 .... .... = Key MIC flag: Set
        .... ..0. .... .... = Secure flag: Not set
        .... .0.. .... .... = Error flag: Not set
        .... 0... .... .... = Request flag: Not set
        ...0 .... .... .... = Encrypted Key Data flag: Not set
    Key Length: 0
    Replay Counter: 3
    Nonce: 000000000000000000000000000000000000000000000000...
    Key IV: 00000000000000000000000000000000
    WPA Key RSC: 0000000000000000
    WPA Key ID: 0000000000000000
    WPA Key MIC: 2781D5942427AF9C44B30C98AE6374CE
    WPA Key Length: 0

So it looks OK to me too.
Any idea why the group message is not being received?
Thx so much in advance.
BTW, I am using NDISUIO and ReadFile/WriteFile to send/receive the EAPOL packets.
I can provide the prototype project too.

-Andy Huang
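The arithmetic behind steps 2 to 5 above, as an added example that is not code from the original post or from Andy's project: it derives the PTK with the IEEE 802.11i PRF-512, decodes the EAPOL-Key Key Information field the way the dissector output for message D does, and builds message 4 with its HMAC-MD5 MIC (Key Descriptor Version 1, as in the capture). The PMK, MAC addresses, nonces and passphrase are constructed sample values; the NDIS calls from the thread are not involved.

```python
"""Added example (not from the original post): WPA-PSK supplicant-side
PTK derivation, EAPOL-Key flag decoding and message-4 MIC computation.
All key material below is constructed sample data."""
import hashlib
import hmac

# EAPOL-Key field offsets for the WPA descriptor (type 254), counted from the
# start of the EAPOL header: 4-byte header, then descriptor type, key info,
# key length, replay counter, nonce, IV, RSC, ID, MIC, key data length.
MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8   # 81
MIC_LEN = 16


def prf(key, label, data, nbits):
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces).
    512 bits because TKIP (Ndis802_11Encryption2Enabled) needs a 32-byte TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 512)


def split_ptk(ptk):
    """KCK (MIC key), KEK (key-data wrapping key) and TK (data key)."""
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:]}


def decode_key_info(key_info):
    """Decode the 16-bit Key Information field (0x0109 in the posted message D)."""
    return {
        "descriptor_version": key_info & 0x0007,   # 1 = HMAC-MD5 MIC, RC4 key wrap
        "pairwise": bool(key_info & 0x0008),
        "key_index": (key_info >> 4) & 0x3,
        "install": bool(key_info & 0x0040),
        "ack": bool(key_info & 0x0080),
        "mic": bool(key_info & 0x0100),
        "secure": bool(key_info & 0x0200),
        "error": bool(key_info & 0x0400),
        "request": bool(key_info & 0x0800),
        "encrypted_key_data": bool(key_info & 0x1000),
    }


def classify(key_info, nonce):
    """Name the WPA handshake message from its flags. Messages 2 and 4 share
    0x0109 and differ in carrying the SNonce (2) or an all-zero nonce (4)."""
    f = decode_key_info(key_info)
    if f["pairwise"]:
        if f["ack"] and f["install"] and f["mic"]:
            return "message 3 (pairwise)"
        if f["ack"] and not f["mic"]:
            return "message 1 (pairwise)"
        if f["mic"] and not f["ack"]:
            return "message 2 (pairwise)" if any(nonce) else "message 4 (pairwise)"
        return "unknown pairwise"
    if f["mic"] and f["ack"]:
        return "group message 1"
    if f["mic"]:
        return "group message 2"
    return "unknown group"


def build_eapol_key(key_info, replay_counter, nonce=bytes(32), mic=bytes(MIC_LEN)):
    """EAPOL (version 1, type 3 = Key) frame carrying a WPA key descriptor with
    no key data: the 95-byte body seen in the posted message D."""
    body = (bytes([254]) + key_info.to_bytes(2, "big") + (0).to_bytes(2, "big")
            + replay_counter.to_bytes(8, "big") + nonce + bytes(16) + bytes(8)
            + bytes(8) + mic + (0).to_bytes(2, "big"))
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body


def compute_mic(kck, frame):
    """Version-1 MIC: HMAC-MD5 over the whole EAPOL frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.md5).digest()


def verify_mic(kck, frame):
    """Constant-time check of a received frame's MIC (what the AP does with message 4)."""
    return hmac.compare_digest(compute_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def build_message4(kck, replay_counter):
    """Message 4: pairwise, MIC set, no Ack/Install, zero nonce, and the replay
    counter copied from message 3 (3 in the capture)."""
    frame = build_eapol_key(0x0109, replay_counter)
    return frame[:MIC_OFFSET] + compute_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


# Constructed sample inputs (not from the thread). PMK = PBKDF2-SHA1 of the
# passphrase with the SSID as salt, 4096 rounds, as WPA-PSK specifies.
PMK = hashlib.pbkdf2_hmac("sha1", b"example-passphrase", b"example-ssid", 4096, 32)
AA = bytes.fromhex("0a1b2c3d4e5f")     # authenticator (AP) MAC, constructed
SPA = bytes.fromhex("001122334455")    # supplicant (STA) MAC, constructed
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def demo():
    """Derive the PTK, build message 4 and classify it from its own header."""
    keys = split_ptk(derive_ptk(PMK, AA, SPA, ANONCE, SNONCE))
    msg4 = build_message4(keys["kck"], 3)
    return {"msg4": msg4, "kck": keys["kck"], "kind": classify(0x0109, msg4[17:49])}


if __name__ == "__main__":
    r = demo()
    print(r["kind"], len(r["msg4"]), "bytes:", r["msg4"].hex())
```

Running it prints the classification of the built frame and its hex; the frame is 99 bytes (4-byte EAPOL header plus the 95-byte body the capture shows). The nonce ordering in derive_ptk (min/max rather than AP/STA order) is what lets both sides compute the same PTK. IEEE 802.11i has the supplicant send message 4 before installing the PTK, and the authenticator install its copy only after receiving message 4; a stray KCK byte or a non-zero nonce in message 4 is rejected by the AP's MIC check just as the tampered frame is rejected here.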

1 Solution

You assign to nSize the sum of sizeof(NDIS_OID) + FIELD_OFFSET(NDIS_802_11_KEY, KeyMaterial) + KeyLen. Is KeyLen intended, or did you mean to use nKeyLen?

Your code looks okay to me. There is another question that is very similar to yours:


It may help you. It could be a question of assigning the correct packet size to the structure.
ah6511Author Commented:
Yes, KeyLen means nKeyLen. And I already looked at http://www.ureader.com/message/312094.aspx.
I just used the PCAGizmo tool to compare my result from OID_802_11_ADD_KEY with the result from WZCSVC; they are the same. So I am sure my OID_802_11_ADD_KEY usage is correct.
Now I suspect some steps I may have missed.
1) I set the Infrastructure mode to Ndis802_11Infrastructure
2) I set authentication mode to Ndis802_11AuthModeWPAPSK
3) I set encryption mode to Ndis802_11Encryption2Enabled
4) I associated the AP with NDIS_802_11_SSID
Then I started the 4-way handshake.
Should I wait for the association to complete, then do the 4-way handshake?
If it helps you to solve my problem, can I email you my prototype project?

-Andy Huang


I'm sure you are doing the right thing. Have you checked whether the AP supports WPA?

The "IEEE 802.11 Network Adapter Design Guidelines for Windows XP" says that "If the authentication mode is set to WPA or WPA-PSK mode, the NIC should not associate with a non-WPA access point."

The other thing I can think of is about the packet length. The link I mentioned before uses sizeof(NDIS_802_11_KEY) plus the key size. FIELD_OFFSET(NDIS_802_11_KEY, KeyMaterial) does the same, but it could be worth testing that way.

ah6511Author Commented:
Yes, the AP supports WPA-PSK; Windows XP WZC works. Also, like I mentioned, the result from OID_802_11_ADD_KEY looks correct because I compared it with the result from WZC with PCAGizmo.
I am totally lost and frustrated. If you can try my prototype project, then that will be very helpful.
Thx for the response.

-Andy Huang
OK. I'll try your prototype project. I'm sure there must be a little detail missing.
My email is opanza@yahoo.es

ah6511Author Commented:
I figured out why it failed: I had to send Message 4 before installing the PTK with OID_802_11_ADD_KEY. I don't know why it mattered though. Thx anyway.

-Andy Huang
You're welcome.

PAQed with points refunded (500)

Community Support Moderator
