Failed to receive WPA Group Message after 4-way handshake


I am trying to write a user-mode WPA supplicant apps. The configuration
for both STA and AP is WPA-PSK.
Here is what I did for 4-way handshake:
1) Initiate 4-way handshake by sending EAPOL-Start message.
2) Receive message A from AP and got ANonnce.
3) Generating SNonce and calc PTK and MIC based on the algorithms by
IEEE 802.11i and send Message B to AP.
4) Receive message C and verify that AP knows the PMK.
5) Send message D to AP and Install the PTK with OID_802_11_ADD_KEY.
Everything seems successful.
Now I try to receive group key, but it failed to receive it, instead I
always receive packet similar to message A.
So one of 2 things could be wrong:
A) Install PTK with OID_802_11_ADD_KEY, which I have following code:
DWORD SetPairwiseKey(const u8 *bssid, const UCHAR *pKey, int nKeyLen,
u8 *pKeyRsc)
int nSize = sizeof(NDIS_OID) + FIELD_OFFSET(NDIS_802_11_KEY,
KeyMaterial) + KeyLen;
UCHAR *SetBuffer = new UCHAR[nSize];
ZeroMemory(SetBuffer, nSize);
pSetOid = (PNDISPROT_SET_OID)SetBuffer;
pSetOid->Oid = OID_802_11_ADD_KEY;
NDIS_802_11_KEY *p80211Key = (NDIS_802_11_KEY*)&(pSetOid->Data[0]);
p80211Key->Length = FIELD_OFFSET(NDIS_802_11_KEY, KeyMaterial) +
p80211Key->KeyIndex = 0xe0000000;
memcpy(&p80211Key->KeyRSC, pKeyRsc, LEN_KEY_DESC_RSC);
memcpy(p80211Key->BSSID, bssid, MAC_ADDR_LEN);
p80211Key->KeyLength = nKeyLen;
memcpy(p80211Key->KeyMaterial, pKey, nKeyLen);
DWORD dwErr = SetOidValue(SetBuffer, nSize, "ADD_KEY");
delete SetBuffer;
return dwErr;


the return value is 0, so it seems OK

B) Message D I sent out is wrong, here is the packet frame from
802.1X Authentication
    Version: 1
    Type: Key (3)
    Length: 95
    Descriptor Type: EAPOL WPA key (254)
    Key Information: 0x0109
        .... .... .... .001 = Key Descriptor Version: HMAC-MD5 for MIC
and RC4 for encryption (1)
        .... .... .... 1... = Key Type: Pairwise key
        .... .... ..00 .... = Key Index: 0
        .... .... .0.. .... = Install flag: Not set
        .... .... 0... .... = Key Ack flag: Not set
        .... ...1 .... .... = Key MIC flag: Set
        .... ..0. .... .... = Secure flag: Not set
        .... .0.. .... .... = Error flag: Not set
        .... 0... .... .... = Request flag: Not set
        ...0 .... .... .... = Encrypted Key Data flag: Not set
    Key Length: 0
    Replay Counter: 3
    Nonce: 000000000000000000000000000000000000000000000000...
    Key IV: 00000000000000000000000000000000
    WPA Key RSC: 0000000000000000
    WPA Key ID: 0000000000000000
    WPA Key MIC: 2781D5942427AF9C44B30C98AE6374CE
    WPA Key Length: 0

So it looks OK to me too.
Any idea why group message is not being received.
Thx so much in advance.
BTW, I am using NDISUIO and ReadFile/WriteFile to send/receive EAPOL packet.
I can provide the proto type project too.

-Andy Huang

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


You assign to nSize the sum of sizeof(NDIS_OID) + FIELD_OFFSET(NDIS_802_11_KEY, KeyMaterial) + KeyLen. Is KeyLen intented or you meant to use nKeyLen?

Your code looks okay to me. There is another question that is very similar to yours:

It may help you. It could be a question of assigning the correct packet size to the structure.
ah6511Author Commented:
Yes, KenLen means nKeyLen. And I already looked at
I just used the PCAGizmo tool to compare my result from OID_802_11_ADD_KEY with the result from WZCSVC, they are same. So I am sure my OID_802_11_ADD_KEY usage is correct.
Now I suspect some steps I may have missed.
1) I set the Infrastructure mode to Ndis802_11Infrastructure
2) I set authentication mode to Ndis802_11AuthModeWPAPSK
3) I set encryption mode to Ndis802_11Encryption2Enabled
4) I associated the AP with NDIS_802_11_SSID
The I started 4-way handshake.
Should I wait for Association complete, then do 4-way handshake?
If it help you to solve my problem, Can i Email you my prototye project.

-Andy Huang


I'm sure you are doing the right thing. Have you checked whether the AP supports WPA?

The "IEEE 802.11 Network Adapter Design Guidelines for Windows XP" says that "If the authentication mode is set to WPA or WPA-PSK mode, the NIC should not associate with a non-WPA access point."

The other thing I can think of is about the packet length. The link I mentioned before uses sizeof(NDIS_802_11_KEY) plus the key size. FIELD_OFFSET(NDIS_802_11_KEY, KeyMaterial) does the same but it could be worth test that way.

Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

ah6511Author Commented:
Yes, the AP supports WPA-PSK, Windows XP WZC works. Also like I mentioned, the the result from OID_802_11_ADD_KEY looks correct because I compared it with the result from WZC with PCAGizmo.
I am totally lost and frustrated. If you can try my prototype project, then that will be very helpful.
Thx for the response.

-Andy Huang
OK. I'll try your prototype project. I'm sure there must be a little detail missing.
My email is

ah6511Author Commented:
I figured out why it failed, I had to send Message 4 before install the PTK with OID_802_11_ADD_KEY, I don't know why it mattered though. Thx anyway.

-Andy Huang
You're welcome.

PAQed with points refunded (500)

Community Support Moderator

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Smartphone Programming

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.