Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] WPA decryption?

From: Solomon Peachy <solomon@xxxxxxxxxxxxxx>
Date: Fri, 8 Sep 2006 12:00:11 -0400
On Fri, Sep 08, 2006 at 09:19:43AM -0500, Queisser, Andrew (Tonnerre de Brest!) wrote:
> I found only one tool (aircrack/airdecap) that supposedly is capable of
> doing this (so far it hasn't worked for me) but I'm wondering if anyone
> is working on adding WPA decryption to wireshark in the same way it
> already decrypts WEP.

The problem with WPA/WPA2 is that it uses dynamic keys derived from a 
hanshake sequence.  If you don't have all of the information needed to 
generate that dynamic keydata, then you won't be able to generate the 
per-packet encryption key and decrypt the frame.  Oh, and each pair of 
communication stations use a unique keyset.

With WPA[2]-PSK, obtaining this dynamic key information is possible if
you sniffed the initial handshake and knew the PSK, but if they're using
WPA[2]-EAP, the "shared secret" is generated on either end using the
authentication credentials via a secure channel.  While there are attack
vectors for this information... it's a monumental undertaking.

All that said, all you strictly need to decode TKIP or AES traffic is
the PTK (derived from the PMK/PSK+handshake data), so if you know that,
(presumably via AP or STA logs) decoding the payload is possible.  

 - Solomon
-- 
Solomon Peachy                        solomon@xxxxxxxxxxxxxx
AbsoluteValue Systems                 http://www.linux-wlan.com
721-D North Drive                     +1 (321) 259-0737  (office)
Melbourne, FL 32934                   +1 (321) 259-0286  (fax)

Attachment: pgpqQFHXDWP5k.pgp
Description: PGP signature