Wireshark-bugs: [Wireshark-bugs] [Bug 1420] 802.11 WPA/WPA2-PSK Unable to decode Group Keys
Date: Wed, 2 Apr 2008 21:16:09 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1420


Brian Stormont <nospam@xxxxxxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1610|                            |review_for_checkin?
               Flag|                            |




--- Comment #3 from Brian Stormont <nospam@xxxxxxxxxxxxxxx>  2008-04-02 21:16:00 GMT ---
Created an attachment (id=1610)
 --> (http://bugs.wireshark.org/bugzilla/attachment.cgi?id=1610)
This is a patch for proposed group key support for WPA and WPA2 PSK

This is my first attempt at submitting a patch for Wireshark.  If I didn't
follow the proper conventions or did something wrong, please let me know.

Although this patch successfully recognizes group keys and decrypts packets
properly using the group key, there is a limitation.  If an AP is using key
rotation, clicking on individual packets in a trace may not properly decrypt a
packet encrypted with a group key.  This is because the current structure used
in Wireshark only supports one active unicast and one active group key.  If a
new key has been seen, but you are looking at a packet encrypted with an older
key, it will not decrypt.  The summary lines, however, do show the packets
properly decrypted.

I've written up a much longer and more detailed explanation in a comment in the
code, along with a proposed idea for a solution, plus a clunky work-around in
the GUI when using the current code.

I also suspect there might still be a problem with decrypting TKIP group keys
that are sent using WPA2 authentication.  In the most common operation, if you
are using WPA2, you'll also be using AES keys. It's not a common AP
configuration to use WPA2 with TKIP. In fact, most APs don't seem to support
it.  Since it is an uncommon setup, I haven't put aside the time to test this
patch against such an AP.  I do have access to an AP that supports this, so
when I have the time I'll test it and if needed, will submit another patch to
handle that odd-ball condition.
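
A minimal model of the key-rotation limitation described in the comment above, added here as an illustration; it is not part of the patch or of Wireshark's code. The frame layout, the key ids and the per-frame key record (`gtk_at_frame`) are assumptions, and the history lookup is one possible approach, not necessarily the solution proposed in the patch's code comment.

```c
#include <stdio.h>

/* Constructed model: a frame either installs a new group key (as a group-key
 * handshake would) or is data encrypted under the group key numbered gtk_id. */
enum kind { INSTALL_GTK, DATA };
struct frame { enum kind kind; int gtk_id; };

static const struct frame capture[] = {      /* constructed sample trace */
    { INSTALL_GTK, 1 }, { DATA, 1 }, { DATA, 1 },
    { INSTALL_GTK, 2 }, { DATA, 2 },
};
#define NFRAMES ((int)(sizeof capture / sizeof capture[0]))

static int active_gtk;                 /* the single "active group key" slot */
static int gtk_at_frame[NFRAMES];      /* hypothetical per-frame key record  */

/* Decryption is modelled as succeeding only when the key ids match. */
static int decrypt_with(int key, const struct frame *f)
{
    return f->kind == DATA && key == f->gtk_id;
}

/* First pass in capture order (what fills the summary lines): the slot always
 * holds the key in force at that point. Returns the number decrypted. */
int sequential_pass(void)
{
    int ok = 0;
    active_gtk = 0;
    for (int i = 0; i < NFRAMES; i++) {
        if (capture[i].kind == INSTALL_GTK)
            active_gtk = capture[i].gtk_id;
        gtk_at_frame[i] = active_gtk;          /* remember key for frame i */
        ok += decrypt_with(active_gtk, &capture[i]);
    }
    return ok;
}

/* Selecting one frame afterwards: only the newest key is still in the slot. */
int select_single_slot(int i) { return decrypt_with(active_gtk, &capture[i]); }

/* Same selection using the key recorded for that frame in the first pass. */
int select_with_history(int i) { return decrypt_with(gtk_at_frame[i], &capture[i]); }

int main(void)
{
    printf("summary pass decrypted %d of 3 data frames\n", sequential_pass());
    printf("frame 1: single slot=%d, with history=%d\n",
           select_single_slot(1), select_with_history(1));
    return 0;
}
```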

