in reply to [SOLVED] HMAC_SHA1 Implementation for WPA

Hi, The IEEE 802.11i-2004 says: 
 
The PTK is generated by concatenating the following attributes: PMK, A
+P nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC add
+ress.
You should better check this as the order is important.

[download]
This isn't exactly what you are doing here : 
my $a = "Pairwise key expansion"; # application-specific data
my $b = $amac.$smac.$snonce.$anonce;
my $r = "";
    for(my $i=0;$i<4;$i++){
        my $data = $a."\x00".$b.$i;

[download]
The product is then put through PBKDF2-SHA1 as the cryptographic hash function. The PBKDF2 key derivation function has five input parameters: 
DK = PBKDF2(PRF, Password, Salt, c, dkLen)

[download]
where:
  • PRF is a pseudorandom function of two parameters with output length hLen (e.g. a keyed HMAC)
  • Password is the master password from which a derived key is generated
  • Salt is a cryptographic salt
  • c is the number of iterations desired
  • dkLen is the desired length of the derived key
  • DK is the generated derived key

    • For more on pbkdf2 used in perl check this link PBKDF2 crypt
    Here's some code used to do this pbkdf2.pl

    Replies are listed 'Best First'.
    Re^2: HMAC_SHA1 Implementation for WPA
    by return0 (Acolyte) on Jun 23, 2014 at 23:11 UTC
      Hi, there actually have been quite a few amendments since 2004, thankfully. You may want to look into a more updated document. As far as "five input parameters" goes, can you not see my 5 parameters? Also, I know that the order is important, as all documentation on building the string data to send to the HMAC-SHA1 uses min() max() functions in its concatentation syntax. This is why I have them hard-coded at the moment. 
      In a similar way, the computation of the pairwise temporal keys is wri
+tten:
PRF-512(PMK, "Pairwise key expansion", MAC1||MAC2||Nonce1||Nonce2)
Here MAC1 and MAC2 are the MAC addresses of the two devices where MAC1
+ is the smaller (numerically) and MAC2 is the larger of the two addre
+sses. Similarly, Nonce1 is the smallest value between ANonce and SNon
+ce, while Nonce2 is the largest of the two values.

      [download]

      During my more recent research however, I did find a Python implementation which shows similar difficulties, and might shed some insight on your documentation problem - as he did successfully calculate the PTK in Python in a *very* similar way. http-stackoverflow.com-questions-12018920/
      Maybe this is a key, but I do use the pack() function, which seems to be the same. I am going to read the .cap file directly using Net::Pcap now and check if the "string" is somehow causing the issue.

      Thanks.
    		[reply]
    [d/l]
    Re^2: HMAC_SHA1 Implementation for WPA
    by return0 (Acolyte) on Jun 24, 2014 at 03:12 UTC
      I have added code into aircrack-ng.c from the latest sauce which writes the pke[] array to a file as so: 
      FILE *pkef;
                pkef=fopen("pke.txt", "a");
                for(j=0; j<nparallel; ++j)
                {
                        /* compute the pairwise transient key and the 
+frame MIC */

                        for (i = 0; i < 4; i++)
                        {
                                pke[99] = i;
                                HMAC(EVP_sha1(), pmk[j], 32, pke, 100,
+ ptk[j] + i * 20, NULL);
                                int kk = 0;
                                fprintf(pkef,"==> ");
                                for(kk = 0;kk<=99;kk++){
                                        fprintf(pkef, "%i ",pke[kk]);
                                }
                                fprintf(pkef,"\n---------------------\
+n");
                        }

      [download]
      After which I converted it to hex, and the output was exactly that which it should be: "Pairwise key expansion" . 0x00 . $mac1 . $mac2 . $nonce1 . $nonce2 . 0x00; # where $mac1 < $mac2 && $nonce1 < $nonce2. Now, I used this hex in Perl and tried hmac_sha1 and even PBKDF2 again, to no avail (using the pre-computed PMK as the key just like Aircrack-ng). I have tried 1 and 4096 passes, I know I am using CCMP-WPA2, I know what cowpatty and aircrack-ng produce, i have also tried reading the raw bytes directly from Net::Pcap but I cannot seem to get the correct first 128 bits of the PTK.. I bet it has to do with not being able to replicate that danged HMAC() C function properly. There's a description of it in the openSSL documentation as: 
      unsigned char *HMAC(const EVP_MD *evp_md, const void *key,
               int key_len, const unsigned char *d, int n,
               unsigned char *md, unsigned int *md_len);

      [download]
      Could it simply not be possible? Thanks monks! :)
    		[reply]
    [d/l]
    [select]
    Re^2: HMAC_SHA1 Implementation for WPA
    by return0 (Acolyte) on Jun 28, 2014 at 03:44 UTC
      Okay, so I feel like I am getting a bit closer. I got the Python program from the link (http-stackoverflow.com-questions-12018920) to work, even though I don't know python, and watched exactly what it was doing. 
      import hmac
import hashlib
from hashlib import sha1
import binascii
import sys

A           = "Pairwise key expansion"
APmac       = binascii.a2b_hex("001dd0f694b0")
Clientmac   = binascii.a2b_hex("489d2477179a")
ANonce      = binascii.a2b_hex("87f2718bad169e4987c94255395e054bcaf77c
+8d791698bf03dc85ed3c90832a")
SNonce      = binascii.a2b_hex("143fbb4333341f36e17667f88aa02c5230ab82
+c508cc4bd5947dd7e50475ad36")
B           = min(APmac,Clientmac)+max(APmac,Clientmac)+min(ANonce,SNo
+nce)+max(ANonce,SNonce)

def customPRF512(key,A,B):
    blen = 64
    i    = 0
    R    = ''
    while i<=((blen*8+159)/160):
        hmacsha1 = hmac.new(key,A+chr(0x00)+B+chr(i),sha1)
        i+=1
        R = R+hmacsha1.digest()
        print "R: ",binascii.b2a_hex(hmacsha1.digest()),"\n"
    return R[:blen]

pmk = binascii.a2b_hex("9051ba43660caec7a909fbbe6b91e4685f1457b5a2e236
+60d728afbd2c7abfba")

ptk = customPRF512(pmk,A,B)
print "pmk:\t\t",binascii.b2a_hex(pmk),"\n"
print "ptk:\t\t",binascii.b2a_hex(ptk[0:16]),"\n"

print "A: ",binascii.b2a_hex(A),"\n"
print "CHR(0x00): ",chr(0x00),"\n"
print "B: ",binascii.b2a_hex(B),"\n"
print "key: ",binascii.b2a_hex(pmk),"\n"
print "CHR(0): ",chr(0),"\n"
i = 0
string = A+chr(0x00)+B+chr(i)
print "STRING: ",binascii.b2a_hex(string);

      [download]

      It produced the correct PTK from my PMK using the hmac_sha1 class. You can see it from "directly from python loop" in the code. 
      #!/usr/bin/perl -w
use strict;
use Digest::HMAC_SHA1 qw(hmac_sha1 hmac_sha1_hex);
my $pmk = pack("H*","9051ba43660caec7a909fbbe6b91e4685f1457b5a2e23660d
+728afbd2c7abfba");
my $a;
foreach(split("","Pairwise key expansion")){
        $a .= sprintf("%x",ord($_));
} # 5061697277697365206b657920657870616e73696f6e OK
my $i = 0x00; # 00 in hex
my $smac = pack("H*","489d2477179a");
my $amac = pack("H*","001dd0f694b0");
my $snonce = pack("H*","143fbb4333341f36e17667f88aa02c5230ab82c508cc4b
+d5947dd7e50475ad36");
my $anonce = pack("H*","87f2718bad169e4987c94255395e054bcaf77c8d791698
+bf03dc85ed3c90832a");
my $b = $amac.$smac.$snonce.$anonce;
 # Directly from Python code in for loop (without spaces):
        # 5061697277697365206b657920657870616e73696f6e 00 001dd0f694b0
+ 489d2477179a1
        # 43fbb4333341f36e17667f88aa02c5230ab82c508cc4bd5947dd7e50475a
+d36
        # 87f2718bad169e4987c94255395e054bcaf77c8d791698bf03dc85ed3c90
+832a 00
my $hd = $a.$i.$b.$i;
my $digest = hmac_sha1($hd,$pmk);
print unpack("H*",$digest)."\n"; # according to docs: $digest = hmac_s
+ha1($data, $key);
 # does not come out as 9287f887faade9257f5a806309a2bac8956fcbec like 
+hmac_sha1 from Python ?

      [download]
      I am almost sure that the pack() fucntion in Perl is similar to his a2b_hex() method as I have altered his Python code to print it for each iteration. As you can see the "Pairwise key expansion" is turned into hex via each character's ascii code, which I did with sprintf and ord. That comes out to:

      5061697277697365206b657920657870616e73696f6e

      which is correct. Is the pack() function argument wrong? is the hmacsha1 not the same as in Python? I am so lost right now. :( Thanks monks!
    		[reply]
    [d/l]
    [select]
        I am trying to generate hmac_sha256 PTK for 11w client . Can anybody provide similar function for sha256_prf ?
    		[reply]
    [reply]

          Show us your code.

    		[reply]

    In Section Seekers of Perl Wisdom