An Empirical Analysis of the 4-way Hand-shake1

1
An Empirical Analysis of the 4-way Hand-shake1

• Nick Petroni, Jr.
• npetroni_at_waa-assoc.com
• William A. Arbaugh
• waa_at_waa-assoc.com
• WAA Associates, LLC.

1. This work funded under a contract with the
U.S. Defense Information Systems Agency (DISA)
2
Experiment Equipment

• Tested equipment
• Access Points from 3 vendors
• Client cards from 4 vendors
• 4 software clients (1 card-specific)
• STA
• 1.8GHz Pentium 4m Laptop
• 256 MB RAM
• Windows XP Professional Service Pack 1
• Measurement host
• Identical hardware to client host
• WildPackets AiroPeek NX 2.0

3
Test Procedure

• Power up first AP on channel 1 in RF free
  environment.
• STA associates to first AP
• Power up second AP on channel 6
• Power down first AP to force reassociation with
  second AP
• Timing host listens on channel 6.

4
Layout
AP1
5 feet
10 feet
10 feet
AP2
7 feet
3 feet
5
Interoperability Matrix
6
Problems Encountered

• Client Problems
• Multiple clients sent EAPOL Start in response to
  first EAPOL Key Packet
• One client occasionally sent EAPOL Key response
  (second message) to the previous AP, even after
  receiving first key message from new AP

7
Problems Encountered

• Card Problems
• Multiple cards did full Association instead of
  Reassociation

8
Problems Encountered

• Interoperability Problems
• One client could not successfully authenticate
  with one AP regardless of card used.
• One client/card combination failed to
  interoperate
• One combination of client/card/AP consistently
  resulted in
• Reassociation
• 4-way handshake
• Deauthentication
• Full Association
• 4-way handshake
• Two cards used (seemingly) proprietary means with
  the same AP, failing to ever do a 4-way HS

9
Results- Client Comparison
10
Results- Client1
11
Results- Client1
12
Results- Client2
13
Results- Client3
14
Results- Client3
15
Results- Client4
16
Results- Client4
17
Results- Effect of AP
18
Results- Effect of AP
19
Results- Effect of Card
20
Results- Effect of Card
21
Summary of Results

• Interoperability problems were MUCH larger than
  expected.
• An optimized client on a Pentium 4 (we didnt
  have a client for a PDA to test) has a 20ms
  latency for the 4-way.

22
Conclusions

• A 4-way latency of 20ms in the best case (no RF
  contention, fast processor, no RADIUS delay as in
  PMK caching) creates a total layer 2 latency that
  will likely exceed 50ms when combined with the
  probe phase latency.
• Weve already dropped 2.5 VoIP packets and we
  havent added in the layer 3 latency yet.

23
Recommendations

• WECA should consider a bake off to quickly
  identify interoperability problems.
• TGi should consider splitting the PAR into two
  working groups. The first would complete the
  current draft components, and the second would
  define a fast hand-off specification that
  utilizes the current key hierarchy.

24
Thanks

• Vendors for providing TKIP equipment.
• Tim Moore and Nancy Cam-Winget for answering
  questions.
• Wildpackets for providing Airopeek NX v2 for
  testing.
• DISA for funding the work.