Wireshark mailing list archives

Re: Cannot Decrypt Fast BSS Transition (802.11r) Packets


From: Mikael Kanstrup <mikael.kanstrup () gmail com>
Date: Sat, 16 May 2020 00:38:45 +0200

On Fri, 15 May 2020 at 19:44, Richard Sharpe <realrichardsharpe () gmail com> wrote:

> On Fri, May 15, 2020 at 10:27 AM Mikael Kanstrup
> <mikael.kanstrup () gmail com> wrote:
> >
> > Hi,
> >
> > Fast BSS Transitioning decryption is unfortunately not supported by
> > Wireshark.
> >
> > Wireshark uses passphrase/PSK/PMK together with the 4-way handshake to
> > derive PTK and GTK. FT key hierarchy and key derivation are not handled by
> > the decryption engine, so PTK remains unknown, which makes decryption fail.
> > And unfortunately directly entering PTK for decryption is not supported
> > either.
>
> It could be but it would take some work :-)


Yes. I think TK user input would be quite easy to implement and would cover
both this case and a few more. I did some prototyping on this today but I'm
not sure when I'll have time to complete it.

The idea is to allow the user to enter a TK as the decryption key. When
decrypting packets, if no valid SA exists, either due to the 4WHS missing in
the packet capture or due to non-supported AKMS, Wireshark would try
decrypting using all user-entered TKs and all supported ciphers. If a packet
can be successfully decrypted, an SA would be formed from the inputs used.
Then on subsequent packets the SA already exists and decryption can continue
without repeated attempts. Performance should be acceptable I hope.

/Mikael
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
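
The fallback flow described in the message above (try every user-entered TK with every supported cipher, form an SA on the first success, reuse it afterwards), sketched as an added example that is not Wireshark code or the poster's prototype. Assumptions: the two ciphers are stdlib stand-ins for CCMP/GCMP built from SHA-256 and HMAC, and `Decryptor`, `CIPHERS`, the nonce/AAD layout and all sample keys and addresses are constructed for illustration.

```python
import hashlib, hmac

def _toy_aead(label, mic_len):
    # Stand-in for CCMP/GCMP (assumption): SHA-256 keystream plus truncated HMAC as MIC.
    def stream(tk, nonce, n):
        blocks = [hashlib.sha256(label + tk + nonce + bytes([i])).digest() for i in range(n // 32 + 1)]
        return b"".join(blocks)[:n]
    def mic(tk, nonce, aad, ct):
        return hmac.new(tk, label + nonce + aad + ct, hashlib.sha256).digest()[:mic_len]
    def encrypt(tk, nonce, aad, pt):
        ct = bytes(a ^ b for a, b in zip(pt, stream(tk, nonce, len(pt))))
        return ct + mic(tk, nonce, aad, ct)
    def decrypt(tk, nonce, aad, data):
        ct, tag = data[:-mic_len], data[-mic_len:]
        if not hmac.compare_digest(tag, mic(tk, nonce, aad, ct)):
            return None  # wrong TK or wrong cipher: the MIC rejects the attempt
        return bytes(a ^ b for a, b in zip(ct, stream(tk, nonce, len(ct))))
    return encrypt, decrypt

CIPHERS = {"toy-ccmp": _toy_aead(b"ccmp", 8), "toy-gcmp": _toy_aead(b"gcmp", 16)}

class Decryptor:
    def __init__(self, user_tks):
        self.user_tks = list(user_tks)  # TKs entered by the user
        self.sa = {}                    # (ta, ra) -> (cipher name, tk)
        self.trials = 0                 # trial decryptions performed so far

    def decrypt(self, ta, ra, pn, data):
        nonce, aad = ta + pn, ta + ra   # simplified layout (assumption)
        if (ta, ra) in self.sa:         # SA exists: no repeated attempts
            name, tk = self.sa[(ta, ra)]
            return CIPHERS[name][1](tk, nonce, aad, data)
        for tk in self.user_tks:        # no SA: try every TK with every cipher
            for name, (_, dec) in CIPHERS.items():
                self.trials += 1
                pt = dec(tk, nonce, aad, data)
                if pt is not None:
                    self.sa[(ta, ra)] = (name, tk)  # form SA from the inputs that worked
                    return pt
        return None

def demo():
    tk = bytes(range(16))               # constructed sample key and addresses
    ta, ra = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    enc = CIPHERS["toy-gcmp"][0]
    pns = [i.to_bytes(6, "big") for i in range(3)]
    frames = [(pn, enc(tk, ta + pn, ta + ra, b"frame " + pn.hex().encode())) for pn in pns]
    d = Decryptor([bytes(16), tk])      # one wrong TK, then the right one
    return [d.decrypt(ta, ra, pn, f) for pn, f in frames], d.trials
```

The MIC check is what makes trial decryption usable as a success test: a wrong TK or cipher fails authentication instead of producing garbage plaintext, so only the first frame of a flow pays for the search.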
