To generate a valid pairwise master key for a WPA2 network a router uses the PBKDF2-HMAC-SHA1 algorithm. I understand that the sha1 function is performed 4096 times to derive the PMK, however I have two questions about the process.
Excuse the pseudo code.
1) How is the input to the first instance of the SHA1 function formatted? SHA1("network_name"+"network_name_length"+"network_password")
Is it formatted in that order, is it the hex value of the network name, length and password or straight ASCII?
Then from what I gather the 160 bit digest received is fed straight into another round of hashing without any additional salting. Like this: SHA1("160bit digest from last round of hashing") Rise and repeat.
2) Once this occurs 4096 times 256 bits of the output is used as the pairwise master key. What I don't understand is that if SHA1 produces 160bit output, how does the algorithm arrive at the 256bits required for a key?
Thanks for the help.
yeah thats right, the algorithm to generate a binary key for a WPA network is:
key = PBKDF2(passphrase, ssid, 4096, 256)
PBKDF2 is described in http://www.ietf.org/rfc/rfc2898.txt
It uses the HMAC algorithm to create a digest of the input. HMAC can use any hash function, here the spec calls for SHA1 as you mentioned. The hash is done on an intermediate state within the HMAC algorithm:
H(K XOR opad, H(K XOR ipad, text))
(H=the chosen hash function, K is the passphrase, text would be ssid)
This HMAC process is repeated 4096 times by PBKDF2.
HMAC algorithm: http://www.ietf.org/rfc/rfc2104
There's a source example here of deriving a key:
https://www.codeblog.org/viewsrc/openssl-engine-0.9.6a/crypto/evp/p5_crpt2.c
int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
80: unsigned char *salt, int saltlen, int iter,
81: int keylen, unsigned char *out)
salt is the SSID, pass is the password.