Wireshark-dev: Re: [Wireshark-dev] Cannot Decrypt Fast BSS Transition (802.11r) Packets

From: Mikael Kanstrup <mikael.kanstrup@xxxxxxxxx>
Date: Sat, 16 May 2020 00:38:45 +0200
On Fri, 15 May 2020 at 19:44, Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:
> On Fri, May 15, 2020 at 10:27 AM Mikael Kanstrup
> <mikael.kanstrup@xxxxxxxxx> wrote:
> >
> > Hi,
> >
> > Fast BSS Transition decryption is unfortunately not supported by Wireshark.
> >
> > Wireshark uses the passphrase/PSK/PMK together with the 4-way handshake to derive the PTK and GTK. The FT key hierarchy and key derivation are not handled by the decryption engine, so the PTK remains unknown, which makes decryption fail. And unfortunately, directly entering the PTK for decryption is not supported either.
>
> It could be but it would take some work :-)

Yes. I think TK user input would be quite easy to implement and would cover both this case and a few more. I did some prototyping on this today, but I'm not sure when I'll have time to complete it.

The idea is to allow the user to enter a TK as a decryption key. When decrypting packets, if no valid SA exists, either because the 4WHS is missing from the packet capture or because the AKM is not supported, Wireshark would try decrypting using all user-entered TKs and all supported ciphers. If a packet can be successfully decrypted, an SA would be formed from the inputs used. On subsequent packets the SA then already exists and decryption can continue without repeated attempts. Performance should be acceptable, I hope.

/Mikael
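The trial-decryption scheme Mikael sketches above, written out as an added example; this is not Wireshark code and not from this thread. It assumes a constructed minimal frame layout (non-QoS, no A4), covers only GCMP (Go's standard GCM matches the 12-byte A2||PN nonce and 16-byte MIC) rather than all supported ciphers, and keys the learned SAs by the frame's address pair.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// Frame is a constructed, minimal view of a protected non-QoS 802.11 data frame.
type Frame struct {
	FC, SC     [2]byte // frame control, sequence control
	A1, A2, A3 [6]byte
	PN         [6]byte // packet number from the GCMP header, PN5..PN0
	Body       []byte  // ciphertext || 16-byte MIC
}
type saKey struct{ a1, a2 [6]byte } // an SA is identified by the address pair
// aad: masked FC (Retry/PwrMgt/MoreData cleared, Protected set), A1..A3 and
// SC with the sequence number zeroed; simplified, no A4 or QoS control field.
func aad(f *Frame) []byte {
	out := []byte{f.FC[0], (f.FC[1] &^ 0x38) | 0x40}
	out = append(append(append(out, f.A1[:]...), f.A2[:]...), f.A3[:]...)
	return append(out, f.SC[0]&0x0f, 0)
}

// nonce is the 12-byte GCMP nonce A2 || PN.
func nonce(f *Frame) []byte { return append(append([]byte{}, f.A2[:]...), f.PN[:]...) }
// gcmp builds the AEAD for a 16- or 32-byte TK (GCMP-128 / GCMP-256).
func gcmp(tk []byte) (cipher.AEAD, error) {
	if blk, err := aes.NewCipher(tk); err == nil {
		return cipher.NewGCM(blk)
	}
	return nil, aes.KeySizeError(len(tk))
}

// Decrypt reuses the SA for this address pair if one exists; otherwise it
// tries every user-entered TK and forms an SA from the first whose MIC verifies.
func Decrypt(tks [][]byte, sas map[saKey][]byte, f *Frame) ([]byte, bool) {
	k := saKey{f.A1, f.A2}
	if tk, ok := sas[k]; ok {
		tks = [][]byte{tk} // SA already formed: no trial decryption needed
	}
	for _, tk := range tks {
		if g, err := gcmp(tk); err == nil {
			if pt, err := g.Open(nil, nonce(f), f.Body, aad(f)); err == nil {
				sas[k] = tk
				return pt, true
			}
		}
	}
	return nil, false
}
```

A wrong TK fails the MIC check rather than yielding garbage, which is what makes the "try every TK, keep the one that verifies" approach safe to use for forming an SA.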