Page 252 - Handout Computer Network.
Figure 55: The WPA2 four-way handshake
(e.g., a password). One of their tasks will be to derive a shared symmetric session key, KM-AP,
which will be used to encrypt/decrypt frames that are later transmitted between the mobile
device (M) and the AP.
Mutual authentication and shared symmetric session-key derivation are accomplished in the first
two steps, a and b, of the four-way handshake shown in Figure 8.31. Steps c and d are used to
derive a second key used for group communication; see [Kohlios 2018; Zou 2016] for details.
a. In this first step, the authentication server (AS) generates a nonce, NonceAS, and sends it to
the mobile device. Recall that nonces are used to avoid playback attacks and prove the “liveness”
of the other side being authenticated.
b. The mobile device, M, receives the nonce, NonceAS, from the AS and generates its own nonce,
NonceM. The mobile device then generates the symmetric shared session key, KM-AP, using
NonceAS, NonceM, the initial shared secret key KAS-M, its MAC address, and the MAC address
of the AS. It then sends its nonce, NonceM, and an HMAC-signed (see Figure 8.9) value that
encodes NonceAS and the original shared secret.
The AS receives this message from M. By looking at the HMAC-signed version of the nonce it had
just recently sent, NonceAS, the authentication server knows the mobile device is live; because
the mobile device was able to encrypt using the shared secret key, KAS-M, the AS also knows
that the mobile device is indeed who it claims to be (i.e., a device that knows the shared initial
secret).
The AS has thus authenticated the mobile device! The AS can also now perform the exact same
computation as the mobile device to derive the shared symmetric session-key, KM-AP, using the
NonceM it received, NonceAS, the initial shared secret key KAS-M, its MAC address and the MAC
address of the mobile device. At this point both the mobile device and the authentication server
have computed the same shared symmetric key, KM-AP, which will be used to encrypt/decrypt
frames transmitted between the mobile device and the AP.
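
Steps a and b as a runnable sketch (an added example, not code from the handout or from the 802.11 standard). It assumes HMAC-SHA256 for both the key derivation and the tag, and has the tag cover NonceM as well as NonceAS; the function names and sample values are constructed, and real WPA2 uses its own PRF and message format.

```python
import hashlib
import hmac
import os

def derive_session_key(k_as_m, nonce_as, nonce_m, mac_as, mac_m):
    """Derive KM-AP from the inputs the text lists (simplified, not the 802.11 PRF)."""
    # Sort each pair so both sides build the same byte string regardless of role.
    material = b"".join(sorted([mac_as, mac_m]) + sorted([nonce_as, nonce_m]))
    return hmac.new(k_as_m, b"session key" + material, hashlib.sha256).digest()

def nonce_tag(k_as_m, nonce_as, nonce_m):
    """HMAC over both nonces, keyed with the initial shared secret KAS-M."""
    return hmac.new(k_as_m, b"step b" + nonce_as + nonce_m, hashlib.sha256).digest()

def mobile_step_b(k_as_m, nonce_as, mac_as, mac_m):
    """Step b on M: pick NonceM, derive KM-AP, return (NonceM, tag) and the key."""
    nonce_m = os.urandom(32)
    key = derive_session_key(k_as_m, nonce_as, nonce_m, mac_as, mac_m)
    return (nonce_m, nonce_tag(k_as_m, nonce_as, nonce_m)), key

def as_verify_step_b(k_as_m, nonce_as, message, mac_as, mac_m):
    """AS side: check the tag against the nonce it just sent, then derive KM-AP.
    Returns the key, or None if M is not live or does not know KAS-M."""
    nonce_m, tag = message
    expected = nonce_tag(k_as_m, nonce_as, nonce_m)
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return derive_session_key(k_as_m, nonce_as, nonce_m, mac_as, mac_m)

def run_demo():
    # Constructed sample values (assumptions of this example).
    secret = hashlib.sha256(b"constructed shared secret").digest()
    mac_as, mac_m = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    nonce_as = os.urandom(32)                                    # step a: AS -> M
    msg, key_m = mobile_step_b(secret, nonce_as, mac_as, mac_m)  # step b: M -> AS
    key_as = as_verify_step_b(secret, nonce_as, msg, mac_as, mac_m)
    # Replay: the same message offered against a fresh NonceAS is rejected.
    replayed = as_verify_step_b(secret, os.urandom(32), msg, mac_as, mac_m)
    # Wrong secret: a device that does not know KAS-M cannot produce a valid tag.
    bad_msg, _ = mobile_step_b(b"\x00" * 32, nonce_as, mac_as, mac_m)
    impostor = as_verify_step_b(secret, nonce_as, bad_msg, mac_as, mac_m)
    return key_m == key_as, replayed, impostor

if __name__ == "__main__":
    print(run_demo())
```
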
The AS informs the AP of this key value in Step 3 in Figure 8.30.
WPA3 was released in June 2018 as an update to WPA2. The update addresses an attack on the
four-way handshake protocol that could induce the reuse of previously used nonces
[Vanhoef 2017] but still permits the use of the

