VerifHub allows Verifpal® users to easily share and discuss Verifpal models of cryptographic protocols. The VerifHub service provides a unique URI for each shared model; each model page includes a syntax-highlighted model, an automatically generated diagram and a summary of the analysis results.



Submitted on 15 Oct 23 15:21 UTC.

attacker[passive]

principal Ap[
	knows public ssid
	knows private gtk
	knows password psk
	pmk_a = HASH(ssid, psk)
]

principal Client[
	knows public ssid
	knows password psk
	pmk_c = HASH(ssid, psk)
]

principal Ap[
	generates a_nonce
	generates counter
]

Ap -> Client: a_nonce, counter

principal Client[
	generates s_nonce
	ptk_c = HASH(pmk_c, a_nonce, s_nonce)
	mac_m1 = MAC(ptk_c, CONCAT(s_nonce, counter))
]

Client -> Ap: s_nonce, mac_m1

principal Ap[
	ptk_a = HASH(pmk_a, a_nonce, s_nonce)
	_ = ASSERT(mac_m1, MAC(ptk_a, CONCAT(s_nonce, counter)))?
	generates nonce_gtk
	m3 = ENC(ptk_a, CONCAT(gtk, nonce_gtk))
	counter_2 = HASH(counter)
	mac_m3 = MAC(ptk_a, CONCAT(m3, counter_2))
]

Ap -> Client: m3, counter_2, mac_m3

principal Client[
	_ = ASSERT(mac_m3, MAC(ptk_c, CONCAT(m3, counter_2)))?
	gtk_c, nonce_gtk_c = SPLIT(DEC(ptk_c, m3))
	mac_m4 = MAC(ptk_c, counter_2)
]

Client -> Ap: mac_m4

principal Ap[
	_ = ASSERT(mac_m4, MAC(ptk_a, counter_2))?
]

phase[1]

principal Client_b[
	knows private gtk
	knows private ptk_b
]

principal Client[
	generates arp_query
	broadcast_req = ENC(ptk_c, arp_query)
]

Client -> Ap: broadcast_req

principal Ap[
	broadcast_msg = ENC(gtk, DEC(ptk_a, broadcast_req))
]

Ap -> Client_b: broadcast_msg

principal Client_b[
	arp_query_received = DEC(gtk, broadcast_msg)
]

queries[
	confidentiality? psk
	confidentiality? ptk_a
	confidentiality? gtk
]
Title:4_way_handshake_wpa2.vp
Note over Ap: knows public ssid\n knows private gtk\n knows password psk\n pmk_a = HASH(ssid, psk)\n
Note over Client: knows public ssid\n knows password psk\n pmk_c = HASH(ssid, psk)\n
Note over Ap: generates a_nonce\n generates counter\n
Ap -> Client: a_nonce, counter
Note over Client: generates s_nonce\n ptk_c = HASH(pmk_c, a_nonce, s_nonce)\n mac_m1 = MAC(ptk_c, CONCAT(s_nonce, counter))\n
Client -> Ap: s_nonce, mac_m1
Note over Ap: ptk_a = HASH(pmk_a, a_nonce, s_nonce)\n _ = ASSERT(mac_m1, MAC(ptk_a, CONCAT(s_nonce, counter)))?\n generates nonce_gtk\n m3 = ENC(ptk_a, CONCAT(gtk, nonce_gtk))\n counter_2 = HASH(counter)\n mac_m3 = MAC(ptk_a, CONCAT(m3, counter_2))\n
Ap -> Client: m3, counter_2, mac_m3
Note over Client: _ = ASSERT(mac_m3, MAC(ptk_c, CONCAT(m3, counter_2)))?\n gtk_c, nonce_gtk_c = SPLIT(DEC(ptk_c, m3))\n mac_m4 = MAC(ptk_c, counter_2)\n
Client -> Ap: mac_m4
Note over Ap: _ = ASSERT(mac_m4, MAC(ptk_a, counter_2))?\n
Note left of Ap:phase 1
Note over Client_b: knows private gtk\n knows private ptk_b\n
Note over Client: generates arp_query\n broadcast_req = ENC(ptk_c, arp_query)\n
Client -> Ap: broadcast_req
Note over Ap: broadcast_msg = ENC(gtk, DEC(ptk_a, broadcast_req))\n
Ap -> Client_b: broadcast_msg
Note over Client_b: arp_query_received = DEC(gtk, broadcast_msg)\n
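
The handshake portion of the model (everything before phase[1]), run concretely; this is an added example, not part of the submitted model or of Verifpal. The model leaves HASH, MAC and ENC abstract, so they are assumed here to be SHA-256, HMAC-SHA-256 and a toy XOR stream cipher (not WPA2's real key-derivation functions), and `check` and `handshake` are this example's own names. It shows that the checked ASSERTs pass only when Ap and Client hold the same psk.

```python
import hashlib
import hmac
import os

# Assumed instantiations of the model's abstract primitives (not real WPA2 KDFs).
def HASH(*parts):
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)  # length-prefix each input
    return h.digest()

def MAC(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def CONCAT(a, b):
    return len(a).to_bytes(4, "big") + a + b

def SPLIT(blob):
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n], blob[4 + n:]

def ENC(key, data):
    # Toy XOR stream cipher standing in for ENC/DEC; illustration only.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(HASH(key, i.to_bytes(4, "big")) for i in blocks)
    return bytes(x ^ y for x, y in zip(data, stream))
DEC = ENC  # an XOR keystream is its own inverse

def check(tag, expected, who):
    # Mirrors a checked ASSERT(...)? in the model: the principal aborts on mismatch.
    if not hmac.compare_digest(tag, expected):
        raise ValueError(who + " aborted: MAC mismatch")

def handshake(ssid, psk_ap, psk_client, gtk):
    pmk_a, pmk_c = HASH(ssid, psk_ap), HASH(ssid, psk_client)
    a_nonce, counter = os.urandom(32), os.urandom(8)      # Ap -> Client
    s_nonce = os.urandom(32)
    ptk_c = HASH(pmk_c, a_nonce, s_nonce)
    mac_m1 = MAC(ptk_c, CONCAT(s_nonce, counter))         # Client -> Ap
    ptk_a = HASH(pmk_a, a_nonce, s_nonce)
    check(mac_m1, MAC(ptk_a, CONCAT(s_nonce, counter)), "Ap (mac_m1)")
    m3 = ENC(ptk_a, CONCAT(gtk, os.urandom(16)))          # gtk with nonce_gtk
    counter_2 = HASH(counter)
    mac_m3 = MAC(ptk_a, CONCAT(m3, counter_2))            # Ap -> Client
    check(mac_m3, MAC(ptk_c, CONCAT(m3, counter_2)), "Client (mac_m3)")
    gtk_c, _nonce_gtk_c = SPLIT(DEC(ptk_c, m3))
    mac_m4 = MAC(ptk_c, counter_2)                        # Client -> Ap
    check(mac_m4, MAC(ptk_a, counter_2), "Ap (mac_m4)")
    return gtk_c
```

With matching psk values `handshake` returns the gtk the Client recovered from m3; with mismatched values Ap aborts at the mac_m1 check, before gtk is ever encrypted.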

Analysis Results

The model submitter provided the following analysis results:

Please note that these results are not verified to be accurate. The model submitter may choose to provide false analysis results if they so desire. It is strongly recommended that you re-run the analysis of this model locally if you wish to verify the authenticity of the analysis results above.


© Copyright 2019- Nadim Kobeissi. All Rights Reserved. “Verifpal” and the “Verifpal” logo/mascot are registered trademarks of Nadim Kobeissi. Verifpal software is provided as free and open source software, licensed under the GPLv3. Verifpal User Manual, as well as this website, are provided under the CC BY-NC-ND 4.0 license. Published by Symbolic Software.