4-Way Handshake confusion
#2
(11-09-2012, 11:46 PM)qweasd Wrote: What's also confusing is that rainbow tables are made for WPA2 by taking the ESSID, adding the PSK at the end, and then hashing it 4096 times. Where does that come from? I see no mention of the ESSID in the context of the four way handshake.

The ESSID is not appended. It is the data part of the HMAC. In HMAC you have two inputs, like in a cipher: the data and the key. The key is the plaintext password, the data is the ESSID. This thing is iterated 4096 times just to make the process slow.

(11-09-2012, 11:46 PM)qweasd Wrote: What I don't get however is how to derive the PMK from the PTK.

There is a final HMAC transformation which uses MD5 in WPA1 and SHA1 in WPA2 (it's the only difference between them). This time the key is the result of the 4096 iterations (truncated) and the data is all the stuff from above you already mentioned.
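The two-stage derivation described in this reply, written out as an added example (not code from the thread or from hashcat): PBKDF2-HMAC-SHA1 with the passphrase as HMAC key and the ESSID as salt gives the PMK; the 802.11i PRF-512 expands it to the PTK; the first 16 bytes (KCK) key the EAPOL MIC, HMAC-MD5 for WPA and truncated HMAC-SHA1 for WPA2. The MAC addresses, nonces and EAPOL frame are constructed sample values; the passphrase/ESSID pair "password"/"IEEE" is the IEEE 802.11i Annex H test vector.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(key=passphrase, salt=ESSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]

def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max MACs || min/max nonces)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck: bytes, eapol_frame: bytes, version: str) -> bytes:
    """MIC over the EAPOL frame (MIC field zeroed): HMAC-MD5 for WPA, HMAC-SHA1[:16] for WPA2."""
    if version == "WPA":
        return hmac.new(kck, eapol_frame, hashlib.md5).digest()
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]

def derive_mic(passphrase: str, essid: str, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, eapol_frame: bytes, version: str) -> bytes:
    """Full chain a supplicant runs: passphrase -> PMK -> PTK -> KCK -> MIC."""
    pmk = pmk_from_passphrase(passphrase, essid)
    ptk = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)
    return eapol_mic(ptk[:16], eapol_frame, version)

# Constructed sample handshake values (not from any real capture).
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_M2 = (bytes.fromhex("0103005f")        # 802.1X: version 1, type 3 (Key), length 95
            + bytes.fromhex("02010a0000")    # RSN descriptor, key info 0x010a, key length 0
            + (1).to_bytes(8, "big")         # replay counter
            + SNONCE + bytes(16) + bytes(8) + bytes(8)  # nonce, IV, RSC, ID
            + bytes(16)                      # MIC field zeroed before hashing
            + bytes(2))                      # key data length 0

def demo() -> str:
    return derive_mic("password", "IEEE", AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_M2, "WPA2").hex()

if __name__ == "__main__":
    print("PMK :", pmk_from_passphrase("password", "IEEE").hex())
    print("MIC :", demo())
```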


Messages In This Thread
4-Way Handshake confusion - by qweasd - 11-09-2012, 11:46 PM
RE: 4-Way Handshake confusion - by atom - 11-10-2012, 10:22 AM
RE: 4-Way Handshake confusion - by qweasd - 11-11-2012, 04:48 AM
RE: 4-Way Handshake confusion - by pragmatic - 11-11-2012, 10:50 AM
RE: 4-Way Handshake confusion - by gat3way - 11-11-2012, 01:03 PM
RE: 4-Way Handshake confusion - by pragmatic - 11-12-2012, 08:37 AM
RE: 4-Way Handshake confusion - by NeonFlash - 11-14-2012, 05:48 AM
RE: 4-Way Handshake confusion - by qweasd - 11-14-2012, 07:07 AM
RE: 4-Way Handshake confusion - by NeonFlash - 11-14-2012, 07:47 AM
RE: 4-Way Handshake confusion - by qweasd - 11-14-2012, 10:32 AM
RE: 4-Way Handshake confusion - by NeonFlash - 11-14-2012, 10:47 AM
RE: 4-Way Handshake confusion - by epixoip - 11-14-2012, 01:49 PM