4-way handshake

Some 802.11i and 802.11acWLANs use a four-stage handshake procedure for authentication, which offers greater security than the two- and three-way handshake. In the multi-stage handshake, the handshake occurs between the WLAN client, which is the supplicant, and the access point( AP), which is the authenticator.

At the beginning of a handshake, the access point generates a digit that can be used once: the nonce, which is derived from Number Used Once. In terms of the authenticator, this is the Authenticator Nonce, ANonce. This digit, which is used for the first time, is generated by a random number function(PRF) and is used for repeat protection. It has not been used before by the Pairwise Master Key( PMK). This first message is sent from the access point to the WLAN client. The WLAN station calculates the Pairwise Transient Key ( PTK) from the ANonce of the access point and the Pairwise Master Key(PMK).

As a second message, the WLAN station sends its nonce, the SNonce (Supplicant Nonce) and a Message Integrity Check( MIC) to check the PMK key to the access point. The access point now has both nonces, its own and that of the WLAN station, and uses them to generate the PTK key for unicast transmissions and the Group Transient Key( GTK) for multicasting. The following third message to the WLAN station includes the MIC data set and the Pairwise Transient Key (PTK), the Group Transient Key (GTK) and a digit of the Receive Sequence Counter (RSC), which the station can use to detect repetitive broadcast messages. The WLAN station installs these messages and, as the fourth and last message, sends a Message Integrity Check (MIC) confirmation to the access point that it installs.