OID_802_11_ADD_KEY Functionality

Discussion in 'Wireless Networking' started by jwh20, Mar 9, 2005.

  1. jwh20

    jwh20 Guest

    I'm trying to understand the use of OID_802_11_ADD_KEY and configuring
    an adapter to use WPA-PSK.

    After spending some time using SoftICE and capturing calls to
    DeviceIoControl() when the OID_802_11_ADD_KEY function is being passed
    to the driver, I'm confused as to what exactly is sent when. From the
    information I got out of the Wi-Fi Protected Access (V3.1)
    Specification, it seems to indicate that a hmac-sha1 hashed 256 key is
    sent to the driver. Clearly, however, this is not what is going on.

    I'm seeing at least two calls to OID_802_11_ADD_KEY. The first and
    (optional it seems) second one both have the KeyIndex set to 0xE0000000
    which indicates a PWK transmit key. The last call to
    OID_802_11_ADD_KEY has the KeyIndex set to 0x20000001 which is a group
    key with index = 1.

    In neither case, however, can I figure out what process generated the
    KeyMaterial. I've noted that the first and 2nd (if present) calls are
    always unique where the last call (i.e. the one with KeyIndex =
    0x20000001) is always the same.

    Any guidance would be greatly appreciated.

    Thanks in advance.
    jwh20, Mar 9, 2005

  2. jwh20

    jwh20 Guest

    Just to close this out and provide some information to someone else
    having this same question and suffering from the same confusion...

    The process of using OID_802_11_ADD_KEY is significantly MORE complex
    than using OID_802_11_ADD_WEP. In spite of their similar appearance,
    they are very different.

    Here is an outline of the process of associating with an AP using
    WPA-PSK (i.e. Pre-shared key). The process of straight WPA is similar
    but was not in the scope of what I was doing so it's left as an
    exercise to the reader. ;-)

    Background information. There are MULTIPLE specs covering this process
    and (unfortunately) they all supersede each other. So you need to
    refer to all of them at once. What I collected and used were:

    1) Microsoft's IEEE 802.11 Network Adapter Design Guidelines for
    Windows XP document. Get this free from:


    2) Wi-Fi Protected Access (WPA) Version 3.1. Get it for US$25.00 from:


    See the link titled "WPA Specification Documentation (Version 3.1)" at
    the left of the page. No free copies of this but you'll need it to
    understand the difference between WPA and 802.11i.

    3) IEEE 802.11 spec. Free from:


    4) IEEE 802.11i spec. Free from:


    5) IEEE 802.1X spec. Free from:


    (this is the 2001 version which is free. There is a 2004 version out
    that is US$70.00 if you want the latest and greatest.)

    Another useful resource is a network sniffer to capture packets being
    sent between your WiFi card and the AP. You can, of course, spend lots
    of money on an overpriced commercial packet capture tool but I've found
    the free Analyzer tool works great:


    I also found CompuWare's SoftICE debugger helpful to snoop on what WZC
    was doing on the programming side. It's commercial and expensive but I
    keep my copy up-to-date all the time since it comes in so handy. I
    don't need it often but when I do need it, it's worth every bit of its
    cost. (I think WinDbg can do some of the same stuff now but I'm too
    familiar with SoftICE to change now.)

    Code snippets are really handy for some of the encryption code needed
    to do WPA in your client. A good source for all the code you will need


    In particular the 802.11i PRFs code, the 802.11i Password Hashing code,
    and the test vectors in TKIP MSDU example, with fragmentation.

    Platform. This works ONLY on Windows XP (or Windows 2003 Server) since
    earlier versions of Windows lack driver support for wireless devices.
    In other words Windows versions older than XP don't support wireless.
    Vendors can support wireless functions themselves but Windows doesn't
    know about it. Windows uses a combination of Wireless Zero
    Configuration (WZC) and NDIS Usermode I/O (NDISUIO or NDISPROT on 2003
    Server) to accomplish this. Some claim that you should not use NDISUIO
    yourself but should go through the headache of making your own protocol
    driver from the DDK sample (see the NDISPROT sample in the 2003 Server
    DDK). It's been my observation that use of NDISUIO by 3rd parties has
    already become common (since the alternative is a major headache) and
    while Microsoft may change it in the future, they will break a lot of
    things if they do so. Note also that there are some minor differences
    between XP and XP SP1 in using NDISUIO so your application should be
    aware of them. See:


    for details and a differing opinion on using NDISUIO. Note, however,
    that this company has an interest in you not using NDISUIO since they
    sell a product that lets you access the NDIS driver without NDISUIO.

    Now to the process... Prior to using OID_802_11_ADD_KEY (which is
    actually the LAST step in this process) you must exchange security
    information with the AP (called the AUTHENTICATOR in the specs) using
    what is referred to as the "4 way handshake." Actually this is a 5-way
    handshake since you must start the process with another packet. The
    main information on this process is the 802.1X spec. Note, however,
    that you must use the 802.11i (which supersedes 802.1X) and also the
    WPA spec (which supersedes 802.11i). So when examining any item be
    sure you check the other specs if what you are seeing is confusing.

    To start the authentication process, your wireless card (called the
    SUPPLICANT in the specs) sends an EAPOL-Start (EAPOL - Extensible
    Authentication Protocol Over LAN) packet to the AP. You do this by
    forming the packet itself using the MAC address of the AP and your WiFi
    card (you may have to scan the APs to get the MAC) and sending it
    through NDISUIO using the WriteFile() WIN32 API.

    Once you do that, the AP will respond with the #1 message of the 4-way
    handshake. You get this from NDISUIO using the ReadFile() API. (By
    the way, using either of these on NDISUIO is demonstrated in the
    NDISPROT DDK sample.)

    Now you have enough information to take your hashed WPA-PSK password
    and the locally generated SNonce (a random number) and the ANonce
    received from the AP and calculate the Pairwise Transient Key (PTK)
    using the PRF-512 function from the deadhat.com web site above. This
    gives you pieces of data that will be needed to respond to the AP with
    #2 message of the 4-way handshake.

    After that you again use ReadFile() on NDISUIO to get the #3 message
    from the AP which will have in it the Groupwise Transient Key (GTK).
    Finally you reply with message #4 which is mainly for confirming

    Now you have in your possession the TWO things needed for
    OID_802_11_ADD_KEY which, if you used SoftICE, you would know is called
    twice, once with a pairwise key and once with a group key. The
    pairwise key is the PTK and the group key is the GTK both of which were
    generated as a result of the 4-way handshake with the AP.

    Obviously there is a bit more to this that I've outlined above but when
    I first got into this I knew almost nothing. If I had seen a writeup
    similar to the above it would have saved me days of struggle.

    Hope this is helpful to you. If so, please let me know.
    jwh20, Mar 15, 2005
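The key derivation the post above walks through (hash the WPA-PSK passphrase, then feed it with the ANonce, SNonce and both MAC addresses into PRF-512 to get the PTK) as an added example; this is not code from the thread or from the deadhat.com site it refers to. The passphrase, SSID, MAC addresses and nonces are constructed sample values, and the "Pairwise key expansion" label and min/max ordering are those specified by 802.11i.

```python
import hashlib
import hmac

# Constructed sample values (not taken from the thread).
PASSPHRASE = b"password"
SSID = b"IEEE"
AP_MAC = bytes.fromhex("020000000001")   # authenticator (AP) address, constructed
STA_MAC = bytes.fromhex("020000000002")  # supplicant (our card) address, constructed
ANONCE = bytes(range(32))                # nonce received in handshake message #1
SNONCE = bytes(range(32, 64))            # locally generated random nonce


def psk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits.
    In WPA-PSK this PSK is used directly as the PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... until nbits are available, then truncate."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range((nbits + 159) // 160)
    )
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The pieces: KCK authenticates EAPOL messages 2-4 (MIC), KEK unwraps the GTK
    carried in message #3, TK is the temporal key and the last 16 bytes are the
    TKIP MIC keys.  Because of the min/max ordering both sides compute the same PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48], "mic_keys": ptk[48:64]}


if __name__ == "__main__":
    pmk = psk_from_passphrase(PASSPHRASE, SSID)
    print("PSK/PMK :", pmk.hex())
    for name, value in derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE).items():
        print(f"{name:8s}: {value.hex()}")
```

The PSK printed for passphrase "password" and SSID "IEEE" matches the 802.11i Annex H test vector, which is a quick way to check a PBKDF2 implementation before debugging the handshake itself.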

  3. inf009

    inf009 Guest

    Hi jwh20,

    thank you for your input in this thread.
    I am also trying to configure an adapter to use WPA-PSK. I don't know
    if you are familiar with WRAPI v2.0 but I am trying to use it to
    configure my adapter.


    Unfortunately, WRAPI only allows me to configure WEP through
    OID_802_11_ADD_WEP. Thus, I am trying to set OID to OID_802_11_ADD_KEY
    and then make a DeviceIoControl() call for configuring WPA-PSK.

    I've installed Windows DDK "windows xp sp1 ddk" (2600.1106), but in the
    file C:\WINDDK\2600.1106\inc\wxp\ntddndis.h OID_802_11_ADD_KEY is not
    defined, do you know why?

    I would appreciate any input.

    inf009, Jan 18, 2006
  4. titi


    Hi, I'm trying to use OID_802_11_ADD_KEY with WPA-PSK.
    According to jwh20, I have to do a "4-way handshake" before using OID_802_11_ADD_KEY with the WriteFile() and ReadFile() functions.
    I don't know how these functions work.
    In my application I use the DeviceIoControl function. Can I use it to do the 4-way handshake?
    If someone could give me a code example I would appreciate it.

    Thanks in advance.
    titi, Apr 30, 2007
