As the title says, while sniffing WPA protected packet in my WiFi network using Wireshark, if I decrypt them with Wireshark tool, I can analyze them, but I found that there are always 12 byte of overhead that lack in the crypted packet and haven't any tag in Wireshark menu. Thanks
Asked
Active
Viewed 92 times
-1
-
1sorry is there a question here somewhere? – jimmy8ball Jun 21 '17 at 14:47
-
I do not understand what those 12 bytes are....because this bytes are present only in the decrypted packet but aren't present in the same crypted packet – Giuliano Fagiani Jun 22 '17 at 06:58
1 Answers
1
if you are saying the decrypted packed is smaller than the encrypted packed that is probably padding... which is added to make a whole block so it can perform whole block operations on the cipher and be used as a sanity check on decrypt... ie. assume 16 byte blocksize (aes) if you have a payload that is len(payload) % 16 = 4 then you will need to add 12 bytes of padding...
in PKCS7 padding you would add the octet 0x0c 12 times before you encrypt it, and strip the padding when you decrypt it.
Grady Player
- 14,399
- 2
- 48
- 76
-
but my problem is right the opposite. i mean that the encrypted packet has 12 bytes less than the decrypted packet – Giuliano Fagiani Jun 22 '17 at 07:05
-
@GiulianoFagiani I think you will have to give us an example, hex of each and a key, if you can do it in a way that doesn't compromise your security. – Grady Player Jun 22 '17 at 13:06
-
thank you for the answer, I solved my problem because the 12 bytes are due to the TKIP algorithm. – Giuliano Fagiani Jun 23 '17 at 14:51