WiFi Handshake: How the Connection Process Works

Many users encounter a situation where the router shows network availability, but the connection status gets stuck on "Obtaining IP address" or "Authentication." At this point, a complex process known as Handshake WiFi or "handshake." This mechanism underlies the security of modern wireless networks and ensures that data does not fall into the hands of unauthorized persons.

Understanding how it works WPA2 or WPA3, allows you to not only troubleshoot connection errors but also properly configure your home network security. We'll break down the technical aspects of the process so you know exactly what happens between your smartphone and the access point in those split seconds.

What is a four-way handshake?

WiFi handshake isn't just a password check; it's a process of mutual authentication and encryption key generation. When you enter a password on a device, it's not transmitted in cleartext. Instead, a cryptographic protocol is used, which in the WPA2/WPA3 standard consists of four stages of service frame exchange.

The main goal of this process is to create a unique PTK (Pairwise Transient Key), which will be used to encrypt traffic between your device and the router. Even if an attacker intercepts this process, they won't be able to discover your real password, although they could theoretically try to brute-force it using the intercepted hashes.

⚠️ Warning: Handshake capture is a standard security audit procedure, but using this data for unauthorized access to other people's networks is prohibited by law.

It's important to distinguish between a simple connection and a secure handshake. On open networks, it happens instantly and without keys, while on corporate or home networks, it's encrypted. WPA2-Personal A full key exchange is required to confirm access rights.

Why is it called a "handshake"?

The term originates from computer networks, where two devices "greet" each other, exchange identification data, and agree on the rules of communication (protocol and encryption keys) before transmitting payload data.

Technical stages of personnel exchange

The authentication process is strictly regulated by IEEE 802.11i standards. The client (your laptop or phone) and the access point (router) exchange four messages. In the first stage, the router sends a random number (ANonce), which the client uses to calculate an intermediate key.

The client then generates its random number (SNonce) and sends it to the router along with confirmation that it knows the correct password (PSK). The router verifies this data and, if correct, sends the confirmation and the group key for broadcast messages. At this stage, GTK (Group Temporal Key).

The final step is confirming the key installation. After the fourth frame is successfully completed, both devices enter the "associated" state and begin encrypting all traffic. Any disruption to the sequence or a timeout results in the connection being terminated and an attempt to restart the process.

  • 📡 Frame 1: The router transmits ANonce (random number) to the client.
  • 📱 Frame 2: The client calculates the PTK and sends SNonce + MIC (message integrity code).
  • 🔑 Frame 3: The router checks the MIC, installs the keys and transmits the GTK.
  • Frame 4: The client confirms receipt and readiness for work.

The Role of PMK and PTK in Network Security

The security is based on the master key concept. The source material is PSK (Pre-Shared Key) — the same password you enter when connecting. The PSK and the network name (SSID) are used to calculate PMK (Pairwise Master Key)This key is stored in the memory of both devices and is never transmitted over the air.

The PMK itself is too heavy to be used continuously in every data packet. Therefore, a PMK is generated based on it during the handshake. PTK (Pairwise Transient Key)The uniqueness of PTK is that it is recreated each time a connection is established and can even be updated during a long session (rekeying), making interception and decryption of traffic extremely difficult.

Key type Purpose Is it transmitted over the network?
PMK Master key for generating session keys No
PTK Encrypting traffic between the client and the router No (generated locally)
GTK Encryption of broadcast messages Yes (encrypted)
Nonce Random numbers for session uniqueness Yes (in the open)

The presence of a PMK allows the device to automatically reconnect to a known network without re-entering the password. The device simply takes the saved PMK and initiates the process of generating a new PTK. If the password in the router settings is changed, the old PMK will become invalid, and the handshake will be interrupted at the MIC verification stage.

📊 Have you ever encountered the "Incorrect Password" error even though you entered it correctly?
Yes, it happened more than once
No, it always connects the first time.
Only on older devices
I don't know, I have an open network

Differences between WPA2 and WPA3

Standard WPA3, which replaced WPA2, radically changes the approach to the handshake, eliminating its main vulnerabilities. WPA2 used the PSK method, which was susceptible to dictionary attacks if the password was weak. An attacker could intercept a four-way handshake and attempt to guess the password offline.

WPA3 has implemented a protocol SAE (Simultaneous Authentication of Equals)Here, the handshake process is different: devices exchange data confirming knowledge of the password, but the password itself (or its derivatives) are not involved in any interceptable computations. This makes brute-forcing the password impossible, even with complete traffic interception.

⚠️ Note: For WPA3 to work, both the router and the client device (smartphone, laptop) must support it. Older devices may not connect to a network set to "WPA3 Only."

Furthermore, WPA3 provides Forward Secrecy. Even if an attacker somehow learns your password in the future, they won't be able to decrypt traffic intercepted in the past, since session keys weren't directly dependent on the static cleartext password.

Diagnosing connection problems

If the handshake fails, you'll encounter a loop of connection attempts. This can happen for a variety of reasons, from a simple time mismatch on the device to radio interference. Often, the problem is that the router isn't receiving a response from the client, or the response is distorted.

For diagnostics, you can use router logs or specialized software on your PC. For example, logs often contain entries like "Deauthenticated" or "4-Way Handshake Timeout." This indicates that packets are being lost or keys are mismatched. It's also worth checking whether MAC address filtering is enabled, which would block the connection after successful authentication.

☑️ Checklist for connection problems

Completed: 0 / 5

Distance and obstacles are important to consider. The signal may be sufficient to detect the network, but too weak to reliably exchange handshake frames, which require high data integrity. In such cases, moving closer to the router or installing a repeater can help.

The influence of interference and router settings

Channel width and encryption type settings directly impact handshake success. Using mixed modes (e.g., WPA/WPA2 Mixed) sometimes causes conflicts with modern devices that try to use a more secure protocol while the router waits for the older one. It is recommended to set the "WPA2/WPA3 Personal" mode and encryption AES.

Interference from neighboring networks, microwave ovens, and Bluetooth devices can clog the airwaves. If a packet containing a nonce or key confirmation is lost, the timeout expires and the process starts over. If a significant number of losses occur, the device may be temporarily blocked by the router to protect against DoS attacks.

It's also worth paying attention to the WPS function. It simplifies connection, but often uses simplified authentication methods that can conflict with the standard four-step handshake or create security holes. For stable network operation, it's best to disable WPS.

Frequently Asked Questions (FAQ)

Can a virus intercept a handshake and steal a password?

While a virus on your device can read saved passwords from the system, intercepting a handshake is only useful to an attacker if they are within WiFi range and using a traffic sniffer. Without a complex brute-force attack, an intercepted handshake is useless.

Why does a handshake last longer than usual?

Delays can be caused by communication channel congestion, when the router physically cannot process requests from all clients, or by problems with the DHCP server, which issues IP addresses after the encryption stage is completed.

Do I need to change my password if someone intercepts my handshake?

If you have a complex password (more than 12 characters, mixed uppercase and lowercase, and numeric), handshake interception poses no threat, as brute-forcing such a password is virtually impossible. For weak passwords, changing them is recommended.

Does shaking hands affect internet speed?

The handshake process only occurs upon connection. It doesn't affect data transfer speed while using the network, as the heavy key calculations have already been completed and a lightweight encryption stream is used.