I don't undertand what you're trying to say here. Ralink doesn't have a seed. It doesn't use a pseudo-random number for ES-1 and ES-2. It uses a constant (ES-1 = ES-2 = 0).Originally Posted by kcdtv
Broadcom has a pseudo-number generator. Its seed (for ES-1 and ES-2) can be bruteforced using the nonce as a reference: when using a certain number (initial seed) we get the same sequence of the nonce we know that we can find the ES-1 and ES-2 sequences because they're calculated right after the nonce.
The PIN is provided by the Registrar (the attacker) on M4 and it's not relevant (for the pixie dust attack purposes). Quoting Bongard: the right PIN is provided by the Enrollee (AP) with M3 in two "Safes". The first one contains the first half of the PIN and it's lock combination is ES-1. The second one contains the second half of the PIN and it's lock combination is ES-2. The attack consists in bruteforcing the seed of the Broadcom's PRNG to get the two combinations (ES-1 and ES-2).
If you look on page 55 on Bongard's slides.
- "do not generate new random enrollee nonce in case of we have prebuild enrollee nonce"
- "It should not generate new key pair if we have prebuild enrollee nonce"
So on some implementations the nonce and the the keys don't change in different sessions. This is not about entropy, it's about vendor/manufacturer's implementations.
