PMK lifetime

Jouni Malinen jkmaline at cc.hut.fi
Sat Jul 22 00:13:44 EDT 2006


On Thu, Jul 13, 2006 at 11:54:48AM +0300, Kolatker Hagit-BHK010 wrote:

> *	What is the PMK lifetime for supplicant, is it hard-coded ? And
> what does it do when its expires?

In the current implementation, there is no mechanism for using a PMK
lifetime in wpa_supplicant. In addition, neither IEEE 802.1X nor IEEE
802.11i/WPA deliver the key lifetime to the supplicant, so if this were
to be implemented, a value would need to be hardcoded. The current
implementation does not have such a timeout, but if it had, it would
likely try to re-authenticate (EAP authentication) to generate a new PMK
some time before the expiry of the old key.

> *	And same for AP - What is the PMK lifetime for AP, is it
> hard-coded, or taken from RADIUS message? And what does it do when its
> expires?

The RADIUS authentication server can define a re-authentication timeout
by including Session-Timeout attribute. hostapd uses this as the
re-authentication period, if included in the RADIUS message. If not,
eap_reauth_period from the local configuration is used.

This is not strictly PMK lifetime, but in practice, it forces
re-authentication and generation of a new PMK after the session timeout
has been reached.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the HostAP mailing list