Offtopic: WPA-PSK: Every client connection from AP has own key?

Bryan Kadzban bryan at kadzban.is-a-geek.net
Mon May 29 08:47:28 EDT 2006


Beat Meier wrote:
> If using wpa-psk every client has an other key to encrypt data 
> transfer or all have the same?

Each client has its own PTK, but (in almost all AP implementations
anyway) all clients share the same PMK.

There are two (actually probably three) "levels" of keys.  The PMK is
used in the 4-way handshake (along with some random data sent in
plaintext) to generate a PTK, which is used as the "master" for the TKIP
algorithm.

> I.e. data transfers can be decrypted from one client which is for an
> other client?

If the one client sniffs the 4-way handshake of another client, and the
AP in use makes you configure one PSK for all clients, then yes, any
client that knows the PSK/PMK can decrypt unicast frames that are
intended for another client.  Because the "attacking" client can
generate the PTK for the "attacked" client, and the PTK is all you need
to set up TKIP.  (Or CCMP, actually.  It's not immune to this either.)

> The Preshared key is what is called master key from which the PMK is 
> generated?

No, the pre-shared key *is* the PMK.  It gets converted to hex (or used
as hex from the start, if given to the AP or client that way), then used
as the PMK in the 4-way handshake.  But it's exactly the same keying
material.

> Some thread say the all have the same enc. key (only EAP-TLS has 
> different keys) other they have all the own key ...

Not exactly true.  EAP-TLS does have different PMKs for each client and
each (re)association, but so does EAP-PEAP (and any other RADIUS method
that supports key negotiation).

WPA-PSK is the only setup where clients share PMKs.

> If every client has an own key where is this key stored i.e. how is 
> this encryption done in hw if every client has own key?

The PTK is "stored" in the NIC somewhere (or in the driver).  NDIS, for
instance, has an OID value that you can use to program the PTK into the
wireless driver, and the driver will either store it away somewhere if
it does the decryption, or it'll program it into the card if the card
does the decryption.  I believe Linux Wireless Extensions has a similar
setup.

The PMK/PSK itself is stored in the supplicant's config somewhere, if
you're using PSK mode.  If you aren't, then the supplicant and RADIUS
server have a conversation, and after the supplicant is authenticated,
the server sends it a (randomly generated) PMK to use.  It stores this
in the driver, see above.  The RADIUS server also sends this key to the
AP, and the AP stores it away.  The 4-way handshake makes sure that both
ends got the same key.

> Where can I get more infos about that?

The IEEE 802.11i spec would be a good place (seeing as it's the standard
;-)), but it's probably not that easy to understand.  It took me a week
or so to finally figure out what it was talking about in several places.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20060529/2fa663ac/attachment.pgp 


More information about the HostAP mailing list