WPA2-personal: rsn preauth?

Jouni Malinen j at w1.fi
Fri Sep 24 12:44:04 EDT 2010


On Fri, Sep 24, 2010 at 11:37:52AM +0200, Thomas Osterried wrote:
> There are mainly three approaches to minimize roaming delay:
> * pre-authentication (via current AP to the next AP the STA likes to roam to)
> * opportunistic caching (distribute a PMKSA to all APs in the network)
> * PMK caching (AP caches the PMK for the situation the STA roams back to the AP he's currently associated with)

There is no point in using any of these in WPA2-Personal networks since
these are used to skip the EAP authentication part in WPA2-Enterprise
and only do the 4-way handshake. In other words, they would not change
anything for WPA2-Personal.

> We've not considered 802.11r since we researched that there are only very few STAs in the wild supporting this standard.

That's really your only option to get rid of the 4-way handshake.

> 3. 4-way-handshake (for PTK/GTK) always necessary?
> Somewhere I read of mechanisms which even allow the 4-way-authentication to be omitted (or reduced to 2-way). It's a myth, isn't it?

FT protocol (IEEE 802.11r) provides an option to merge the needed key
management into the 802.11 authentication and association frames and
with it, there would not be additional 4-way handshake after
association. All IEEE 802.11i-based mechanisms for RSN do require 4-way
handshake for each association.

-- 
Jouni Malinen                                            PGP id EFC895FA
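
Added example, not part of the original message and not hostapd code: a sketch of the IEEE 802.11i key derivation showing why caching a PMK gains nothing in WPA2-Personal (the PMK is computed locally from passphrase and SSID, with no EAP exchange to skip) while the PTK still depends on per-association nonces from the 4-way handshake. The SSID, passphrase and MAC addresses are constructed sample values, and CCMP (48-byte PTK) is assumed.

```python
import hashlib
import hmac
import os

# Constructed sample values (assumptions, not from the original message).
SSID, PASSPHRASE = "example-ess", "correct horse battery staple"
STA = bytes.fromhex("020000000001")
AP1 = bytes.fromhex("0200000000a1")
AP2 = bytes.fromhex("0200000000a2")

def psk_to_pmk(passphrase, ssid):
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    """802.11i PRF: concatenation of HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK (KCK | KEK | TK) from the PMK plus the MACs and nonces of one association."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)

def associate(ap_mac):
    """Return (PMK, PTK) for a fresh association; both nonces are new every time."""
    pmk = psk_to_pmk(PASSPHRASE, SSID)  # computed locally, nothing for a cache to save
    ptk = derive_ptk(pmk, ap_mac, STA, os.urandom(32), os.urandom(32))
    return pmk, ptk

if __name__ == "__main__":
    pmk1, ptk1 = associate(AP1)
    pmk2, ptk2 = associate(AP2)   # roam to the next AP
    pmk3, ptk3 = associate(AP1)   # roam back to the first AP
    print("PMK identical on every AP:", pmk1 == pmk2 == pmk3)
    print("PTK distinct per association:", len({ptk1, ptk2, ptk3}) == 3)
```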
