consequences of turning on extra key_mgmt flags

Olsson, Ola Ola.Olsson at
Fri May 31 04:36:05 EDT 2013

Thanks for the fast reply Jouni. It was very helpful.



Message: 2
Date: Thu, 30 May 2013 00:56:11 +0300
From: Jouni Malinen <j at>
Subject: Re: consequences of turning on extra key_mgmt flags
To: hostap at
Message-ID: <20130529215611.GD11969 at>
Content-Type: text/plain; charset=us-ascii

On Wed, May 29, 2013 at 03:21:23PM +0200, Olsson, Ola wrote:
> I use an external connection manager to talk to the supplicant and when I add a PSK network I might not know if the AP supports 11R and PMF. What would the negative implications be if I add "FT-PSK WPA-PSK-SHA256" to the key_mgmt in supplicant.conf whenever I add a PSK network?

For most purposes, this should not have any negative effect. In theory, this could open up some attacks _if_ an issue were to be found with any of the enabled options. There are no known such issues with FT-PSK or WPA-PSK-SHA256 as compared to WPA-PSK (i.e., those are actually considered to be more secure than WPA-PSK rather than the opposite).

The main practical issue that could happen (but is not known to be present today) is an interoperability issue with an AP that adds support for one of the new options in the future and then turns out to be behaving incorrectly with the newer options (or well, it would not need to be even an incorrect behavior, but an interop issue of some sort). If you only have WPA-PSK enabled, you would limit your risk of hitting such issues. However, that would come at the price of not being able to upgrade networks easily.

> To be clear, whenever I add a network, which is supposed to look like:
> network={
>                 ssid="test"
>                 psk="1234567890"
>                 key_mgmt=WPA-PSK
>                 priority=4000002
> }
> Would it hurt to implicitly make it look like the following?
> network={
>                 ssid="test"
>                 psk="1234567890"
>                 key_mgmt=WPA-PSK FT-PSK WPA-PSK-SHA256
>                 ieee80211w=1
>                 priority=4000002
> }

I think the latter would be a better default option. If there is a mechanism for doing "advanced configuration" to select a smaller subset of options, that could be used to cover some possible, even if unlikely, issues mentioned above.

Jouni Malinen                                            PGP id EFC895FA
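
Added example, not part of the original thread and not wpa_supplicant's own code: one way a connection manager could write the broader key_mgmt set by default while keeping an "advanced" override that selects a smaller subset, as discussed above. The names render_psk_network and DEFAULT_KEY_MGMT are hypothetical, and emitting ieee80211w=1 only when WPA-PSK-SHA256 is enabled is an assumption modelled on the second network block in the question.

```python
# Added example: render_psk_network and DEFAULT_KEY_MGMT are hypothetical names.
DEFAULT_KEY_MGMT = ("WPA-PSK", "FT-PSK", "WPA-PSK-SHA256")


def _quoted(name, value):
    """Return value as a double-quoted config string, refusing characters
    that could break out of the quoted field (a conservative choice here)."""
    if '"' in value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError(f"{name} contains a quote or control character")
    return f'"{value}"'


def render_psk_network(ssid, psk, priority, key_mgmt=None):
    """Build a network block. key_mgmt=None selects the broad default;
    an explicit list is the 'advanced' override and must be a non-empty
    subset of DEFAULT_KEY_MGMT."""
    chosen = list(DEFAULT_KEY_MGMT if key_mgmt is None else key_mgmt)
    unknown = [k for k in chosen if k not in DEFAULT_KEY_MGMT]
    if not chosen or unknown:
        raise ValueError(f"key_mgmt must be a non-empty subset of "
                         f"{DEFAULT_KEY_MGMT}, got {chosen}")
    if not 8 <= len(psk) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    # Keep the canonical order and drop duplicates.
    ordered = [k for k in DEFAULT_KEY_MGMT if k in chosen]
    lines = [
        "network={",
        f"\tssid={_quoted('ssid', ssid)}",
        f"\tpsk={_quoted('psk', psk)}",
        f"\tkey_mgmt={' '.join(ordered)}",
    ]
    # Assumption mirroring the second block in the question: offer PMF as
    # optional (ieee80211w=1) only when WPA-PSK-SHA256 is enabled.
    if "WPA-PSK-SHA256" in ordered:
        lines.append("\tieee80211w=1")
    lines += [f"\tpriority={int(priority)}", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values, taken from the question's example network.
    print(render_psk_network("test", "1234567890", 4000002))
    print(render_psk_network("test", "1234567890", 4000002,
                             key_mgmt=["WPA-PSK"]))
```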

