This topic is to discuss the following lesson:
Hello, everyone.
From what I understand (let’s stay with WPA Personal for simplicity), the PSK is fed into a function that creates a 256-bit PMK. This PMK together with MAC addresses and nonces is then used to derive the PTK that is then used for the actual encryption and integrity of data.
Considering that you use nonces and MAC addresses in the equation, the resulting key for encryption/decryption will be different for each client.
However, this comes with a flaw. If I was to know what the PSK is and generate a PMK, I could use the PMK and capture someone’s 4-way handshake (to find out the nonces and MAC addresses) and just decrypt their traffic.
This is pretty much solved with WPA Enterprise which is also why it’s the recommended solution for enterprises?
Correct me if I am wrong here but the AAA server will generate an MSK from the provided credentials, then derive the PMK and send it to the AP and the client.
Since each client’s credentials (username/password or maybe even a digital cert) are unique, that means that the resulting PMK will also be unique, right?
Also, how exactly does the PTK protect the 4-way handshake when it isn’t known before it? It’s derived during the 4-way handshake.
Thank you.
David
Hello David
Your understanding of the WPA key hierarchy is mostly accurate, and your analysis correctly highlights the security differences between WPA Personal (PSK) and WPA Enterprise. Let me expand on your points with some clarifications and additional context:
Yes, that is correct. The PMK is derived by combining the PSK with the SSID (using PBKDF2-SHA1). This generates the 256-bit Pairwise Master Key (PMK). This PMK is static for all clients using the same PSK and SSID. The Pairwise Transient Key (PTK) is then dynamically derived using the PMK, client/AP MAC addresses, and nonces (from the 4-way handshake). This ensures unique PTKs per session/client, protecting individual data exchanges.
Now the flaw you mention is that if an attacker obtains the PSK (e.g., through brute-force/dictionary attacks, social engineering, or leakage), they can capture the 4-way handshake, derive the PTK (using the known PMK and handshake parameters), and decrypt traffic for any client on the network.
This is a systemic weakness in WPA-PSK, as all clients share the same PMK. Strong PSKs mitigate risk but do not eliminate it.
Yes, that is correct. WPA Enterprise uses unique PMKs per client/session. The PMK is a 256-bit subset of the MSK, generated uniquely per authentication session. Even if the same credentials are reused, the MSK (and thus PMK) changes with each session. The RADIUS server sends the PMK to the AP, while the client calculates it locally. The PMK is never transmitted over the air.
Yes, and that adds to the security benefits. Each client uses a unique PMK. Compromising one PMK (e.g., via AP vulnerabilities) doesn’t affect other clients.
This is a good point, and is often misunderstood. The PTK is derived during the handshake, so it can’t be used to protect the entire handshake. You can check out the sequence of events at this NetworkLessons note. A quick step by step process is shown here:
- Message 1: AP sends ANonce to client.
- Message 2: Client sends SNonce + MIC (Message Integrity Code) back, using KCK, part of PTK derived just now. This proves to the AP that the client has the PMK.
- Message 3: AP sends GTK and other info, encrypted using KEK, and includes its own MIC (with PTK).
- Message 4: Client acknowledges.
So, the handshake starts in the clear, but MICs in messages 2 and 3 verify that both sides have derived the same PTK, and from that point forward, encryption (data protection) begins.
I hope this has been helpful!
Laz
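The key hierarchy discussed in this thread (PSK + SSID -> PMK via PBKDF2-SHA1, then PMK + MAC addresses + nonces -> PTK, whose KCK portion produces the MICs on messages 2 and 3) can be walked through with the Python standard library. The block below is an added example and is not code from the lesson or from NetworkLessons; the derivation formulas follow the IEEE 802.11 definitions (PBKDF2 with 4096 iterations, the "Pairwise key expansion" PRF, and the CCMP MIC as HMAC-SHA1 truncated to 16 bytes). The SSID, passphrase, MAC addresses, nonces and the EAPOL frame bytes are constructed sample values chosen only for illustration. It shows the point made in the thread: two clients sharing one PSK share one PMK, their PTKs still differ because of the nonces and MACs, and a MIC only verifies when both sides hold the same PTK.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def _prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || i) blocks, truncated."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """PTK for CCMP (48 bytes): KCK (MIC key) | KEK (GTK wrapping key) | TK (data key).

    Both sides sort the MACs and nonces, so AP and client compute the same PTK.
    """
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = _prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP MIC over an EAPOL-Key frame whose MIC field is zeroed."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def demo() -> dict:
    """Walk two clients through the hierarchy with constructed sample values."""
    ssid = "lab-ssid"                         # constructed
    psk = "constructed-passphrase"            # constructed
    ap = bytes.fromhex("02aabbcc0001")        # constructed AP MAC
    client1 = bytes.fromhex("02aabbcc1001")   # constructed client MACs
    client2 = bytes.fromhex("02aabbcc1002")
    # Constructed nonces; real ones are 32 random bytes from each side.
    anonce1 = hashlib.sha256(b"anonce-client1").digest()
    snonce1 = hashlib.sha256(b"snonce-client1").digest()
    anonce2 = hashlib.sha256(b"anonce-client2").digest()
    snonce2 = hashlib.sha256(b"snonce-client2").digest()

    # Same PSK and SSID -> the same PMK on every client (the WPA-PSK weakness).
    pmk_client1 = derive_pmk(psk, ssid)
    pmk_client2 = derive_pmk(psk, ssid)

    # Nonces and MACs make each session's PTK different even with one PMK.
    ptk1 = derive_ptk(pmk_client1, ap, client1, anonce1, snonce1)
    ptk2 = derive_ptk(pmk_client2, ap, client2, anonce2, snonce2)

    # Message 2: the client MICs the frame with its KCK; the AP, which derived
    # the same PTK from the PMK and the exchanged nonces, recomputes and compares.
    msg2_frame = b"constructed EAPOL-Key message 2 with MIC field zeroed"  # constructed
    client_mic = eapol_mic(ptk1["kck"], msg2_frame)
    ap_mic = eapol_mic(derive_ptk(pmk_client1, ap, client1, anonce1, snonce1)["kck"], msg2_frame)

    # A party holding a different PMK (wrong PSK) derives a different PTK and fails the MIC.
    wrong_ptk = derive_ptk(derive_pmk("other-passphrase", ssid), ap, client1, anonce1, snonce1)
    wrong_mic = eapol_mic(wrong_ptk["kck"], msg2_frame)

    return {
        "same_pmk_for_both_clients": pmk_client1 == pmk_client2,
        "ptks_differ": ptk1["tk"] != ptk2["tk"],
        "mic_verifies_with_same_ptk": hmac.compare_digest(client_mic, ap_mic),
        "mic_fails_with_wrong_psk": not hmac.compare_digest(client_mic, wrong_mic),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The MIC comparison uses `hmac.compare_digest` rather than `==`, which is the constant-time check an AP or supplicant implementation should use. In WPA Enterprise the only line that changes is where `pmk_client1` and `pmk_client2` come from: each would be a per-session value delivered by the AAA server (and computed locally by the client), so the "same PMK" check would be false and a captured handshake for one client would say nothing about another's PTK.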