Introduction to WPA Key Hierarchy

Hello David

Your understanding of the WPA key hierarchy is mostly accurate, and your analysis correctly highlights the security differences between WPA Personal (PSK) and WPA Enterprise. Let me expand on your points with some clarifications and additional context:

Yes, that is correct. The PMK is derived by combining the PSK with the SSID (using PBKDF2-SHA1). This generates the 256-bit Pairwise Master Key (PMK). This PMK is static for all clients using the same PSK and SSID. The Pairwise Transient Key (PTK) is then dynamically derived using the PMK, client/AP MAC addresses, and nonces (from the 4-way handshake). This ensures unique PTKs per session/client, protecting individual data exchanges.

Now, the flaw you mention is that if an attacker obtains the PSK (e.g., through brute-force/dictionary attacks, social engineering, or leakage), they can capture the 4-way handshake, derive the PTK (using the known PMK and handshake parameters), and decrypt traffic for any client on the network.

This is a systemic weakness in WPA-PSK, as all clients share the same PMK. Strong PSKs mitigate risk but do not eliminate it.

Yes, that is correct. WPA Enterprise uses unique PMKs per client/session. The PMK is a 256-bit subset of the MSK, generated uniquely per authentication session. Even if the same credentials are reused, the MSK (and thus PMK) changes with each session. The RADIUS server sends the PMK to the AP, while the client calculates it locally. The PMK is never transmitted over the air.

Yes, and that adds to the security benefits. Each client uses a unique PMK. Compromising one PMK (e.g., via AP vulnerabilities) doesn’t affect other clients.

This is a good point, and is often misunderstood. The PTK is derived during the handshake, so it can’t be used to protect the entire handshake. You can check out the sequence of events at this NetworkLessons note. A quick step-by-step process is shown here:

  1. Message 1: AP sends ANonce to client.
  2. Message 2: Client sends SNonce + MIC (Message Integrity Code) back, using KCK, part of PTK derived just now. This proves to the AP that the client has the PMK.
  3. Message 3: AP sends GTK and other info, encrypted using KEK, and includes its own MIC (with PTK).
  4. Message 4: Client acknowledges.

So, the handshake starts in the clear, but MICs in messages 2 and 3 verify that both sides have derived the same PTK, and from that point forward, encryption (data protection) begins.

I hope this has been helpful!

Laz