This topic is to discuss the following lesson:
Hello Rene,
just to verify a few things here.
First of, I heared that both sides not only know the PMK but also the GMK, that is why the GTK can derived right? Essentially the entities on both sides (STA, AP) know the PMK and the GMK, correct?
My understanding is that in the 4-way handshake nothing is encrypted and basically open. So if anyone will throw up a wireshark anywhere and sees those messages in the air, and also knows the PMK somehow. He would be able to read all the data the client sends back and forth no?
So why exactly is the 4-way handshake considered secure? Is it because of the MIC and the replay counter? Am I missunderstanding something here?
Thanks in advance!
Kind regards,
Mirko
Hello Mirko
You’re correct in your understanding that both the STA and AP know the PMK and the GMK. However, let me clarify a few things.
In the 4-way handshake, the PMK is used to derive the PTK, and the GMK is used to derive the GTK. The PTK is then used to encrypt unicast communication between the STA and AP, while the GTK is used to encrypt multicast and broadcast traffic from the AP to all STAs.
The 4-way handshake is considered secure, even though the handshake itself is not encrypted. This is because the handshake is designed in such a way that it verifies the possession of the PMK without revealing it. Even if an attacker intercepts the handshake packets, they wouldn’t be able to obtain the PMK or decrypt the communication.
Additional security parameters are employed including the Message Integrity Check (MIC) which is used to ensure the integrity of the handshake messages, preventing tampering or forgery, and the replay counter is used to prevent replay attacks where an attacker might try to resend a previously captured packet.
So, even if someone were to capture the 4-way handshake using a tool like Wireshark, they would not be able to derive the PMK or decrypt the communication without the pre-shared key (PSK) or the output of the EAP authentication, or the MAC address of the client, or the proper MIC algorithm, and even if they were able to do all that, the replay counter would be used if an attacker attempts to resend a “valid” packet.
All of this is enough to make the 4-way handshake sufficiently secure.
I hope this has been helpful!
Laz
1 Like
Hello Rene, I hope you’re doing great.
I’m concerned about this lesson, because i don’t see it on the CCNP topic lists. However, what i see is EAPOL (4-way Handshake) not WPA2 (4-way handshake).
Hello Chris
Indeed the WPA2 4-way handshake is not explicitly stated in the Cisco blueprint, however, in typical Cisco style, they always state a disclaimer of some sort that typically says that although these are the topics that are likely to be covered, there may still be others that are related that can also be included.
In any case, because the WPA2 4-way handshake is an integral part of how wireless networks securely operate, it has been included here to ensure that this process is understood. Although not explicitly stated in the blueprint, it may be a related topic that can be good to know.
As for the EAPOL 4-way handshake, yes that is indeed included, and you can find out more about it here:
I hope this has been helpful!
Laz
1 Like
Hello, everyone.
I don’t understand a few things here. A cisco document defines the process as follows:
An MSK is derived from the EAP authentication phase when 802.1X/EAP security is used, or from the PSK when WPA/WPA2-PSK is used as the security method.
From this MSK, the client and WLC/AP derive the Pairwise Master Key (PMK), and the WLC/AP generates a Group Master Key (GMK).
The NW lesson for the WPA Key Hierarchy says
The AAA key is also called the Master Session Key (MSK).
However, in the cisco document above, it’s implying that an MSK is also used with PSK authentication? Which doesn’t use AAA.
Next, the GMK. NW says the following:
The group master key (GMK) is a 128-bit key at the top of the hierarchy for broadcast and multicast traffic. The AP generates a cryptographic-quality random number. The “cryptographic quality” part is important because some functions that generate random numbers are predictable.
How exactly is this key derived? Randomly? The Cisco document again says that the MSK is used to derive it.
From this MSK, the client and WLC/AP derive the Pairwise Master Key (PMK), and the WLC/AP generates a Group Master Key (GMK).
I thought the PSK is fed through a key derivation function and directly creates the PMK.
This leads to another thing that confuses me. If the AP/WLC does generate the GMK, does it actually send it to the client or not? My book says that both devices know the PMK and the GMK.
I thought the AP would create a GMK, derive the GTK, and send it to the client for installation. It doesn’t make sense to me for the client to know what the GMK is. This second image says the opposite
When a lightweight architecture is used, does the WLC participate in the 4-way handshake instead of the AP? And then once the keys are figured out, the AP encrypts/decrypts the data.
And the final question.
The GTK is sent in an encrypted format. In the case of PTK, a partition of it is used to generate a MIC which basically ensures that both sides are using the same key if they end up with the same value. Does the client do anything to verify the same, but with the GTK instead?
Thank you.
David
Hello David
I’ll do my best to address each of your questions:
Cisco’s MSK definition applies to both the PSK and the 802.1X/EAP modes. In 802.1X/EAP, the MSK is generated during EAP authentication and sent from the AAA server to the AP/WLC. In PSK mode, the MSK is derived directly from the pre-shared password (via PBKDF2-SHA1), bypassing AAA entirely.
In Rene’s explanation, the AAA key is referred to as the MSK specifically in 802.1X context where AAA is used.
The GMK is generated randomly by the AP/WLC in PSK mode, not directly derived from the MSK. In 802.1X mode, the GMK is derived hierarchically from the MSK (MSK → GMK). The Cisco statement you mention may be an oversimplification or may be misunderstood. It may be saying that the MSK is used to derive the PMK, but then the GMK is generated independently and indeed randomly by the AP/WLC. The wording is not quite clear.
You’re absolutely right. In WPA2/WPA3-Personal mode, the PSK is not used directly as the PMK, but is fed through a key derivation function (KDF) to produce the PMK.
However, the Cisco statement:
“From this MSK, the client and WLC/AP derive the Pairwise Master Key (PMK), and the WLC/AP generates a Group Master Key (GMK).”
is 100% correct in the context of WPA2-Enterprise, not WPA2-Personal.
The GMK itself is never sent to the client. Instead, the AP/WLC derives the GTK from the GMK and sends the GTK to the client, which is encrypted with the PTK during the 4-way handshake. The client only receives the GTK, not the GMK. Both parties derive the GTK independently.
In lightweight AP (CAPWAP) deployments, the WLC handles the 4-way handshake, not the AP. The WLC generates and manages all keys (PTK, GTK) and securely forwards them to the AP for frame encryption/decryption. The AP acts as a “dumb” radio, relying on the WLC for key negotiation.
Unlike the PTK, the GTK does not use a Message Integrity Code (MIC) for verification.
The GTK is encrypted with the PTK during transmission (ensuring confidentiality and integrity). Clients assume the GTK is valid if decryption succeeds, as the PTK’s integrity checks already validate the handshake.
I hope this has been helpful!
Laz
PS I have removed the copyrighted material from your post… Just making sure that NWL complies with the related laws… Thanks for understanding! 
Hello Laz.
All is clear, thank you.
So the MSK is only derived from the AAA credentials, not during PSK?
Sorry for the material, it’s a force of habit for me to send a screenshot to provide more clarity. Is it generally considered a problem if there is just a single screenshot from the book?
If I have to refer to a screenshot, can I mention the book name and the page instead?
That’s all, thank you.
David
Hello David
Yes, that is correct. The MSK is generated during the EAP authentication process between the client and the AAA server.
Concerning the screenshots of material, I understand that it is very convenient and simple to do, but to be sure that we comply with all of the copyright rules, we have to remove them. Of course you can mention the book and the page number, or if the resource is online you can share a link to it.
I hope this has been helpful!
Laz