Nov 2, 2007

Pairwise Master Key (PMK) vs Parewise Transient Key(PTK) vs PseudoRandom Function(PRF) vs GTK (Groupwise Transient Key)

The IEEE's initial attempt at wireless LAN security was Wired Equivalent Privacy. This turned out to be a quite unfortunate moniker, as WEP was quickly shown to provide very little of the privacy it advertised.

802.11i improves on WEP by using completely new encryption algorithms and key-derivation techniques. This wireless security standard, finalized in 2004, makes it possible to safeguard over-the-air communications at Layer 2.

A key called the Pairwise Master Key (PMK) is established between the wireless station and the access point. This key is typically generated using 802.1X, which is authentication of the user to a RADIUS or other authentication server using Extensible Authentication Protocol. Both the station and RADIUS server derive identical keys, and the RADIUS server returns that key to the access point.

Next, the station and access point exchange a sequence of four messages, called the "four-way handshake." In this exchange, the PMK and freshly generated random values from both station and access point are used to derive a new key, called the Pairwise Transient Key. This key is subdivided into several keys: one to sign four-way handshake messages; one to secure data packets transmitted between station and access point; and one to encrypt a "group key" to the station during the four-way handshake. The group key lets the access point broadcast one multicast packet to all stations, rather than send a separately encrypted packet to each station.

During the four-way handshake, the station and access point negotiate the type of encryption to be used for the data connection. Two encryption ciphers are negotiated: The pairwise cipher is used for unicast data between station and access point, and the group cipher is used for broadcast/multicast traffic from the access point to multiple stations.

Pseudorandom Function(PRF) is used to compute the PTK as a function of client and access point random numbers and the MAC addresses of the access point and client.

The Four-Way Handshake
The authentication process leaves two considerations: the access point (AP) still needs to authenticate itself to the client station (STA), and keys to encrypt the traffic need to be derived. The earlier EAP exchange has provided the shared secret key PMK (Pairwise Master Key). This key is however designed to last the entire session and should be exposed as little as possible. Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address and STA MAC address. The product is then put through a cryptographic hash function.

The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below:

1. The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC.
3. The AP sends the GTK and a sequence number together with another MIC. The sequence number is the sequence number that will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
4. The STA sends a confirmation to the AP.

As soon as the PTK is obtained it is divided into five separate keys:

PTK (Pairwise Transient Key – 64 bytes)

1. 16 bytes of EAPOL-Key Encryption Key (KEK) - AP uses this key to encrypt additional data sent (in the 'Key Data' field) to the client (for example, the RSN IE or the GTK)
2. 16 bytes of EAPOL-Key Confirmation Key (KCK)– Used to compute MIC on WPA EAPOL Key message
3. 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
4. 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP
5. 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station

The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.

The Group Key Handshake
The GTK used in the network may need to be updated due to the expiry of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP.

To handle the updating, 802.11i defines a Group Key Handshake that consists of a two-way handshake:

1. The AP sends the new GTK to each STA in the network. The GTK is encrypted using the KEK assigned to that STA and protects the data from being tampered using a MIC.
2. The STA acknowledges the new GTK and replies to the AP.

GTK ( Groupwise Transient Key – 32 bytes)

1. 16 bytes of Group Temporal Encryption Key – Used to encrypt Multicast data packets
2. 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on Multicast packet transmitted by AP
3. 8 bytes of Michael MIC Authenticator Rx Key – This is currently not used as stations do not send multicast traffic

The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.
Post a Comment