Wi-Fi is a Passion


Authentication and Key Management

Authentication and Key Management (AKM) is a service that is defined in 802.11-2012 standard. It consists of a set of one or more algorithms for authentication and key management. We already discussed a couple of the authentication methods in previous blogs: EAP with the 802.1X framework, pre-shared key (PSK), and simultaneous authentication of equals (SAE).

There are two goals with the 802.1X framework. Authentication is for validating the credentials and the second one is authorization. Authorization is for which resources are allowed to access for the specific client. Encryption is for encrypting the MSDU data as told in the previous blog about RSN. AKM services covers both and links them together—first the authentication and second the generation of the dynamic encryption keys. The seeding material for the encryption keys is generated from the authentication.

The AKM process is as follows, first there is the discovery (beacon frames or probe frames), then the authentication finds place (802.1X/EAP or PSK), after that the Master keys are created and the temporary keys are derived from that to create the PTK and the GTK during the 4-way handshake. After this you are authorized and the data will be encrypted. Let’s put this in more detail.

There needs to be a secure channel between the authenticator and the authenticator server, and there are many different kinds of EAP types that can establish a secure channel between those devices.

During the discovery part, the client listens passively to the beacon frames and looks in to the RSNIE for the security requirements, or with active scanning sending out probe requests and looking in to the probe response for the security requirements from the access point. The association and reassociation frames from the client to the access points include the security requirements from the client.

After this the authenticator starts with an EAP request (or an EAPOL-Start message from the supplicant) followed by an EAP response from the supplicant. The EAP frames are exchanged and the process ends with an access-accept.

The master key generation is the last step of the EAP exchange. The supplicant generates a pairwise master key (PMK) and the authentication server generates one. The PMK from the authentication server is sent to the supplicant through the secure channel with the authenticator.

After this the 4-way handshake process starts that uses the PMK to generate temporal keys and installs them. The control port opens and the supplicant can send encrypted frames with the PTK.

We mentioned a couple different types of keys: master keys and temporal keys. Let me explain those keys in more detail. This is also part of the AKM. The first key is the master session key (MSK). The MSK is generated from the 802.1X/EAP process or from the Passphrase-to-PSK mapping (the PSK authentication). The MSK is at least 64 octets in length.

The master keys are the keys that are derived from the MSK. There are two different types of master keys. The first one is the pairwise master key (PMK) and the second one is the group master key (GMK). The PMK is the first 256 bits (0-255) from the MSK. The PMK is already available on the supplicant and the authentication server (AS) since it is derived from the MSK. Every time a client (re)authenticates there is a new MSK generated and the PMK will be different as well, so it is unique per client per session. The PMK is sent from the AS over the secure channel and installed on the authenticator. The GMK is randomly created by the authenticator. A time interval can be configured to renew/regenerate the GMK, so the chance of being compromise is reduced. The GMK is used for multicast and broadcast traffic and the PMK for unicast. Those master keys are not for encrypting the data frames, those keys are seeding material for the 4-way handshake to generate the temporal keys.

During the 4-way handshake the pairwise transient key (PTK) is derived from the PMK and the group temporal key (GTK) is derived from the GMK. Those keys are used for encrypting and decrypting the data frames. The keys will be installed on the supplicant and the authenticator. The PTK is, like the PMK, unique per client per session. The GTK is not unique and shared between all the supplicants and a single authenticator.

The PTK has three sections:
Key Confirmation Key (KCK) is for data integrity during the 4-way handshake and the group key handshake.
Key Encryption Key (KEK) is used by the EAPol frames for data privacy during the 4-way handshake and group key handshake.
Temporal Key (TK) is the temporal encryption key used for encrypting and decrypting the data frames.

The GTK has only one section. This section is the Temporal Key (TK) and is for encrypting and decrypting multicast or broadcast traffic between one specific authenticator and multiple supplicants.

AKM is also possible with a pre-shared key. This process is different than discussed above. First is the discovery part. This part is equal to the discovery part that is described during the EAP process.

During the negotiation process the client associates with the access point. The PSK becomes the master session key (MSK) and is the seeding part for the pairwise master key (PMK).

After the negotiation process the 4-way handshake exchange finds place. During this process, the PMK is used for seeding material for the temporary keys (PTK) to encrypt the data frames.

As mentioned in the blog about PSK authentication, the PSK is created by a function called PBKDF (password based key generation function). This generates a 256-bit length key (64 characters in hex), and this key is used for all the clients within the BSS. The PBKFD is used to map the passphrase to the PSK.
PSK = PBKDF2 (PassPhrase, ssid, ssidLength, 4096, 256)

PassPhrase is the phrase that the user needs to fill in, and this is 8 to 63 ASCII characters.
SSID is the SSID name from the ESS or IBSS. This needs to be encoded as an octet string.
SsidLength is the number of octets of the ssid.
4096 is the amount of time that the passphrase is hashed.
256 is the number of bits that has output.