The 802.11i security association creates a number of security contexts. The different security contexts and what they contain are described below.

PMKSA

PMKSA stands for Pairwise Master Key Security Association. It is generated at the end of the EAP handshake (successful 802.1X negotiation) or when a PSK is configured. The PMKSA binds the PMK to a lifetime, which can persist across multiple associations by a roaming station. The PMKSA contains the following information:

  • PMK
  • Authenticator MAC address
  • PMK lifetime
  • Pairwise Master Key Identifier (PMKID)
  • AKMP
  • All additional authorization parameters – e.g. STA’s authorized SSID

When an 802.11 station roams to a different Access Point, a new PMKSA is generated for the new association. If the station roams back to the old Access Point, the PMKSA from the previous association to that Access Point can be used to skip the 802.1X EAP handshake and proceed directly to the EAPOL handshake.

PMKID

The PMKID is a number that is linked to a Pairwise Master Key Security Association. It identifies a unique PMKSA, and a station can use it to request reuse of a former PMK security association.
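The roam-back reuse and the PMKID lookup described above can be sketched as an authenticator-side cache. This is an added example, not code from the original article; the class and function names, the sample MAC addresses and the sample PMK are constructed, and the PMKID formula shown is the HMAC-SHA1 form used by the SHA-1 based AKMs.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """First 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

@dataclass
class PMKSA:                      # fields follow the PMKSA list above
    pmk: bytes
    aa: bytes                     # Authenticator MAC address
    spa: bytes                    # Supplicant MAC (assumption: needed for the PMKID)
    akmp: str
    expires_at: float             # PMK lifetime as an absolute time
    pmkid: bytes

class PMKSACache:                 # hypothetical authenticator-side cache
    def __init__(self):
        self._entries = {}

    def add(self, pmk, aa, spa, akmp, lifetime_s, now=None):
        now = time.time() if now is None else now
        sa = PMKSA(pmk, aa, spa, akmp, now + lifetime_s, pmkid(pmk, aa, spa))
        self._entries[sa.pmkid] = sa
        return sa

    def lookup(self, offered_pmkids, aa, spa, now=None):
        """Return a live PMKSA for one of the PMKIDs a station offers, else None."""
        now = time.time() if now is None else now
        for pid in offered_pmkids:
            sa = self._entries.get(pid)
            if sa is None:
                continue
            if now >= sa.expires_at:          # lifetime over: drop, force full EAP
                del self._entries[pid]
                continue
            if sa.aa == aa and sa.spa == spa:  # PMKSA is bound to this AP/STA pair
                return sa
        return None

def demo():
    ap = bytes.fromhex("02aabbccdd01")         # constructed sample addresses
    sta = bytes.fromhex("02aabbccdd99")
    pmk = hashlib.sha256(b"constructed sample PMK").digest()
    cache = PMKSACache()
    sa = cache.add(pmk, ap, sta, "802.1X", lifetime_s=3600, now=0)
    hit = cache.lookup([sa.pmkid], ap, sta, now=100)     # roam back in time
    stale = cache.lookup([sa.pmkid], ap, sta, now=4000)  # after PMK lifetime
    return hit is sa, stale is None
```

A cache hit lets the authenticator go straight to the 4-way handshake; a miss or an expired entry means the full 802.1X exchange runs again.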

PTKSA

PTKSA stands for Pairwise Transient Key Security Association. It is generated at the end of the 4-way EAPOL handshake, FT 4-way handshake, FT Protocol or FT Resource Request Protocol. The PTKSA remains valid until the station is de-authenticated or for the lifetime of the PMKSA. The PTKSA contains the following:

  • PTK
  • Supplicant MAC Address
  • Authenticator MAC Address
  • Pairwise cipher suite
  • Key ID
  • If FT key hierarchy is used,
    • R1KH-ID
    • S1KH-ID
    • PTKName

GTKSA

The GTKSA results from a successful 4-Way Handshake, FT 4-Way Handshake, FT Protocol, FT Resource Request Protocol or Group Key Handshake, and is unidirectional. In an infrastructure BSS there is one GTKSA, used exclusively for encrypting group-addressed MPDUs that are transmitted by the AP and for decrypting group-addressed transmissions that are received by the STAs. The GTKSA contains the following elements:

  • Direction vector (whether the GTK is used for transmit or receive)
  • Group cipher suite selector
  • GTK
  • Authenticator MAC address
  • Key ID
  • All authorization parameters specified by local configuration. This might include parameters such as the STA’s authorized SSID

We shall look at a wireless capture example of the pre-shared key mechanism in the coming article.
