WPA and WPA2

Mutual entity authentication and key establishment

To avoid all the problems relating to the use of a shared, fixed WEP key, a key hierarchy is employed. The top key in this key hierarchy is known as the pairwise master key (PMK), which is a key shared between a device and a wireless access point. There are two ways in which this key PMK can be established:

1. During an AKE protocol run between a device and a central authentication server: Both WPA and WPA2 support using a central authentication server to provide authentication in a way that is scalable and can be tailored to fit the needs of the specific application environment. A wide range of authentication techniques is supported by the Extensible Authentication Protocol (EAP), which is a suite of entity authentication mechanisms including methods deploying SSL/TLS to secure a connection to an authentication server.

2. As a pre-shared key programmed directly into the device and the wireless access point: This is most suitable for small networks. The most common method for generating PMK is deriving it from a password. Any users requiring access to the WLAN must be aware of this password. A home user who purchases a wireless router may be provided with a (weak) default password from the manufacturer or service provider. This must be changed on the first installation to something less predictable.

Note: Even if a device has successfully authenticated itself to a central authentication server and this server has passed PMK to the wireless access point, it is still necessary for the device to authenticate itself to the access point. Regardless of how PMK has been established, it forms the basis for this entity authentication process between the device and the access point.

The master key PMK is also used to derive session keys using the following AKE protocol run between Alice (a device) and Bob (a wireless access point). This is shown in the illustration below: