Key Hierarchy Using AES-CCMP

Most of what has been described so far in this section applies to both the AES-CCMP[5] and TKIP[6] cipher methods. The method of deriving and delivering keys applies across the board: the four-way handshake for pairwise keys and the two-way handshake for group keys. However, there is a difference in one respect: the size and number of keys needed depends on the encryption method in use.

[5] Details of AES-CCMP are given in Chapter 12.

[6] Details of TKIP are given in Chapter 11.

Given that AES-CCMP provides a higher level of security, you might expect that the AES-CCMP keys would be bigger or perhaps more numerous. In fact, the reverse is true. Whereas a total of 768 temporal key bits are needed for TKIP, only 512 are needed for AES-CCMP. The reason is that in AES-CCMP the integrity and encryption functions are combined into a single calculation, whereas with TKIP they are two quite distinct operations, each requiring a separate key.

For AES-CCMP, the pairwise temporal keys are:

  • Data Encryption/Integrity key (128 bits)

  • EAPOL-Key Encryption key (128 bits)

  • EAPOL-Key Integrity key (128 bits)

And the group temporal key is:

  • Group Encryption/Integrity key (128 bits)

The PMK and GMK are still created in the same way, but at the temporal key computation phase fewer key bits are generated; otherwise, there is no difference in operation. While the four-way handshake is mandated for both WPA and 802.11i, it is possible that new key hierarchy schemes will be introduced for 802.11i in the future. The four-way handshake has been criticized for being slow because it can take several seconds to complete. The slow handshake presents problems for systems that need rapid handover between access points, such as voice-over-IP terminals.
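The following Python is an added example, not code from the book, showing the temporal key computation phase in terms of the 802.11i PRF-n function (HMAC-SHA1 expansion of the PMK or GMK). The only difference between the two cipher methods is the number of bits requested from the PRF and how the resulting block is sliced into the individual keys: 384 pairwise bits plus a 128-bit group key for AES-CCMP (512 total, as stated above) against 512 pairwise bits plus a 256-bit group key for TKIP (768 total). The PMK, MAC addresses and nonces are constructed sample values, not real test vectors; in 802.11i the group key may alternatively be generated randomly rather than through the PRF, so the group derivation here is one permitted method rather than the only one.

```python
import hashlib
import hmac

# Bits requested from the PRF for each cipher method (IEEE 802.11i).
PAIRWISE_BITS = {"CCMP": 384, "TKIP": 512}
GROUP_BITS = {"CCMP": 128, "TKIP": 256}


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... until nbits bits are available, then truncate."""
    nbytes = nbits // 8
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_pairwise_keys(pmk: bytes, aa: bytes, spa: bytes,
                         anonce: bytes, snonce: bytes, cipher: str) -> dict:
    """Temporal key computation for the pairwise hierarchy.

    AA/SPA are the authenticator and supplicant MAC addresses; the min/max
    ordering makes the result independent of which side computes it.
    """
    data = (min(aa, spa) + max(aa, spa)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, PAIRWISE_BITS[cipher])
    keys = {
        "eapol_key_integrity": ptk[0:16],    # KCK, 128 bits
        "eapol_key_encryption": ptk[16:32],  # KEK, 128 bits
        "data_key": ptk[32:48],              # TK, 128 bits (CCMP: enc+integrity)
    }
    if cipher == "TKIP":
        # TKIP needs two further 64-bit Michael MIC keys, one per direction.
        keys["mic_authenticator_tx"] = ptk[48:56]
        keys["mic_supplicant_tx"] = ptk[56:64]
    return keys


def derive_group_key(gmk: bytes, aa: bytes, gnonce: bytes, cipher: str) -> bytes:
    """Group temporal key: 128 bits for CCMP, 256 bits (128 enc + 2x64 MIC) for TKIP."""
    return prf(gmk, b"Group key expansion", aa + gnonce, GROUP_BITS[cipher])


def total_temporal_bits(pairwise: dict, gtk: bytes) -> int:
    """Total temporal key material actually generated for one cipher method."""
    return 8 * (sum(len(k) for k in pairwise.values()) + len(gtk))


# Constructed sample inputs (locally administered MACs, hashed labels as
# stand-ins for the random nonces and the 256-bit PMK/GMK).
SAMPLE_PMK = hashlib.sha256(b"constructed-pmk").digest()
SAMPLE_GMK = hashlib.sha256(b"constructed-gmk").digest()
SAMPLE_AA = bytes.fromhex("020000000001")
SAMPLE_SPA = bytes.fromhex("020000000002")
SAMPLE_ANONCE = hashlib.sha256(b"constructed-anonce").digest()
SAMPLE_SNONCE = hashlib.sha256(b"constructed-snonce").digest()
SAMPLE_GNONCE = hashlib.sha256(b"constructed-gnonce").digest()


def example(cipher: str) -> tuple:
    """Run the derivation for one cipher method and return (pairwise, gtk, total_bits)."""
    pairwise = derive_pairwise_keys(SAMPLE_PMK, SAMPLE_AA, SAMPLE_SPA,
                                    SAMPLE_ANONCE, SAMPLE_SNONCE, cipher)
    gtk = derive_group_key(SAMPLE_GMK, SAMPLE_AA, SAMPLE_GNONCE, cipher)
    return pairwise, gtk, total_temporal_bits(pairwise, gtk)


if __name__ == "__main__":
    for cipher in ("CCMP", "TKIP"):
        pairwise, gtk, total = example(cipher)
        print(cipher, "pairwise keys:", {k: len(v) * 8 for k, v in pairwise.items()},
              "group bits:", len(gtk) * 8, "total bits:", total)
```

Because PRF-384 is simply a prefix of PRF-512 for the same inputs, the KCK, KEK and data key come out identical for both ciphers; TKIP just keeps reading the PRF output to obtain its two extra MIC keys. Reviewing a client or AP implementation against this layout (wrong key lengths, TX/RX MIC keys swapped, or a group key reused across the pairwise slots) is a quick way to catch key-handling bugs.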
