802.11r, fast roaming, FT Key Hierarchy, PMK-R0, PMK-R1, R0KH, R1KH
IEEE 802.11r-2008, also known as “fast basic service set transition” (FT), is defined to allow fast secure roaming. The 802.11r mechanism introduces multiple layers of PMKs that are cached in different devices, and it assigns different roles (key holder roles) to those devices, as listed below.
WLAN Controller: PMK-R0 key holder (R0KH)
Access Point: PMK-R1 key holder (R1KH)
Client Station: PMK-S0 key holder (S0KH)
Client Station: PMK-S1 key holder (S1KH)
802.11r defines a three-level key hierarchy:
1. Pairwise Master Key R0 (PMK-R0): the first-level key of the FT key hierarchy. This key is derived from the master session key (MSK).
2. Pairwise Master Key R1 (PMK-R1): the second-level key of the FT key hierarchy, derived from PMK-R0.
3. Pairwise Transient Key (PTK): the third-level key of the FT key hierarchy. The PTK is the final key used to encrypt 802.11 data frames.
In 802.11r, the various levels of FT keys are derived and stored in different WLAN devices. 802.1X/EAP creates the master session key (MSK), and the MSK is then used to create the first-level master key (PMK-R0). PMK-R0 is cached on the WLAN controller, so the WLAN controller is the key holder for the first-level key.
The second-level key, PMK-R1, is derived from PMK-R0 and sent from the WLAN controller to the controller-managed APs. So the PMK-R1 keys are cached on the APs, and the APs are the key holders for PMK-R1.
PMK-R1 is used to derive PTKs, which are used to encrypt data. The diagram below summarizes the key hierarchy of a WLAN controller infrastructure (page 266, CWSP Official Study Guide).
On the client station side, the same levels of FT keys are derived and stored. 802.1X/EAP creates the MSK, and the MSK is then used to create the first-level master key (PMK-R0). The PMK-R0 is cached on the supplicant/client station, so the client station is the key holder for the first-level key.
Using PMK-R0, the client station derives the second-level key, PMK-R1. PMK-R1 is cached on the client station, so the supplicant is the key holder for PMK-R1. PMK-R1 is used to derive PTKs, which are used to encrypt data.
The diagram below (page 267, CWSP Official Study Guide) shows the supplicant FT key hierarchy.
If client traffic is encrypted/decrypted at the controller (instead of at the AP), then the WLC functions as both the PMK-R0 key holder (R0KH) and the PMK-R1 key holder (R1KH).
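The three-level derivation described above, as an added Python example that is not part of the original post or the CWSP material. It follows the FT KDF and label definitions in IEEE 802.11-2012 clause 12.8 as I read them (KDF-Hash-Length in counter mode over HMAC-SHA-256 with the labels "FT-R0", "FT-R1" and "FT-PTK"; R1KH-ID is the AP BSSID and S0KH-ID/S1KH-ID is the station MAC). The MSK, SSID, MDID, R0KH-ID, MAC addresses and nonces are all constructed sample values. It shows the point the post makes about key holders: the controller derives one PMK-R0 per client session, hands each AP its own PMK-R1 (the AP's BSSID is mixed into the second-level derivation), and the station reproduces exactly the same PMK-R0 and PMK-R1 on its side, so the two PTK holders never need to exchange a PMK.

```python
import hashlib
import hmac
import struct

# Added example, not the page's code. Formulas follow IEEE 802.11-2012 12.8
# as I read them; all inputs in sample_inputs() are constructed.


def kdf_sha256(key: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """802.11 KDF-Hash-Length in counter mode over HMAC-SHA-256.
    Each iteration MACs  i || label || context || length, where i and the
    length (in bits) are 16-bit little-endian integers, i starting at 1."""
    iterations = (length_bits + 255) // 256
    out = b""
    for i in range(1, iterations + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", length_bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: length_bits // 8]


def derive_pmk_r0(msk: bytes, ssid: bytes, mdid: bytes, r0kh_id: bytes, s0kh_id: bytes):
    """First level: PMK-R0 and PMKR0Name from the MSK (held by the R0KH and the S0KH)."""
    xxkey = msk[32:64]  # for 802.1X the second 256 bits of the MSK seed the FT hierarchy
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + s0kh_id
    r0_key_data = kdf_sha256(xxkey, b"FT-R0", ctx, 384)
    pmk_r0, salt = r0_key_data[:32], r0_key_data[32:48]
    pmk_r0_name = hashlib.sha256(b"FT-R0N" + salt).digest()[:16]
    return pmk_r0, pmk_r0_name


def derive_pmk_r1(pmk_r0: bytes, pmk_r0_name: bytes, r1kh_id: bytes, s1kh_id: bytes):
    """Second level: one PMK-R1 per (AP, station) pair, because R1KH-ID is the AP BSSID."""
    pmk_r1 = kdf_sha256(pmk_r0, b"FT-R1", r1kh_id + s1kh_id, 256)
    pmk_r1_name = hashlib.sha256(b"FT-R1N" + pmk_r0_name + r1kh_id + s1kh_id).digest()[:16]
    return pmk_r1, pmk_r1_name


def derive_ptk(pmk_r1: bytes, snonce: bytes, anonce: bytes, bssid: bytes, sta_addr: bytes):
    """Third level: the 384-bit CCMP PTK, split into KCK | KEK | TK (128 bits each)."""
    ptk = kdf_sha256(pmk_r1, b"FT-PTK", snonce + anonce + bssid + sta_addr, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def sample_inputs():
    """Constructed sample values; none of these are real keys or devices."""
    return {
        "msk": bytes(range(64)),                   # 64-byte MSK as if produced by EAP
        "ssid": b"corp-wlan",
        "mdid": b"\x12\x34",                        # Mobility Domain ID
        "r0kh_id": b"wlc-01.example.invalid",      # R0KH-ID (controller NAS identifier)
        "sta_mac": bytes.fromhex("02aabbccddee"),
        "ap_bssids": [bytes.fromhex("001122334401"), bytes.fromhex("001122334402")],
    }


def controller_hierarchy(inp):
    """What the WLC (R0KH) computes: one PMK-R0, then a PMK-R1 for each managed AP."""
    pmk_r0, pmk_r0_name = derive_pmk_r0(inp["msk"], inp["ssid"], inp["mdid"], inp["r0kh_id"], inp["sta_mac"])
    per_ap = {bssid: derive_pmk_r1(pmk_r0, pmk_r0_name, bssid, inp["sta_mac"]) for bssid in inp["ap_bssids"]}
    return pmk_r0, pmk_r0_name, per_ap


def station_pmk_r1(inp, bssid):
    """What the supplicant (S0KH/S1KH) computes on its own for the AP it is about to use."""
    pmk_r0, pmk_r0_name = derive_pmk_r0(inp["msk"], inp["ssid"], inp["mdid"], inp["r0kh_id"], inp["sta_mac"])
    return derive_pmk_r1(pmk_r0, pmk_r0_name, bssid, inp["sta_mac"])


if __name__ == "__main__":
    inp = sample_inputs()
    pmk_r0, _, per_ap = controller_hierarchy(inp)
    print("PMK-R0 (controller):", pmk_r0.hex())
    for bssid, (pmk_r1, name) in per_ap.items():
        print("AP", bssid.hex(), "PMK-R1:", pmk_r1.hex(), "PMKR1Name:", name.hex())
    ptk = derive_ptk(per_ap[inp["ap_bssids"][0]][0], b"\x01" * 32, b"\x02" * 32, inp["ap_bssids"][0], inp["sta_mac"])
    print("TK for first AP:", ptk["tk"].hex())
```

Running it prints a different PMK-R1 for each AP from the same PMK-R0, and station_pmk_r1() returns the same bytes the controller pushed to that AP; only the nonces exchanged during the FT authentication are needed to reach a PTK at either end.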
1. CWSP Official Study Guide
2. CWNP-RSN Fast BSS Transition (FT) white paper.
1. CWSP-802.11 Roaming Basics
2. CWSP-802.11r FT initial Association
3. CWSP-802.11r Over-the-Air-FT
4. CWSP-802.11r Over-the-DS-FT
Great Read. Thank you
Thanks for the feedback…
Tim Dmitrenko said:
You have a mistake in URL to CWNP Fast Transition White Paper doc. It has space at the end and returns 404 to me. Found it by accident 🙂 You can delete my comment after that as it won’t have any sense once fixed 🙂 Ta
Thanks Tim, I have corrected it. Will leave your comment to give you the credit of highlighting it.
Why do we need two levels of keys, PMK-R0 and PMK-R1? Just PMK-R0 is enough, right? Could you please give some explanation on this?
It's not just one PMK-R1 that is created. The WLC creates multiple PMK-R1s, unique to multiple WAPs.
Why multiple PMK-R1s? – If it were the same, then there would be a potential security exposure while deriving the PTK. Remember the PTK formula? [PTK = PRF (PMK + ANonce + SNonce + AA + SPA)]
Why not just get rid of PMK-R1?
– I guess the answer is the same as above. The PTK can be easily guessed if we have/obtain/capture the other elements in the formula. [PTK = PRF (PMK-R0 + ANonce + SNonce + AA + SPA)]