This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Difference between WPA-password and PSK

0

Hi forum

as i understand in a preshared-key network, the PSK (which is actually the PMK) can be derived from the WPA-password and the SSID...

Questions: If a user would like to join an AP and he is asked to enter a password, is this password called the WPA-password or is this the PSK?

Thank you very much for any clarifications!

Joe

asked 17 Dec '16, 06:00

joseph123's gravatar image

joseph123
119912
accept rate: 0%


One Answer:

1

Not really a Wireshark question, but anyway here is a view.

WiFi Alliance refers to it this way:

  • Enable WPA2-Personal (aka WPA2-PSK) with AES encryption

So 'Personal' would take a passphrase or password and derive a PSK through a process with example code given in 802.11-2012 Annex M.4, also loosely described in the wikipedia reference below. An example implementation is the Wireshark online calculator. I prefer the way they refer to it:

  • The Wireshark WPA Pre-shared Key Generator provides an easy way to convert a WPA passphrase and SSID to the 256-bit pre-shared ("raw") key used for key derivation.

The PSK would be the PMK in this case. In addition, 802.11-2012 describes how to use these:

  • 4.10.3.3 AKM Operations with a Password or PSK (and other places in the standard)

So to answer your specific question, I prefer to call it a passphrase. I like the term passphrase because from a security context, a passphrase is usually better than a password, but both are better than PSK because PSK is derived from this along with the SSID. But you will see all variants described in different ways.

In WPA2-Enterprise, the PMK is transferred from the RADIUS server after authentication and delivered to both the AP and the wireless client for use so there is no offline calculator. It makes decryption very difficult as well, because we need the four way handshake and the PMK from the authentication step; the PMK usually changes every session timeout period, which can be short (e.g. adjustable, but commonly 30 minutes or sometimes a few hours).

Some references:

https://en.wikipedia.org/wiki/IEEE_802.11i-2004 802.11-2012 specification (see IEEE website, it is free) http://www.wi-fi.org/node/7924

answered 17 Dec '16, 06:27

Bob%20Jones's gravatar image

Bob Jones
1.0k2515
accept rate: 21%

edited 17 Dec '16, 06:34