Saturday, October 5, 2013

STA-AP: WPA-PSK Connection Establishment (Sequence Diagram)


  • Probe response and beacon frames include the WPA IE (AP WPA capabilities)
  • Association request from STA includes the WPA IE (STA WPA capablities)
  • IEs in EAPOL messages and corresponding probe/beacon/assoc messages should match
  • WPA Pairwise Key (TKIP) is dervied from the following
    • STA MAC address
    • AP MAC address
    • PMK (Pairwise Master Key) (PMK = PSK (256 bits))
    • Authenticator (AP) Nonce (A random value genearted by AP)
    • Supplicant (STA) Nonce (A random value generated by STA)
  • Pairwise key consists of 
    • EAPOL KEK (128 bits)
    • EAPOL KCK (128 bits)
    • TKIP TK (128 bits)
    • TKIP MIC Key (128 bits)
  • WPA does not use KEK to encrypt the keys (Q:What is the purpose of KEK in TKIP?)
  • KCK is used for integrity protection of EAPOL messages
  • Group key messages are encrypted using TKIP TK
  • Group key consists of
    • Group Temporal Key (128 bits)
    • Group MIC (128 bits)
  • Group key may be periodically updated by the AP
  • Air-traces used to generate this diagram can be downloaded from here 


  1. This is apply to client server architecture right? From what diagram software you draw this sequence diagram ? If it is a platform independent software please specify.

    1. This applies to Infrastructure mode (See
      I generate the diagrams using

  2. Nice blog great information.

    Videocon is committed to building a diverse and inclusive team of professionals. All efforts are channelized to attract, retain and develop a customer-centric workforce. This diverse knowledge team is ably led by some of the most experienced and seasoned professionals of the Indian Telecom industry.