GTK和IGTK是同时产生的。IGTK是用于完整性保护的key,GTK是用于加密的key。完整性保护的key是指在进行完整性算法的时候加入了密钥进行加密,这个密钥就是IGTK,防止对完整性校验报文进行串改。GTK是用于对广播报文进行加密。
GTK:GTK是由GMK衍生出来的,经过一段时间会配置给AP 去减少数据的暴露。
GTK会在下面的情况下进行更新:
a) The Authenticator might change the GTK on disassociation or deauthentication of a STA.
b) An event within the SME might trigger a Group Key Handshake.
图1描述了如果经由GMK剑圣GTK,再由GTK产生TK,TK被MAC层使用用来保护是组播地址的交流。GTK被用在一个独立的Authenticator和所有的认证到这个Authenticator的所有station。当需要更新GTK时,Authenticator会发送新的GTK。
Group key握手是二次握手,流程是:
1.AP 使用Group Key 握手发送一个新的GTK,并且如果管理帧保护被协商,一个新的IGTK会被发送到station.
Message 1: Authenticator → Supplicant:
EAPOL-Key(1,1,1,0,G,0,Key RSC,0, MIC,GTK[N],IGTK[M])
Message 2: Supplicant → Authenticator: EAPOL-Key(1,1,0,0,G,0,0,0,MIC,0)
— Key RSC denotes the last frame sequence number sent using the GTK.
— GTK[N] denotes the GTK encapsulated with its key identifier as defined in 11.6.2 using the KEK
defined in 11.6.1.3 and associated IV.
— IGTK[M], when present, denotes the IGTK encapsulated with its key identifier as defined in 11.6.2
using the KEK defined in 11.6.1.3 and associated IV.
— The MIC is computed over the body of the EAPOL-Key frame (with the MIC field zeroed for the
computation) using the KCK defined in 11.6.1.3.
Station可以通过发送一个EAPOL-KEY帧并且Group Key位的request bit被设置为1来出发一次Group KEy的握手
所有的AP应该在Group key握手前先做四次握手。 AP不能做Group Key握手知道四次握手被完成。
11.6.7.2 Group Key Handshake Message 1
Message 1 uses the following values for each of the EAPOL-Key frame fields:
Descriptor Type = N – see 11.6.2
Key Information:
Key Descriptor Version = 1 (ARC4 encryption with HMAC-MD5) or 2 (NIST AES key wrap
with HMAC-SHA1-128) or 3 (NIST AES key wrap with AES-128-CMAC), in all other
cases 0
Key Type = 0 (Group/SMK)
SMK Message = 0
Install = 0
Key Ack = 1
Key MIC = 1
Secure = 1
Error = 0
Request = 0
Encrypted Key Data = 1
Reserved = 0
Key Length = 0
Key Replay Counter = n+2
Key Nonce = 0
EAPOL-Key IV = 0 (Version 2) or random (Version 1)
Key RSC = last transmit sequence number for the GTK
Key MIC = MIC(KCK, EAPOL)
Key Data Length = Cipher-suite-specific; see Table 11-4
Key Data = encrypted, encapsulated
— GTK and the GTK’s key identifier (see 11.6.2)
— When present, IGTK, IGTK’s key identifier, and IPN (see 11.6.2)
The Authenticator sends Message 1 to the Supplicant.
On reception of Message 1, the Supplicant:
a) Verifies that the Key Replay Counter field value has not yet been seen before, i.e., its value is
strictly larger than that in any other EAPOL-Key frame received thus far during this session.
b) Verifies that the MIC is valid, i.e., it uses the KCK that is part of the PTK to verify that there is no
data integrity error.
c) Uses the MLME-SETKEYS.request primitive to configure the temporal GTK and, when present,
IGTK into its IEEE 802.11 MAC.
d) Responds by creating and sending Message 2 of the Group Key Handshake to the Authenticator and
incrementing the replay counter.
NOTE—The Authenticator increments and uses a new Key Replay Counter field value on every Message 1
instance, even retries, because the Message 2 responding to an earlier Message 1 might have been lost. If the
Authenticator did not increment the replay counter, the Supplicant discards the retry, and no responding
Message 2 ever arrives.
11.6.7.3 Group Key Handshake Message 2
Message 2 uses the following values for each of the EAPOL-Key frame fields:
Descriptor Type = N – see 11.6.2
Key Information:
Key Descriptor Version = 1 (ARC4 encryption with HMAC-MD5) or 2 (NIST AES key wrap
with HMAC-SHA1-128) or 3 (NIST AES key wrap with AES-128-CMAC), in all other
cases 0 – same as Message 1
Key Type = 0 (Group/SMK) – same as Message 1
Install = 0
Key Ack = 0
Key MIC = 1
Secure = 1
Error = 0
Request = 0
Encrypted Key Data = 0
Reserved = 0
Key Length = 0
Key Replay Counter = n+2 – same as Message 1
Key Nonce = 0
EAPOL-Key IV = 0
Key RSC = 0
Key MIC = MIC(KCK, EAPOL)
Key Data Length = 0
Key Data = none required
On reception of Message 2, the Authenticator:
a) Verifies that the Key Replay Counter field value matches one it has used in the Group Key
Handshake.
b) Verifies that the MIC is valid, i.e., it uses the KCK that is part of the PTK to verify that there is no
data integrity error.
如下图2: