I have doubt about 802.11r - PMK's (R0 and R1)
From my understanding, 802.11r works by deriving two PMK's , PMK-R0 for WLAN controllers and PMK-R1 for the AP's for each clients association.
PMK-R0 is derived by the MSK and PMK-R1 is derived from PMK-R0
MSK > PMK-R0 > PMK-R1
MSK is obtained/derived by either PSK pasphrase or a 8021.x radius server
PTK and GTK are derived from PMK-R1
So what's the reason for having two PMK's (R0 and R1) in 802.11r, whereas pre-auth, okc, there was only one PMK's for each client. ?
Thats a good question and I always wonder why myself. PMK-R0 is really the PMK key. We know from OKC the PMK is moved to the APs for the 4way handshake to create the PTK. I will try and research this in my spare time. If you find the answer before me post it here ..
My guess we will find that this is used for pre authentication I bet ...
Its not just one PMK-R1 created. WLC creates multiple PMK-R1's unique to multiple WAP's.
Why multiple PMK-R1's? - If it is same, then there is potential security exposure while deriving PTK. Remember PTK formula? [PTK = PRF (PMK + ANonce + SNonce + AA + SPA)]
Why not just get rid of PMK-R1?
- I guess answer is same as above. PTK can be easily guessed if we have/obtain/capture other elements in formula. [PTK = PRF (PMK-R0 + ANonce + SNonce + AA + SPA)]