Re: 802.1x and dynamic WEP keying

From: Jouni Malinen (
Date: 2002-09-25 03:23:33 UTC

On Tue, Sep 24, 2002 at 10:10:19AM +0300, Vladimir Ivaschenko wrote:

> Ok, I still don't understand whether the WEP keys are really regenerated
> and how often. Is there a variable to control how often the unicast keys
> are regenerated? I took a brief look at the source and didn't find
> anything releated to key regeneration, is it supported in the current
> version of HostAP?

Yes, individual stations keys should regenerated every 3600 hour (check reAuthPeriod and reAuthEnabled flags of the reauthentication timer state machine, eapol_sm.h and eapol_sm.c). However, I haven't really tested this much. The station must be able to receive unencrypted EAPOL Key frames for this to succeed if remember correctly.

Current version of hostapd does not support regenerating broadcast key, but it shouldn't be that difficult to add a timer to update this periodically (and ask the EAPOL state machine to transmit the new key to the station).

> Another question is - is it possible for the AP to use a single unicast
> key for all the clients, so that firmware encryption can be used? As far
> as I understand it is impossible to support multiple unicast keys using
> firmware encryption at the moment.

Just enable broadcast key (-b5 or -b13) and only broadcast/default key is used (both for broadcast and unicast frames).  

Jouni Malinen                                            PGP id EFC895FA

This archive was generated by hypermail 2.1.4.