How is the Groupwise Transient Key used in WiFi networks?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












In Wifi WPA, I understand that during association, a 802.11 client and AP negotiate a Pairwise Transient Key (PTK), using which the Groupwise Transient Key(GTK) is provided to the station.



I understood recently that all communication from/to this client, including broadcast from the client to all other stations happen through the AP.



Why then does the client need to encrypt the broadcast using the GTK? Why can't the client just encrypt the broadcast frame using its PTK, and the AP decrypt it, then encrypt it using each of the other clients' PTK before sending it out to them?










share|improve this question









New contributor




Sush is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.























    up vote
    2
    down vote

    favorite












    In Wifi WPA, I understand that during association, a 802.11 client and AP negotiate a Pairwise Transient Key (PTK), using which the Groupwise Transient Key(GTK) is provided to the station.



    I understood recently that all communication from/to this client, including broadcast from the client to all other stations happen through the AP.



    Why then does the client need to encrypt the broadcast using the GTK? Why can't the client just encrypt the broadcast frame using its PTK, and the AP decrypt it, then encrypt it using each of the other clients' PTK before sending it out to them?










    share|improve this question









    New contributor




    Sush is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





















      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      In Wifi WPA, I understand that during association, a 802.11 client and AP negotiate a Pairwise Transient Key (PTK), using which the Groupwise Transient Key(GTK) is provided to the station.



      I understood recently that all communication from/to this client, including broadcast from the client to all other stations happen through the AP.



      Why then does the client need to encrypt the broadcast using the GTK? Why can't the client just encrypt the broadcast frame using its PTK, and the AP decrypt it, then encrypt it using each of the other clients' PTK before sending it out to them?










      share|improve this question









      New contributor




      Sush is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      In Wifi WPA, I understand that during association, a 802.11 client and AP negotiate a Pairwise Transient Key (PTK), using which the Groupwise Transient Key(GTK) is provided to the station.



      I understood recently that all communication from/to this client, including broadcast from the client to all other stations happen through the AP.



      Why then does the client need to encrypt the broadcast using the GTK? Why can't the client just encrypt the broadcast frame using its PTK, and the AP decrypt it, then encrypt it using each of the other clients' PTK before sending it out to them?







      wireless ieee-802.11 layer2 access-point networking






      share|improve this question









      New contributor




      Sush is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      Sush is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited 1 hour ago









      Ron Maupin♦

      58.6k1056102




      58.6k1056102






      New contributor




      Sush is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 2 hours ago









      Sush

      1303




      1303




      New contributor




      Sush is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Sush is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Sush is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          3
          down vote



          accepted











          Why then does the client need to encrypt the broadcast using the GTK?




          It doesn't. Since the AP broadcasts, not the client, the client doesn't use the GTK to encrypt the frame. The AP does.




          Why can't the client just encrypt the broadcast frame using its PTK, and the AP decrypt it, ...




          Exactly. This is what happens.




          ... the AP decrypt it, then encrypt it using each of the other clients' PTK before sending it out to them?




          Here is where the magic happens. By the standard, a broadcast frame is sent one time from the AP to all associated clients. If the AP used the PTK from one client, none of the other clients would be able to process the frame. So instead, the GTK is used by the AP for broadcasts and each client has been given the GTK to decrypt such frames.



          Now, if some sort of broadcast-to-unicast conversion takes place on the wireless infrastructure, then the PTK would be used by the AP for each corresponding client rather than the GTK.






          share|improve this answer



























            up vote
            1
            down vote













            A WAP doesn't convert a broadcast frame into unicast frames to each individual Wi-Fi client. It sends a single broadcast frame to all the Wi-Fi clients at the same time. Sending a frame to each client really defeats the purpose of broadcast. That is why the WAP will broadcast at the slowest possible rate. All the devices need to be able to receive the single broadcast frame, including those requiring slow rates.






            share|improve this answer




















              Your Answer







              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "496"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              convertImagesToLinks: false,
              noModals: false,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              noCode: true, onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );






              Sush is a new contributor. Be nice, and check out our Code of Conduct.









               

              draft saved


              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f54236%2fhow-is-the-groupwise-transient-key-used-in-wifi-networks%23new-answer', 'question_page');

              );

              Post as a guest






























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes








              up vote
              3
              down vote



              accepted











              Why then does the client need to encrypt the broadcast using the GTK?




              It doesn't. Since the AP broadcasts, not the client, the client doesn't use the GTK to encrypt the frame. The AP does.




              Why can't the client just encrypt the broadcast frame using its PTK, and the AP decrypt it, ...




              Exactly. This is what happens.




              ... the AP decrypt it, then encrypt it using each of the other clients' PTK before sending it out to them?




              Here is where the magic happens. By the standard, a broadcast frame is sent one time from the AP to all associated clients. If the AP used the PTK from one client, none of the other clients would be able to process the frame. So instead, the GTK is used by the AP for broadcasts and each client has been given the GTK to decrypt such frames.



              Now, if some sort of broadcast-to-unicast conversion takes place on the wireless infrastructure, then the PTK would be used by the AP for each corresponding client rather than the GTK.






              share|improve this answer
























                up vote
                3
                down vote



                accepted











                Why then does the client need to encrypt the broadcast using the GTK?




                It doesn't. Since the AP broadcasts, not the client, the client doesn't use the GTK to encrypt the frame. The AP does.




                Why can't the client just encrypt the broadcast frame using its PTK, and the AP decrypt it, ...




                Exactly. This is what happens.




                ... the AP decrypt it, then encrypt it using each of the other clients' PTK before sending it out to them?




                Here is where the magic happens. By the standard, a broadcast frame is sent one time from the AP to all associated clients. If the AP used the PTK from one client, none of the other clients would be able to process the frame. So instead, the GTK is used by the AP for broadcasts and each client has been given the GTK to decrypt such frames.



                Now, if some sort of broadcast-to-unicast conversion takes place on the wireless infrastructure, then the PTK would be used by the AP for each corresponding client rather than the GTK.






                share|improve this answer






















                  up vote
                  3
                  down vote



                  accepted







                  up vote
                  3
                  down vote



                  accepted







                  Why then does the client need to encrypt the broadcast using the GTK?




                  It doesn't. Since the AP broadcasts, not the client, the client doesn't use the GTK to encrypt the frame. The AP does.




                  Why can't the client just encrypt the broadcast frame using its PTK, and the AP decrypt it, ...




                  Exactly. This is what happens.




                  ... the AP decrypt it, then encrypt it using each of the other clients' PTK before sending it out to them?




                  Here is where the magic happens. By the standard, a broadcast frame is sent one time from the AP to all associated clients. If the AP used the PTK from one client, none of the other clients would be able to process the frame. So instead, the GTK is used by the AP for broadcasts and each client has been given the GTK to decrypt such frames.



                  Now, if some sort of broadcast-to-unicast conversion takes place on the wireless infrastructure, then the PTK would be used by the AP for each corresponding client rather than the GTK.






                  share|improve this answer













                  Why then does the client need to encrypt the broadcast using the GTK?




                  It doesn't. Since the AP broadcasts, not the client, the client doesn't use the GTK to encrypt the frame. The AP does.




                  Why can't the client just encrypt the broadcast frame using its PTK, and the AP decrypt it, ...




                  Exactly. This is what happens.




                  ... the AP decrypt it, then encrypt it using each of the other clients' PTK before sending it out to them?




                  Here is where the magic happens. By the standard, a broadcast frame is sent one time from the AP to all associated clients. If the AP used the PTK from one client, none of the other clients would be able to process the frame. So instead, the GTK is used by the AP for broadcasts and each client has been given the GTK to decrypt such frames.



                  Now, if some sort of broadcast-to-unicast conversion takes place on the wireless infrastructure, then the PTK would be used by the AP for each corresponding client rather than the GTK.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered 1 hour ago









                  YLearn♦

                  21k54196




                  21k54196




















                      up vote
                      1
                      down vote













                      A WAP doesn't convert a broadcast frame into unicast frames to each individual Wi-Fi client. It sends a single broadcast frame to all the Wi-Fi clients at the same time. Sending a frame to each client really defeats the purpose of broadcast. That is why the WAP will broadcast at the slowest possible rate. All the devices need to be able to receive the single broadcast frame, including those requiring slow rates.






                      share|improve this answer
























                        up vote
                        1
                        down vote













                        A WAP doesn't convert a broadcast frame into unicast frames to each individual Wi-Fi client. It sends a single broadcast frame to all the Wi-Fi clients at the same time. Sending a frame to each client really defeats the purpose of broadcast. That is why the WAP will broadcast at the slowest possible rate. All the devices need to be able to receive the single broadcast frame, including those requiring slow rates.






                        share|improve this answer






















                          up vote
                          1
                          down vote










                          up vote
                          1
                          down vote









                          A WAP doesn't convert a broadcast frame into unicast frames to each individual Wi-Fi client. It sends a single broadcast frame to all the Wi-Fi clients at the same time. Sending a frame to each client really defeats the purpose of broadcast. That is why the WAP will broadcast at the slowest possible rate. All the devices need to be able to receive the single broadcast frame, including those requiring slow rates.






                          share|improve this answer












                          A WAP doesn't convert a broadcast frame into unicast frames to each individual Wi-Fi client. It sends a single broadcast frame to all the Wi-Fi clients at the same time. Sending a frame to each client really defeats the purpose of broadcast. That is why the WAP will broadcast at the slowest possible rate. All the devices need to be able to receive the single broadcast frame, including those requiring slow rates.







                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered 1 hour ago









                          Ron Maupin♦

                          58.6k1056102




                          58.6k1056102




















                              Sush is a new contributor. Be nice, and check out our Code of Conduct.









                               

                              draft saved


                              draft discarded


















                              Sush is a new contributor. Be nice, and check out our Code of Conduct.












                              Sush is a new contributor. Be nice, and check out our Code of Conduct.











                              Sush is a new contributor. Be nice, and check out our Code of Conduct.













                               


                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f54236%2fhow-is-the-groupwise-transient-key-used-in-wifi-networks%23new-answer', 'question_page');

                              );

                              Post as a guest













































































                              Popular posts from this blog

                              How to check contact read email or not when send email to Individual?

                              Displaying single band from multi-band raster using QGIS

                              How many registers does an x86_64 CPU actually have?