dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
231613

snookumz
@rr.com

snookumz

Anon

What the heck is this "Group Key Renewal" thing???

Hello everyone.

I found this forum in my quest for finding the answer to a question about my WPA Security for my wireless lan.

Basically, I saw that alot of you guys know a great deal about securing wireless connections, and I figured it was worth a try to ask you guys.

All I want to know is: When setting up my WPA security, I have a couple of options. One of them is setting the Shared Key (which is obviously the password duuuhhhh) then there is another option to specify the Group Key Renewal (also known as the Re-Key Interval).

The default setting for the Group Key Renewal is 3600 seconds. The only thing is, I DONT KNOW WHAT THE HELL THIS OPTION DOES?!?!!?

I was literally talking to 4 of the the Live Chat support people at LinkSys.com and asked them about this. They are so clueless.. if you guys want to have some fun just go to the linksys live chat and ask them some simple questions and see how dumb they are. (where do they find these people??)

Anyways, I am hoping one of you guys can explain this group key renewal thing to me. What are the advantages/disadvantages of setting the interval higher or lower? And more importantly, what EXACTLY does this damn thing do???

localhost
Premium Member
join:2005-01-19
Cypress, CA

localhost

Premium Member

Re: What the heck is this "Group Key Renewal" thin

i don't know the specifics of the operation, but the term is basically what it sounds like.

my understanding is this: (someone who knows more can correct me if necessary)

one of the reasons that wpa is so secure is because it changes the key at a given interval. the key changed is the group key (which is what you are looking at). the shared key is used to generate the group key, which is in turn used to encrypt data going over the air.

hope that helps, and hope i'm right.

funchords
Hello
MVM
join:2001-03-11
Yarmouth Port, MA

funchords

MVM

said by localhost:

my understanding is this: (someone who knows more can correct me if necessary)

one of the reasons that wpa is so secure is because it changes the key at a given interval. the key changed is the group key (which is what you are looking at). the shared key is used to generate the group key, which is in turn used to encrypt data going over the air.
Yup. Close enough without getting very, very picky.

3600 is fine, I wouldn't change it. My router uses 1800 and gives me no way to change it -- and that number is fine too.

Don't set it for less then 300 (5 minutes, which is rediculously short anyway) because there are up to 4 60-second periods between negotiation retries before either the client or router locks the other out. You don't want to get inside that number.
jbibe
Premium Member
join:2001-02-22

3 edits

jbibe to snookumz

Premium Member

to snookumz

Re: What the heck is this "Group Key Renewal" thing???

said by snookumz:

All I want to know is: When setting up my WPA security, I have a couple of options. One of them is setting the Shared Key (which is obviously the password duuuhhhh) then there is another option to specify the Group Key Renewal (also known as the Re-Key Interval).

The default setting for the Group Key Renewal is 3600 seconds. The only thing is, I DONT KNOW WHAT THE HELL THIS OPTION DOES?!?!!?
The Group Key (Group Transient Key) is a shared key among all Supplicants connected to the same AP, and is used to secure multicast/broadcast traffic. It is not used for normal unicast traffic. A Pairwise Transient Key secures the unicast traffic.

Group Key Renewal controls how often the Group Transient Key is changed. The Group Key Renewal does not control the update period for the Pairwise Transient Key. The Pairwise Transient Key is changed each time the Supplicant authenticates, or re-authenticates.
DSLrgm
Premium Member
join:2002-08-22
Oak Park, MI

DSLrgm

Premium Member

Re: What the heck is this "Group Key Renewal" thin

said by jbibe:

said by snookumz:

All I want to know is: When setting up my WPA security, I have a couple of options. One of them is setting the Shared Key (which is obviously the password duuuhhhh) then there is another option to specify the Group Key Renewal (also known as the Re-Key Interval).

The default setting for the Group Key Renewal is 3600 seconds. The only thing is, I DONT KNOW WHAT THE HELL THIS OPTION DOES?!?!!?
The Group Key (Group Transient Key) is a shared key among all Supplicants connected to the same AP, and is used to secure multicast/broadcast traffic. It is not used for normal unicast traffic. A Pairwise Transient Key secures the unicast traffic.

Group Key Renewal controls how often the Group Transient Key is changed. The Group Key Renewal does not control the update period for the Pairwise Transient Key. The Pairwise Transient Key is changed each time the Supplicant authenticates, or re-authenticates.
Now to add to this:

There is no practical reason to rekey the group key, unless you have a streaming video device on your local network (streaming video over the Internet uses unicast). The reason to rekey the group key is one of policy, not key space exhaustion.

If a system leaves the wireless, it still has the current group key and can capture all broadcast/multicast traffic (including network neighborhood stuff). So vendors set the rekey at every hour. It does not hurt, unless you have lots of wireless devices on the AP (at least more than 20). If you have complete control over all the wireless devices on your AP, you could set this at once a week....

With PSK, there is NO justification to make it less than 1 hour. For 802.1X with many 'guests', a shorter time can be good policy.