pairwise vs group

Jouni Malinen jkmaline
Tue Dec 27 20:44:34 PST 2005


On Wed, Dec 28, 2005 at 04:18:56AM +0000, Lucia Di Occhi wrote:

> I have a linksys wrt54g configured with WPA2 and TKIP+AES which from what I 
> understand it means it will support both TKIP and AES.  My wpa_supplicant 
> configuration is as follows "just because it works" really :-)

WPA2?

> network={
>        ssid="myssid"
>        proto=WPA

This is not WPA2..

> I have noticed that I can change pairwise to TKIP and it will still work, 
> but it will not work at all if group is set to CCMP.  Now, my question is: 
> what in the word is my laptop doing, is it using AES? Any reason why it 
> will not work with group=CCMP?

In WPA and WPA2/802.11i, it is possible to configure the AP to support
multiple pairwise (unicast) ciphers. However, only one group cipher is
used and it will be the weakest of allowed pairwise ciphers since all
stations need to be able to receive the broadcast/multicast frames. This
is why you can use either TKIP or CCMP as pairwise cipher, but only TKIP
as group cipher. CCMP can be used as group cipher only if it is the only
allowed pairwise cipher.

> I guess my real question is what is the difference between group and 
> pairwise?

Group cipher is used for multicast (including broadcast) frames and it
must be understood by all associated stations. Pairwise cipher is used
for unicast frames and it needs to be understood by the AP and each
stations separately (i.e., different stations can use different pairwise
ciphers).

-- 
Jouni Malinen                                            PGP id EFC895FA




More information about the Hostap mailing list