gcmp priority!

Jouni Malinen j at w1.fi
Thu Mar 27 13:39:03 PDT 2025


On Sat, Mar 22, 2025 at 10:45:39AM -0700, Adrian Chadd wrote:
> Anyway! I've noticed that while yes I can add GCMP to hostapd and
> wpa_supplicant configs, wpa_supplicant REALLY only wants to negotiate
> GCMP if it's the only cipher listed. If there's GCMP and CCMP
> available, wpa_supplicant reliably chooses CCMP.

That is not really a completely accurate description. wpa_supplicant
prefers the 256-bit versions of CCMP and GCMP over the 128-bit versions of
either. In other words, GCMP-256 will be selected over CCMP-128.

It should be noted that there is practically no deployment of CCMP-256
and deployment of GCMP-128 is limited to 60 GHz cases. In other words,
on the 2.4, 5, and 6 GHz bands, only CCMP-128 and GCMP-256 are used in the
vast majority of deployments. Between those options, wpa_supplicant will
prefer GCMP-256 over CCMP-128 if both are allowed. In other words, I
think what you are describing here is quite a theoretical question.

> I think I've traced down where in the source this is happening, as
> it's choosing CCMP as the default for non-11ad, and GCMP as the default for
> 11ad.

No, the RSNE default values for omitted fields have nothing to do with
this. wpa_pick_pairwise_cipher() is the place where the selection
happens. It is currently picking the first available cipher in this
order: CCMP-256, GCMP-256, CCMP-128, GCMP-128. I don't think there was
really any particular reason for this order as far as CCMP vs. GCMP is
concerned, i.e., this just happened to be the case when I added support
for GCMP in 2012.

Preferring the 256-bit variants over 128-bit variants is by design, but
GCMP vs. CCMP is arbitrary since there is no significant difference in
security. GCMP is more efficient for hardware implementation, so there
is a good reason to move to it for newer cases, and that is indeed what
is happening in practice since CCMP-256 is not being deployed.

> My questions however are with how the 802.11 specification
> could/should allow for cipher choices / priorities.
> 
> * I haven't found anything in 802.11-2020 section 12 (security) that
> indicates a formal cipher priority. Is there a formal cipher priority?

Not in the IEEE 802.11 standard (and not in the Wi-Fi Alliance WPA3
specification either).

> Is there anything stopping wpa_supplicant from choosing GCMP over CCMP
> if an AP advertises both?

As far as the protocol or security properties are concerned, not really.
As far as the likelihood of hitting interop issues is concerned, I would
continue to prefer CCMP-128 over GCMP-128 on 2.4/5/6 GHz since GCMP-128
has very limited testing there. One could argue that with that
same logic, wpa_supplicant should prefer GCMP-256 over CCMP-256 and
that would seem like a reasonable change, i.e.,
wpa_pick_pairwise_cipher() could be modified to use this priority order:
GCMP-256, CCMP-256, CCMP-128, GCMP-128

> * Is it legal to have GCMP as a pairwise key and CCMP as a group key?

Yes

> * Has anyone else tried this, and found weird interoperability issues?

GCMP-256 as the pairwise cipher and CCMP-128 as the group cipher is
something that is quite likely used in many, if not most, Wi-Fi 7
deployments, so at least as far as Wi-Fi 7 enabled devices are
concerned, this is likely to work. There might be some theoretical
issues with older devices, but such devices would not likely support
GCMP-256, and that combined with GCMP-128 not being deployed makes this
likely not worth much consideration.

-- 
Jouni Malinen                                            PGP id EFC895FA
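The selection rule described in the reply (intersect the locally allowed
ciphers with what the AP advertises, then take the first match in a fixed
priority list) is small enough to model directly. The following C program is
an added illustration written for this page; it is not code from
wpa_supplicant, and the CIPHER_* bit values, the function names and the two
priority tables are constructed for the example (hostapd's own
wpa_pick_pairwise_cipher() and WPA_CIPHER_* constants are not reproduced
here). It encodes both the order the reply says is current and the proposed
order, so the CCMP-256 vs. GCMP-256 difference and the GCMP-256-over-CCMP-128
outcome can be checked side by side.

```c
#include <stddef.h>
#include <stdio.h>

/* Cipher suite bit flags. These values are constructed for this example
 * and are NOT the WPA_CIPHER_* definitions used by hostapd/wpa_supplicant. */
#define CIPHER_CCMP_128 0x01u
#define CIPHER_GCMP_128 0x02u
#define CIPHER_CCMP_256 0x04u
#define CIPHER_GCMP_256 0x08u
#define CIPHER_ALL      (CIPHER_CCMP_128 | CIPHER_GCMP_128 | \
                         CIPHER_CCMP_256 | CIPHER_GCMP_256)

#define ORDER_LEN 4

/* Priority order the reply describes as the current behaviour. */
static const unsigned current_order[ORDER_LEN] = {
    CIPHER_CCMP_256, CIPHER_GCMP_256, CIPHER_CCMP_128, CIPHER_GCMP_128
};

/* Priority order proposed in the reply: GCMP-256 ahead of CCMP-256. */
static const unsigned proposed_order[ORDER_LEN] = {
    CIPHER_GCMP_256, CIPHER_CCMP_256, CIPHER_CCMP_128, CIPHER_GCMP_128
};

/* Return the first cipher in 'order' that is both allowed by the local
 * configuration and advertised by the AP's RSNE; 0 when there is no
 * common cipher (the association would have to be rejected). */
unsigned pick_pairwise_cipher(unsigned allowed, unsigned advertised,
                              const unsigned *order, size_t n)
{
    unsigned common = allowed & advertised;
    for (size_t i = 0; i < n; i++) {
        if (common & order[i])
            return order[i];
    }
    return 0;
}

unsigned pick_current(unsigned allowed, unsigned advertised)
{
    return pick_pairwise_cipher(allowed, advertised, current_order, ORDER_LEN);
}

unsigned pick_proposed(unsigned allowed, unsigned advertised)
{
    return pick_pairwise_cipher(allowed, advertised, proposed_order, ORDER_LEN);
}

const char *cipher_name(unsigned c)
{
    switch (c) {
    case CIPHER_CCMP_128: return "CCMP-128";
    case CIPHER_GCMP_128: return "GCMP-128";
    case CIPHER_CCMP_256: return "CCMP-256";
    case CIPHER_GCMP_256: return "GCMP-256";
    default:              return "(none)";
    }
}

static void show(const char *label, unsigned allowed, unsigned advertised)
{
    printf("%-40s current=%-9s proposed=%s\n", label,
           cipher_name(pick_current(allowed, advertised)),
           cipher_name(pick_proposed(allowed, advertised)));
}

int main(void)
{
    /* Constructed scenarios: the AP's advertised set vs. the station's
     * allowed set. The order the AP lists suites in does not matter; only
     * the station's priority table decides. */
    show("AP: CCMP-128+GCMP-256, STA: all",
         CIPHER_ALL, CIPHER_CCMP_128 | CIPHER_GCMP_256);
    show("AP: CCMP-256+GCMP-256, STA: all",
         CIPHER_ALL, CIPHER_CCMP_256 | CIPHER_GCMP_256);
    show("AP: CCMP-128+GCMP-256, STA: CCMP-128 only",
         CIPHER_CCMP_128, CIPHER_CCMP_128 | CIPHER_GCMP_256);
    show("AP: GCMP-128 only, STA: all",
         CIPHER_ALL, CIPHER_GCMP_128);
    show("AP: GCMP-256 only, STA: CCMP-128 only",
         CIPHER_CCMP_128, CIPHER_GCMP_256);
    return 0;
}
```

Only the third line of output depends on the proposed change: with both
256-bit suites advertised, the current table yields CCMP-256 and the proposed
one GCMP-256, while the common 2.4/5/6 GHz case (CCMP-128 plus GCMP-256)
resolves to GCMP-256 under either table. The last scenario returns "(none)",
which is the case a station configured for `pairwise=CCMP` hits against a
GCMP-256-only AP.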


