Is it possible to force greater than 128-bit strength when using AES-CCM mode?

Jouni Malinen j
Wed Sep 14 08:28:11 PDT 2011


On Wed, Sep 14, 2011 at 09:17:37AM -0400, Martes G Wigglesworth wrote:
> I was wondering why there is no switch or parameter to increase the
> "bit-strength" of the encryption algorithm under AES above 128-bit.

I'm assuming you are talking about CCMP here which is based on AES-CCM.
CCMP is defined to use 128-bit key and block size in the IEEE 802.11
standard ("All AES processing used within CCMP uses AES with a 128-bit
key and a 128-bit block size"). As such, there is not much point in
hostapd or wpa_supplicant to provide parameters for trying to do
something that has not even been defined.

> I also would like to know if I am simply misunderstanding the
> implementation.  The man page has always indicated that a "256-bit"
> hex key can be used in place of a passkey, however, I am a bit
> confused as to why the interface information always will indicate
> 128-bit AES-CCM.

That key is not the key used in CCMP; it is the key used during 4-way
handshake to derive keys (including the 128-bit TK that is used with
CCMP).

-- 
Jouni Malinen                                            PGP id EFC895FA
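
The key hierarchy described in the reply above, as an added example that is not part of the original message and is not hostapd/wpa_supplicant code: the 256-bit value from the configuration is the PMK, and the 4-way handshake expands it into a 384-bit PTK whose last 128 bits are the CCMP temporal key. It assumes WPA2-PSK with the SHA-1 based key derivation; the function names, MAC addresses and nonces are constructed for illustration.

```python
import hashlib
import hmac


def pmk_from_config(psk: str, ssid: bytes) -> bytes:
    """Return the 256-bit PMK. A 64-hex-digit key is used directly;
    an 8..63 character passphrase goes through PBKDF2-HMAC-SHA1."""
    if len(psk) == 64:
        return bytes.fromhex(psk)
    if not 8 <= len(psk) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """Expand the PMK into the CCMP pairwise keys (PRF-384)."""
    data = (min(aa, spa) + max(aa, spa) +
            min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    # 128 bits each: key confirmation, key encryption, temporal key
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


# Constructed sample inputs (not from the original message).
AA = bytes.fromhex("020000000001")      # authenticator (AP) MAC
SPA = bytes.fromhex("020000000002")     # supplicant (station) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = pmk_from_config("password", b"IEEE")
    keys = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)
    print("PMK bits:", len(pmk) * 8)            # the "256-bit" key
    print("TK  bits:", len(keys["TK"]) * 8)     # the AES-CCM key
```

A longer passphrase or a full 256-bit hex key changes only the PMK input; the temporal key handed to CCMP stays at 128 bits because the PTK layout is fixed.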


