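Answer:
Regarding the Wi-Fi group key, the reference material describes it as follows:
802.11i keys fall into two classes: pairwise keys (used for unicast between a client and the AP) and group keys (used for group-addressed, i.e. multicast, traffic between the AP and all clients);
Pairwise key: established through the four-way handshake;
Group key: established through a two-way handshake; when a station leaves the network, whether it has finished or was kicked off, the network can update the group key. After the group key is updated, every station must perform the group key exchange again.
Group key updates are normally driven by the AP, but a station can also proactively send an acknowledgment message to request a group key update.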
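On the Ralink AP, the group key update policy observed so far is:
* the group key is updated once every 3600 seconds;
* neither a client leaving the AP nor a new client joining the AP triggers a group key update;
* no case of a client requesting a group key update has been captured yet;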
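When the AP's serial console prints the following, it usually means a new client has connected to the AP.

```
MIC Different in pairwise msg 2 of 4-way handshake!
WPAInstallPairwiseKey : Pairwisekey Cipher Alg (4)
AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(6)=AES
```

This means the OPU received message 4 of the "pairwise key: four-way handshake" from the client and verified it successfully; WPA2 or WPA2PSK is in use.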
When the AP's serial console prints the following, the group key has usually been updated.

```
AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(6)=AES
AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(6)=AES
AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(6)=AES
AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(6)=AES
AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(6)=AES
```

This means the AP received message 2 of the "group key: two-way handshake" from a client and verified it successfully; WPA2 or WPA2PSK is in use. The same line is printed several times in a row, which means every client has updated its group key.
In the source code, the data structure involved in group key updates is:

```c
/* structure to define WPA Group Key Rekey Interval */
typedef struct GNU_PACKED _RT_802_11_WPA_REKEY {
	ULONG ReKeyMethod;   /* mechanism for rekeying: 0:disable, 1: time-based, 2: packet-based */
	ULONG ReKeyInterval; /* time-based: seconds, packet-based: kilo-packets */
} RT_WPA_REKEY, *PRT_WPA_REKEY, RT_802_11_WPA_REKEY, *PRT_802_11_WPA_REKEY;
```
The group key update period can be set with the following configuration items:

```
9.3.14 RekeyMethod=Value
AP(▼), STA()
Value (for WPA/WPA2):
  TIME: Time rekey
  PKT: Packet rekey
  DISABLE: Disable rekey

9.3.15 RekeyInterval=Value
AP(▼), STA()
Value (for WPA/WPA2)
  0 ~ 0x3fffff
  unit: 1 seconds/1000packets
```
The configuration parameters on my Ralink AP are:

```
RekeyInterval=3600;;;;;;;
RekeyMethod=TIME;TIME;TIME;TIME;TIME;TIME;TIME;TIME
```
Alternatively, iwpriv can be used to set the group key update period:

```
9.4.10 RekeyMethod
AP(▼), STA()
Description: Set group rekey interval-unit's type.
Value:
  TIME
  PKT

9.4.11 RekeyInterval
AP(▼), STA()
Description: Set group rekey interval. 0 to disable rekey. Unit:1seconds/1000packets dependent on Rekeytype.
Value: 0~0x3FFFFFFF
```
```c
/*
    ==========================================================================
    Description:
        Set WPA rekey interval value
    Return:
        TRUE if all parameters are OK, FALSE otherwise
    ==========================================================================
*/
INT Set_AP_RekeyInterval_Proc(
	IN PRTMP_ADAPTER pAd,
	IN PSTRING arg)
{
	POS_COOKIE pObj = (POS_COOKIE) pAd->OS_Cookie;
	UCHAR apidx = pObj->ioctl_if;
	INT32 val;

	val = simple_strtol(arg, 0, 10);

	/* Accept only 10 <= val < MAX_REKEY_INTER; any other value falls back to 3600 */
	if ((val >= 10) && (val < MAX_REKEY_INTER))
		pAd->ApCfg.MBSSID[apidx].WPAREKEY.ReKeyInterval = val;
	else /* Default */
		pAd->ApCfg.MBSSID[apidx].WPAREKEY.ReKeyInterval = 3600;

	DBGPRINT(RT_DEBUG_TRACE, ("I/F(ra%d) Set_AP_RekeyInterval_Proc=%ld\n",
		apidx, pAd->ApCfg.MBSSID[apidx].WPAREKEY.ReKeyInterval));

	return TRUE;
}
```
With the driver debug output enabled, the log looks like this:

```
Rekey Interval Excess, GKeyDoneStations=6
===> WPAStart2WayGroupHS
RTMPGetTxTscFromAsic : WCID(245) TxTsc 0x01-0x00-0x00-0x00-0x00-0x00
===> ConstructEapolMsg for WPA2 Group Message 1
Body length = 127
Key length = 0
<=== WPAStart2WayGroupHS : send out Group Message 1
Rekey interval excess, Update Group Key for 0 1a 97 1 a1 47 , DefaultKeyId= 2
===> WPAStart2WayGroupHS
RTMPGetTxTscFromAsic : WCID(245) TxTsc 0x01-0x00-0x00-0x00-0x00-0x00
===> ConstructEapolMsg for WPA2 Group Message 1
Body length = 127
Key length = 0
<=== WPAStart2WayGroupHS : send out Group Message 1
Rekey interval excess, Update Group Key for 0 ff 30 3d 2 3 , DefaultKeyId= 2
===> WPAStart2WayGroupHS
RTMPGetTxTscFromAsic : WCID(245) TxTsc 0x01-0x00-0x00-0x00-0x00-0x00
===> ConstructEapolMsg for WPA2 Group Message 1
Body length = 127
Key length = 0
<=== WPAStart2WayGroupHS : send out Group Message 1
Rekey interval excess, Update Group Key for 20 f8 5e a0 21 65 , DefaultKeyId= 2
===> WPAStart2WayGroupHS
RTMPGetTxTscFromAsic : WCID(245) TxTsc 0x01-0x00-0x00-0x00-0x00-0x00
===> ConstructEapolMsg for WPA2 Group Message 1
Body length = 127
Key length = 0
<=== WPAStart2WayGroupHS : send out Group Message 1
Rekey interval excess, Update Group Key for 54 2a a2 4 7 f9 , DefaultKeyId= 2
===> WPAStart2WayGroupHS
RTMPGetTxTscFromAsic : WCID(245) TxTsc 0x01-0x00-0x00-0x00-0x00-0x00
===> ConstructEapolMsg for WPA2 Group Message 1
Body length = 127
Key length = 0
<=== WPAStart2WayGroupHS : send out Group Message 1
Rekey interval excess, Update Group Key for c0 56 e3 9f 8 75 , DefaultKeyId= 2
===> WPAStart2WayGroupHS
RTMPGetTxTscFromAsic : WCID(245) TxTsc 0x01-0x00-0x00-0x00-0x00-0x00
===> ConstructEapolMsg for WPA2 Group Message 1
Body length = 127
Key length = 0
<=== WPAStart2WayGroupHS : send out Group Message 1
Rekey interval excess, Update Group Key for 0 95 69 7 4d e6 , DefaultKeyId= 2

Receive EAPOL-Key frame, TYPE = 3, Length = 95
WpaEAPOLKeyAction ===>
Receive EAPoL-Key frame from STA 00-1A-97-01-A1-47
===> PeerGroupMsg2Action
AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(6)=AES

Receive EAPOL-Key frame, TYPE = 3, Length = 95
WpaEAPOLKeyAction ===>
Receive EAPoL-Key frame from STA 00-FF-30-3D-02-03
===> PeerGroupMsg2Action
AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(6)=AES

Receive EAPOL-Key frame, TYPE = 3, Length = 95
WpaEAPOLKeyAction ===>
Receive EAPoL-Key frame from STA 20-F8-5E-A0-21-65
===> PeerGroupMsg2Action
AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(6)=AES

Receive EAPOL-Key frame, TYPE = 3, Length = 95
WpaEAPOLKeyAction ===>
Receive EAPoL-Key frame from STA 54-2A-A2-04-07-F9
===> PeerGroupMsg2Action
AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(6)=AES

Receive EAPOL-Key frame, TYPE = 3, Length = 95
WpaEAPOLKeyAction ===>
Receive EAPoL-Key frame from STA C0-56-E3-9F-08-75
===> PeerGroupMsg2Action
AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(6)=AES

Receive EAPOL-Key frame, TYPE = 3, Length = 95
WpaEAPOLKeyAction ===>
Receive EAPoL-Key frame from STA 00-95-69-07-4D-E6
===> PeerGroupMsg2Action
AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(6)=AES

one second False CCA=334, fixed R66 at 0x28
AsicAddSharedKeyEntry BssIndex=0, KeyIdx=2
AsicAddSharedKeyEntry: AES key #2
Key = 02:2e:a8:aa:c8:93:1c:d5:da:e7:a8:a0:34:54:56:04
Rx MIC Key = 00:00:00:00:00:00:00:00
Tx MIC Key = 00:00:00:00:00:00:00:00
Read: SHARED_KEY_MODE_BASE at this Bss[0] KeyIdx[2]= 0x440
Write: SHARED_KEY_MODE_BASE at this Bss[0] = 0x440
AsicUpdateWCIDIVEIV: wcid(245) 0xa0000001, 0x00000000
AsicUpdateWcidAttributeEntry : WCID #245, KeyIndex #2, Alg=AES
WCIDAttri = 0x8
one second False CCA=279, fixed R66 at 0x28
```
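An added example (not part of the original answer and not Ralink driver code): a Python check that reads a debug log in the format shown above and reports which stations were sent Group Message 1 but have no accepted Group Message 2. The sample log and its MAC addresses are constructed, the names `audit_group_rekey` and `norm_mac` are hypothetical, and it assumes, as described above, that `AP SETKEYS DONE` after `PeerGroupMsg2Action` marks a verified message 2.

```python
import re

# Constructed sample in the format of the driver debug log above (MACs are made up).
SAMPLE_LOG = """\
Rekey Interval Excess, GKeyDoneStations=3
<=== WPAStart2WayGroupHS : send out Group Message 1
Rekey interval excess, Update Group Key for 2 0 0 0 0 a1 , DefaultKeyId= 2
<=== WPAStart2WayGroupHS : send out Group Message 1
Rekey interval excess, Update Group Key for 2 0 0 0 0 b2 , DefaultKeyId= 2
<=== WPAStart2WayGroupHS : send out Group Message 1
Rekey interval excess, Update Group Key for 2 0 0 0 0 c3 , DefaultKeyId= 2
Receive EAPoL-Key frame from STA 02-00-00-00-00-A1
===> PeerGroupMsg2Action
AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(6)=AES
Receive EAPoL-Key frame from STA 02-00-00-00-00-C3
===> PeerGroupMsg2Action
AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(6)=AES
"""

# One pass over the whole text; \s+ also matches newlines, so the check works on
# the log with or without its original line breaks.
EVENT_RE = re.compile(
    r"Update Group Key for\s+((?:[0-9a-fA-F]{1,2}\s+){6}),"        # Group Message 1 sent
    r"|frame\s+from STA\s+((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})"  # reply from a STA ...
    r"\s+===> PeerGroupMsg2Action\s+AP SETKEYS DONE"               # ... accepted as message 2
)


def norm_mac(hex_bytes):
    """['0', '1a', ...] or ['00', '1A', ...] -> '00:1a:...' (the driver prints unpadded bytes)."""
    return ":".join(f"{int(b, 16):02x}" for b in hex_bytes)


def audit_group_rekey(log_text):
    """Return (completed, pending): STAs that finished the two-way group handshake,
    and STAs that were sent Group Message 1 but have no accepted message 2."""
    state = {}  # MAC -> True once message 2 was accepted for the latest message 1
    for m in EVENT_RE.finditer(log_text):
        if m.group(1):
            state[norm_mac(m.group(1).split())] = False
        else:
            mac = norm_mac(m.group(2).split("-"))
            if mac in state:
                state[mac] = True
    completed = sorted(mac for mac, ok in state.items() if ok)
    pending = sorted(mac for mac, ok in state.items() if not ok)
    return completed, pending
```

A station left in `pending` after a rekey round is still holding the previous group key, which is the condition worth alerting on when the interval is long.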