Security Association Contexts

The 802.11i security association creates a number of security contexts. The different Security contexts and what they contain are provided below


The PMKSA stands for Pairwise Master Key Security Association – it is generated at the end of the EAP handshake (successful 802.1X negotiation) or when a PSK is configured. The PMKSA binds the PMK to a lifetime which can persist across multiple associations by a roaming Station. The PMKSA contains the following information –

  • PMK
  • Authenticator MAC address
  • PMK lifetime
  • Pairwise Master Key Identifier (PMKID)
  • AKMP
  • All additional authorization parameters – e.g. STA’s authorized SSID

When an 802.11 station roams to a different Access Point – a new PMKSA is generated for the new association. If the 802.11 Station roams back to the old Access Point – the PMKSA from the previous association to that Access Point can be used to skip the 802.1 X EAP handshakes and directly proceed to the EAPOL handshake


The PMKID is a number that is linked to a Pairwise Master Key Security Association. The PMKID is used to identify a unique PMKSA and can be used by a station to request to reuse a former PMK security association


The PTKSA stands for Pairwise Transient Key Security Association – it is generated at the end of the 4-way EAPOL handshake, FT 4-way handshake, FT Protocol or FT resource request protocol. The PTKSA is relevant till the station is de-authenticated or for the lifetime of a PMKSA. The PTKSA contains the following

  • PTK
  • Supplicant MAC Address
  • Authenticator MAC Address
  • Pairwise cipher suite
  • Key ID
  • If FT key hierarchy is used,
    • R1KH-ID
    • S1KH-ID
    • PTKName


The GTKSA results from a successful 4-Way Handshake, FT 4-Way Handshake, FT Protocol, FT Resource Request Protocol or the Group Key Handshake and is unidirectional. In an infrastructure BSS, there is one GTKSA, used exclusively for encrypting group addressed MPDUs that are transmitted by the AP and for decrypting group addressed transmissions that are received by the STAs. The GTKSA contains the following elements

  • Direction vector (whether the GTK is used for transmit or receive).
  • Group cipher suite selector
  • GTK
  • Authenticator MAC address
  • Key ID.
  • All authorization parameters specified by local configuration. This might include parameters such as the STA’s authorized SSID. 

We shall look at wireless Capture example of a Pre-shared Key Mechanism in the coming article

Wireless Capture Example – Pre-shared Key Part 1

Leave a Reply

Your email address will not be published. Required fields are marked *