What is PMKID? Why would even a router give away the PMKID to an unauthorized stranger?

Question

I do have a general understanding of the 4-way handshake in WPA and WPA2 security. I know about PMK, PTK, GMK, GMK, SNONCE, etc terminologies. I also read about the new PMKID attack more silent than the legacy handshake capture method. What I don't understand is the PMKID, What is it? How is it different from the actual PMK. Why would even a router give away the PMKID to an unauthorized stranger?

Answer 1

What I don't understand is the PMKID, What is it?

PMKID is the unique key identifier used by the AP to keep track of the PMK being used for the client. PMKID is a derivative of AP MAC, Client MAC, PMK and PMK Name.

You could express it as this code:

PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

PMK caching is used to establish smooth roaming for time sensitive applications. Using PMKID caching the clients do not have to go through the entire authentication cycle and cuts down on the time needed for the client to authenticate to the new AP. This is especially important on WPA/WPA2-Enterprise networks that have authentication times of almost 1 second depending on authentication type being used.

How is it different from the actual PMK

The PMK itself is a hash that can be expressed as:

PMK = PBKDF2(Passphrase, SSID, 4096)

Why would even a router give away the PMKID to an unauthorized stranger?

The strength of the PMKID, and the PMK, depends on the strength of the Passphrase. Therefore it's counted to be as safe as the network itself.

Knowing the PMKID definitely increases an attacker’s advantage, on certain networks. The attacker can get what they need quicker and stealthier, but it doesn’t change the speed of the actual password cracking process. The attacker will still need to use conventional cracking tools, which will basically try a huge list of passwords against the captured data.

The appropriate defense is a lengthy and complex WPA2 password that would take decades to crack. Or just to upgrade to the new WPA3 encryption standard, if possible.

Useful references:

• New attack on WPA/WPA2 using PMKID
  This is the original announcement of the hack by hashcat. Note that he called it an attack and not a vulnerability. His work helps highlight the impact of using a weak password.

• Explanation of the new attack on WPA/WPA2 networks

• Wikipedia IEEE 802.11i-2004