| CSP | CSP TYPE | GENERATION | STORAGE AND ZEROIZATION | USE |
|---|---|---|---|---|
| WPA2 PSK | 16-64 character shared secret used to authenticate mesh connections and in remote AP advanced configuration | CO configured | Encrypted in flash using the KEK; zeroized by updating through administrative interface, or by the ‘ap wipe out flash’ command. | Used to derive the PMK for 802.11i mesh connections between APs and in advanced Remote AP connections; programmed into AP by the controller over the IPSec session. |
| 802.11i Pairwise Master Key (PMK) | 512-bit shared secret used to derive 802.11i session keys | Derived from WPA2 PSK | In volatile memory only; zeroized on reboot | Used to derive 802.11i Pairwise Transient Key (PTK) |
| 802.11i Pairwise Transient Key (PTK) | 512-bit shared secret from which Temporal Keys (TKs) are derived | Derived during 802.11i 4-way handshake | In volatile memory only; zeroized on reboot | All session encryption/decryption keys are derived from the PTK |
| 802.11i EAPOL MIC Key | 128-bit shared secret used to protect 4-way (key) handshake | Derived from PTK | In volatile memory only; zeroized on reboot | Used for integrity validation in 4-way handshake |
| 802.11i EAPOL Encr Key | 128-bit shared secret used to protect 4-way handshakes | Derived from PTK | In volatile memory only; zeroized on reboot | Used for confidentiality in 4-way handshake |
| 802.11i data AES-CCM encryption/MIC key | 128-bit AES-CCM key | Derived from PTK | Stored in plaintext in volatile memory; zeroized on reboot | Used for 802.11i packet encryption and integrity verification (this is the CCMP or AES-CCM key) |