WPA Group Key Rotation (ReKey)

[iJorgen]

Is there a way to manually trigger a WPA Group Key Rotation (ReKey) with a command from SSH, just like it default does every 3600 seconds?

 

[RMerlin]

Unlikely, since this is done internally by the wireless driver. The best you could probably do is restart the wireless interface.

 

[iJorgen]

Any tip how to restart the wireless interface from SSH?! I would like to learn...

I have read a lot about WiFi settings/security lately, but can't really find a satisfying answer about this topic. Is it really necessary to rotate encryption-keys every hour if using WPA2/WPA3 with a really long/random SSID-password (>32 chars) since it takes billions of years to crack or being paranoid seeing a white unmarked van permanently parked outside my house?

The article below says this is a legacy settings from the old WEP/WPA/TKIP days and not applicable to WPA2/WPA3. Also each time a device leaves/reconnects/restarts the encryption keys are renewed, so there are still key-rotations going on even if disabling the Group Key Rotation interval if I understand correct. My Google/Nest speakers sometimes stops streaming suddenly when a ReKey happens, so thinking about disabling this or maybe doing it once every 24 hours (at night-time, there for I asked about a command I could schedule with cru to control when ReKey happens).

Any wise thoughts?!

https://www.reddit.com/r/wifi/comments/enc9n5

 

[ColinTaylor]

My Google/Nest speakers sometimes stops streaming suddenly when a ReKey happens, so thinking about disabling this or maybe doing it once every 24 hours (at night-time, there for I asked about a command I could schedule with cru to control when ReKey happens).

If this is the reason for your question then go ahead and disable it or change it to something like 7 days. If you still have problems then it's not related to this setting.

I think the author of that Reddit post (given the similar names) posted a fuller description a few years earlier.

Why do some WiFi routers block multicast packets going from wired to wireless?

I have worked with dozens of consumer grade WiFi routers, and they have been really hit-or-miss with this, though it seems to be getting better. Example of issue: A device that can be discovered...

superuser.com

 

[iJorgen]

If this is the reason for your question then go ahead and disable it or change it to something like 7 days. If you still have problems then it's not related to this setting.

It sure is my main reason, since it's annoying the streaming stops often during a ReKey. I have quite a large setup of Google/Nest speakers (15 in total) so guess it struggles to keep the stream going when all devices are forced to change encryption-keys at once. If disabling it all works without issues, but thought there must be a reason to rotate keys since almost all manufacturers still use 3600 seconds as default in 2022, even though it seems like a legacy setting from the past before WPA2.

I also like my setup as clean/minimal as possible only using functions if there is a motivated reason for it.

 

[Kanji-San]

It sure is my main reason, since it's annoying the streaming stops often during a ReKey. I have quite a large setup of Google/Nest speakers (15 in total) so guess it struggles to keep the stream going when all devices are forced to change encryption-keys at once. If disabling it all works without issues, but thought there must be a reason to rotate keys since almost all manufacturers still use 3600 seconds as default in 2022, even though it seems like a legacy setting from the past before WPA2.

I also like my setup as clean/minimal as possible only using functions if there is a motivated reason for it.

For years I have set my Group Key Rotation Interval to 240 sec (= 4 minutes). I have never seen any problems with this. Are you sure this is the root cause of your problems?

 

[ColinTaylor]

It sure is my main reason, since it's annoying the streaming stops often during a ReKey. I have quite a large setup of Google/Nest speakers (15 in total) so guess it struggles to keep the stream going when all devices are forced to change encryption-keys at once. If disabling it all works without issues, but thought there must be a reason to rotate keys since almost all manufacturers still use 3600 seconds as default in 2022, even though it seems like a legacy setting from the past before WPA2.

I also like my setup as clean/minimal as possible only using functions if there is a motivated reason for it.

I believe it's just a legacy value that's more appropriate when using WPA with TKIP (which is still allowed for backward compatability).

The hostap documentation says of that value:

# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
# seconds. (dot11RSNAConfigGroupRekeyTime)
# This defaults to 86400 seconds (once per day) when using CCMP/GCMP as the
# group cipher and 600 seconds (once per 10 minutes) when using TKIP as the
# group cipher.
#wpa_group_rekey=86400

So for WPA2/AES (i.e. CCMP) a value of 1 day seems to be the recommendation. Although I'd argue that unless you think you're likely to be the target of a sophisticated hacking attempt the rotation interval is meaningless.

EDIT: I've just checked on my router and hostap doesn't have wpa_strict_rekey=1 set. It appears to default to 0 because when a station leaves it doesn't send a new key. If I manually set that value it does send a new key.

# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
# (dot11RSNAConfigGroupRekeyStrict)
#wpa_strict_rekey=1

 

[iJorgen]

For years I have set my Group Key Rotation Interval to 240 sec (= 4 minutes). I have never seen any problems with this. Are you sure this is the root cause of your problems?

I'm 100% sure, since the log is showing "WPA: group key handshake completed (RSN)" exactly when the streaming stops each time. Do you also have a bunch (15 or more) of Google/Nest speakers?! It seems like a fraction of a second it takes to change keys and doing a reconnect, is enough to make the stream collapse. Rotating all keys every 4 minutes seems really extreme (360 times on a day), but if it works for you it's great!

So for WPA2/AES (i.e. CCMP) a value of 1 day seems to be the recommendation. Although I'd argue that unless you think you're likely to be the target of a sophisticated hacking attempt the rotation interval is meaningless.

Thanks a lot for the info! Appreciated... I will test 1 day (86400 seconds) which seems like a reasonable compromise to get new encryption-keys every day. Plan B is to disable it, since I don't think my neighbours even know what we are talking about and using pre-configured routers provided from the ISP.

 

[iJorgen]

EDIT: I've just checked on my router and hostap doesn't have wpa_strict_rekey=1 set. It appears to default to 0 because when a station leaves it doesn't send a new key. If I manually set that value it does send a new key.

How do I set "wpa_strict_rekey=1" in hostap on my router (AX86U)? Checked nvram, but guess it's a file somewhere...

 

[ColinTaylor]

How do I set "wpa_strict_rekey=1" in hostap on my router (AX86U)? Checked nvram, but guess it's a file somewhere...

I manually edited the file and then killed and re-ran the process.

 

[iJorgen]

I manually edited the file and then killed and re-ran the process.

Can you guide me how to do this in detail?! Don't know what file to edit, how to kill the process and how to re-run it. Does it survive a reboot?!
Thanks in advance!

 

[ColinTaylor]

Can you guide me how to do this in detail?! Don't know what file to edit, how to kill the process and how to re-run it. Does it survive a reboot?!
Thanks in advance!

OK, but I'm not sure why you'd want to do this as it's what you don't want to happen. No it doesn't survive a reboot or any WiFi changes made through the GUI. It's purely a temporary change for debugging purposes.

1) Run ps w | grep hostapd to identify the pid and config file of the WiFi interface you want to change.
2) Edit the config file found in 1).
3) Add the wpa_strict_rekey=1 line after each occurrence of wpa_group_rekey that you want to affect.
4) Save the file.
5) Kill and restart the hostapd process using the pid you found in 1).

For exmaple:

# ps w | grep hostapd
1408 admin     7984 S    hostapd -B /tmp/wl0_hapd.conf
1411 admin     7984 S    hostapd -B /tmp/wl1_hapd.conf
# vi /tmp/wl0_hapd.conf
# kill -9 1408 ; hostapd -B /tmp/wl0_hapd.conf

 

[iJorgen]

OK, but I'm not sure why you'd want to do this as it's what you don't want to happen. No it doesn't service a reboot or any WiFi changes made through the GUI. It's purely a temporary change for debugging purposes.

Thanks a lot!! Just curious and want to learn deeper how stuff works "under the hood" in a router.