What's new

WPA Group Key Rotation (ReKey)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

iJorgen

Regular Contributor
Is there a way to manually trigger a WPA Group Key Rotation (ReKey) with a command from SSH, just like it default does every 3600 seconds?
 
Unlikely, since this is done internally by the wireless driver. The best you could probably do is restart the wireless interface.
 
Any tip how to restart the wireless interface from SSH?! I would like to learn... :)

I have read a lot about WiFi settings/security lately, but can't really find a satisfying answer about this topic. Is it really necessary to rotate encryption-keys every hour if using WPA2/WPA3 with a really long/random SSID-password (>32 chars) since it takes billions of years to crack or being paranoid seeing a white unmarked van permanently parked outside my house? ;)

The article below says this is a legacy settings from the old WEP/WPA/TKIP days and not applicable to WPA2/WPA3. Also each time a device leaves/reconnects/restarts the encryption keys are renewed, so there are still key-rotations going on even if disabling the Group Key Rotation interval if I understand correct. My Google/Nest speakers sometimes stops streaming suddenly when a ReKey happens, so thinking about disabling this or maybe doing it once every 24 hours (at night-time, there for I asked about a command I could schedule with cru to control when ReKey happens).

Any wise thoughts?!

 
My Google/Nest speakers sometimes stops streaming suddenly when a ReKey happens, so thinking about disabling this or maybe doing it once every 24 hours (at night-time, there for I asked about a command I could schedule with cru to control when ReKey happens).
If this is the reason for your question then go ahead and disable it or change it to something like 7 days. If you still have problems then it's not related to this setting.

I think the author of that Reddit post (given the similar names) posted a fuller description a few years earlier.

 
If this is the reason for your question then go ahead and disable it or change it to something like 7 days. If you still have problems then it's not related to this setting.
It sure is my main reason, since it's annoying the streaming stops often during a ReKey. I have quite a large setup of Google/Nest speakers (15 in total) so guess it struggles to keep the stream going when all devices are forced to change encryption-keys at once. If disabling it all works without issues, but thought there must be a reason to rotate keys since almost all manufacturers still use 3600 seconds as default in 2022, even though it seems like a legacy setting from the past before WPA2.

I also like my setup as clean/minimal as possible only using functions if there is a motivated reason for it. ;)
 
It sure is my main reason, since it's annoying the streaming stops often during a ReKey. I have quite a large setup of Google/Nest speakers (15 in total) so guess it struggles to keep the stream going when all devices are forced to change encryption-keys at once. If disabling it all works without issues, but thought there must be a reason to rotate keys since almost all manufacturers still use 3600 seconds as default in 2022, even though it seems like a legacy setting from the past before WPA2.

I also like my setup as clean/minimal as possible only using functions if there is a motivated reason for it. ;)
For years I have set my Group Key Rotation Interval to 240 sec (= 4 minutes). I have never seen any problems with this. Are you sure this is the root cause of your problems?
 
It sure is my main reason, since it's annoying the streaming stops often during a ReKey. I have quite a large setup of Google/Nest speakers (15 in total) so guess it struggles to keep the stream going when all devices are forced to change encryption-keys at once. If disabling it all works without issues, but thought there must be a reason to rotate keys since almost all manufacturers still use 3600 seconds as default in 2022, even though it seems like a legacy setting from the past before WPA2.

I also like my setup as clean/minimal as possible only using functions if there is a motivated reason for it. ;)
I believe it's just a legacy value that's more appropriate when using WPA with TKIP (which is still allowed for backward compatability).

The hostap documentation says of that value:
Code:
# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
# seconds. (dot11RSNAConfigGroupRekeyTime)
# This defaults to 86400 seconds (once per day) when using CCMP/GCMP as the
# group cipher and 600 seconds (once per 10 minutes) when using TKIP as the
# group cipher.
#wpa_group_rekey=86400
So for WPA2/AES (i.e. CCMP) a value of 1 day seems to be the recommendation. Although I'd argue that unless you think you're likely to be the target of a sophisticated hacking attempt the rotation interval is meaningless.

EDIT: I've just checked on my router and hostap doesn't have wpa_strict_rekey=1 set. It appears to default to 0 because when a station leaves it doesn't send a new key. If I manually set that value it does send a new key.
Code:
# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
# (dot11RSNAConfigGroupRekeyStrict)
#wpa_strict_rekey=1
 
Last edited:
For years I have set my Group Key Rotation Interval to 240 sec (= 4 minutes). I have never seen any problems with this. Are you sure this is the root cause of your problems?
I'm 100% sure, since the log is showing "WPA: group key handshake completed (RSN)" exactly when the streaming stops each time. Do you also have a bunch (15 or more) of Google/Nest speakers?! It seems like a fraction of a second it takes to change keys and doing a reconnect, is enough to make the stream collapse. Rotating all keys every 4 minutes seems really extreme (360 times on a day), but if it works for you it's great!

So for WPA2/AES (i.e. CCMP) a value of 1 day seems to be the recommendation. Although I'd argue that unless you think you're likely to be the target of a sophisticated hacking attempt the rotation interval is meaningless.
Thanks a lot for the info! Appreciated... I will test 1 day (86400 seconds) which seems like a reasonable compromise to get new encryption-keys every day. Plan B is to disable it, since I don't think my neighbours even know what we are talking about and using pre-configured routers provided from the ISP. ;)
 
Last edited:
EDIT: I've just checked on my router and hostap doesn't have wpa_strict_rekey=1 set. It appears to default to 0 because when a station leaves it doesn't send a new key. If I manually set that value it does send a new key.
How do I set "wpa_strict_rekey=1" in hostap on my router (AX86U)? Checked nvram, but guess it's a file somewhere...
 
I manually edited the file and then killed and re-ran the process.
Can you guide me how to do this in detail?! Don't know what file to edit, how to kill the process and how to re-run it. Does it survive a reboot?!
Thanks in advance! :)
 
Can you guide me how to do this in detail?! Don't know what file to edit, how to kill the process and how to re-run it. Does it survive a reboot?!
Thanks in advance! :)
OK, but I'm not sure why you'd want to do this as it's what you don't want to happen. No it doesn't survive a reboot or any WiFi changes made through the GUI. It's purely a temporary change for debugging purposes.

1) Run ps w | grep hostapd to identify the pid and config file of the WiFi interface you want to change.
2) Edit the config file found in 1).
3) Add the wpa_strict_rekey=1 line after each occurrence of wpa_group_rekey that you want to affect.
4) Save the file.
5) Kill and restart the hostapd process using the pid you found in 1).

For exmaple:
Code:
# ps w | grep hostapd
1408 admin     7984 S    hostapd -B /tmp/wl0_hapd.conf
1411 admin     7984 S    hostapd -B /tmp/wl1_hapd.conf
# vi /tmp/wl0_hapd.conf
# kill -9 1408 ; hostapd -B /tmp/wl0_hapd.conf
 
Last edited:
OK, but I'm not sure why you'd want to do this as it's what you don't want to happen. No it doesn't service a reboot or any WiFi changes made through the GUI. It's purely a temporary change for debugging purposes.
Thanks a lot!! Just curious and want to learn deeper how stuff works "under the hood" in a router.
 
Last edited:
Similar threads
Thread starter Title Forum Replies Date
T Security Key or PassKey support for admin login Asuswrt-Merlin 1

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top