PSK Family (AKM 2, 6, 20)¶
These three AKM suites derive the PMK from a passphrase using PBKDF2, making captured handshakes vulnerable to offline dictionary and brute-force attacks. They differ in the KDF and MIC algorithms used during the 4-way handshake.
Overview¶
AKM 2 is the original WPA/WPA2-Personal suite from 802.11i-2004. AKM 6 added SHA-256-based key derivation with 802.11w-2009. AKM 20, introduced in 802.11-2020, uses SHA-384 with longer key sizes for GCMP-256 deployments.
AKM Comparison¶
| AKM | Name | PTK KDF | MIC algorithm | KCK | KEK | TK (CCMP) | hashcat mode |
|---|---|---|---|---|---|---|---|
| 2 | PSK | PRF (HMAC-SHA1) | HMAC-MD5 (kv1) / HMAC-SHA1-128 (kv2) | 128 | 128 | 128 | 22000 |
| 6 | PSK-SHA256 | KDF-SHA-256 | AES-128-CMAC (kv3) | 128 | 128 | 128 | 22000 |
| 20 | PSK-SHA384 | KDF-SHA-384 | HMAC-SHA-384 (kv0) | 192 | 256 | 256 | none |
Key lengths per IEEE 802.11-2024 Table 12-11 (KCK/KEK) and Table 12-8 (TK).
PMK Derivation (PBKDF2)¶
All three AKMs use the same PMK derivation:
- Inner PRF: HMAC-SHA1 (always, regardless of AKM or keyver)
- Salt: SSID (0–32 bytes)
- Iterations: 4096 (fixed by spec)
- Output: 256 bits, same for AKM 2, 6, and 20
- Internally calls HMAC-SHA1 8192 times (4096 iterations × 2 PBKDF2 blocks)
The passphrase is 8–63 printable ASCII characters (code points 32–126), or exactly 64 hex characters for a raw 256-bit PSK.
PBKDF2 is the computational bottleneck: ~8192 HMAC-SHA1 calls per candidate. PTK derivation and MIC verification add ~0.1% overhead.
PTK Derivation¶
AKM 2: PRF-X (HMAC-SHA1)¶
PTK = PRF-X(PMK,
"Pairwise key expansion",
Min(MAC_AP, MAC_STA) || Max(MAC_AP, MAC_STA) ||
Min(ANonce, SNonce) || Max(ANonce, SNonce))
PRF internally constructs: Label || 0x00 || Context || counter per §12.7.1.2.
- X = 384 for CCMP (KCK 128 + KEK 128 + TK 128)
- X = 512 for TKIP (KCK 128 + KEK 128 + TK 256 including TMK)
AKM 6: KDF-SHA-256¶
PTK = KDF-SHA-256-384(PMK,
"Pairwise key expansion",
Min(MAC_AP, MAC_STA) || Max(MAC_AP, MAC_STA) ||
Min(ANonce, SNonce) || Max(ANonce, SNonce))
KDF constructs: counter_LE16(i) || Label || Context || size_LE16(384).
Two iterations needed for full PTK (ceil(384/256) = 2), but cracking only requires the first iteration to extract KCK.
AKM 20: KDF-SHA-384¶
Same structure as KDF-SHA-256 but using HMAC-SHA-384 internally. Full PTK = 704 bits per the spec (KCK 192 + KEK 256 + TK 256), requiring two iterations: ceil(704/384) = 2.
Cipher Suites¶
| Cipher suite | Value | Encryption | TK size | Used with |
|---|---|---|---|---|
| TKIP | 2 | RC4 + per-packet key mixing | 256 bits (128-bit encryption + 128-bit TMK) | AKM 2 (legacy, deprecated) |
| CCMP-128 | 4 | AES-128-CCM | 128 bits | AKM 2, 6 |
| GCMP-128 | 8 | AES-128-GCM | 128 bits | AKM 6 |
| GCMP-256 | 9 | AES-256-GCM | 256 bits | AKM 20 |
Cipher suite values from IEEE 802.11-2024 Table 9-188 (RSN cipher suite selectors). Note: GCMP-128 is suite type 8, GCMP-256 is suite type 9, distinct values.
Key Descriptor Versions¶
The Key Descriptor Version (bits 0–2 of Key Information) determines the MIC algorithm and key wrap cipher for EAPOL-Key frames:
| keyver | Key Info bits | MIC algorithm | Key Data encryption | Typical AKM |
|---|---|---|---|---|
| 1 | 0x01 | HMAC-MD5 | RC4 | AKM 2 + TKIP |
| 2 | 0x02 | HMAC-SHA1-128 | AES key wrap | AKM 2 + CCMP |
| 3 | 0x03 | AES-128-CMAC | AES key wrap | AKM 6 |
| 0 | 0x00 | AKM-defined | AES key wrap | AKM 20 |
For keyver 3 (AKM 6), the MIC is AES-128-CMAC over the full EAPOL frame with the MIC field zeroed. For keyver 1/2, the MIC is an HMAC truncated to 128 bits.
Real-World Combinations¶
| Common name | AKM | Cipher | keyver | Notes |
|---|---|---|---|---|
| WPA-PSK (TKIP) | 2 | TKIP (2) | 1 | Legacy, rarely seen in production |
| WPA2-PSK (CCMP) | 2 | CCMP (4) | 2 | Most common home/SOHO WiFi |
| WPA2-PSK-SHA256 | 6 | CCMP (4) | 3 | PMF-capable networks (802.11w required) |
| WPA3 Transition Mode | 2+8 | CCMP (4) | 2 | Mixed WPA2/WPA3 networks; AKM 2 still crackable |
| WPA3-PSK-384 | 20 | GCMP-256 (9) | 0 | High-security enterprise; not yet common |
Offline Attack Summary¶
Extract hashes with WPAWolf (recommended) or hcxpcapngtool.
The aux1–aux4 labels refer to hashcat's internal kernel functions within mode 22000: aux1 = HMAC-MD5 MIC (kv1), aux2 = HMAC-SHA1-128 MIC (kv2), aux3 = AES-128-CMAC MIC (kv3), aux4 = HMAC-SHA1-128 PMKID.
| AKM | Attack | hcxtools output | hashcat mode | Works? |
|---|---|---|---|---|
| 2 | PMKID | WPA01 | 22000 (aux4) | Yes |
| 2 | EAPOL kv1 | WPA02 | 22000 (aux1) | Yes |
| 2 | EAPOL kv2 | WPA02 | 22000 (aux2) | Yes |
| 6 | PMKID | WPA01 | 22000 (aux4) | Broken. aux4 uses SHA1, needs SHA256. See gap table. |
| 6 | EAPOL kv3 | WPA02 | 22000 (aux3) | Yes |
| 20 | PMKID/EAPOL | N/A | none | No module exists |
Spec References¶
- AKM suite selectors: IEEE 802.11-2024 Table 9-190
- PMK derivation (PBKDF2): Annex J.4.1, §12.7.1.3
- PTK derivation (PRF): §12.7.1.2; (KDF): §12.7.1.6.2
- Key descriptor versions: §12.7.2, Table 12-11
- Cipher suite selectors: Table 9-188
- Key lengths: Table 12-8 (TK), Table 12-11 (KCK/KEK)