PMK

Pairwise Master Key

Security
Introduced in Rel-13
The Pairwise Master Key (PMK) is a cryptographic key derived during authentication and key agreement procedures in wireless networks. It serves as the root key for generating session-specific encryption keys used to secure the link between a user device (UE) and a network access point. It is fundamental to the security of Wi-Fi (IEEE 802.11i) and 3GPP-WLAN interworking.

Description

The Pairwise Master Key (PMK) is a fundamental security key in authentication and key hierarchy frameworks, most prominently defined in IEEE 802.11i for Wi-Fi security and adopted by 3GPP for securing interworking between 3GPP systems and Wireless Local Area Networks (WLAN). The PMK is a 256-bit key that acts as the root or seed material from which all transient session keys used for encrypting and integrity-protecting data traffic are derived. Its generation is the culmination of a successful authentication process. In the context of 3GPP-WLAN interworking (e.g., S2a-based access via trusted WLAN), the authentication typically uses the Extensible Authentication Protocol (EAP) framework with a 3GPP-specific method like EAP-AKA or EAP-AKA'. During this EAP exchange, the UE (Supplicant) authenticates with the 3GPP core network (Authentication Server, typically the 3GPP AAA Server). Upon successful authentication, both the UE and the AAA server derive a Master Session Key (MSK) as specified by the EAP method. In 3GPP architectures, this MSK is then used to derive the PMK. The PMK is delivered from the AAA server to the WLAN Access Point (the Authenticator) that is serving the UE. The AP and the UE now share the same PMK. This shared secret is then used as input to the 4-way handshake defined in IEEE 802.11i. The 4-way handshake is a mutual authentication and key confirmation protocol that proves both parties possess the same PMK and, more importantly, derives fresh, session-specific Pairwise Transient Keys (PTKs). The PTK is generated by both parties using a pseudo-random function that takes the PMK, the AP's nonce (ANonce), the UE's nonce (SNonce), and the MAC addresses of the AP and UE as input. The PTK is then split into separate keys for encryption (e.g., Temporal Key for TKIP or CCMP) and integrity protection. The security of the entire subsequent data session hinges on the secrecy and strength of the original PMK. In pure 3GPP cellular contexts, the term PMK is also used within the key hierarchy for certain features, such as in Vehicle-to-Everything (V2X) communications or proximity-based services (ProSe), where it may be derived from long-term keys in the Universal Subscriber Identity Module (USIM) to secure direct device-to-device links.

Purpose & Motivation

The PMK exists to establish a strong, shared secret between a client and an access point *after* successful authentication, which can then be used to efficiently derive fresh, session-specific encryption keys. This separation of concerns is critical for security and performance. The computationally intensive authentication and key agreement process (like EAP-AKA) happens once, producing the long-lived PMK. The lighter-weight 4-way handshake, using the PMK, can then be executed frequently—for example, every time the device roams to a new AP or re-associates—to generate new PTKs without repeating the full authentication. This provides perfect forward secrecy for individual sessions and limits the exposure if a session key is compromised. In the historical context of Wi-Fi, pre-802.11i security (WEP) used static, manually configured keys that were shared across all users and never changed, making them highly vulnerable. The introduction of the PMK-based key hierarchy with 802.11i (WPA2/WPA3) was a revolutionary improvement. For 3GPP, adopting this model for WLAN interworking (starting in Release 6 and enhanced in later releases) allowed mobile operators to securely extend their services over untrusted Wi-Fi networks by leveraging their robust cellular authentication (USIM-based) to generate a strong PMK, thereby creating a seamless and secure 'hotspot' experience. It solved the problem of providing standardized, cryptographically strong access security for non-3GPP access networks.

Key Features

  • A 256-bit cryptographic key serving as the root for session key derivation
  • Derived from a successful EAP authentication (e.g., EAP-AKA') in 3GPP-WLAN interworking
  • Delivered securely from the AAA server to the WLAN Access Point (Authenticator)
  • Used as the primary input to the IEEE 802.11i 4-way handshake
  • Enables generation of fresh Pairwise Transient Keys (PTKs) for each session
  • Foundational for security in 3GPP-WLAN interworking, V2X, and ProSe direct communication

Evolution Across Releases

Rel-13 Initial

Formal adoption and specification of the PMK within the 3GPP security architecture for WLAN interworking, particularly for S2a-based trusted WLAN access via the STa interface. Defined its derivation from the Master Session Key (MSK) obtained via EAP-AKA' authentication and its role in the key hierarchy securing the UE-WLAN link.

TS 33.885TS 36.300TS 36.331
Rel-14

Enhanced usage of PMK in the context of LTE-WLAN Aggregation (LWA) and LTE-WLAN Radio Level Integration (LWIP). Specified procedures for PMK caching and re-use to enable faster re-authentication and seamless mobility between WLAN access points.

TS 33.885TS 36.300TS 36.331
Rel-15

Extended the PMK-based security model to support access to the 5G Core network via trusted non-3GPP access (TNGA). Defined the derivation and distribution of the PMK for 5G, ensuring continuity of security principles from EPC to 5GC.

TS 33.885TS 36.300TS 36.331
Rel-16

Further refinements for integrated 5G-WLAN access, including support for simultaneous connectivity scenarios. Clarified PMK handling in scenarios involving multiple authentication servers or network slices.

TS 33.885TS 36.300TS 36.331
Rel-17/Rel-18

Maintenance and potential enhancements related to PMK lifecycle management for new 5G use cases, such as enhanced fixed wireless access and private networks, ensuring robust security for diverse access types.

TS 33.885TS 36.300TS 36.331

Defining Specifications

SpecificationTitle
TS 33.885 3GPP TR 33.885
TS 36.300 3GPP TR 36.300
TS 36.331 3GPP TR 36.331