When the RADIUS server has authenticated the client, it gives the access point an OK, plus a RANDOM 256bit pairwise master key (PMK) to encrypt data traffic for the current session only. WPA2-Enterprise is only a little bit different behind the scenes, but the security implications are severe: The client associates to the access point, authenticates to the access point, who passes this on to a backend RADIUS server (using EAP, but that's not important here, so more on that at the end). Should someone break the PMK, they could decrypt all data encrypted with that key, past/recorded and future/realtime. So it's easy to gather a lot of data encrypted with the same PMK.
The important thing to note here is that all clients will always encrypt their data with the same PMK, all the time. This PMK is then used to encrypt data traffic using CCMP/AES or TKIP.
WPA2-PSK (aka WPA2 Personal) basically does the same thing as WPA2-Enterprise from the clients perspective: The client associates to the access point, authenticates to the access point using the pre-shared key and access point creates a 256bit PMK (pairwise master key) from the SSID and the pre-shared key (PSK). All earlier answers are missing a very important step and its implication and are misunderstanding EAP.
0 kommentar(er)
