How to calculate WPA Hexkey?

Aruba Employee

Would it be possible to configure both a passphrase and a hexkey for an SSID?
If both a passphrase and a hexkey are configured for a PSK SSID, which will take precedence?
If an SSID profile has a hexkey configured, can the corresponding passphrase be used by a client to connect?


Environment Information : This article applies to all Aruba controllers and code versions.


Because human-configured passphrases are inherently weak, pre-shared key based RSN derives a hex value from the passphrase. This is done by the PBKDF2 function, which is defined as follows:

DK = PBKDF2(P, S, c, dkLen), where

DK == Derived key
PBKDF2 == Password-Based Key Derivation Function
P == Password
S == Salt
c == Iteration count
dkLen == Length of derived key in octets

For WPA it becomes

DK = PBKDF2(passphrase, ssid, 4096, 256)

PBKDF2 uses HMAC-SHA1 for WPA.

We can derive the WPA hexkey from the passphrase and SSID values. Several tools are available for this (for example, the Wireshark Key Generator).

Example :

passphrase == top-secret

SSID == aruba-ap


Same operation when carried for passphrase "new-secret" is


Aruba OS gives us the option to configure either the passphrase or the hexkey. If both are configured, the hexkey takes precedence.


Here we configured the passphrase as top-secret and the hexkey for new-secret. The hexkey takes precedence, and clients will be able to connect to this SSID using the hexkey or the passphrase "new-secret".
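
The derivation and the precedence rule above, as an added Python example (not Aruba's code): `wpa_hexkey` computes PBKDF2-HMAC-SHA1 with the SSID as the salt, and the hypothetical helpers `effective_hexkey` and `client_can_connect` model the hexkey-over-passphrase behaviour this article describes. The 8-63 character passphrase and 32-octet SSID limits are the standard WPA-PSK limits and are an assumption added here, not taken from the article.

```python
import hashlib
import hmac

def wpa_hexkey(passphrase: str, ssid: str) -> str:
    """Return the WPA PSK for (passphrase, ssid) as 64 hex digits."""
    p = passphrase.encode("ascii")   # non-ASCII input raises ValueError
    s = ssid.encode("utf-8")
    if not 8 <= len(p) <= 63 or any(not 32 <= b <= 126 for b in p):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    if not 1 <= len(s) <= 32:
        raise ValueError("SSID must be 1-32 octets")
    # hashlib takes dklen in octets: 32 octets are the 256 bits in the formula.
    return hashlib.pbkdf2_hmac("sha1", p, s, 4096, dklen=32).hex()

def effective_hexkey(ssid, passphrase=None, hexkey=None):
    """Model of the precedence rule described on this page: the hexkey wins."""
    if hexkey is not None:
        if len(hexkey) != 64:
            raise ValueError("hexkey must be 64 hex digits")
        return bytes.fromhex(hexkey).hex()   # validates and lower-cases
    if passphrase is None:
        raise ValueError("no passphrase or hexkey configured")
    return wpa_hexkey(passphrase, ssid)

def client_can_connect(client_passphrase, ssid, active_hexkey):
    """True if the client's passphrase derives the key active on the SSID."""
    derived = wpa_hexkey(client_passphrase, ssid)
    return hmac.compare_digest(derived, active_hexkey)

if __name__ == "__main__":
    ssid = "aruba-ap"
    for pw in ("top-secret", "new-secret"):
        print(pw, "->", wpa_hexkey(pw, ssid))
    active = effective_hexkey(ssid, passphrase="top-secret",
                              hexkey=wpa_hexkey("new-secret", ssid))
    print("new-secret connects:", client_can_connect("new-secret", ssid, active))
    print("top-secret connects:", client_can_connect("top-secret", ssid, active))
```

Because the SSID is the salt, the same passphrase yields a different hexkey on every SSID, and a hexkey is equivalent to the passphrase for its SSID, so it needs the same protection wherever it is stored.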



Version history: revision 1 of 1, last update 07-10-2014 12:12 PM