Wireless IEEE 802.11 Layer2 Broadcast Access Point – How is the Groupwise Transient Key Used in WiFi Networks?

Tags: access-point, broadcast, ieee 802.11, layer2, wireless

In WiFi WPA, I understand that during association, an 802.11 client and AP negotiate a Pairwise Transient Key (PTK), using which the Groupwise Transient Key (GTK) is provided to the station.

I understood recently that all communication from/to this client, including broadcast from the client to all other stations, happens through the AP.

Why then does the client need to encrypt the broadcast using the GTK? Why can't the client just encrypt the broadcast frame using its PTK, and the AP decrypt it, then encrypt it using each of the other clients' PTK before sending it out to them?

Best Answer

Why then does the client need to encrypt the broadcast using the GTK?

It doesn't. Since the AP broadcasts, not the client, the client doesn't use the GTK to encrypt the frame. The AP does.

Why can't the client just encrypt the broadcast frame using its PTK, and the AP decrypt it, ...

Exactly. This is what happens.

... the AP decrypt it, then encrypt it using each of the other clients' PTK before sending it out to them?

Here is where the magic happens. By the standard, a broadcast frame is sent one time from the AP to all associated clients. If the AP used the PTK from one client, none of the other clients would be able to process the frame. So instead, the GTK is used by the AP for broadcasts and each client has been given the GTK to decrypt such frames.

Now, if some sort of broadcast-to-unicast conversion takes place on the wireless infrastructure, then the PTK would be used by the AP for each corresponding client rather than the GTK.
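The key selection the answer describes, as an added toy model (not code from the original post, and not real CCMP: a constructed SHA-256 keystream plus HMAC tag stands in for the cipher so only the choice of PTK vs. GTK is modelled). Station names, the `b2u` flag and all keys are constructed for the example.

```python
"""Model of which key protects a client's broadcast on a WPA network.
Client -> AP uses the client's PTK; AP -> everyone uses the GTK once,
or each client's PTK when broadcast-to-unicast conversion is enabled."""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream (stand-in for a real cipher; NOT for production use)
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def protect(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh nonce: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unprotect(key: bytes, frame: bytes):
    """Return the plaintext, or None when the tag fails (wrong key)."""
    nonce, ct, tag = frame[:12], frame[12:-16], frame[-16:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expect, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def station_receive(name: str, ptks: dict, gtk: bytes, frame: tuple):
    """A station picks the GTK for group-addressed frames, else its own PTK."""
    dest, body = frame
    return unprotect(gtk if dest == "group" else ptks[name], body)


def broadcast_via_ap(sender: str, ptks: dict, gtk: bytes, payload: bytes, b2u: bool = False):
    """Returns ({station: recovered payload or None}, frames the AP transmitted)."""
    uplink = protect(ptks[sender], payload)          # client only ever uses its PTK
    clear = unprotect(ptks[sender], uplink)          # AP holds every client's PTK
    others = [s for s in ptks if s != sender]
    if b2u:                                          # broadcast-to-unicast conversion
        frames = {s: (s, protect(ptks[s], clear)) for s in others}
    else:                                            # one group frame, sent exactly once
        group_frame = ("group", protect(gtk, clear))
        frames = {s: group_frame for s in others}
    received = {s: station_receive(s, ptks, gtk, f) for s, f in frames.items()}
    return received, (len(frames) if b2u else 1)
```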
