WPA key calculationFrom passphrase to hexadecimal key
A wireless network with WPA-PSK encryption requires a passphrase (the pre-shared key) to be entered to get access to the network. Most wireless drivers accept the passphrase as a string of at most 63 characters, and internally convert the passphrase to a 256-bit key. However, some software also allows the key to be entered directly in the form of 64 hexadecimal digits. It is therefore occasionally useful to be able to calculate the 64-digit hexadecimal key that corresponds to a given passphrase.
This page explains how WPA software computes the hexadecimal key from the passphrase and the network SSID. The form below demonstrates this calculation for any given input.
How to use the form
Enter the network SSID string (at most 32 alphanumeric characters) and
the passphrase (at least 8 and at most 63 ASCII characters) in the form
above and click
Make sure that you don't accidentally type space characters before/after the string.
The derived key will appear in the form as a sequence of 64 hexadecimal digits.
Test button can be used to check that your web browser computes the correct result for a sample case.
A number of popular web browsers have been tested, and all of them seem to work correctly.
A word about entering passwords on web forms
Please don't even take my word for it. Instead, download this webpage to your computer, look through the HTML code to make sure I don't play any tricks, then open the downloaded page in your browser and use it.
Details of the calculation
For WPA-PSK encryption, the binary key is derived from the passphrase according to the following formula:
Key = PBKDF2(passphrase, ssid, 4096, 256)
PBKDF2 is a standardized method to derive a key from a passphrase.
It is specified in RFC2898 with a clear explanation on how to compute it.
The function needs an underlying pseudorandom function.
In the case of WPA, the underlying function is
SHA1 is a function that computes a 160-bit hash from an arbitrary amount of input data.
It is clearly explained in RFC3174.
HMAC is a standardized method to turn a cryptographic hash function into a keyed message authentication function.
It is specified in RFC2104.
To summarize, the key derivation process involves iterating a
HMAC-SHA1 function 4096 times, and then doing that again to produce more key bits.