What Is PSK? Security Definition
Also known as: Pre-Shared Key, passphrase, shared secret
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
A Pre-Shared Key (PSK) is a symmetric cryptographic key that is shared between two communicating parties before any data transmission begins. It is most commonly used in Wi-Fi Protected Access (WPA/WPA2) personal mode and in some VPN protocols like IPsec with pre-shared key authentication. The key is a secret passphrase or hexadecimal string that both the access point (or VPN server) and the client must know. When a client attempts to connect, it proves knowledge of the PSK without sending the key itself over the network, typically through a four-way handshake. The PSK is used to derive session keys that encrypt the actual data traffic. The primary reason PSK exists is simplicity—it avoids the need for a complex Public Key Infrastructure (PKI) or authentication server, making it ideal for small offices, home networks, and temporary deployments. However, its security relies entirely on the secrecy and complexity of the shared key; if the PSK is compromised, an attacker can decrypt all past and future traffic.
Must Know for Exams
On the CompTIA Network+ exam (N10-008), PSK is tested under Objective 2.4 'Compare and contrast wireless networking protocols' and Objective 4.1 'Explain common security concepts.'
Specifically, candidates must know that WPA2-PSK uses a pre-shared key for authentication, while WPA2-Enterprise uses 802.1X with a RADIUS server. Exam questions often ask to identify the correct encryption method for a given scenario—e.
g., 'Which security method is most appropriate for a small office with no authentication server?' The correct answer is WPA2-PSK. On Security+ (SY0-601), PSK appears under Objective 3.
2 'Given a scenario, implement secure network architecture concepts' and Objective 3.8 'Given a scenario, implement authentication and authorization solutions.' Candidates must understand that PSK is vulnerable to offline brute-force attacks and that WPA3 replaces the PSK handshake with Simultaneous Authentication of Equals (SAE) to prevent such attacks.
On CCNA (200-301), PSK is covered under Objective 5.1 'Configure and verify WLAN components' and Objective 5.2 'Describe wireless principles.' CCNA expects candidates to know how to configure WPA2-PSK on a Cisco wireless LAN controller and to understand the 4-way handshake.
A common exam trap is confusing PSK with WEP—both use a shared key, but WEP uses RC4 with a static key, while WPA2-PSK uses AES with dynamic per-session keys. Another focus area is the difference between personal (PSK) and enterprise (802.1X) modes, and when to choose each.
Simple Meaning
Imagine you and a friend want to send secret messages to each other. You agree on a secret code word—like 'banana'—that only you two know. When you send a message, you lock it with that code word, and your friend unlocks it with the same word.
If anyone else tries to listen, they can't understand the message because they don't know 'banana'. That's exactly how a Pre-Shared Key works in networking. The key is the secret word you both share before you start talking.
In Wi-Fi, this is the Wi-Fi password you type in when you connect to a network. The network and your device both know that password, and they use it to create temporary encryption keys for that session. The catch is that if someone else learns that password—maybe you wrote it on a whiteboard—they can read all your messages.
So the strength of PSK depends entirely on keeping that shared secret truly secret.
Full Technical Definition
A Pre-Shared Key (PSK) is a symmetric cryptographic key established out-of-band between two parties prior to communication. In the context of IEEE 802.11 wireless networks (Wi-Fi), PSK is used in WPA-Personal and WPA2-Personal modes, defined by the IEEE 802.
11i standard. The PSK itself is a 256-bit key derived from a passphrase (8 to 63 ASCII characters) using PBKDF2 (Password-Based Key Derivation Function 2) with the SSID as a salt. This derivation is specified in IEEE 802.
11i-2004. The PSK is not transmitted over the air; instead, it is used during the 4-Way Handshake to generate Pairwise Transient Keys (PTK) and Group Temporal Keys (GTK). The handshake uses a cryptographic protocol called EAPOL-Key (Extensible Authentication Protocol over LAN) frames.
At the OSI model, PSK operates at Layer 2 (Data Link) for Wi-Fi, as it is part of the MAC sublayer security. For IPsec VPNs, PSK is used at Layer 3 (Network) as part of IKE (Internet Key Exchange) phase 1, defined in RFC 2409. In IPsec, the PSK authenticates the peers before establishing an encrypted tunnel.
Compared to certificate-based authentication (PKI), PSK is simpler to deploy but offers weaker security because the key is static and shared among all clients. Unlike EAP (Extensible Authentication Protocol) which supports per-user authentication, PSK is typically shared across an entire network, making it vulnerable to offline dictionary attacks if the passphrase is weak. The key mechanical property is that the PSK itself is never sent over the wire; it is only used as input to a key derivation function, ensuring that an eavesdropper cannot directly recover the PSK from captured handshake traffic.
Real-Life Example
Consider a small dental office with five employees and a guest Wi-Fi network. The office manager configures a new TP-Link router with WPA2-PSK and sets the passphrase to 'SmileDentist2024!' Each employee types this passphrase into their laptops and smartphones.
When Dr. Smith's laptop connects, it performs a 4-way handshake with the router. The router sends a random nonce, the laptop uses the PSK to compute a PTK, and they exchange encrypted messages to confirm they both know the key.
Once authenticated, all traffic between Dr. Smith's laptop and the router is encrypted with AES-CCMP. A patient in the waiting room tries to connect to the guest network, which uses a different PSK ('GuestAccess123').
The patient's device cannot decrypt the employee's traffic because it does not know the employee PSK. However, if an employee leaves the office and shares the PSK with a friend, that friend can connect and potentially eavesdrop on all employee traffic. To mitigate this, the office manager changes the PSK monthly.
This scenario illustrates how PSK provides simple, shared authentication but requires careful key management to maintain security.
Why This Term Matters
Understanding PSK is critical for IT professionals because it is the most widely deployed wireless security mechanism in homes and small businesses. Troubleshooting connectivity issues often involves verifying that the correct PSK is entered—a common source of help desk tickets. PSK also appears in VPN configurations, especially for site-to-site tunnels where certificates are not used.
Knowing the limitations of PSK—such as vulnerability to dictionary attacks and lack of per-user accountability—helps professionals recommend stronger alternatives like WPA3-SAE or 802.1X/EAP for enterprise environments. On the career side, PSK knowledge is tested on CompTIA Network+, Security+, and Cisco CCNA exams, making it a foundational concept for certification.
Misunderstanding PSK can lead to security misconfigurations, such as using weak passphrases or failing to rotate keys, which can result in data breaches.
How It Appears in Exam Questions
1. Scenario-based: 'A company wants to provide wireless access for guests without an authentication server. Which security method should be used?' Wrong answers include WPA2-Enterprise, WEP, and 802.
1X. Correct: WPA2-PSK. 2. Comparison: 'Which of the following is a characteristic of WPA2-PSK?' Wrong answers: 'Uses a RADIUS server for authentication' or 'Requires digital certificates.'
Correct: 'Uses a pre-shared key for authentication.' 3. Security weakness: 'What is a primary vulnerability of WPA2-PSK?' Wrong answers: 'Man-in-the-middle attacks due to weak encryption' or 'Replay attacks.'
Correct: 'Offline dictionary attacks against the 4-way handshake.' 4. Configuration: 'An administrator configures a wireless network with a passphrase of 8 characters. Which security standard is being used?'
Wrong answers: WEP, WPA3. Correct: WPA2-PSK. To identify the correct answer, look for keywords like 'no authentication server,' 'small office,' 'home network,' or 'shared password.'
If the question mentions 'personal mode' or 'pre-shared key,' the answer is PSK. If it mentions 'enterprise' or 'RADIUS,' it is not PSK.
Practise PSK Questions
Test your understanding with exam-style practice questions.
Example Scenario
Step 1: A home user buys a new router and sets up Wi-Fi with WPA2-PSK, choosing the passphrase 'MyHomeNet!' Step 2: The user's laptop scans for networks and sees the SSID 'HomeWiFi'. Step 3: The user selects 'HomeWiFi' and is prompted to enter the network security key.
Step 4: The user types 'MyHomeNet!' and clicks Connect. Step 5: The laptop and router perform a 4-way handshake: the router sends a random number (nonce), the laptop uses the PSK to compute a Pairwise Transient Key (PTK), and they exchange encrypted messages to verify they both have the same PSK.
Step 6: Once verified, the laptop is granted access, and all subsequent data is encrypted with AES using session keys derived from the PTK. Step 7: A neighbor tries to connect but does not know the passphrase, so the handshake fails and the neighbor is denied access. This scenario shows how PSK works in practice: a shared secret is used to authenticate and encrypt, but only those who know the secret can connect.
Common Mistakes
Students think PSK is sent over the air during the handshake.
The PSK is never transmitted. Instead, it is used to compute a PTK during the 4-way handshake. An eavesdropper captures nonces and MICs, but cannot recover the PSK without brute-forcing.
Remember: PSK stays secret—only derived keys are exchanged.
Students confuse PSK with WEP shared key authentication.
WEP uses a static key that is sent (in some modes) and uses RC4. WPA2-PSK uses a dynamic per-session key derived via a handshake and AES encryption. They are fundamentally different.
WEP = static key, RC4; WPA2-PSK = dynamic key, AES.
Students think PSK provides per-user authentication.
PSK is shared among all users of the network. There is no way to distinguish one user from another. For per-user authentication, you need 802.1X/EAP.
PSK = network-level secret; 802.1X = user-level authentication.
Exam Trap — Don't Get Fooled
{"trap":"The most dangerous trap is believing that WPA2-PSK is vulnerable to man-in-the-middle (MITM) attacks because the PSK is shared. In reality, the 4-way handshake includes mutual authentication, so MITM is difficult. The real vulnerability is offline dictionary attacks against captured handshakes."
,"why_learners_choose_it":"Learners hear 'shared key' and assume it can be intercepted. They also confuse PSK with older protocols like WEP that had MITM issues. The word 'shared' triggers a false sense of insecurity about interception."
,"how_to_avoid_it":"When you see a question about WPA2-PSK vulnerability, immediately think 'offline dictionary attack' or 'weak passphrase.' If the answer mentions MITM, it is likely wrong unless the scenario involves a rogue AP with a known PSK."
Commonly Confused With
WEP uses a static 40- or 104-bit key that is shared and can be easily cracked with tools like aircrack-ng. WPA2-PSK uses a dynamic per-session key derived from a passphrase via a 4-way handshake and AES encryption, making it far more secure.
Use WPA2-PSK for a home Wi-Fi network; avoid WEP because it is obsolete and insecure.
WPA2-Enterprise uses a RADIUS server for per-user authentication with EAP methods, while WPA2-PSK uses a single shared key for all clients. PSK is simpler but offers no user accountability.
A university uses WPA2-Enterprise for student access; a home user uses WPA2-PSK.
Step-by-Step Breakdown
Step 1: PSK Derivation
The passphrase (e.g., 'MyPass123') is combined with the SSID using PBKDF2 to produce a 256-bit PSK. This derivation is done offline by both the AP and client.
Step 2: Association
The client sends an association request to the AP. The AP responds with an association response. At this point, no encryption is used.
Step 3: 4-Way Handshake Initiation
The AP sends an EAPOL-Key frame containing an ANonce (AP nonce). The client receives this random number.
Step 4: PTK Generation and Verification
The client generates its own SNonce and computes the PTK using the PSK, ANonce, and SNonce. It sends an EAPOL-Key frame containing the SNonce and a Message Integrity Code (MIC).
Step 5: Confirmation and GTK Delivery
The AP verifies the MIC, computes the same PTK, and sends an EAPOL-Key frame with the GTK (Group Temporal Key) encrypted. The client decrypts the GTK and sends a final acknowledgment. Encryption begins.
Practical Mini-Lesson
A Pre-Shared Key (PSK) is a symmetric secret used to authenticate devices and derive encryption keys in wireless networks. The core concept is simple: both the access point (AP) and the client must know the same secret string. This secret is never sent over the air; instead, it is used as input to a cryptographic handshake.
In WPA2-PSK, the handshake is called the 4-Way Handshake. During this handshake, the AP and client exchange random numbers (nonces) and use the PSK to compute a Pairwise Transient Key (PTK). The PTK is then used to encrypt all subsequent traffic with AES-CCMP.
The PSK itself is derived from a passphrase (8-63 ASCII characters) using PBKDF2, which applies thousands of iterations of hashing to make brute-force attacks slower. How does PSK compare to other authentication methods? WPA2-Enterprise uses 802.
1X with a RADIUS server, providing per-user authentication and dynamic keys. WPA3 replaces PSK with Simultaneous Authentication of Equals (SAE), which is resistant to offline dictionary attacks. For VPNs, IPsec can use PSK or certificates; PSK is simpler but less secure.
Configuration notes: On a home router, you set the PSK in the wireless security settings. On a Cisco WLC, you configure a WLAN with security type WPA2-PSK and enter the passphrase. Key takeaway: PSK is easy to deploy but has a major weakness—if the passphrase is weak or shared with too many people, the network is vulnerable.
Always use a strong, random passphrase (at least 20 characters) and change it periodically. For enterprise environments, use 802.1X instead.
Memory Tip
Think 'PSK = Password Shared with Keychain.' The 'P' is for 'Password' (the secret you type), 'S' for 'Shared' (both sides know it), and 'K' for 'Key' (it unlocks encryption). Remember: PSK is never sent over the air—it's used to derive session keys. If you see 'personal mode' on the exam, think PSK.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
N10-009CompTIA Network+ →SY0-701CompTIA Security+ →200-301Cisco CCNA →220-1102CompTIA A+ Core 2 →SC-900SC-900 →CDLGoogle CDL →ISC2 CCISC2 CC →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008N10-009(current version)SY0-601SY0-701(current version)Related Glossary Terms
AH (Authentication Header) is an IPsec protocol that provides connectionless integrity, data origin authentication, and anti-replay protection for IP packets.
AH (Authentication Header) is an IPsec protocol that provides connectionless integrity, data origin authentication, and anti-replay protection for IP packets.
An AP (Access Point) bridges wireless clients to a wired network, acting as a central transceiver and controller for Wi-Fi communications.
An API is a set of rules that allows software applications to communicate and exchange data with each other.
BCP is a proactive process that creates a framework to ensure critical business functions continue during and after a disruptive event.
BNC (Bayonet Neill-Concelman Connector) is a miniature coaxial connector used for terminating coaxial cables in networking, video, and RF applications.
Frequently Asked Questions
Can the PSK be changed without reconfiguring all devices?
Yes, but every device that connects must be updated with the new passphrase. There is no way to remotely update the PSK on clients. This is a major administrative burden in larger networks.
Is PSK more secure than a certificate-based authentication?
No. Certificates provide stronger security because they use asymmetric cryptography and can be revoked. PSK is simpler but vulnerable to dictionary attacks and lacks per-user identity.
Does WPA3 use PSK?
WPA3 replaces PSK with Simultaneous Authentication of Equals (SAE), which is resistant to offline dictionary attacks. However, WPA3 still uses a shared password conceptually, but the handshake is different.
What is the minimum length of a WPA2-PSK passphrase?
The minimum is 8 characters, but for security, use at least 20 characters with a mix of letters, numbers, and symbols. Short passphrases are easily brute-forced.
Can two different SSIDs use the same PSK?
Technically yes, but it is not recommended. The PSK derivation uses the SSID as a salt, so the same passphrase with different SSIDs produces different PSKs. However, using the same passphrase weakens security if one network is compromised.
Summary
1. PSK (Pre-Shared Key) is a symmetric secret shared between a wireless client and an access point (or VPN peers) before communication begins, used for authentication and to derive encryption keys. 2.
Its key technical property is that the PSK itself is never transmitted; it is used as input to a 4-way handshake that generates per-session keys, preventing direct exposure of the secret. 3. The most important exam fact: PSK is used in WPA2-Personal mode and is vulnerable to offline dictionary attacks if the passphrase is weak; WPA3 replaces it with SAE to mitigate this.
On exams, remember that PSK requires no authentication server, making it suitable for home and small office networks.