android wifi wpa

Using CCMP as group cipher for WPA2


I'm setting up a Wifi connection in code using WifiManager, but the connection seems to be using TKIP for the group cipher instead of CCMP. Is this normal? Could it be an issue with the router? I'm setting up the WifiConfig like so:

wifiConfig.allowedProtocols.set(WifiConfiguration.Protocol.RSN);
wifiConfig.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_PSK);
wifiConfig.allowedPairwiseCiphers.set(WifiConfiguration.PairwiseCipher.CCMP);
wifiConfig.allowedPairwiseCiphers.set(WifiConfiguration.PairwiseCipher.TKIP);
wifiConfig.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.WEP40);
wifiConfig.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.WEP104);
wifiConfig.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.CCMP);
wifiConfig.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.TKIP);
wifiConfig.preSharedKey = "\"".concat(password).concat("\"");

And when I watch the connection with wpa_cli on the device, I see:

IFNAME=wlan0 <3>WPA: Key negotiation completed with 50:6a:03:16:8c:18 [PTK=CCMP GTK=TKIP]

Shouldn't the last part be GTK=CCMP? As far as I understand it, the group cipher is used for broadcast messages and the pairwise cipher is used for direct communication. Why would the two be different?


Solution

  • Typically the group cipher (used for broadcast frames) has to support the lowest form of encryption allowed by all connected stations. This is often set to TKIP in case there are any old stations around and they need to be able to decrypt broadcast traffic sent from the AP. If CCMP was used for the group key, older (pre-CCMP) stations wouldn't be able to decrypt broadcast traffic.

    The pairwise cipher (used for unicast frames) can use the highest level of decryption supported by the station (almost always CCMP these days).
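The group cipher is chosen by the AP and advertised in the RSN element of its beacons; the station's allowed-cipher sets only decide whether it accepts that choice. The sketch below is an added example, not part of the original answer. It parses a constructed RSN element from a mixed-mode AP and models the outcome for the question's settings and for a CCMP-only policy. The function names, the strength ranking and the sample bytes are assumptions made for illustration.

```python
import struct

# Cipher suite types under the IEEE 802.11 OUI 00-0F-AC
OUI_80211 = bytes.fromhex("000fac")
CIPHERS = {1: "WEP40", 2: "TKIP", 4: "CCMP", 5: "WEP104"}
STRENGTH = {"WEP40": 0, "WEP104": 1, "TKIP": 2, "CCMP": 3}  # illustrative ranking

def _suite(sel: bytes) -> str:
    """Map a 4-byte suite selector (OUI + type) to a cipher name."""
    if sel[:3] != OUI_80211:
        return "vendor-" + sel.hex()
    return CIPHERS.get(sel[3], "unknown-%d" % sel[3])

def parse_rsn(ie: bytes) -> dict:
    """Parse an RSN element (ID 0x30) into its group and pairwise ciphers."""
    if len(ie) < 2 or ie[0] != 0x30:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    # This example requires the fields up to and including the pairwise count.
    if len(body) != ie[1] or len(body) < 8:
        raise ValueError("truncated RSN element")
    version, = struct.unpack_from("<H", body, 0)
    group = _suite(body[2:6])
    count, = struct.unpack_from("<H", body, 6)
    end = 8 + 4 * count
    if len(body) < end:
        raise ValueError("pairwise suite list runs past the element")
    pairwise = [_suite(body[i:i + 4]) for i in range(8, end, 4)]
    return {"version": version, "group": group, "pairwise": pairwise}

def negotiated(rsn: dict, allowed_pairwise: set, allowed_group: set):
    """Simplified model: (PTK, GTK) the station ends up with, or None if it refuses."""
    usable = [c for c in rsn["pairwise"] if c in allowed_pairwise]
    if not usable or rsn["group"] not in allowed_group:
        return None
    return max(usable, key=lambda c: STRENGTH.get(c, -1)), rsn["group"]

# Constructed sample: RSN element of a mixed-mode AP (group TKIP, pairwise CCMP+TKIP, PSK)
MIXED_AP = bytes.fromhex("3018" "0100" "000fac02" "0200" "000fac04" "000fac02"
                         "0100" "000fac02" "0000")

if __name__ == "__main__":
    rsn = parse_rsn(MIXED_AP)
    print(rsn)
    print(negotiated(rsn, {"CCMP", "TKIP"}, {"WEP40", "WEP104", "CCMP", "TKIP"}))
    print(negotiated(rsn, {"CCMP"}, {"CCMP"}))
```

With the question's permissive sets the model yields PTK=CCMP and GTK=TKIP, matching the wpa_cli line; with CCMP as the only allowed group cipher the station would decline this AP rather than change its GTK.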