The handshake described in the EAP/802.1X section always runs under WPA, i.e. the user never has to define any keys. For environments where no RADIUS server is available to provide master secrets (for instance in smaller companies), WPA provides the PSK method. In this case the user enters a passphrase of 8 to 63 characters on the access point and on all other stations. This passphrase is used together with the SSID to calculate the master secret with a hash method. The master secret is therefore constant in such a PSK network, although different session keys still result.
In a PSK network both access security and confidentiality depend on the passphrase not being divulged to unauthorized people. As long as this is the case, WPA-PSK provides significantly better security against break-ins and eavesdropping than any WEP variant. For larger installations, in which such a passphrase would have to be made known to too large a user community for it to be kept secret, EAP/802.1X is used in combination with the key handshake described here.
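The passphrase-to-master-secret calculation described above, as an added example that is not part of the original text. It assumes the hash method is the one IEEE 802.11i defines for WPA-PSK (PBKDF2 with HMAC-SHA1, 4096 iterations, SSID as salt) and derives session keys with the standard's PRF; the function names, MAC addresses and nonces are constructed for illustration.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Master secret (PMK) from passphrase and SSID, as defined in IEEE 802.11i."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if len(salt) > 32:
        raise ValueError("SSID must not exceed 32 bytes")
    # PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit result.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, length: int = 64) -> bytes:
    """Session key (PTK) from the PMK plus both MAC addresses and both nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    counter = 0
    while len(out) < length:
        block = b"Pairwise key expansion\x00" + data + bytes([counter])
        out += hmac.new(pmk, block, hashlib.sha1).digest()
        counter += 1
    return out[:length]

# Constructed sample values (not taken from any real network).
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE_1, SNONCE_1 = bytes([0x11]) * 32, bytes([0x22]) * 32
ANONCE_2, SNONCE_2 = bytes([0x33]) * 32, bytes([0x44]) * 32

if __name__ == "__main__":
    # "password" / "IEEE" is a test vector from the IEEE 802.11i standard.
    pmk = derive_pmk("password", "IEEE")
    print("PMK (constant for this SSID):", pmk.hex())
    print("PMK under another SSID:     ", derive_pmk("password", "Guest").hex())
    print("PTK session 1:", derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE_1, SNONCE_1).hex())
    print("PTK session 2:", derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE_2, SNONCE_2).hex())
```

The passphrase is the only secret input to these derivations; the SSID, MAC addresses and nonces are not secret, which is why the security of a PSK network rests on the passphrase alone.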