To generate a valid pairwise master key for a WPA2 network a router uses the PBKDF2-HMAC-SHA1 algorithm. I understand that the sha1 function is performed 4096 times to derive the PMK, however I have two questions about the process.

Excuse the pseudo code.

1) How is the input to the first instance of the SHA1 function formatted? SHA1("network_name"+"network_name_length"+"network_password")

Is it formatted in that order, is it the hex value of the network name, length and password or straight ASCII?

Then from what I gather the 160 bit digest received is fed straight into another round of hashing without any additional salting. Like this: SHA1("160bit digest from last round of hashing") Rise and repeat.

2) Once this occurs 4096 times 256 bits of the output is used as the pairwise master key. What I don't understand is that if SHA1 produces 160bit output, how does the algorithm arrive at the 256bits required for a key?

Thanks for the help.