a survey on wireless networks-final report.pdf

8/14/2019 A survey on wireless networks-final report.pdf

http://slidepdf.com/reader/full/a-survey-on-wireless-networks-final-reportpdf 1/44

I

TABLE OF CONTENTS

LIST OF TABLES xll

LIST OF FIGUERS xlll

Chapter 3 WLAN Security

3.1 802.11 Family…………………………………………………….1

3.1.1 IEEE 802.11.…………………………………………………..……..1

3.1.2 IEEE 802.11a.……………………………………………………….2

3.1.3 IEEE 802.11b.…………………………………………………….…2

3.1.4 IEEE 802.11g.………………………………………………….……3

3.1.5 Modification……………………………………….………………..4

3.2 WLAN Architecture ………..………………………………………………5

3.2.1 Ad-hoc mode...…………………………….…….……...….….…....5

3.2.2 Infrastructure mode.…………………………………………...…....6

3.2.3 BSS. ………………………………………………………………....7

3.2.4 ESS.………………………………………………………………....8

3.2.5 DS.………………………………………………………………......8

3.3 Authentication in 802.11 …………………………………………93.3.1 Open system authentication……………….…….……...….….…..10

3.3.2 Share key authentication.………………………………………….10

3.4 Encryption and Decryption ………….………………………………….…11

3.4.1 WEP..………………………………………………………………12

3.4.2 WPA.…………………………………………………………...….14

3.4.3 WPA2.……………………………...……………………………...14

3.5 IEEE 802.1X ………..…………………………………………………… 15

3.5.1 802.1x Framework......................…………………………………..15

3.5.2 802.1x Communication/ Authentication………………………...16

3.5.3 802.1xKey management………………………………………….18

3.6 802.11i ……… ………………………………………………………… 20

3.6.1 RSN………………………………………………………………20

3.6.2 Key Hierarchy……………………………………………………22

3.6.3 TKIP……………………………………………………………...26



II

3.6.4 CCMP………………………………………………………………30

3.7 Security Threats: Passive ……………………………………… 33

3.7.1 Eavesdropping……………………………………………………33

3.7.2 Traffic Analysis…………………………………………………..34

3.8 Security Threats: Active ………………………………………. 34

3.8.1 Message Injection/Active Eavesdropping..………………………..34

3.8.2 Message Deletion and Interception..………………………………34

3.8.3 Masquerading and Malicious AP.……………………………….....35

3.8.4 Session Hijacking……………………………………………….....35

3.8.5 Man-in-the-Middle.………………………………………………..36

3.8.6 DOS attack .……………………………………………………….36

3.9 Summary .……………………………………………………….37



III

LIST OF TABLES

3.1 comparison among 802.11 families .……………………………………….. 4

3.2 WEP, WPA, WPA2 comparison…………………………………………...14



IV

LIST OF FIGURES

3.1 Ad Hoc mode…………………………………………………………………6

3.2 Infrastructure mode…………………………………………………………..7

3.3 Basic Service Set(BSS)....................................................................................7

3.4 Extened Service Set(ESS)................................................................................8

3.5 Open System authentication………….……………………………….…….10

3.6 Share Key authentication………….……………………………….………..11

3.7 Wired Equivalent Privacy (WEP) encryption……….…………….………...12

3.8 Wired Equivalent Privacy (WEP) decryption……….…………….………...133.9 IEEE 802.1x framework……………………….………………….………...16

3.10 802.1 x Communication/ Authentication.…….………………….………...173.11 IEEE 802.1x four-way handshake.…………...………………….………...19

3.12 IEEE802.1x group-key handshake…..…………………………………….20

3.13 Pairwise key hierarchy.…………………………………………………….24

3.14 Transient key component. …………………………………………….253.15 Group key hierarchy..………………………………..…………………….26

3.16 TKIP key mixing..…………… .………………………………………….283.17 TKIP encapsulation..………………………… ..………………………….28

3.18 TKIP decapsulation..………………………………………………. .…….29

3.19 Counter mode..…………………………………………………………….31

3.20 CBC mode..…………………………………………………………… ….31

3.21 CCMP encapsulation..………………………… ….………………………32

3.22 CCMP decapsulation………………………… ………….……….…….…33



2

data rates of 1 and 2 megabits per second (Mbps) to be transmitted via infrared (IR)

signals or by either frequency hopping spread spectrum(FHSS) or Direct-sequence

spread spectrum (DSSS) in the frequency band at 2.4 GHz. Unfortunately, 802.11

only supported a maximum bandwidth of 2 Mbps. For this reason, ordinary 802.11

wireless products are no longer being manufactured.

3.1.2 IEEE 802.11a

IEEE ratified 802.11a in 1999, and 802.11b was approved about the same time. Due

to its high cost, 802.11a is usually found on business networks, whereas 802.11b

better serves the home market. 802.11a supports bandwidth up to 54 Mbps, uses

frequency band at 5 GHz, and operates in orthogonal frequency-division multiplexing

(OFDM) modulation. This higher frequency compared to 802.11b limits the range of

802.11a networks. The higher frequency also means 802.11a signals have more

difficulty penetrating walls and other obstructions. Because 802.11a and 802.11b

utilize different frequencies, the two technologies are incompatible with each other.

Some vendors offer hybrid 802.11a/b network gear, but these products simply

implement the two standards side by side (each connected devices must use one or the

other).

3.1.3 IEEE 802.11b

IEEE expanded on the original 802.11 standard in July 1999, creating the 802.11b

specification. 802.11b supports bandwidth up to 11 Mbps and uses the frequency band

at 2.4 GHz - as the original 802.11 standard. However, 802.11b only used DSSS

spread spectrum and complementary code keying (CCK), is not the same as 802.11.

Since there are many appliances used at this frequency, 802.11b devices can incur



3

interference from microwave ovens, cordless phones, and other appliances using the

same 2.4 GHz.

802.11b cards can operate at 11 Mbps, but will scale back to 5.5, then 2, then 1 Mbps

if signal quality becomes an issue. Extensions have been made to the 802.11b protocol

(for example, channel bonding and burst transmission techniques) in order to increase

speed to 22Mbps, but the extensions are proprietary and have not been endorsed by

the IEEE. Many companies call enhanced versions "802.11b+".

3.1.4 IEEE 802.11g

In June 2003, IEEE802.11g was ratified. This standard works in the 2.4 GHz band,

which is the same as 802.11b, but operates at a maximum data rate of 54 Mb/s, or

about 24.7 Mb/s net throughputs (just like 802.11a). 802.11g hardware is compatible

with 802.11b hardware. Details of making b and g work well together occupied much

of the lingering technical process. In older networks, however, the presence of an

802.11b participant significantly reduces the speed of an 802.11g network.

The modulation scheme used in 802.11g is orthogonal frequency-division

multiplexing (OFDM) modulation for the data rates of 6, 9, 12, 18, 24, 36, 48, and 54

Mbps, and reverts to CCK (like the 802.11b standard) for 5.5 and 11 Mbps. Even

though 802.11g operates in the same frequency band as 802.11b, it can achieve higher

data rates (maximum data rate is 54Mbps). The maximum range of 802.11g gears are

slightly greater than that of 802.11b gears, but the range in which a client can achieve

the full 54 Mbps data rate is much shorter than an 802.11b client can reach 11 Mbps.

The comparisons are shown in table 2.1 which contain modulation, spread

spectrum, data rate distance, frequency band, interference, data transmission, voice

transmission, and security among 802.11 families:



4

Table 3.1 comparison among 802.11 families

3.1.5 Modification

Several other standards for wireless local area networks have been ratified. A brief

introduction is given below.

IEEE 802.11c:

IEEE 802.11c was ratified in October of 1998. It provides requirements of

802.11-specific MAC procedures to the ISO/IEC (International Organization for

Standardization/International Electrotechnical Commission). In particular, it adds a

sub-clause under 2.5 Support of the Internal Sublayer Service , to cover bridge

operations with 802.11 MACs.

IEEE 802.11d:

IEEE 802.11d, ratified in July of 2001, is an amendment to the base 802.11

specification that adds support for "additional regulatory domains". This support

includes the addition of a country information element to beacons, probe requests, and

probe responses. This modification make 802.11 standard to operate in countries that



5

not served by the standard.

IEEE 802.11e:

IEEE 802.11e has been approved as a standard which attempts to enhance the 802.11

MAC to increase the quality of service (QoS) possible for LAN applications. The

standard is considered critical importance for delay-sensitive applications, such as

Voice over Wireless IP and Streaming multimedia.

IEEE 802.11f:

IEEE 802.11f was finished in 2002. The standard developed for practice that provides

AP communication among multiple servers. The purpose is to increase compatibility

between Access Point devices from different vendors

IEEE 802.11h:

IEEE 802.11f is the IEEE standard for spectrum and transmit power management in

the 5 GHz band. The standard solves problems like interference with rador in some

European countries. It provides Dynamic Frequency Selection (DFS) and Transmit

Power Management (TPM). DFS means the channal selection to reduce interference

to rador. TPM means the average power is less than the regulatory maximum power to

decrease interference to rador.

3.2 WLAN ArchitectureIEEE defines two types of architecture on wireless LAN 802.11: ad hoc mode and

infrastructure mode. The 802.11 architecture is comprised of several components such

like basic service set (BSS), service set (ESS), distribution system (DS). In this

section, we will introduce two architectures and their components on wireless LAN

802.11.



7

Figure 3.2 Infrastructure mode

3.2.3 Basic Service Set (BSS)

Ad shown in Fig 3.3, A BSS is a group of 802.11 stations or devices comunicating

with each other. We can know the framework from Fig 3.3. A BSS requires an access

point which is the central point of communicaqtion for all stations. The stations do not

communicate directly with each other. They first communicate with the access point,

and then access point delivers the frames to the destination stations.

D i s t r i b u t e d s y s t e m ( D S )



8

Figure 3.3 Basic Service Set (BSS)

3.2.4 Extened Service Set (ESS)

An ESS is composed of two or more BBSs. In other words, the collection of BBSs is

known as ESS. BSSs communicate via distribution system (DS). Fig 3.4 shows an

atthitecture of ESS. The DS can be wired or wireless network, but for the most part,

DS uplinks are wired network.

Figure 3.4 Extened Service Set (ESS)

3.2.5 Distribution System (DS)

A distribution system is a system that interconnects several BSSs. DS can be

constructed of either a wired network or wireless network but usually wired network.

The system provides five services: association, de-association, re-association,

distribution, and integration, we now start to introduce the details of five services.

Association:

The association service is used to make a connection between a mobile devices and an

access point. Each device must become associated with an access point before it is

D i s t r ib u t e d s y s t e m ( D S )



9

allowed to send data through the access point to the distribution system. The

connection is necessary for the distribution system to know where to deliver data to

the mobile station.

De-association:

The de-association is used to disconnect between mobile devices and an access point.

The situation is occurred when the mobile devices no longer require the service of

distribution system. If the station or wireless devices want to obtain the service, it

must begin a new association with access point again.

Re-association:

The re-association service is similar to the association service. The situation is

occurred when the mobile devices leave the ESS, lose connection with the access

point that it is associated, and need to become associated with a new access point.

Distribution:

Distribution is the primary service used by an 802.11 station. The devices uses the

distribution service every time it sends MAC frames through the distribution system.

The distribution service provides the distribution with only enough information to

determine the proper destination BSS for the MAC frame.

Integration:

The integration service connects the 802.11 WLAN to other LANs, including one or

more wired LANs or 802.11 WLANs. The integration service delivers 802.11 frames

to another network or from other networks to 802.11 WLANs.

3.3 Authentication in 802.11Because WLANs have limited physical security to prevent unauthorized access,

802.11 defines two authentication modes, namely open system authentication and share



10

key authentication to control access to WLAN. The goal of authentication service is to

provide access control equivalent to a wired LAN.

After authentication and association process, wireless devices can begin to transmit

and receive data. If wireless devices are configured with a key that different from

access point, the devices will not be able to encrypt or decrypt data frames correctly.

Consequently, the frames will be discarded by both the client and the access point. In

this section, we will first introduce open system authentication and then shared key

authentication.

3.3.1 Open System Authentication

This is the default authentication method, which is very simple. There are two

message exchanges in open system authentication. The steps are shown in Fig 3.5.

First the supplicant who wants to authenticate with authenticator sends an

authentication management frame containing the sending supplicant’s identity.

According to the identity, the authentication result is sent from the authenticator back

to the supplicant.

Figure 3.5 Open System Authentication

3.3.2 Shared Key Authentication

Unlike open system authentication, shared key authentication requires that the

wireless devices and access point have the same WEP keys. There are four messages

S u p p l i c a n t a u t h e n t i c a t o r

A s s o c i a t i o nr e q u e s t

A s s o c i a t i o n r e s p o n s e



11

exchanged as shown in Fig 3.6. The following summaries the share key

authentication process:

1. The supplicant sends a registration request that contains the identity of supplicant to

the authenticator.

2. The authenticator then responds with a plaintext challenge packet to the supplicant.

3. The supplicant encrypts the challenge packet using the shared WEP key and sends

the result back to authenticator.

4. If the authenticator can decrypt the response packet and retrieve the original

challenge, he sends the supplicant a success message.

Figure 3.6 Share-Key Authentication

3.4 Encryption and DecryptionWireless networks ensure its security through the use of various security protocols,

encryption algorithms, and authentication methods. IEEE first ratified WEP as a

solution to wireless security. But WEP has some flaws in its implementation and its

design. For this reason, WEP was replaced by the WiFi alliance with a subset of the

supplicant

1. registration request

2. challenge (a random number R)

3. response (sign R by shared key)

4. build up authentication relationship

authenticator



12

802.11i protocol, which called WPA. WPA was intended to still have security

concerns in wireless network. When the IEEE ratified the 802.11i protocol in 2004,

the WiFi alliance adopted the protocol as WPA2. In section 3.4, we first introduce

WEP in section 3.4.1; include its encryption and decryption algorithms, and then

introduce WPA in section 3.4.2. Finally, WPA2 is introduced in section 3.4.3.

3.4.1 Wired Equivalent Privacy (WEP)

WEP is a part of IEEE 802.11standard ratified in September 1999. WEP uses the

stream cipher RC4 algorithm for confidentiality and and the CRC-32 for integrity.

Standard 64-bit WEP uses a 40 bit key, which is concatenated to a 24-bit Initial Vector

(IV). WEP encryption is depicted in Fig 3.7. The Initial Vector (IV) and secret key are

passed into RC4 algorithm to generate the encryption key, also called RC4 key. On

the other hand, the plaintext message is used to generate Integrity Check Value (ICV),

which is appended to the message. The ciphertext is produced by XORing the RC4

key with the combined the message and ICV. After XOR operation, the result is

transmitted to the wireless network.

IV IV

IV KeyCipherText

ICV

RC4PRNG

Key

Plain text Plain text CRC32

CRC32



13

Figure 3.7 Wired Equivalent Privacy (WEP) encryption.

In contrast, WEP decryption as shown in Figure 3.8, the received encrypted

packet consists of the Initial Vector (IV), ciphertext, and ICV. Initial Vector is not

encrypted while transmitted. The IV is concatenated with the shared secret key and

passed into RC4 algorithm to produce the “key stream.” The decrypted data

(plaintext) is obtained by XORing the “key stream” and ciphertext with the ICV. Then

the plaintext uses the same integrity algorithm (CRC-32) when used in WEP

encryption to generate new ICV. This ICV is compared with the original ICV

appended to the data. If the two ICVs match with each other, the data is valid.

Otherwise, the data must be modified during the transmission and will be rejected by

the system.

Figure 3.8 Wired Equivalent Privacy (WEP) decryption.

Two main vulnerabilities in WEP are the use of a 32-bit CRC checksum and a

24-bit Initialization Vector (IV) for the encryption algorithm. The CRC checksum is

intended to detect unintentional errors in the packet. Attackers can still modify the

packet and calculate a new CRC checksum as if the packet was not modified. The

problem with the 24-bit IV is that the IV domain is not large enough to guarantee use

IV

CipherText

ICV

Key

IV KeyRC4

PRNG

Plain text CRC32

CRC32 CRC32'

CRC32=CRC32'Wrong

data

RightdataYes

No



14

only for once. Attackers can observe sufficient network traffic to completely exhaust

the entire domain of the 24-bit IVs. The attacker can eavesdrop two encrypted packets

with the same IV to reduce the probability of cracking the encryption key.

Consequently, WEP is insecure.

3.4.2 Wireless Protected Access (WPA)

To cope with the weaknesses of WEP, the Wi-Fi alliance attempts to offer a better

security solution than WEP. This subset protocol is called Wireless Protected Access

(WPA). WPA specified the Temporal Key Integrity Protocol (TKIP) that replaced the

weak 32-bit CRC checksum with a strong HMAC checksum. In addition, WPA adds a

Message Integrity Check (MIC) based on the Michael algorithm, and replaces the

24-bit IV with a 48-bit IV. WPA also defined dynamic key rotation and Extensible

Authentication Protocol (EAP) to allow strong authentication in wireless LAN. WPA

is intended for upgrading legacy systems that use stream cipher RC4 and secure

communication protocol WEP. Even though WPA is more secure than WEP, it still

uses RC4 for the compatibility with legacy systems. The use of weak stream cipher

RC4 makes WPA not strong enough against various attacks. For example, it is

possible to monitor initial key exchanges and launch dictionary attacks to break the

key. WPA was never intended as a robust security solution, it is only a better wireless

security solution than WEP when WPA2 was not ratified.

3.4.3 Wireless Protected Access Version 2 (WPA2)

In 2004, the IEEE ratified the 802.11i protocol, which provides Robust Security

Network (RSN) capabilities that is more secure than WEP and WPA. The main

difference between WEP and WPA2 is that the encryption algorithm used in WPA2 is

Advanced Encryption Standard (AES) for data confidentiality. The comparison

among WEP, WPA, and WPA2 are shown in table 3.2:



15

Table 3.2 WEP, WPA, WPA2 comparison

3.5 IEEE 802.1X

IEEE 802.1X is part of IEEE 802.1 group of protocol. It provides point-to-point

connection and prevents access from a port with authentication failure. It is used for

certain access point, and is based on EAP. EAP is an authentication framework used

in wireless networks and point-to-point connections. 802.1X is available on certain

network switches, and can be configured to authenticate hosts which are equipped

with client software, denying unauthorized access to the network at the data link layer.

3.5.1 802.1x Framework

IEEE 802.1x framework is depicted in Fig 3.9. Both supplicant and authenticator have

a port access entity (PAE). The PAE controls the authorized/unauthorized state when

the supplicant is not authenticated successfully. We can find in Fig 3.9 that the

authenticator uses an uncontrolled port to communicate with the supplicant PAE

WEP WPA WPA2

Transport protocol WEP 802.1x/EAP 802.1x/EAP

Encryption algorithm RC4 RC4 AES

Key management NONE TKIP CCMP

Cryptographic digest None MIC MIC



16

before the supplicant is authenticated. In this state, the authenticator blocks all traffic

except 802.1x messages.

802.1x also defines EAP protocol that compresses EAP messages between the

supplicant and authenticator. EAP messages are delivered from the supplicant to the

authenticator server by PAE. In order to let server authenticate user information, the

authenticator PAE compresses the same EAP messages in server (RADIUS) packet

format and sends them to the authenticator server. Once the supplicant is

authenticated successfully, the controlled port is authorized. The supplicant can obtain

services through the controlled port. [J-C CHEN, M-C JIANG, AND Y-W LIU]

“WIRELESS LAN SECURITY AND IEEE 802.11I,” February 2005

Figure 3.9 IEEE 802.1x framework

3.5.2 802.1x Communication/ Authentication

Fig 3.10 depicts a typical 802.1x communication and authentication process between

the supplicant and the authenticator. The following summaries the 802.1x

communication/authentication process:

1. The supplicant sends an EAP-start message to start the communication.

SupplicantPAE

Supplicantsystem

Authenticatorsystem

Service offeredby authenticator

system

AuthenticatorPAE

Authenticatorserversystem

Authenticatorserver

LAN

Controlledport

Uncontrolledport

EAPprotocol

exchangescarried inhigher-layer

protocol



17

2. The authenticator sends an EAP-request identity message to obtain supplicant’s

identity.

3. Upon receipt of the EAP-request/identity message from the authenticator, the

supplicant responds with the EAP-response/identity packet along which includes

the client's identity.

4. Upon receipt of the EAP-response/identity, the authenticator PAE state transits to

the authenticating state and then encapsulates the EAP-response/identity message

in RADIUS-access-request and sends it to the authentication server.

5. The authentication server challenges the supplicants to prove themselves by

sending a RADIUS-access-challenge to the authenticator.

6. The authenticator encapsulates RADIUS-access-challenge in EAP-request/Auth

and then sends to the supplicant. Upon receipt of the message, state of the

supplicant changes to authenticating state.

7. The supplicant respond with an EAP-response/Auth to the authenticator.

8. The authenticator relays to the authentication server in the form of RADIUS-

access-request. The authentication server then either accepts or rejects the client's

request for connection.

9. If the authentication server accepts the connection, it sends a RADIUS-access –

accept to the authenticator and then authenticator PAE state transits to

authenticated state. Afterwards, the authenticator PAE sends EAP-success to the

supplicant.

10. Otherwise, the authentication server rejects the connection, and sends a

RADIUS-access-reject to the authenticator. The authenticator PAE state transits

to the held state, and then sends EAP-failure to the supplicant.



18

Figure 3.10 802.1 x Communication/ Authentication

3.5.3. 802.1x Key Management

In this section, key management of the authentication process in IEEE 802.1x is

described. Both the four-way handshake and group-key handshake are introduced.

Fig 3.11 gives the four-way handshake messages exchanged. In the four way

handshake, the authenticator first sends an Anonce and key information to the

supplicant. Anonce is a nonce value generated by the authenticator and will only be

used once. After receiving the first message, the supplicant checks the validity of the

message by using the “replay counter.” The “replay counter” will be incremented by

each EAPOL-key message. Once the “replay counter” is smaller or equal to the value

kept in the supplicant, the message will be discarded. Otherwise, the supplicant sends

the second message that contains its own nonce-value ( SNonce ), key information,

message integrity code (MIC), and supplicant’s RSN IE ( Robust Security Network

s u p p l i c a n t

E A P O L - s t a r t

A u t h e n t i c a t i o ns e r v e r

E A P O L - r e q u e s t / i d e n t i t y

A u t h e n t ic a t o r

E A P O L - r e s p o n s e / i d e n t i t y

R A D I U S - a c c e s s - r e q u e s t

R A D I U S - a c c e s s - c h a l l e n g eE A P - r e q u e s t / A u t h e n t ic a t i o n

E A P - r e s p o n s e / A u t h e n t ic a t i o n

R A D I U S - a c c e s s - r e q u e s t

M u l t i - r o u n d a u t h e n t i c a t i o n m e s s a g e e x c h a n g e s

R A D I U S - a c c e s s - a c c e p t

E A P - s u c c e s s

R A D I U S - a c c e s s - r e j e c t

E A P - f a i l u r e

E A P - l o g o f f

A u t h e n t i c a t i o nm e s s a g e e x c h a n g e

A u t h e n t ic a t i o ns u c c e s s

A u t h e n t ic a t i o nf a i l u r e

l o g o f f



19

Information Element ) to the authenticator. RSN IE carries RSN security information

including RSN capabilities, authentication, and cipher key selectors. An RSN IE can

be used to distinguish between pre-RSN stations and RSN-capable stations .

RSN-capable stations shall include the RSN IE in beacons, probe response,

association and re-association request, and the second and third messages of the

four-way handshake. In contrast, there is no RSN-IE in messages sent by pre-RSN

stations.

Upon receipt of the second message, the authenticator checks the validity of the

message by using the “replay counter.” Besides, the authenticator also verifies the

MIC. If the MIC is incorrect, the message is discarded. Otherwise, the authenticator

sends the thirds message which contains Anonce , key information, MIC, and

authenticator’s RSN IE to the supplicant.

Upon receipt of the third message, the supplicant validates the message by checking

the “replay counter.” It then compares the RSN IEs. If the RSN IEs are different, the

connection between the supplicant and the authenticator will be disconnected. If RSN

IE is correct, the supplicant checks the MIC later. The supplicant sends back the

fourth message if the MIC is valid.

When the authenticator receives the fourth message, it first checks the “replay

counter.” If the “replay counter” is valid, it then keeps a check on MIC. The four-way

handshake is completed if the MIC is valid.



20

Figure 3.11 IEEE802.1x four-way handshake

The group key handshake is shown in Fig 3.12. It is performed after the four way

handshake. The authenticator first sends the message which contains key information,

MIC, and GTK (Group Temporal Key) to the supplicant. After receiving the first

message, the supplicant checks the validity of the message by using the “replay

counter.” It then checks the MIC if the “replay counter” is valid. The supplicant sends

back the second message includes key information and MIC to the authenticator if

MIC is valid. Once the second message is received by the authenticator, the

authenticator checks the validity of the message as before. If the “replay counter” and

the MIC are valid, the group key handshake is completed.

1.EAPOL-key (key_info, Anonce)

2.EAPOL-key (key_info, Snonce, MIC, RSN IE)

3.EAPOL-key (key_info, Anonce, MIC, RSN IE)

4.EAPOL-key (key_info, MIC)

AuthenticatorSupplicant

Authenticator delivers anothernonce to AP so that it can

generate PTKSupplicant delivers anothernonce to AP so that it can

generate PTK

Ensure PTK is fresh

This frame servers only asan ACK



21

Figure 3.12 IEEE802.1x group key handshake

3.6 802.11i

IEEE 802.11i provides two classes of security mechanisms for wireless networks to

improve security, namely, pre-RSN and RSN security mechanisms. The pre-RSN

security mechanism includes the original security mechanism in the IEEE 802.11

specifications such as shared key authentication for validating an unfamiliar station,

and using WEP to enhance the confidentiality by protecting the transmitted data.

The second one is RSN security mechanism , which is constructed from many different

security mechanisms. The components of RSN will be introduced in the following

sections.

3.6.1 RSN (Robust Security Networks)

IEEE 802.11i has a working group on the MAC layer that is named Task Group I

(TGi). TGi focus on the research of enhancing the security of IEEE 802.11i, and its

EAPOL-key(key_info, key ID,keyRSN, MIC, GTK)

EAPLO-key(key_info, MIC)

Supplicant Authenticator



22

main mission of is to define a standard named robust security networks (RSN). RSN

is defined according to the IEEE 802.11i draft. It allows two devices in a wireless

network to construct a robust security network association (RSNA) to ensure the

security. In this network, all the APs and stations contribute many RSNAs, and the

RSN is formed by a large number of RSNAs. RSNA has also been defined in IEEE

802.11i draft. It began its measure by applying a four-way handshake, which is

described earlier to make sure that both communication parties get a valid pairwise

master key (PMK), establishes the temporal key, and confirm the cipher method used

in the following session..

The RSNA focuses on the authentication frameworks such that using 802.1X, and it

transits the authentication services and maintains the key management mechanisms,

Four-way handshake provides much more robustness for managing the session keys.

But it is not enough for just provide the authentication methods for a goal to achieve a

robust and secure network, for many threats may occur. For confidentiality, IEEE

802.11 standard chooses some cryptography algorithms to ensure the confidentiality of

the transferred data, some hash functions for checking integrity of transferred frames

and the data origin authentication, and some other algorithms for key generation. All

of these algorithms have the same characteristics, that is, they are all symmetric

algorithms. These algorithms are listed below.

Confidentiality:

TKIP (RC4)

WEP (RC4)

CCM (AES - CTR)

NIST Key Wrap

Integrity:

HMAC – SHA – 1



23

HMAC – MD5

TKIP (Michael MIC)

CCM (AES – CBC – MAC)

Key generation:

HMAC – SHA – 1

RFC 1750

Proprietary

3.6.2 Key Hierarchy

The security of keys is particularly important in 802.11 because the data

confidentiality relies on the protection and use of the keys. 802.11i introduce the

key hierarchy which needs to meet the following requirements:

1. Keys should be generated randomly for reducing the probability that any adversary

can get it by guessing.

2. Keys need to be changed frequently to prevent sophisticated cryptanalysis.

3. To protect enciphered data, keys should be protected in storage.

4. Keys cannot be eavesdropped while transmitted.

5. Keys should be deleted when not needed.

In order to achieve these requirements, “key management” scheme is needed which

defines “the process of handling and controlling cryptographic keys and related

material (such as initialization values) during their life cycle in a cryptographic

system, including ordering, generating, distributing, storing, loading, escrowing,

archiving, auditing, and destroying the material” [S. Frankel, B. Eydt, L. Owens, K.

Kent]. IEEE 802.11i has met the requirements and leave the details open for

implementation.

For pre-RSN or older security policies in 802.11, key management is not included in



24

the specifications because WEP only uses a single key for all devices in a wireless

local area network, and they key is entered manually. There is no need to distribute

keys to stations.

In RSN systems, RSNA needs keys for encryption, integrity, and authentication. This

makes the legacy method inefficient because each key is distributed manually. IEEE

802.11i specifications define two key hierarchies for RSNAs. One is Pairwise Key

Hierarchy, designed for unicast protection. The other is Group Key Hierarchy for

multicast/broadcast protection. The following is the introduction to these two key

hierarchies.

Pairwise Key Hierarchy

Figure 3.13 shows the key hierarchy of pairwise key hierarchy. The two keys on top

of the whole hierarchy are called root keys. The root keys are the basis of all other

keys in the key hierarchy. The two root keys in Pairwise Key Hierarchy represent two

ways other keys may be set up in an 802.11 RSNA device. Details are described as

follows :

Pre-Shared Key (PSK): A PSK key should be put into wireless devices before

establishing, and the delivery of the key should in an out-of bound channel, that is, the

establisher may need input the key into device manually. In the 802.11i standard,

there is no specification for how to generate or distribute the PSKs. The

implementation of generation or distribution of PSKs is left to the implementers.

The PSKs can be generated using any kind of pseudo random generator and distributed by

a USB device which can be brought to anywhere, etc. No matter how the PSK is generated

or distributed, the implementer should be careful for any possible threats and design

the process of key distribution in an effective fashion.

Authentication, Authorization, and Accounting Key (AAA Key) : An AAA key,



25

which is also called Master Session Key (MSK), is handed over through the

Extensible Authentication Protocol (EAP) to APs when establish an RSNA. The AAA

key will be changed every time a user authentication request is invoked, and an AAA

key will be used in a user’s session. The AAA key expires when its lifetime ends or

the user initiates re-authentication. For the delivery of the AAA key, it needs EAP

authentication method to provide key generation method. All of the EAP mechanisms

that support RSNs should have the capability to generate the AAA key for the RSN.

The EAP method to be selected is up to the implementer’s decision. Different AP or

STAs may have different implementation of EAP methods.

Figure 3.13 Pairwise key hierarchy

In the Figure 3.13, a Pairwise Master Key (PMK) will be derived from the two root

keys, either the PSK or the AAAK. The PMK is used as a key-generating key, which

is used for generating another key Pairwise Transient Key (PTK). The PTK is

derived from the MAC addresses of STA and AP, and a nonce created each time in the

key generation process. The STA and AP addresses are used to protect against session

hijacking and impersonation, the nonce is used to add additional random material. A

Pre-Shared Key AAA key

Pairwise Master Key

Pairwise Transient Key

256 bits >=256 bits

256 bits

384 bits for CCMP512 bits for TKIP

Possible truncation

PRF



26

PTK is composed of three components as follows:

EAP over LAN (EAPOL) Key Confirmation Key (EAPOL –KCK): the

EAPOL–KCK’s purpose is to provide the integrity and the data origin authenticities

for the STA–to–AP control frames during the setup of the RSN. The process also

performs proof–of–possession of the PMK.

EAPOL Key Encryption Key (EAPOL -KEK): EAPOL–KEK can provide

protection for confidentiality of keys or data in some RSN processes.

Temporal Key: Temporal Key ( TK) is used to encrypt and protect all the user traffic.

Figure 3.13 shows length of the keys. The two root keys, PSK is of 256 bits long, and

on the other hand the AAA key can be of 256 bits long or larger. PMK is 256 bits long,

and it needs a pseudo-random function to deliver the TK. The length of the TK may

be different for different confidentiality and integrity protocols used. In this case,

512 bits for TKIP and 384 bits for CCMP are used. The components of these two

different TK are shown in Figure 3.14.

Figure 3.14 Transient key components

Group Key Hierarchy

Pairwise transient ke

EAPOL KCK EAPOL KEK TK

EAPOL KCK EAPOL KEK TK MIC key

128 bits 128 bits 128 bits

128 bits 128 bits 128 bits 128 bits

TKIP

CCMP



27

Another key hierarchy is Group Key Hierarchy shown in Figure 3.15, and the key

derived from PMK is called Group Temporal Key (GTK). GTK is usually generated

by the AP and delivered to its associated STA. The generation of a GTK is still

undefined in IEEE 802.11 specification, and it depends on the implementation of

different implementers. But every implementation should obey the rule that the value

must computationally indistinguishable from random.

Figure 3.15 shows that GTK is 256 bits long for TKIP and 128bits long for CCMP.

Its standardization is still underway.

Figure 3.15 Group key hierarchy

3.6.3 Temporal Key Integrity Protocol (TKIP)

Although the RSN can provide some security mechanisms to enhance the security of

IEEE 802.11 wireless network, the legacy devices may not have the capability to

implement the mechanisms. For enhancing the security of legacy devices, pre-RSN

was defined and TKIP is used for replace the WEP protocol. TKIP is a set of

algorithms wrapping WEP. TKIP adds four new algorithms to WEP: a cryptographic

Pairwise transient keyPairwise master key

TKIP - GTK

GTK GMK GTK

TKIP - GTK CCMP - GTK

128 bits256 bits

PRF



28

Message Integrity Code (MIC) called Michael to exclude forged packets, an IV

sequencing discipline to remove the replay attack, a per-packet key mixing function to

de-correlate the IVs from weak keys and a re-keying mechanism to provide fresh

encryption and integrity keys. This section will show all of the TKIP features, the

encapsulation and de-capsulation procedures, and some countermeasures.

The following is the feature of TKIP in IEEE 802.11:

1. Use RC4 algorithm for confidentially protection

2. Use Michael message digest algorithm to check the integrity against modification

attacks.

3. Apply the frame sequencing mechanism for replay prevention.

4. Refresh the encryption key for each frame, it’s used to defend an attack named

Fluhrer-Mantin-Shamir (FMS) attack, which can break the WEP-based WLAN.

5. Implement countermeasures when the SPAs or APs find a MIC error, this error

usually means there exists some active attack.

TKIP Encapsulation

TKIP encapsulation is established from the WEP, but it includes some additional

techniques through software, because it is required to be usable on legacy devices.

The following is main features for TKIP encapsulation

1. In the Michael message digest algorithm, there needs two 64–bits message integrity

keys for producing the message integrity code. Each key is used for each half

transmission between the STA and AP. The MIC is computed from user data,

source address, destination address and priority bits for checking data integrity.

TKIP also provide some countermeasure to mitigate the threats invoke by attackers,

because the attackers can forge the MIC.

2. In the each frame, TKIP adds an additional sequence counter for avoiding replay

attacks. The receiver drops the frame not in order.



29

3. Using a two-phase process to mix the cryptographic key refreshed per sending

frame, TK and sequence counter are required to create the dynamic key. The key

mixing function is shown in Figure 3.16. The key mixing function, also called

temporal key hash, produces the 128-bit RC4 per-frame encryption key. This function takes as

input the 128-bit Temporal Key (TK), the 48-bit Transmitter’s Address (TA) and 48-bit IV.

The 48-bit IV is often called the TKIP Sequence Counter (TSC). The 32 most significant bits

of the TSC are represented by IV32 and the 16 least significant bits of the TSC are represented

by IV16 here. The key mixing function outputs 128-bit WEP key, the three first bytes of which

are derived from the TSC. TKIP key mixing has two phases. The input to phase 1 is

TK, TA and IV32. The output of phase is 80-bit Phase 1 Key (P1K). The P1K will

be part of the input to phase 2. P1K is the same for consecutive frames from the

same TK, TA and IV32. Therefore, P1K is often calculated only once for the first

frame and is cached for the next phase, though it can be calculated for every framein theory. In phase 2 it takes as input P1K, TK and IV16, and outputs the 128-bit

WEP key for the RC4 encryption algorithm. d is a dummy byte designed to avoid

weak keys. The key mixing process can be described as follows:

P1K = Phase1 (TK, TA, IV32)

RC4Key = Phase2 (P1K, TK, IV16)

Figure 3.16 TKIP key mixing

Upper 32bits Lower 16bits

IV IV Per acket ke

Phase 1

Phase 2

48-bit TA

TK

D

128-bit TK48-bit IV (TSC)

RC4 encrypted key



30

The procedure for TKIP encapsulation is shown in Figure 3.17

Figure 3.17 TKIP encapsulation

TKIP decapsulation

In the de-capsulation, it comes with some checks. The first is the check for the

sequence order. The frame will be discarded if it is out of order. The MIC is the

following one. It compares the MIC in the frame and the MIC computed by the

receiver itself. The countermeasures are invoked if the two MIC is not matched.

Figure 6 – 6 shows the procedure of TKIP de-capsulation.

Phase 1

Phase 2

Michal

Fragmentation

WEP enca sulation

TTAK

Sequence SA+DA+MSDU

MAC Protocol

MSDU plaintext

MSDU plaintextWEP WEP key

Encrypted MDPU

TK TA MIC key



31

figure 3.18 TKIP decapsulation

TKIP countermeasures

Countermeasures are used when the MIC check is failed. Michael MIC check is much

more stronger than usual CRC check, but it is still a weak protection against existing

attacks, and the countermeasures is needed for any failure of the MIC checks.

The following is the countermeasures:

1. Logging security events: Active attacks may occurs when the MIC check failed, the

system administrator should check the events

2. Limiting MIC failures: For a large number of attacks in a limited time, the attacker

may learn what the Michael key is. Therefore, it is required to limit the MIC failures

in a limited time. For example, permit 3 failures per minutes.

3. Changing the PTK or GTK: re-initialize the temporal key.

4. Blocking the IEEE 802.1X ports: block the control ports since the authentication

mechanism is used.

Reverse mixing IVPhase 1ke mixin

Phase 2key mixing

TKTKIP TSC

WEP

Recombination

Michael

MICcheck

MIC ke

MDPU plaintext

MIC'

MIC sucess

WEP seedOrderedMDPU

encrypted

Discardnon-orderedMPDU

TSC

countermeasurefail



32

3.6.4. Counter Mode with Cipher Block Chaining MAC Protocol (CCMP)

CCMP is another protocol for protect data confidentiality and integrity, but contrast to

TKIP, CCMP is created with no constraint with old devices, and it is considered as a

long-term solution for the IEEE 802.11 WLAN.

CCMP uses CCM, which is an encryption block cipher mode for AES CCM can

applied to any 128-bit long cipher system. There are two important components in the

CCM: counter mode(CTR) and Cipher Block Chaining MAC (CBC-MAC) Protocol.

Figure 6 – 7 and 6 – 8 shows the CTR and the CBC protocol.

The following are the features of CCMP:

1. Use only one key for encipher and integrity check to improve the prerformance

2. Provide integrity check for both frame header and the frame payload.

3. Can compute some parameters for cryptography before the process for the frame,

this can reduce the execution time for the mechanisms for security.

4. Less costs due to small fsoftware and hardware implementation size.

5. Minimize the size for security related fields.

6. No additional patents



33

figure 3.19 Counter mode

Figure 3.20 CBC mode

CCMP Encapsulation

Counter

AES

XOR

Counter+1

AES

XOR

M1 M2

IV XOR

Encr tion Encr tion

XOR

C hered C hered

Block1 Block2



34

Following is the main steps of CCMP encapsulation:

1. Increases the packet number (PN) for each individual session

2. Derive nonce using the PN and part of the address field.

3. Compose the CCMP header from the Temporal Key ID and the PN.

4. Build the Additional Authentication Data by frame header (AAD)

5. Use nonce, AAD, and the plaintext data as the input to CCM with the TK as the

key.

6. Concatenate the packet header, the CCM header, and the enciphered data as the

ciphertext frame.

Figure 6 – 9 shows the encapsulation of CCMP.

figure 3.21 CCMP encapsulation

CCMP Decapsulation

Main steps of decapsulation of CCMP protocol is the following:

1. Parse the frame to rebuild the AAD and nonce, AAD comes from the header.

Increment PN

Construct Construct

Construct AAD

CCM encryption

MAC header Data

MAC header CCM header Encrypted data MIC

PNKeyIDA2

TK

AAD

nonce

Ciphertext MPDU

4848

48

K=16, M=8, L=2

128 bits

Plaintext MPDU



35

2. Nonce was rebuild from PN and destination address and priority field.

3. Check the MIC.

4. Recover the plaintext by using the TK, nonce, AAD, and the enciphered payload

5. Compare the PN in the frame and the counter counted for the session, the received

one must be the greater one, or the frame will be discarded.

The process for CCMP decapsulation is showed in figure 6 – 10.

Figure 3.22 CCMP decapsulation

3.7 Security threats: passive

Passive security threats are the attacks start by an unauthorized part getting

information about the traffic content. There are two kinds of passive attacks:

eavesdropping and traffic analysis.

3.7.1. Eavesdropping

Construct

Construct AAD

CCM encryption

MAC header Data

MAC header CCM header Encrypted data MICPN

A2

TK

AAD

nonce

PN48

128 bits

K=16, M=8, L=2MDPU

Out-of-se

quence

PN

Plaintext MPDU

Ciphertext MPDU



36

In a wireless network the attacker can easily fetch the frame transfer from one to

another in the same local area network. This characteristic is not bothered by encrypt

and is performed for different purpose.

3.7.2. Traffic Analysis

According to last section, the attacker can get the information from the frame no

matter what it is. Not only the content of payload is the target, other fields may

provide some information of the key or about the MIC check, analyze these fields

may find some part information about the key information and let the attacker have

the chance to break the encryption or forge another MIC data.

3.8 Security threats: activeActive security threats are the attacks that may modify the content or traffic of

messages. Sometimes the active attacks will success due to lack of defense

mechanisms. Active attacks involves message injection/active eavesdropping,

message deletion and interception, masquerading and malicious AP, session hijacking,

man-in-the-middle attack, DOS attack.

3.8.1 Message Injection/Active Eavesdropping

Attackers can modify the content of the frame or other field by using some modified

devices, though most of the devices was equipped to allow only 802.11 traffic. In this

condition, the attacker can pass the integrity check by modify the MIC field, or

modify the payload of a frame used for replay attack in a no replay attack prevention

system.

3.8.2 Message Deletion and Interception



37

It seems impossible to delete a packet send in a wireless channel, for the characteristic

of the wireless network. But there still exist methods to delete a frame in the wireless

channel. It needs another antenna for interfering the receiver’s antenna, after the

interfering the receiver will get a interfered frame and the integrity check may not

pass. At the last the receiver can only drop the received packet, and the attacker

achieve his goal.

The way to message interception is alike the step of message deletion. But for

interception, the attacker should have the ability to control the frame sent to the

receiver. That is, the attacker can decide which packet will be sent and which will be

discarded. To achieve this, the attacker need an antenna to delete the frame sent to the

remote antennas, and another one get the frame. By the content in the frame, the

attacker decides whether the packet will be sent or not. The receiver can only receive

chosen frame and does not know there is an attacker interfering the frames, and

modify or create other frame will be sentlate to the receiver.

3.8.3 Masquerading and Malicious AP

if there is no protection or integrity check about the MAC address, the attacker can

easily modify the MAC address in its frame. It is more dangerous if the system use

only the MAC address to identify another wireless device. So it is easy for an AP to

masquerade as another AP, the STAs can also do this by spoofing. It is dangerous for a

station associated with a malicious AP.

3.8.4. Session Hijacking

Session hijacking is happened when a session pass the authentication process. for an

authenticated device, the attacker can disconnect it from this session. The second step

the attacker masquerade as the victim and send and receive frames as the victim in the



38

session. But there has some mechanism to prevent this kind of attack, such like the

protection of confidentiality and the integrity. In this circumstance, the attacker can’t

create valid frame to communicate with the AP, and the session hijacking can’t get

any benefit.

3.8.5. Man-in-the-Middle attack

Contrast to message interception, the man-in-the-middle attack need to

participate in the connection. If the attacker is not in any connection, it

need to try to break another connection, and then involved into the

connection to derive the man-in-the-middle attack. The attacker need to

act as aP for the victim station and act as a station to the victim AP.

Another way to implement man-in-the-middle attck is do the ARP

spoofing just like in wired LAN.

3.8.6. DOS attack

DOS attack includes three main kinds of attack.

beacon flood

Lots of attackers masquerade as different APs and send lots of frames with different

SSID to make the station sees ten or hundreds of APs in the network and make the

traffic of the station slower.

authentication flood

Using a similar method as the last section but masquerading as lots of stations in this

section. The attacker can send a large amount of authentication frames to the AP, since

the AP spends a slice of time to process the authentication request, the authentication

frames can hang the AP.

deauthentication flood



39

The victim of deauthentication flood is a pair of AP and STA. Because the

deauthentication frame is not encrypted, attackers can deauthentication any session

easily. Large numbers of deauthentication frame nay make the pair of AP and STA

spends lots of time in establishing connection.

3.9 Summary

With the development and enhancement in 802.11 wireless networks, this technique is

widely spread. Although the nature wireless network make the message transferred on

the fly get exposed easily, it is still become much more popular. The IEEE 802.11

alliance select WEP as their solution to provide security as the wired network, but

WEP is proved a weak method in few years later. To fulfill the secure requirement for

802.11 WLAN, IEEE 802.11 provides a much more complete solution, 802.11i.

802.11i provides lots of security features such as adopting 802.1X port-based access

control to support authentication and access control, two classes of key hierarchy for

key generation and distribution, two protocols for enhancing data confidentiality and

integrity in pre-RSN and RSN environment.

The threats are also discussed. Various kinds of attack and threats occur in reports

everyday and become more complicated. Though the secure mechanisms have large

growth, there still no one can ensure the 802.11wireless network is safe.

3.10 Reference[Arbaugh 01] William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan “Your 802.11

Wireless Network has No Clothes,” Mar. 2001

[CHENG 05] Jyh-Cheng Chen, Ming-Chia Jiang, and Yi-Wenliu “Wireless LAN

security and IEEE 802.11i,” Feb. 2005



[Frankel 06] S. Frankel, B. Eydt, L. Owens, K. Kent “Draft Guide to IEEE 802.11i

Establishing Robust Security Networks,” June 2006

[Gable 05] Eliot Gable “802.11WirelessAuthentication and Encryption,” Mar. 2005

[He] C. He, J. C. Mitchell, “Security Analysis and Improvements for IEEE 802.11i ”

[Karygiannis 02] Tom Karygiannis, Les Owens ”Wireless Network Security 802.11,

Bluetooth and Handheld Devices,” Nov. 2002

a survey on wireless networks-final report.pdf

Documents