Security Improvements within IEEE 802.11i Wireless Local Area Networks (WLANs)


In: Progress in Wireless Communications Research ISBN 978-160021-675-6

Editor: Alfred P. Martinhoff, pp. 279-303


© 2007 Nova Science Publishers, Inc.

Chapter 12

Security Improvements within IEEE 802.11i Wireless Local Area Networks (WLANs)
Cristian Chiţu
Infineon Technologies Austria AG, Siemensstrasse 2, A-9500 Villach, Austria

Abstract
Wireless networks use electromagnetic waves to communicate from one point to
another without relying on a physical connection. They have become very popular, and
a wireless connection is available almost anywhere you go: airports, restaurants,
libraries, colleges, even malls.
Typically, WLANs operate over a fairly limited range, such as an office building or
building campus, and are usually implemented as extensions [1] to existing wired local
area networks to enhance user mobility. The factors that contribute to the popularity
of WLANs are ease of use, inter-operability, compatibility, availability, and different
modes of operation. However, they are not as secure as people would want them to
be. Because WLANs are expanding and the number of people wanting to be connected
to them is growing as well, control and security [2] become harder for network
administrators and everyday users. Wireless security is different from wired network
security, primarily because it gives potential attackers easy access to the transport
medium [3]. It is easier for an attacker to intercept the transmitted data in wireless
mode and, therefore, security is a very important issue.
Attacks on wireless network security are a concern for anyone with a wireless
connection available. New security solutions have been proposed and implemented.
AES is new [4], having been made a standard in 2001. However, it has already been
implemented in many ways, and is seen as a possible solution to security problems.
To improve security, the IEEE formed the 802.11i task group. This task group
proposed a new security architecture known as RSN, which offers centralized
authentication of users and tones down some of the weaknesses of the first security
standard, the WEP protocol [5]. The draft of IEEE 802.11i addressed numerous security
problems and specified two different AES based encryption modes, AES-OCB
[6, 7] and AES-CCMP [8]. Both of them have been submitted to the National Institute
of Standards and Technology (NIST) as new modes of operation. One of these
two modes, AES-CCMP, has been selected as the mandatory-to-implement mode for
IEEE 802.11i. In 2004 the draft became a standard [9], known as the data security
protocol. It considers two encryption algorithms, TKIP for backward compatibility
with WEP and AES-CCMP to provide stronger encryption than WEP.
Much research has been done, or is ongoing, to enhance the security
mechanisms for IEEE 802.11i WLANs. The main purpose of this chapter is to
analyze and understand the security aspects of IEEE 802.11i WLANs. Our analysis
suggests that 802.11i is a well designed standard for data confidentiality, integrity, and
authentication, promising to improve the security of wireless networks.

List of Acronyms

AES Advanced Encryption Standard


AES-CCMP AES with CCMP
AES-OCB AES with OCB
AP Access Point
ARP Address Resolution Protocol
CBC-MAC Cipher Block Chaining Message Authentication Code
CCM Counter with CBC-MAC
CCMP Counter with CBC-MAC Protocol
CRC Cyclic Redundancy Checksum
EAP Extensible Authentication Protocol
EAPOL EAP Over LAN
EAP-TLS EAP - Transport Layer Security
EAP-TTLS EAP - Tunnelled Transport Layer Security
FCS Frame Check Sequence
GEK Group Encryption Key
GIK Group Integrity Key
GMK Group Master Key
GTK Group Transient Key
ICMP Internet Control Message Protocol
ICV Integrity Check Value
IP Internet Protocol
IV Initialization Vector
KCK Key Confirmation Key
KEK Key Encryption Key
LAN Local Area Network
MAC Media Access Control
MIC Message Integrity Code
MK Master Key
MPDU MAC Protocol Data Unit
MSDU MAC Service Data Unit
OCB Offset Codebook
OFDM Orthogonal Frequency Division Multiplexing
PEAP Protected EAP
PMK Pairwise Master Key
PN Packet Number
PRF Pseudo Random Function
PSK Pre-Shared Key
PTK Pairwise Transient Key
RADIUS Remote Authentication Dial In User Service
RC4 Rivest Cipher 4
RSN Robust Security Network
RSNA Robust Security Network Association
RSN IE Robust Security Network Information Element
TEK Temporal Encryption Key
TK Temporal Key
TKIP Temporal Key Integrity Protocol
TMK Temporal MIC Key
WEP Wired Equivalent Privacy
Wi-Fi Wireless - Fidelity
WLAN Wireless Local Area Network
WPA Wi-Fi Protected Access
WPA2 Wi-Fi Protected Access 2

1. Introduction
Nowadays, mobility is something people prefer in everyday life. When thinking about
mobility, the corresponding term is wireless: anything that makes it easier for people to
access data from any place. From mobile phones, pagers and Personal Digital Assistants
(PDAs), to laptop computers, people want to be able to reach each other at any place and at
any time. Wireless networks help them with that process. Millions of wireless devices are
sold every year, including the majority of notebook computers, as well as cell phones and
PDAs. Today most notebooks have 802.11 (popularly known as Wi-Fi) capabilities.

1.1. 802.11 Network


An 802.11 wireless network consists of a group of computers interconnected with each
other through a wireless channel frequency. Basically, there are two modes of connection
[10]: infrastructure (access point preferred) and ad-hoc (peer-to-peer).
The infrastructure mode is characterized by having a centralized AP. Through the AP many
computers can connect to other computers in the same network. In effect, an AP acts as an
Ethernet bridge and forwards the communications on to the appropriate network. As shown
in Figure 1, the AP serves as a central structure that interconnects the wireless adaptors to the
wired network. The AP, in turn, is connected to a switch, which is usually done
to reach an outside internet connection or to interconnect with the wired network. Figure 1
shows two computers connected to the AP through the wireless medium. All computers in the
AP network can be authenticated and monitored to maintain the integrity and security of
the network. However, the biggest security threat derives from the wireless AP and, therefore,
this is a common problem when discussing wireless network security. On one hand people
want their network to be secure, but on the other hand they do not want to spend
time and money on setting the network up in a secure manner.

Figure 1. Infrastructure (access point) wireless network. [Labels in the figure: Desktop PC, Server, Switch, Access Point, Notebook with WLAN (two).]

In comparison with the infrastructure network, the ad-hoc mode is designed for
computers interconnected with each other as peers, without the need for a centralized AP. The
computers are interconnected with each other, as depicted in Figure 2. Because this type of
wireless network has no AP, authentication from one computer to the other is somewhat more
complicated than AP authentication, which resembles authentication in wired networks.
Furthermore, the interconnected computers perform their own
authentications. In terms of security, ad-hoc networks are vulnerable to eavesdropping
and masquerading attacks.

1.2. 802.11 WLAN Standards


IEEE 802.11, the Wi-Fi standard, denotes a set of WLAN standards. Some of the most
popular are 802.11a, 802.11b, 802.11d, 802.11e, 802.11f, 802.11g, 802.11h, and 802.11i.
A brief description of each standard is presented below.
802.11a is a high speed WLAN standard for the 5 GHz band. It has a throughput
of 54 Mbps and uses the OFDM modulation technique. The most commonly used standard at
present is 802.11b. Its products operate in the 2.4 GHz frequency range with a throughput of up to
11 Mbps. Microwave ovens, cordless phones, medical and scientific equipment, as well
as Bluetooth devices, all work within the 2.4 GHz frequency band. 802.11d is a standard
supplementary to the MAC layer in 802.11 to promote worldwide use of 802.11 WLANs. It
allows APs to communicate information on the permissible radio channels with acceptable
power levels for client devices. The devices are automatically adjusted based on geographic
requirements. 802.11e defines a set of Quality of Service (QoS) enhancements for LAN
applications. The standard is considered of critical importance for delay sensitive
applications, such as voice over wireless IP and streaming multimedia. The protocol enhances
the MAC layer. 802.11f, or Inter Access Point Protocol, is a recommendation that describes
an optional extension to 802.11 that provides wireless access point communications among
multi-vendor systems. Similar to 802.11b, 802.11g gives a throughput of up to 54 Mbps. It
also operates in the 2.4 GHz frequency band but uses a different radio technology in order
to boost overall bandwidth. 802.11h focuses on power usage and transmission interference
from 802.11 radio frequencies. It was originally designed to address European regulations
but is now applicable in many other countries. Finally, 802.11i, known as the data security
protocol, is an amendment to the 802.11 standard specifying security mechanisms for
wireless networks. The draft standard was ratified in June 2004, and supersedes the previous
specification WEP, which was shown to have severe security weaknesses.

Figure 2. Ad-hoc wireless network. [Labels in the figure: Desktop PC with WLAN, Notebook with WLAN (two).]

As a long term solution, 802.11i is proposed to provide enhanced MAC layer
security. The standard defines CCMP, which provides strong confidentiality, integrity, and
replay protection. Furthermore, an authentication process, combining the 802.1X
authentication and key management procedures, is performed to mutually authenticate the devices
and generate a fresh session key for data transmissions. 802.11i is supposed to be the right
solution for wireless security and should be able to protect against advanced
attacks by an adversary. This is the case even if the adversary has the most powerful equipment
and techniques for breaking into systems. In other words, an implementation of the 802.11i
protocols in a WLAN should be able to provide sufficient data confidentiality, integrity, and
mutual authentication.

1.3. Wireless Network Security


There are a number of issues that anyone deploying a WLAN needs to be aware of. First
and foremost is the issue of security. In most wired LANs the cables are contained inside
the building, so a would-be hacker must defeat physical security measures (e.g. security
personnel, identity cards and door locks). However, the radio waves used in wireless
networking typically penetrate outside the building, creating a real risk that the network can be
hacked from the parking lot or the street.
Several papers [11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22] dealing with wireless
security have been published so far. Two terms within WLAN security are defined: "threat"
and "attack". A "threat" is a potential violation of security and can be a danger that might
exploit a vulnerability of the system [21]. An "attack" is an actual violation of security:
a deliberate attempt to evade security services and to violate the security
policy of a system [21]. Generally, a distinction between active and passive attacks can
be made, putting the intruder either into the role of a listener or more into the role of a
manipulator. However, no matter what he or she intends to do, any kind of attack is
undesirable, whether it belongs to the first or the second category. Attacks
on wireless networks fall into four basic categories: passive attacks, active attacks,
man-in-the-middle attacks, and jamming attacks [22].
Passive attacks on wireless networks are extremely common and, at the same time, very
difficult to detect. A passive attack on a wireless network may not be malicious in nature.
Passive attacks help an attacker to prepare for an active attack by providing sufficient information
about the system. Once an attacker has gained sufficient information from the passive attack,
he can launch an active attack against the network. Common passive attacks are those that
involve traffic analysis and eavesdropping.
In short, eavesdropping means that someone listens to your transmission by
monitoring and intercepting data passing over the WLAN. This kind of attack is especially
easy within the wireless environment since the transmission travels over the radio path.
Transmission over the radio path allows anyone equipped with a suitable
transceiver and located within the transmission range to listen to the messages sent over the
air. With the use of a special antenna, the unauthorized listener can even monitor traffic
from a location quite far away, staying unrecognized by the sender as well as the intended
and authorized receiver.
There are different types of active attacks that an adversary can launch against a wireless
network. For the most part, these attacks are identical to the kinds of active attacks that
are encountered on wired networks. These include, but are not limited to, spoofing or
masquerading, replay, message modification, and Denial-of-Service (DoS) [11].
Spoofing or masquerading is one of the basic types of active attacks launched to gain
unauthorized access to network resources and services. The intruder will first try to
determine the access parameters of a potentially vulnerable wireless network. Such access
parameters may include a MAC address and an IP address of a particular station. When
the station is not transmitting, the intruder will first reconfigure his or her terminal with the
known information. Once this is done, the intruder’s terminal will appear as the authorized
terminal and will be able to access most of the resources. This technique is known as MAC
spoofing.
During a replay attack, the intruder may use a third-party wireless packet sniffing or
monitoring utility to capture packets exchanged between two wireless entities. Once such
packets are captured, the intruder can analyze the packet content and launch a number of attacks.
One such example could be to initiate a DoS attack. On the other hand, the intruder could
collect sufficient data to crack an encryption key.
Message modification attacks occur when an attacker adds data to an existing
connection in order to hijack the connection or maliciously send data or commands. An attacker
can manipulate control messages and data streams by inserting packets or commands to a
base station or vice versa. Inserting control messages on a valid control channel can result
in the disassociation or disconnection of users from the network.
A DoS attack prevents authorized, and therefore authenticated, users from getting access to
the network resources they want. This type of attack differs from the usual ones in that
its aim is not to gain possession of sensitive information but just to bring down the
organization's network. Flooding APs so that they break down, which can be achieved for example
by a huge ICMP ping flood, is one possible scenario. Such a flooded AP bars users
from connecting to it or interrupts an already existing connection. Other examples of a
denial of service attack are jamming of specific radio frequencies or persistent resending
of a captured disconnect message. In the first scenario no transmission will be possible
anymore because the AP and its associated stations can no longer understand each other. In
the second case the attacker will cause the legitimate user to lose his or her connection
to the AP. Unfortunately, all these attacks remain possible even when strict access
control with strong authentication methods is provided.
Man-in-the-middle is an attack that requires some sophisticated hacking software and
may cause significant levels of disruption and chaos. Because network layer
security typically only provides protection for IP, other protocols are left unprotected and
vulnerable to attacks. With no access control mechanisms someone could, for example,
fool a station by sending a forged ARP message to it, or try to get access to the network
by simulating known, permitted MAC addresses. In this way, the attacker can also place
himself or herself between the AP and the station, presenting himself or
herself as a corporate wireless AP to the station and as the station to the AP. Data between the two
authorized entities will be redirected by the attacker, generating a transmission path from
the station over the attacker to the corporate AP and the other way around, leaving both
authorized parties unaware that their data is being redirected. The authorized, associated station
is connected to the AP, even if not directly. Against this attack, mutual authentication appears to be
very important.
Wireless networks provide security in different ways. Security is defined as the
operations undertaken to protect and defend information and information systems, ensuring
their confidentiality, integrity, authorization, availability, nonrepudiation, and
authentication [21].
Confidentiality ensures an eavesdropper cannot discover the contents of messages being
exchanged between endpoints. It is usually achieved through the use of good encryption
algorithms and keeping the keys secret.
Integrity ensures a third party cannot tamper with the contents of messages exchanged
between endpoints without the endpoints’ knowledge. Integrity is usually achieved by a
Message Authentication Code (MAC), which is like a checksum but incorporates a
cryptographic key in a way that prevents a third party from calculating the MAC on his own. An
attacker attempting to tamper with the message will not be able to construct a correct MAC
for the modified message. Again, keeping the keys secure is an essential element.
Authorization controls who is permitted to do what. The simplest authorization decision
is who is permitted to establish a communication session with whom. More complex
authorization can make finer grained statements about what different endpoints are permitted
to do once communication is established. Authorization decisions are based on the identity
of the participants; hence, authorization typically relies on authentication.
Availability assures that the information and communication services will be ready for
use when expected. Information must be kept available to authorized persons when they
need it.
Nonrepudiation assures that information and/or actions that purport to be from (or
purport not to be from) a user or system are as claimed. In other words, it provides evidence
to prevent a person from unilaterally modifying or terminating obligations arising out of a
transaction effected by computer-based means.
The 802.11 standard provides network security through two methods: authentication and
encryption [21]. Authentication is the means by which one station is verified to have
authorization to communicate with a second station in a given coverage area. In the infrastructure
mode, authentication is established between an AP and each one of the stations.
Authentication applies to passwords and keys used to validate the users in the network. Authentication
itself can be subdivided into two subsets: Open System and Shared Key System. In an Open
System, any wireless station may request authentication from the AP. On the other hand, in a
Shared Key System, only the wireless stations that possess the secret encrypted key are
authenticated.
Encryption is most widely used to ensure data privacy. It should provide a level of security
comparable to that of a wired LAN. Commonly used after user authentication has taken
place, its primary function is to maintain the integrity of the transferred data. Encryption
algorithms have been used for many years and one of them, AES [23, 24], became the new
encryption standard [4]. When talking about wireless network security, encryption is one
of the most important mechanisms used to protect the data.

Figure 3. WEP authentication. [Messages exchanged between Station and Access Point, in order: authentication request; challenge text; challenge response (encrypted challenge text); confirm success.]

1.4. Evolution and Limitations of 802.11 Security


When the IEEE standard for 802.11 was ratified [5], it included an optional standard called
WEP [25, 26, 27, 28, 29, 30] which was designed to provide a level of security equivalent
to that of a wired network. The WEP protocol introduced three main aspects of security
to WLANs: authentication, encryption and integrity checks.
One of the WEP’s components was an authentication process to assist with the need to
ensure that APs only communicate with authorized wireless stations. WEP authentication
is based on a Shared Key also known as the WEP key. Both the station and AP need to have
the same WEP key to be able to allow communication beyond the authentication exchange.
An example of the exchange is shown in Figure 3. First, the station sends an Authentication
Request to AP. AP sends back a random number known as the Challenge Text. After that,
the station encrypts the Challenge Text using the WEP key to create ciphertext. Finally, AP
verifies that the Challenge Text it sent was encrypted with the correct WEP key.
WEP’s encryption is based on the RC4 stream cipher algorithm. The cipher takes
plaintext and applies an encryption key to it, making the output randomized encrypted
ciphertext. The receiving device decrypts the ciphertext using the predetermined encryption
key. Initially, the WEP standard used 40 bit encryption keys but later on the manufacturers
increased the length of their WEP key implementations to 104 bits. To add randomness to the
encryption key, an IV was added to the fixed length encryption key. The addition of the IV
increases the number of bits from 40 and 104 bit keys to 64 bits and 128 bits, respectively.
These are the key sizes supported on all WLAN devices that are WEP compliant.
WEP includes a check field called the ICV. The check value is computed from the plaintext
data before encryption. The value is appended to the plaintext, and encrypted along with
the rest of the data. The idea of the ICV was to provide integrity protection. At the time of initial
release, it was believed that encrypting the ICV value would prevent tampering and ensure
integrity.

Figure 4. TKIP protocol block diagram. [Labels in the figure: transmit address, encryption key, TKIP sequence number of 48 bits, per packet key mixing, per packet WEP key, WEP, Michael key, Michael, fragment, plaintext MSDU, plaintext MSDU + MIC, plaintext MPDU(s), ciphertext MPDU(s).]

It was soon discovered that the WEP security protocol was flawed, and in 2001
Fluhrer et al. [25] published a cryptanalysis of WEP that exploited the way the RC4
algorithm and IV were used in WEP. It was discovered that a passive attack could recover
the RC4 key after eavesdropping on the network for a few hours. Borisov, Goldberg, and
Wagner [26] showed several other attacks, including that encrypted messages could be
modified freely and that the user authentication protocol is trivially defeated.
According to Edney and Arbaugh [27], there are three ways to attack RC4 privacy in WEP:
IV reuse, RC4 weak keys and direct key attack. In 2006, Bittau, Handley, and Lackey [28]
showed that the 802.11 protocol itself can be used against WEP to enable earlier attacks that
were previously thought impractical. After eavesdropping on a single packet, an attacker can
rapidly bootstrap to be able to transmit arbitrary data.

2. Description of 802.11i Features


After the reliability of WEP’s implementation of RC4 for encryption was decimated in
2001 by both the disclosure of its weaknesses and the later exploitation of those
weaknesses, the Wi-Fi Alliance and the 802.11i work-group realized the need to rectify WEP’s broken
encryption scheme. The solutions were TKIP and AES-CCMP [9, 19]. Meanwhile, the Wi-Fi
Alliance had to create a security standard that corporations and home users alike could
implement using their existing equipment. Therefore, they integrated TKIP into their WPA
because it was a standard that could easily be implemented on existing WLAN hardware.
TKIP continues to have RC4 at its core, but introduces changes in the areas of message
integrity, IV creation, and key management. It also plays the part of a wrapper to
increase the security of WEP. While TKIP is considered secure, AES-CCMP is at the core
of 802.11i and is a mode created from the ground up with AES at its center. It is believed
that going forward, true implementations of 802.11i will have AES-CCMP as a long term
solution for encryption and integrity verification. TKIP, AES-CCMP, and their encryption
and integrity verification methods are explained below.

2.1. TKIP as a Short Term Solution within 802.11i


TKIP is a suite of algorithms wrapping WEP; a block diagram is shown in Figure 4.
The protocol adds four new algorithms, as follows: a cryptographic MIC, called Michael,
to defeat forgeries; a new IV sequence discipline, to remove replay attacks; a per-packet
key mixing function, to de-correlate the public IVs from weak keys; and a re-keying
mechanism, to provide fresh encryption and integrity keys. The reason why TKIP is an
improvement on WEP is that it rotates the temporal keys. Therefore, a different key is used for each
packet.
As depicted in Figure 4, when a station transmits an MSDU, the TKIP implementation
uses the Michael Key to compute the MIC of the source and destination MAC addresses,
as well as the MSDU payload. By appending the MIC to the data field, the packet’s data
payload is extended by 8 bytes. Next, the MSDU is fragmented into
MPDUs as needed. A packet Sequence Number is assigned
to each packet. The key mixing function creates a per-packet Encryption Key, represented
as an IV in a base key. Finally, the remaining steps are pure WEP, usually implemented in
hardware.
The MIC integrity check does not allow a hacker to inject data into a
packet, something that would permit the hacker to deduce the key stream used to encrypt the data.
MIC uses a cryptographically protected one way hash in the payload, which ensures that packet
tampering is detected immediately upon decryption. Compared to WEP, TKIP is a costly
process and may degrade performance at many APs, where it can consume every spare
processor cycle.
TKIP also uses RC4 as the encryption algorithm, but it removes the weak key problem.
In addition, it hashes IV values that were sent as plaintext in WEP. TKIP is useful as it can
be used on old hardware, which supports WEP.

2.2. CCMP as a Long Term Solution within 802.11i


CCMP is a required component of any 802.11i implementation and has little resemblance
to WEP. Wireless network confidentiality, integrity, and authentication were CCMP’s
design criteria. CCMP uses 128 bit AES for data protection rather than RC4. While RC4
is not inherently flawed, AES is the new strong symmetric encryption standard [4, 23, 24].
Hardware vendors are creating robust AES encryption processing hardware that can handle
AES as effectively as today’s RC4 encryption hardware.
The AES algorithm is a symmetric key block cipher in which both the sender and receiver
use a single key to encrypt or decrypt the information. The flowchart for AES encryption
is shown in Figure 5 and the component operations are described
below.

Figure 5. Block diagram of the AES encryption. [Flow shown in the figure: Plaintext; Initial Round (KeyAddition); Standard Round (Substitution, ShiftRow, MixColumn, KeyAddition); Final Round (Substitution, ShiftRow, KeyAddition); Ciphertext.]

The encryption and decryption algorithms are organized as a set of iterations called
round transformations (initial, standard, and final). Since the block and key lengths are
128 bits, the total number of rounds is ten. All round transformations are identical, apart from
the final one. Implementing the encryption round of AES requires four
component operations: Substitution, ShiftRow, MixColumn, and KeyAddition.
The Substitution transformation is performed on each byte of the state using sixteen
substitution tables (S-boxes). The inverse transformation of Substitution, InvSubstitution,
is constructed by the same number of inverse S-boxes.
In the ShiftRow transformation, the bytes in the first row of the state do not change. The
second, third, and fourth rows shift cyclically to the left by one byte, two bytes, and three bytes,
respectively. InvShiftRow is the inverse transformation of ShiftRow. In this transformation,
the bytes in the first row of the state do not change; the second, third, and fourth rows shift
cyclically by one byte, two bytes, and three bytes to the right, respectively.
The MixColumn transformation, as well as InvMixColumn, can be expressed as a matrix
multiplication in the Galois Field. The InvMixColumn transformation has a longer critical
path than the MixColumn transformation, and therefore the entire decryption is
more time consuming than encryption.
KeyAddition is a bitwise XOR of two 128 bit words.
To decrypt the ciphertext, the procedure followed is the exact opposite of the encryption
process. That is, a standard round consists of InvSubstitution, InvShiftRow, InvMixColumn,
and KeyAddition operations while the final round consists of the same operations excluding
the InvMixColumn operation.
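The round structure of Figure 5 for a 128 bit key, written out as an added example (it is not code from the chapter). The function names follow the chapter's operation names, the S-box is derived rather than tabulated, and one table serves all sixteen state bytes here.

```python
"""AES-128 block encryption arranged as in Figure 5 (added example)."""


def _xtime(a):
    """Multiply a byte by x in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a


def _gmul(a, b):
    """Multiply two bytes in the Galois field GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _build_sbox():
    """S-box: multiplicative inverse in GF(2^8), then the AES affine map."""
    box = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):          # x^254 is the inverse of x
                inv = _gmul(inv, x)
        s = inv
        for shift in range(1, 5):         # XOR with four left rotations
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        box.append(s ^ 0x63)
    return box


SBOX = _build_sbox()


def substitution(state):
    """Replace every state byte by its S-box value."""
    return [SBOX[b] for b in state]


def shift_row(state):
    """Row r rotates left by r bytes; state index = row + 4 * column."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_column(state):
    """Multiply each column by the fixed matrix (2 3 1 1 / 1 2 3 1 / ...)."""
    out = []
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        for r in range(4):
            out.append(_gmul(a[r], 2) ^ _gmul(a[(r + 1) % 4], 3)
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out


def key_addition(state, round_key):
    """Bitwise XOR of the 128 bit state with the 128 bit round key."""
    return [s ^ k for s, k in zip(state, round_key)]


def expand_key(key):
    """Return the 11 round keys (16 bytes each) for a 128 bit key."""
    if len(key) != 16:
        raise ValueError("AES-128 needs a 16 byte key")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:                    # rotate, substitute, add round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [w[4 * r] + w[4 * r + 1] + w[4 * r + 2] + w[4 * r + 3]
            for r in range(11)]


def encrypt_block(key, block):
    """Initial round, nine standard rounds, one final round without MixColumn."""
    if len(block) != 16:
        raise ValueError("AES works on 16 byte blocks")
    rk = expand_key(key)
    state = key_addition(list(block), rk[0])
    for rnd in range(1, 10):
        state = key_addition(mix_column(shift_row(substitution(state))), rk[rnd])
    state = key_addition(shift_row(substitution(state)), rk[10])
    return bytes(state)


if __name__ == "__main__":
    # FIPS-197 Appendix C.1 vector
    print(encrypt_block(bytes(range(16)),
                        bytes.fromhex("00112233445566778899aabbccddeeff")).hex())
```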
In early 802.11i drafts, two AES schemes were proposed: CCM [8] and OCB [6, 7].
Questions over intellectual property, however, made some members of the 802.11i task
group uncomfortable. Therefore, CCMP has been chosen within the 802.11i standard.
Although there has been some criticism [31], analysis suggests that CCM mode provides
a level of confidentiality and authenticity comparable to OCB mode. It is reasonable to
believe that, once CCMP is implemented, an adversary is not able to break the data
confidentiality and integrity without knowledge of the key. Furthermore, an adversary cannot
obtain useful information about the key through analyzing the ciphertext even if the
corresponding plaintext is known.

Figure 6. MPDU format after CCMP encryption. [Fields shown in the figure: 802.11 Header; IV/KeyID, 4 octets; Extended IV, 4 octets; Data, >= 0 octets; MIC, 8 octets. The figure marks which fields are authenticated and which are encrypted.]

CCM mode [32] uses counter mode for encryption and CBC-MAC for integrity
protection. Both algorithms employ only the encryption primitive at both the sender and the
receiver. CCM mode was designed to meet the following criteria:
• Use a single key to provide confidentiality and integrity. This minimizes the time spent to
compute AES key schedules.
• Allow pre-computation to reduce latency.
• Support pipelining to increase throughput.
• Provide integrity protection for the plaintext header along with integrity and
confidentiality of the packet payload.
• Small implementation size.
• Avoid patent issues.
MPDU format after CCMP encryption is shown in Figure 6. The packet is expanded
by 16 bytes over an unencrypted frame and is identical to a TKIP frame with the exception
of the ICV. Like TKIP, CCMP uses a 48 bit IV called PN which is used along with
other information to initialize the AES cipher for both the MIC calculation and the frame
encryption.
The CCMP encapsulation process [33] is illustrated in Figure 7. CBC-MAC provides
data integrity and, like MIC in TKIP, protects the sender and destination addresses as well
as the frame data from modification. CCMP uses PN as part of the IV. PN increments for
each frame sent, and never repeats for a single temporal key. Like the sequence number in
TKIP, PN provides protection from replay attacks and works in the same way. A frame
with an out of sequence PN, or a frame which has a PN equal or smaller than the current
value of the replay counter, is discarded.

Figure 7. Diagram of the CCMP encapsulation process. [Diagram: MIC calculation over the
clear text frame (Frame Header, PN, Data in 128 bit blocks) and frame encryption with the
counter preloads PL(1), PL(2), ..., PL(n), PL(0), giving the encrypted frame (Frame Header,
PN, Data, MIC, FCS). Legend: AES(K) is AES using 128 bit key K; the second symbol is
bitwise XOR.]

As depicted in Figure 7, the data in the frame is split into 128 bit blocks. To calculate
the MIC, an IV is created by concatenating the priority on reserved bits, the address of the
sender, the PN and other header data. IV is fed into an AES block, and an XOR operation is
applied to the resulting key stream with specific elements in the header of the frame. The
output is then XOR-ed with the first 128 bit block of data. This continues for the entire
length of the frame resulting in a 128 bit CBC-MAC value. The first 64 bits of this value
are used as MIC. The encryption process is initiated by IV and a counter set to 1. The
combined IV and counter value, known as the preload value PL(n), are fed into the AES
block and an XOR operation is applied to the resulting key stream and the first 128 bits of
data. The counter is incremented, and this continues for the length of the entire frame. The
final counter value is set to 0 and fed into the AES block. An XOR operation is applied to
the resulting key stream and the 64 bit MIC value. Finally, the encrypted MIC value is
appended to the encrypted frame.
The CCMP decapsulation process is not shown but is essentially the reverse of the
encapsulation process of Figure 7, with some additional steps. One of these is PN checking.
PN is extracted and if it is not greater than the current value of the replay counter, the frame
is discarded. The last step is MIC checking. A MIC is calculated in the same way and is
compared to the MIC in the received frame. If they are identical, then the frame is passed on
to the higher levels; otherwise it is discarded.
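The encapsulation and decapsulation steps described above, as an added Python example (not code from the chapter or from any 802.11 implementation). It follows the CCM construction of RFC 3610 [8] with an 8 octet MIC and a 2 octet length field, carries its own AES-128 encrypt-only routine, and checks the PN against the replay counter before the MIC. The key, transmitter address, header bytes (AAD) and payload are constructed sample values, and building the AAD from a real 802.11 header is an assumption left outside the example.

```python
import hmac

def _xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1   # times 2 in GF(2^8)

def _make_sbox():
    # S-box = multiplicative inverse in GF(2^8) followed by the affine map.
    exp, log, x = [0] * 256, [0] * 256, 1
    for i in range(255):
        exp[i], log[x] = x, i
        x ^= _xtime(x)                       # multiply by 3, a generator
    sbox = []
    for a in range(256):
        inv = exp[(255 - log[a]) % 255] if a else 0
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _make_sbox()

def aes128_encrypt_block(key, block):
    # Forward AES-128 only: CCM never calls the decryption primitive.
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    rk = [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, 11):
        s = [SBOX[b] for b in s]                             # Substitution
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]   # ShiftRow
        if r < 10:                                           # MixColumn
            m = []
            for c in range(0, 16, 4):
                a = s[c:c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                m += [a[j] ^ t ^ _xtime(a[j] ^ a[(j + 1) % 4]) for j in range(4)]
            s = m
        s = [b ^ k for b, k in zip(s, rk[r])]                # KeyAddition
    return bytes(s)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _mic(tk, nonce, aad, data):
    # CBC-MAC over B0 (flags 0x59, nonce, data length), the header AAD and the data.
    hdr = len(aad).to_bytes(2, "big") + aad
    blocks = (bytes([0x59]) + nonce + len(data).to_bytes(2, "big")
              + hdr + bytes(-len(hdr) % 16) + data + bytes(-len(data) % 16))
    x = bytes(16)
    for i in range(0, len(blocks), 16):
        x = aes128_encrypt_block(tk, _xor(x, blocks[i:i + 16]))
    return x[:8]                             # first 64 bits form the MIC

def _ks(tk, nonce, ctr):
    return aes128_encrypt_block(tk, bytes([1]) + nonce + ctr.to_bytes(2, "big"))

def _ctr(tk, nonce, data):
    return b"".join(_xor(data[i:i + 16], _ks(tk, nonce, i // 16 + 1))
                    for i in range(0, len(data), 16))

def ccmp_encapsulate(tk, ta, pn, aad, data, priority=0):
    nonce = bytes([priority]) + ta + pn.to_bytes(6, "big")
    mic = _xor(_mic(tk, nonce, aad, data), _ks(tk, nonce, 0))   # counter 0
    return _ctr(tk, nonce, data) + mic

def ccmp_decapsulate(tk, ta, pn, aad, body, replay_counter, priority=0):
    if pn <= replay_counter:
        raise ValueError("replay: PN not greater than replay counter")
    nonce = bytes([priority]) + ta + pn.to_bytes(6, "big")
    data = _ctr(tk, nonce, body[:-8])
    mic = _xor(body[-8:], _ks(tk, nonce, 0))
    if not hmac.compare_digest(mic, _mic(tk, nonce, aad, data)):
        raise ValueError("MIC mismatch: frame discarded")
    return data, pn                          # pn is the new replay counter

# Constructed sample values, not captured traffic.
TK = bytes(range(16))
TA = bytes.fromhex("02aabbccddee")
AAD = bytes.fromhex("0841") + TA             # stand-in for the protected header fields
DATA = b"constructed payload"
```

Because the header bytes enter only the CBC-MAC, changing them leaves the ciphertext untouched but makes the MIC check fail at the receiver.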

Table 1. Comparison of security protocols.

Security protocol | WEP                       | TKIP                                        | CCMP
Cipher            | RC4                       | RC4                                         | AES
Key length        | 40 or 104 bits encryption | 128 bits encryption, 64 bits authentication | 128 bits
Key life          | 24 bit IV                 | 48 bit IV                                   | 48 bit IV
Key generation    | concatenation             | mixing function                             | not needed
Key management    | none                      | IEEE 802.1X                                 | IEEE 802.1X
Data integrity    | CRC-32                    | Michael                                     | CCM

Figure 8. 802.11i operational phases. [Diagram: Station, Access Point and Authentication
Server, with the phases security policy agreement, 802.1X authentication, key derivation
and distribution (MK distribution by RADIUS), and RSNA data confidentiality and integrity.]

To complete this subsection, the wireless attacks on CCMP are discussed. With regard
to traffic analysis and eavesdropping attacks, an adversary may eavesdrop on traffic,
but it cannot decrypt the packets because it has no way to discover the temporal keys.
Furthermore, since the IP header of the messages is encrypted, the adversary can only obtain
limited information through traffic analysis. However, the adversary does have some ways
to discover useful information, because the MAC header is not encrypted and therefore the
packet size and frequency are observable. Fortunately, in most scenarios such information
leakage is not considered to be harmful. Masquerading attacks on data frames are completely
eliminated because a strong MIC prevents an adversary from inserting a forged data message.
For message modification attacks, the adversary is able to delete a packet in any case.
However, this can be handled by the retransmission mechanism or higher layer protocols.
Moreover, the adversary is also able to intercept a packet and forward it to the receiver later.
The forwarded packet could have been correctly encrypted with a valid MIC.
However, the receiver is likely to recognize this as an out of order packet and discard it
silently.
In summary, against eavesdropping, masquerading, and message modification attacks,
CCMP appears to provide satisfactory data confidentiality, integrity, and replay protection
for data packets, as intended. However, since management and control frames are neither
encrypted nor authenticated by the encryption algorithm, they are still vulnerable to these
attacks. In addition, CCMP requires hardware upgrades and might have some impacts on
performance.
The wireless network security methods explained so far are summarized in Table 1. Note
that both protocols, TKIP and CCMP, address all known WEP problems.

2.3. RSNA Establishment Procedure


The 802.11i standard seeks to address all the security issues concerning WLANs and is
essentially split into three main parts: TKIP and CCMP both offer confidentiality and data
integrity, and IEEE 802.1X provides authentication. TKIP is designed for legacy devices
and hardware that can only support WEP, while CCMP is a more advanced, robust protocol
designed for all new devices. Either of these can be combined with 802.1X authentication;
when 802.1X is combined with TKIP, it is known as WPA, and when 802.1X is combined
with CCMP, it is known as WPA2. WPA was introduced in October 2003 as
an interim solution, to immediately address the security flaws in WEP. At that time, the
802.11i standard was still under development.
The 802.11i RSNA establishment procedure [34] consists of 802.1X authentication and key
management protocols. Three entities are involved: a wireless station, an
AP, and an authentication server (a RADIUS server [35]). Establishing a secure
communication context consists of four phases, as presented in Figure 8:
• agreeing on the security policy,
• 802.1X authentication,
• key derivation and distribution,
• RSNA data confidentiality and integrity.

2.3.1. Phase1: Agreeing on the Security Policy

802.11i specifies the RSN IE, which incorporates RSN security information including RSN
capabilities, authentication, and cipher key selectors. As illustrated in Figure 9, the RSN IE
contains a list of authentication and cipher selector fields for communications. Element ID
should always be 48 in decimal and Length indicates the number of octets in the information
field. Version shows the version number of the RSNA protocol. Pairwise Key Cipher
Suite Count indicates the number of Pairwise Key Cipher Suites that are contained in the
Pairwise Key Cipher Suite List field. Group Key Cipher Suite is the cipher suite which is
associated between communicating peers. Similarly, Authentication and Key Management
Suite Count indicates the number of Authentication and Key Management Suites that are
contained in the Authentication and Key Management Suite List field. RSN Capabilities
lets the receiver know which security mechanisms the sender supports.

Element ID | Length | Version | Group Key Cipher Suite | Pairwise Key Cipher Suite Count |
Pairwise Key Cipher Suite List | Authentication and Key Management Suite Count |
Authentication and Key Management Suite List | RSN Capabilities

Figure 9. RSN IE format.

Station -> Access Point: probe request
Access Point -> Station: probe response + RSN IE (CCMP multicast, CCMP unicast, 802.1X authentication)
Station -> Access Point: 802.11 open system authentication
Access Point -> Station: 802.11 open system authentication - success
Station -> Access Point: association request + RSN IE (station request: CCMP multicast, CCMP unicast, 802.1X authentication)
Access Point -> Station: association response - success

Figure 10. Phase1: Agreeing on the security policy.

The first phase requires the communicating parties to agree on the security policy to
use, as depicted in Figure 10. Security policies supported by AP are advertised in a Probe
Response which follows a Probe Request from the station. After that, a standard Open
System Authentication is initiated. The station response is included in the Association Request
message validated by an Association Response from AP. The security policy information is
sent in the RSN IE field including: supported authentication methods (802.1X, PSK),
security protocols for unicast traffic (CCMP, TKIP etc.) identified as Pairwise Cipher Suite,
and security protocols for multicast traffic (CCMP, TKIP etc.) identified as Group Cipher
Suite.
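An added example (not from the chapter) that parses the RSN IE fields of Figure 9 with bounds checks and reports what a peer advertises. It assumes the 00-0F-AC suite selectors defined by 802.11i (cipher types 1 = WEP-40, 2 = TKIP, 4 = CCMP, 5 = WEP-104; AKM types 1 = 802.1X, 2 = PSK), that every field of Figure 9 is present, and a hypothetical `policy_findings` audit rule; both elements are constructed samples.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

class RSNIEError(ValueError):
    """Raised for a malformed or truncated RSN IE."""

def _suite(buf, off, names):
    # One 4 octet selector: 3 octet OUI followed by the suite type.
    if off + 4 > len(buf):
        raise RSNIEError("truncated suite selector")
    oui, kind = buf[off:off + 3], buf[off + 3]
    if oui != RSN_OUI:
        return f"vendor({oui.hex()}:{kind})", off + 4
    return names.get(kind, f"unknown({kind})"), off + 4

def _suite_list(buf, off, names):
    # 2 octet little-endian count followed by that many selectors.
    if off + 2 > len(buf):
        raise RSNIEError("truncated suite count")
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if count == 0 or off + 4 * count > len(buf):
        raise RSNIEError("suite count does not fit the element")
    suites = []
    for _ in range(count):
        name, off = _suite(buf, off, names)
        suites.append(name)
    return suites, off

def parse_rsn_ie(ie):
    if len(ie) < 4 or ie[0] != 48:
        raise RSNIEError("not an RSN IE: Element ID must be 48")
    if ie[1] != len(ie) - 2:
        raise RSNIEError("Length field disagrees with the element size")
    body = ie[2:]
    (version,) = struct.unpack_from("<H", body, 0)
    group, off = _suite(body, 2, CIPHERS)
    pairwise, off = _suite_list(body, off, CIPHERS)
    akm, off = _suite_list(body, off, AKMS)
    if off + 2 > len(body):
        raise RSNIEError("truncated RSN Capabilities")
    (caps,) = struct.unpack_from("<H", body, off)
    return {"version": version, "group": group, "pairwise": pairwise,
            "akm": akm, "capabilities": caps}

def policy_findings(rsn):
    # Hypothetical audit rule: flag any cipher other than CCMP and any PSK offer.
    findings = []
    weak = sorted({c for c in [rsn["group"], *rsn["pairwise"]] if c != "CCMP"})
    if weak:
        findings.append("non-CCMP cipher offered: " + ", ".join(weak))
    if "PSK" in rsn["akm"]:
        findings.append("PSK authentication offered")
    return findings

# Constructed sample elements (not captured from a real network).
AP_CCMP_8021X = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                              "0100" "000fac01" "0000")
AP_MIXED_PSK = bytes.fromhex("3018" "0100" "000fac02" "0200" "000fac04" "000fac02"
                             "0100" "000fac02" "0000")
```

The first sample matches the policy shown in Figure 10 (CCMP multicast, CCMP unicast, 802.1X authentication) and produces no findings; the second advertises TKIP and PSK and is flagged.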

2.3.2. Phase2: 802.1X Authentication


IEEE 802.1X authentication is aimed at corporations with existing authentication
infrastructure in place, such as RADIUS servers. 802.1X [36] uses EAP [37] as the transport
protocol used for authentication. It should be noted that EAP is a transport method, not an
authentication method. There are many authentication methods which can use EAP, such
as smart cards and passwords. Common secure authentication types include EAP-TLS,
EAP-TTLS, and PEAP. 802.1X is a port based authentication framework and operates on
a concept of a controlled and uncontrolled port.

Access Point -> Station: 802.1X/EAP - request identity
Station -> Access Point: 802.1X/EAP - response identity
Access Point -> Authentication Server: RADIUS access request identity
Station <-> Authentication Server: EAP messages specific to the chosen method
Authentication Server -> Access Point: RADIUS accept, MK distribution
Access Point -> Station: 802.1X/EAP success

Figure 11. Phase2: 802.1X Authentication.

The second phase is shown in Figure 11 and represents 802.1X authentication methods
as follows: EAP-TLS with station and server certificates (requiring a public key
infrastructure), EAP-TTLS and PEAP for hybrid authentication (with certificates required only
for servers). 802.1X authentication is initiated when AP requests station identity data. The
station's response contains the preferred authentication method. After that, suitable messages
are exchanged between the station and the authentication server to generate a common MK.
At the end of the procedure, a RADIUS Accept message is sent from the authentication
server to AP, containing the MK and a final EAP Success message for the station.

2.3.3. Phase3: Key Derivation and Distribution


The keys play a very important role in the connection security and within RSNA each one
has a limited lifetime. Overall security is ensured using an organized key system. After
successful authentication, temporal keys are created and regularly updated until the security
context is closed. The third phase consists of key generation and exchange, as seen in
Figure 12. Two handshakes [38, 39, 40] occur during key derivation as follows:
• 4-way handshake for PTK and GTK derivation,
• group key handshake for GTK renewal.

Figure 12. Phase3: Key derivation and distribution. [Diagram: Station, Access Point and
Authentication Server; MK transmission, then the 4-way handshake (PTK and GTK derivation
and distribution), then the group key handshake for GTK renewal (GTK derivation and
distribution).]

The pairwise key hierarchy is summarized in Figure 13. There are two ways to obtain
PMK, depending on the authorization method which is used. First, if a PSK is used, then
PMK becomes PSK. This case is a solution for home networks and small enterprises that
have no authentication server. Second, PMK is derived from the 802.1X authentication
MK when an authentication server is used. However, whichever way is chosen, PMK is
never used for encryption or integrity checking. Using an algorithm called PRF, a temporal
encryption key named PTK is derived from PMK. The length of the PTK depends
on the encryption protocol: 512 bits for TKIP and 384 bits for CCMP. PTK consists
of several temporal keys: KCK for authenticating messages (MIC), KEK to ensure data
confidentiality, TK for data encryption (used by TKIP or CCMP), and TMK for data
authentication used only by Michael with TKIP. TMK is divided in two parts, one for each
side of the communication.
The 4-way handshake, initiated by AP, does several things: confirms the PMK between
the station and AP, performs the first group key handshake, authenticates the security
parameters that were negotiated, provides keying material to implement the group key
handshake, and establishes the temporal keys to be used by the data confidentiality protocol.
Four EAPOL-key messages are exchanged between the station and AP during the 4-way
handshake and this process is illustrated in Figure 14. In the first message, AP sends
the station a message which contains key information and a nonce called ANonce.
Essentially, a nonce is a random or pseudo random value. The station generates its own random
number SNonce and can now calculate PTK and derive temporal keys. In the second
message, the station sends the SNonce and the MIC calculated using KCK from the pairwise
key hierarchy. When AP receives the second message, it can extract SNonce, calculate
PTK and derive temporal keys. Furthermore, it can verify the value of the MIC and be
sure that the station knows the PMK and has correctly calculated the PTK and derived
temporal keys. In the third message, AP sends to the station the GTK (see Figure 15 for
details) encrypted with KEK along with a MIC calculated using KCK. When the station
receives this message, MIC is checked to ensure that AP knows the PMK and has correctly
calculated the PTK and derived temporal keys. The fourth message acknowledges the
completion of the whole handshake and indicates that the station will now install the key and
start encryption. AP installs its keys after verifying the MIC value sent by the station. The
station and AP have now obtained, computed and installed encryption keys and are able
to communicate over a secure channel.
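The key derivation and MIC checks of the 4-way handshake described above, as an added Python example that is not part of the chapter. It uses the 802.11i PRF (iterated HMAC-SHA1 with the label "Pairwise key expansion") and assumes HMAC-SHA1 truncated to 128 bits as the EAPOL-Key MIC, as used with CCMP. The PMK, MAC addresses, nonces and message bodies are constructed stand-ins for real EAPOL-Key frames, and GTK transport under KEK is omitted.

```python
import hashlib
import hmac

def prf(key, label, data, nbits):
    # 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbits // 8]

def derive_ptk(pmk, aa, spa, anonce, snonce, cipher="CCMP"):
    # Sorting the addresses and nonces makes both peers feed identical input.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512 if cipher == "TKIP" else 384)
    keys = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if cipher == "TKIP":                     # Michael keys exist only for TKIP
        keys["TMK1"], keys["TMK2"] = ptk[48:56], ptk[56:64]
    return keys

def eapol_mic(kck, message):
    # Assumed MIC algorithm: HMAC-SHA1 truncated to 128 bits.
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]

def four_way_handshake(ap_pmk, sta_pmk, aa, spa, anonce, snonce):
    """Walk the four messages and return (ok, detail)."""
    # Message 1, AP -> station: ANonce. The station can now derive its PTK.
    sta = derive_ptk(sta_pmk, aa, spa, anonce, snonce)
    # Message 2, station -> AP: SNonce + MIC keyed with the station's KCK.
    msg2 = b"msg2|" + snonce
    mic2 = eapol_mic(sta["KCK"], msg2)
    ap = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    if not hmac.compare_digest(mic2, eapol_mic(ap["KCK"], msg2)):
        return False, "message 2 MIC failed: station does not hold the AP's PMK"
    # Message 3, AP -> station: MIC keyed with the AP's KCK (GTK omitted here).
    msg3 = b"msg3|" + anonce
    mic3 = eapol_mic(ap["KCK"], msg3)
    if not hmac.compare_digest(mic3, eapol_mic(sta["KCK"], msg3)):
        return False, "message 3 MIC failed: AP does not hold the station's PMK"
    # Message 4, station -> AP: acknowledgement + MIC, then both sides install TK.
    msg4 = b"msg4|ack"
    if not hmac.compare_digest(eapol_mic(sta["KCK"], msg4), eapol_mic(ap["KCK"], msg4)):
        return False, "message 4 MIC failed"
    return True, "TK installed on both sides"

# Constructed sample values; real nonces are fresh random 256 bit values.
PMK = hashlib.sha256(b"constructed PMK").digest()
AA = bytes.fromhex("02aabbccdd01")           # AP MAC address
SPA = bytes.fromhex("02aabbccdd02")          # station MAC address
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()
```

The PMK never appears on the air in this exchange: each side proves knowledge of it only through a MIC keyed with the derived KCK.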

PSK or MK
  -> PMK (256 bits)
  -> PRF
  -> PTK (512 bits for TKIP, 384 bits for CCMP)

Key        | Size     | PTK bits  | Note
KCK        | 128 bits | 0 - 127   |
KEK        | 128 bits | 128 - 255 |
TEK (= TK) | 128 bits | 256 - 383 |
TMK1       | 64 bits  | 384 - 447 | transmission, TKIP
TMK2       | 64 bits  | 448 - 511 | reception, TKIP

Figure 13. Pairwise key hierarchy.

The group key hierarchy is summarized in Figure 15. By using PRF, GTK is generated
from a master key called GMK, a fixed string, the MAC address of AP and a random
number GNonce. The length of GTK depends on the encryption protocol: 256 bits for TKIP
and 128 bits for CCMP. GTK is divided into temporal keys: GEK for data encryption
(used by TKIP or CCMP) and GIK for data authentication used only by Michael with
TKIP.
Two EAPOL-key messages are exchanged between the station and AP during the group
key handshake and this process is illustrated in Figure 16. AP initiates the first message by
using the random GNonce and calculating a new GTK. It sends the encrypted GTK using
KEK, the GTK sequence number and the MIC calculated using KCK. When the message
is received by the station, MIC is verified and GTK can be decrypted. The second message
acknowledges the completion of the group key handshake by sending the GTK sequence
number and the MIC calculated on this second message. AP installs the new GTK after
verifying the MIC value.
It should be noted that a STAkey handshake also exists, but it is not discussed here.
It supports the generation of a secret transient key called STAkey by the AP for ad-hoc
connections.

Access Point -> Station: EAPOL-key (ANonce + Access Point RSN IE)
Station -> Access Point: EAPOL-key (SNonce + MIC + Station RSN IE)
Access Point -> Station: EAPOL-key (MIC + GTK encrypted + Access Point RSN IE)
Station -> Access Point: EAPOL-key acknowledge (MIC)

Figure 14. 4-way handshake.

2.3.4. Phase4: RSNA Data Confidentiality and Integrity

All the keys generated previously are used in protocols supporting RSNA data
confidentiality and integrity: TKIP and CCMP. Both protocols are discussed in detail at the
beginning of this section.

2.4. 802.11i Security Analysis


The 802.11i standard was designed to cover all weaknesses of WEP and offers effective
data confidentiality and integrity when CCMP is used. However, implementing all the
advanced features of 802.11i means that a hardware and software upgrade is mandatory.
This process might be complex and very expensive as well. As a consequence, some users
have decided that WPA is good enough for them although 802.11i offers better security.
The most practical vulnerability is the attack against PSK in RSNA. As already discussed,
PSK provides an alternative to 802.1X PMK generation using an authentication
server. PSK can be derived from a passphrase [41], which makes PSK vulnerable to both
dictionary and brute force offline attacks. An implementation should carefully choose a
good passphrase or directly use a 256 bit random value to eliminate this vulnerability.
The Michael MIC also has known weaknesses [42] resulting from its design. While
a cryptographic MIC is usually designed to resist known plaintext attacks, Michael is
vulnerable to such attacks since it is invertible. It is possible to discover the secret MIC key given
a single known message and its MIC value.
Attacks with 802.1X message spoofing (EAP-Start, EAP-Logoff, EAP-Failure) were
first described by Mishra and Arbaugh [43]. Forging of EAP-Start, EAP-Logoff, and
EAP-Failure messages becomes easier but the attacker needs expensive equipment to disturb the
network flow.
802.11i is also vulnerable to DoS attacks during the 4-way handshake. He and Mitchell
[44] identified two more types of DoS attacks: RSN IE poisoning and 4-way handshake
blocking. They also provide countermeasures to these attacks.

GMK (256 bits), "Group Key Expansion", Access Point MAC, GNonce
  -> PRF
  -> GTK (256 bits for TKIP, 128 bits for CCMP)

Key | Size     | GTK bits  | Note
GEK | 128 bits | 0 - 127   |
GIK | 128 bits | 128 - 255 | TKIP

Figure 15. Group key hierarchy.

3. Conclusion
802.11i can be viewed as consisting of two layers. On the lower level are improved
encryption algorithms in the form of TKIP and CCMP. Both of these encryption protocols
provide enhanced data integrity over WEP, with TKIP being targeted at legacy equipment
and CCMP being targeted at future WLAN equipment. Above TKIP and CCMP is
802.1X, a standard for port based access control. As used in 802.11i, 802.1X provides a
framework for robust user authentication and encryption key distribution.
The 802.11i standard is written in such a way that it is extensible to support the addition of
new encryption protocols should they be required in the future. An infrastructure wireless
network can support the simultaneous use of more than one encryption protocol and the
station and AP use the highest level of security that both can mutually support. However, a
true RSN uses only the CCMP protocol for all equipment.
In addition to TKIP encryption, 802.11i defines a new encryption method based on
AES which is considered state of the art in encryption technology. Unlike TKIP, CCMP
was not designed for backward compatibility and in many cases new Wi-Fi hardware which
has processor support for AES will be required for optimal performance. In most cases,
station computers with fast microprocessor support will be upgradeable to support AES
with a software driver upgrade.

Access Point -> Station: EAPOL-key (MIC + GTK + Group)
Station -> Access Point: EAPOL-key (Group + MIC)

Figure 16. Group key handshake.

In terms of security, 802.11i provides a system for greatly enhanced security within
Wi-Fi equipment. Through the use of improved encryption protocols and the 802.1X standard
for improved authentication, 802.11i provides improved security for both legacy and future
Wi-Fi hardware.

References
[1] Carli, M., Rossetti, A., & Neri, A. (2003). Integrated Security Architecture for WLAN.
Proceedings of the IEEE ICT’2003.

[2] Shunman, W., Ran, T., Yue, W., & Ji, Z. (2003). WLAN and its Security Problems.
Proceedings of the PDCAT’2003.

[3] Arbaugh, W. A. (2003). Wireless Security is Different. IEEE Computer, 36, 99-101.

[4] National Institute of Standards and Technology (2001). Advanced Encryption Standard
(AES). FIPS Pub 197.

[5] 802.11. (1999). IEEE Standard for Information technology - Telecommunications and
information exchange between systems - Local and metropolitan area networks - Specific
requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical
Layer (PHY) specifications. IEEE Computer Society.

[6] Rogaway, P., Bellare, M., Black, J., & Krovetz, T. (2001). OCB: A Block-Cipher
Mode of Operation for Efficient Authenticated Encryption. Proceedings of the 8th
ACM Conference.

[7] Chiţu, C., & Glesner, M. (2005). An FPGA Implementation of the AES-Rijndael in
OCB/ECB Modes of Operation. Microelectronics Journal, 36 (2), Elsevier, 139-146.

[8] Whiting, D., Housley, R., & Ferguson, N. (2003). Counter with CBC-MAC (CCM).
RFC 3610.

[9] 802.11i. (2004). IEEE Standard for Information technology - Telecommunications
and information exchange between systems - Local and metropolitan area networks -
Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and
Physical Layer (PHY) specifications - Amendment 6: Medium Access Control (MAC)
Security Enhancements. IEEE Computer Society.

[10] Arbaugh, W. A., Shankar, N., Wan, Y. C. J., & Zhang, K. (2002). Your 802.11 Wireless
Network has no Clothes. IEEE Wireless Communications, 44-51.

[11] Karygiannis, T., & Owens, L. (2002). Wireless Network Security 802.11, Bluetooth
and Handheld Devices Draft. National Institute of Standards and Technology Special
Publication 800-48.

[12] Lapitiotis, G., Byungsuk, K., Das, S., & Anjum, F. (2005). A policy-based approach
to wireless LAN security management. Workshop of the 1st International Conference
on Security and Privacy for Emerging Areas in Communication Networks.

[13] Zhang, L., Han, W., Zheng, D., & Chen, K. (2005). A security solution of WLAN
based on public key cryptosystem. Proceedings of the 11th International Conference
on Parallel and Distributed Systems.

[14] Prasithsangaree, P., & Krishnamurthy, P. (2004). Analysis of tradeoffs between security
strength and energy savings in security protocols for WLANs. Proceedings of the
60th IEEE Vehicular Technology Conference.

[15] Sorman, M., Kovac, T., & Maurovic, D. (2004). Implementing improved WLAN security.
Proceedings of the 46th International Symposium of Electronics in Marine.

[16] Park, J. S., & Dicoi, D. (2003). WLAN security: current and future. IEEE Internet
Computing, 7 (5), 60-65.

[17] Wang, S., Tao, R., Wang, Y., & Zhang, J. (2003). WLAN and it’s security problems.
Proceedings of the 4th International Conference on Parallel and Distributed Computing,
Applications and Technologies.

[18] Majstor, F. (2003). WLAN security threats & solutions. Proceedings of the 28th Annual
IEEE International Conference on Local Computer Networks.

[19] Potter, B. (2003). Wireless security’s future. IEEE Security & Privacy Magazine, 1,
(4), 68-72.

[20] Schmoyer, T. R., Yu Xi, L., & Owen, H. L. (2004). Wireless intrusion detection and
response: a classic study using main-in-the-middle attack. Proceedings of the IEEE
Wireless Communications and Networking Conference, 2.

[21] Stallings, W. (2005). Cryptography and Network Security: Principles and Practices.
NJ, 4th edition: Prentice-Hall.

[22] Shimonski, R. (2002). Security+ Study Guide and DVD Training System. MA, 1st
edition: Syngress Publishing.

[23] Chiţu, C., Chien, D., Chien, C., Verbauwhede, I., & Chang, F. (2002). A Hardware
Implementation in FPGA of the Rijndael Algorithm. Proceedings of the 45th IEEE
International Midwest Symposium on Circuits and Systems, I.

[24] Chiţu, C., & Glesner, M. (2003). Design and Performance of an AES-Rijndael ASIC.
Proceedings of the 4th IEEE Electronic Circuits and Systems Conference.

[25] Fluhrer, R., Mantin, I., & Shamir, A. (2001). Weaknesses in the key schedule algorithm
of RC4. Proceedings of the 4th Annual Workshop on Selected Areas of Cryptography.

[26] Borisov, N., Goldberg, I., & Wagner, D. (2001). Intercepting mobile communications:
The insecurity of 802.11. Proceedings of the International Conference on Mobile
Computing and Networking.

[27] Edney, J., & Arbaugh, W. (2003). Real 802.11 Security: Wi-Fi Protected Access and
802.11i. Boston: Addison-Wesley.

[28] Bittau, A., Handley, M., & Lackey, J. (2006). The Final Nail in WEP’s Coffin.
Proceedings of the IEEE Symposium on Security and Privacy.

[29] Housley, R., & Arbaugh, W. (2003). Security problems in 802.11-based networks.
Communications of the ACM, 46 (5), 31-34.

[30] Cam-Winget, N., Housley, R., Wagner, D., & Walker, J. (2003). Security flaws in
802.11 data link protocols. Communications of the ACM, 46 (5), 35-39.

[31] Rogaway, P., & Wagner, D. (2003). A critique of CCM. Cryptology ePrint Archive:
Report 2003/070.

[32] National Institute of Standards and Technology (2004). Recommendation for Block
Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality.
NIST Special Publication 800-38C.

[33] Jang, H. Y., Shim, J. H., Suk, J. H., Hwang, I. C., & Choi, J. R. (2004). Compatible
design of CCMP and OCB AES cipher using separated encryptor and decryptor for
IEEE 802.11i. Proceedings of the International Symposium on Circuits and Systems.

[34] Sithirasenan, E., Zafar, S., & Muthukkumarasamy, V. (2006). Formal verification of
the IEEE 802.11i WLAN security protocol. Proceedings of the 2006 Australian Software
Engineering Conference.

[35] Rigney, C., Willens, S., Rubens, A., & Simpson, W. (2000). Remote Authentication
Dial In User Service (RADIUS). RFC 2865.

[36] 802.1X. (2004). IEEE Standard for Local and metropolitan area networks. Port-based
Network Access Control. IEEE Computer Society.

[37] Aboba, P., Blunk, L., Carlson, J., Levkowetz, E., & Vollbrecht, J. (2004). Extensible
Authentication Protocol (EAP). RFC 3748.

[38] Altunbasak, H., & Owen, H. (2004). Alternative Pair-wise Key Exchange Protocols
for Robust Security Networks (IEEE 802.11i) in Wireless LANs. Proceedings of the
IEEE Southeast Conference.

[39] He, C., & Mitchell, J. C. (2004). Analysis of the 802.11i 4-Way Handshake.
Proceedings of the 3rd ACM International Workshop on Wireless Security.

[40] He, C., Sundarajan, M., Datta, A., Derek, A., & Mitchell, J. C. (2005). A Modular
Correctness Proof of IEEE 802.11i and TLS. Proceedings of the 12th ACM Conference
on Computer and Communication Security.

[41] Moskowitz, R. (2003). Weakness in Passphrase Choice in WPA interface. ICSA Labs.

[42] Wool, A. (2004). A Note on the Fragility of the “Michael” Message Integrity Code.
IEEE Transactions on Wireless Communications, 3 (5), 1459-1462.

[43] Mishra, A., & Arbaugh, W. A. (2002). An initial security analysis of the IEEE 802.1X
standard. Technical Report CS-TR-4328, UMIACS-TR-2002-10, University of Maryland.

[44] He, C., & Mitchell, J. C. (2005). Security analysis and improvements for IEEE
802.11i. Proceedings of the 12th Annual Network and Distributed System Security
Symposium.
