Security Improvements within IEEE 802.11i Wireless Local Area Networks (WLANs)
Chapter 12
Abstract
Wireless networks use electromagnetic waves to communicate from one point to
another without relying on a physical connection. They have become very popular: almost
anywhere you go has a wireless connection available, including airports, restaurants,
libraries, colleges, even malls.
Typically, WLANs operate over a fairly limited range, such as an office building or
building campus, and usually are implemented as extensions [1] to existing wired local
area networks to enhance user mobility. The factors that contribute to the popularity
of WLANs are ease of use, interoperability, compatibility, availability, and different
modes of operation. However, they are not as secure as people would want them to
be. Because WLANs are expanding and the number of people wanting
to be connected to them is expanding as well, control and security [2] become harder
for network administrators and everyday users. Wireless security is different
from wired network security, primarily because it gives potential attackers easy
access to the transport medium [3]. It is easier for an attacker to intercept the transmitted
data in wireless mode and, therefore, security is a very important issue.
Wireless network security attacks are a concern for people with available wireless
connections. New security solutions have been proposed and implemented. AES is new
[4], since it was made a standard in 2001. However, it has already been implemented
in many ways, and is seen as a possible solution to security problems.
To improve security, the IEEE formed the 802.11i task group. This task group
proposed a new security architecture known as RSN, which offers centralized
authentication of users and tones down some of the weaknesses of the first security standard,
the WEP protocol [5]. The draft of IEEE 802.11i addressed numerous
security problems and specified two different AES-based encryption modes, AES-OCB
[6, 7] and AES-CCMP [8]. Both of them have been submitted to the National
Institute of Standards and Technology (NIST) as new modes of operation. One of these
two modes, AES-CCMP, has been selected as the mandatory-to-implement mode for
280 Cristian Chiţu
IEEE 802.11i. In 2004 the draft became a standard [9], known as the data security
protocol. It considers two encryption algorithms, TKIP for backward compatibility
with WEP and AES-CCMP to provide stronger encryption than WEP.
Much research has been done, or is ongoing, to enhance the security
mechanisms for IEEE 802.11i WLANs. The main purpose of this chapter is to
analyze and understand the security aspects of IEEE 802.11i WLANs. Our analysis
suggests that 802.11i is a well-designed standard for data confidentiality, integrity, and
authentication, promising to improve the security of wireless networks.
List of Acronyms
1. Introduction
Nowadays, mobility is something that people want every day. When thinking about
mobility, the corresponding term is wireless: anything that makes it easier for people to
access data from any place. From mobile phones, pagers and Personal Digital Assistants
(PDAs), to laptop computers, people want to be able to reach each other at any place and at
any time. Wireless networks help them with that process. Millions of wireless devices are
sold every year, including the majority of notebook computers, as well as cell phones and
PDAs. Today most notebooks have 802.11 (popularly known as Wi-Fi) capabilities.
[Figure: network diagram; surviving labels: Desktop PC, Server, Switch, Access Point]
the network. However, the biggest security threat derives from the wireless AP and, therefore,
this is a common problem when discussing wireless network security. On the one hand, people
want their network to be secure, but on the other hand they do not want to spend
time and money on setting the network up in a secure manner.
In comparison with the infrastructure network, the ad-hoc mode is designed for having
computers interconnected to each other as peers, without the need for a centralized AP. The
computers are interconnected to each other, as depicted in Figure 2. This type of
wireless network has no AP; authentication from one computer to the other is somewhat more
complicated than AP authentication, which resembles the authentication in wired
networks. Furthermore, the computers interconnected to each other perform their own
authentication. In terms of security, ad-hoc networks are vulnerable to eavesdropping
and masquerading attacks.
power levels for client devices. The devices are automatically adjusted based on geographic
requirements. 802.11e defines a set of Quality of Service (QoS) enhancements for LAN
applications. The standard is considered of critical importance for delay sensitive appli-
cations, such as voice over wireless IP and streaming multimedia. The protocol enhances
the MAC layer. 802.11f or Inter Access Point Protocol is a recommendation that describes
an optional extension to 802.11 that provides wireless access point communications among
multi-vendor systems. Similar to 802.11b, 802.11g gives a throughput of up to 54 Mbps. It
also operates in the 2.4 GHz frequency band but uses a different radio technology in order
to boost overall bandwidth. 802.11h focuses on power usage and transmission interference
from 802.11 radio frequencies. It was originally designed to address European regulations
but is now applicable in many other countries. Finally, 802.11i, known as the data security
protocol, is an amendment to the 802.11 standard specifying security mechanisms for
wireless networks. The draft standard was ratified in June 2004, and supersedes the previous
specification, WEP, which was shown to have severe security weaknesses.
As a long-term solution, 802.11i is proposed to provide enhanced MAC layer
security. The standard defines CCMP, which provides strong confidentiality, integrity, and
replay protection. Furthermore, an authentication process, combining the 802.1X
authentication and key management procedures, is performed to mutually authenticate the devices
and generate a fresh session key for data transmissions. 802.11i is supposed to be the right
solution for wireless security and should be able to prevent an adversary from mounting
advanced attacks. This is the case even if the adversary has the most powerful equipment
and techniques for breaking into systems. In other words, an implementation of the 802.11i
protocols in a WLAN should be able to provide sufficient data confidentiality, integrity, and
mutual authentication.
working typically penetrate outside the building, creating a real risk that the network can be
hacked from the parking lot or the street.
Several papers [11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22] dealing with wireless
security have been published so far. Two terms within WLAN security are defined: "threat"
and "attack". A "threat" is a potential violation of security and can be a danger that might
exploit a vulnerability of the system [21]. An "attack" is an actual violation of security:
a deliberate attempt to evade security services and to violate the security
policy of a system [21]. Generally, a distinction between active and passive attacks can
be made, putting the intruder either in the role of a listener or in the role of a
manipulator. However, no matter what he or she intends to do, any kind of attack is
undesired, regardless of whether it belongs to the first or the second category. Attacks
on wireless networks fall into four basic categories: passive attacks, active attacks,
man-in-the-middle attacks, and jamming attacks [22].
Passive attacks on wireless networks are extremely common and, at the same time, very
difficult to detect. A passive attack on a wireless network may not be malicious in nature.
Passive attacks help an attacker to prepare for an active attack by providing sufficient
information about the system. Once an attacker has gained sufficient information from the
passive attack, he can launch an active attack against the network. Common passive attacks
are those that involve traffic analysis and eavesdropping.
In short, eavesdropping means that someone listens to your transmission by
monitoring and intercepting data passing over the WLAN. This kind of attack is especially
easy within the wireless environment since the transmission travels over the radio path.
Transmission over the radio path allows everyone equipped with a suitable
transceiver and located within the transmission range to listen to the messages sent over the
air. With the use of a special antenna, the unauthorized listener can even monitor traffic
from a location quite far away, staying unrecognized by the sender as well as by the intended
and authorized receiver.
There are different types of active attacks that an adversary can launch against a wireless
network. For the most part, these attacks are identical to the kinds of active attacks that
are encountered on wired networks. These include, but are not limited to, spoofing or
masquerading, replay, message modification, and Denial-of-Service (DoS) [11].
Spoofing or masquerading is one of the basic types of active attacks launched to gain
unauthorized access to network resources and services. The intruder will first try to de-
termine the access parameters of a potentially vulnerable wireless network. Such access
parameters may include a MAC address and an IP address of a particular station. When
the station is not transmitting, the intruder will first reconfigure his or her terminal with the
known information. Once this is done, the intruder’s terminal will appear as the authorized
terminal and will be able to access most of the resources. This technique is known as MAC
spoofing.
During a replay attack, the intruder may use a third-party wireless packet sniffing or
monitoring utility to capture packets exchanged between two wireless entities. Once such
packets are captured, the intruder can analyze the packet content and launch a number of
attacks. One such example could be to initiate a DoS attack. On the other hand, the intruder
could collect sufficient data to crack an encryption key.
Message modification attacks occur when an attacker adds data to an existing connec-
Security Improvements within IEEE 802.11i Wireless Local Area Networks... 285
tion in order to hijack the connection or maliciously send data or commands. An attacker
can manipulate control messages and data streams by inserting packets or commands to a
base station or vice versa. Inserting control messages on a valid control channel can result
in the disassociation or disconnection of users from the network.
A DoS attack prevents authorized and therefore authenticated users from getting access to
the wanted network resources. This type of attack differs from the usual ones in that
its aim is not to get into possession of sensitive information but just to bring down the
organization’s network. Flooding APs until they break down, which can for example be
achieved by a huge ICMP ping flood, is one possible scenario. Such a flooded AP bars users
from connecting to it or interrupts an already existing connection. Other examples of a
denial of service attack are jamming of specific radio frequencies or consistently resending
a captured disconnect message. In the first scenario no transmission will be possible
anymore because the AP and its associated stations can no longer understand each other. In
the second case the attacker will cause the legitimate user to lose his or her connection
to the AP. Unfortunately, all these attacks will also be possible when providing strict access
control with strong authentication methods.
Man-in-the-middle is an attack that requires some sophisticated hacking software and
may cause significant levels of disruption and chaos. Because network layer
security typically only provides protection for IP, other protocols are left unprotected and
vulnerable to attacks. With no access control mechanisms, someone could for example
fool a station by sending a forged ARP message to it, or try to get access to the network
by simulating known, permitted MAC addresses. In this way, the attacker can also place
himself or herself between the AP and the station, impersonating
a corporate wireless AP to the station and a station to the AP. Data between the two
authorized entities will be redirected by the attacker, generating a transmission path from
the station over the attacker to the corporate AP and the other way around, leaving both
authorized parties unaware of their data being redirected. The authorized, associated station
is connected to the AP, even if not directly. In this attack, mutual authentication appears to be
very important.
Wireless networks provide security in different ways. Security is defined as the op-
erations undertaken to protect and defend information and information systems ensuring
their confidentiality, integrity, authorization, availability, nonrepudiation, and authentica-
tion [21].
Confidentiality ensures an eavesdropper cannot discover the contents of messages being
exchanged between endpoints. It is usually achieved through the use of good encryption
algorithms and keeping the keys secret.
Integrity ensures a third party cannot tamper with the contents of messages exchanged
between endpoints without the endpoints’ knowledge. Integrity is usually achieved by a
Message Authentication Code (MAC), which is like a checksum but incorporates a crypto-
graphic key in a way that prevents a third party from calculating the MAC on his own. An
attacker attempting to tamper with the message will not be able to construct a correct MAC
for the modified message. Again, keeping the keys secure is an essential element.
Authorization controls who is permitted to do what. The simplest authorization decision
is who is permitted to establish a communication session with whom. More complex au-
thorization can make finer grained statements about what different endpoints are permitted
[Figure 3: WEP authentication exchange; surviving labels: challenge text, challenge response (encrypted challenge text), confirm success]
to what of a wired network. The WEP protocol introduced three main aspects of security
to WLANs as follows: authentication, encryption and integrity checks.
One of the WEP’s components was an authentication process to assist with the need to
ensure that APs only communicate with authorized wireless stations. WEP authentication
is based on a Shared Key also known as the WEP key. Both the station and AP need to have
the same WEP key to be able to allow communication beyond the authentication exchange.
An example of the exchange is shown in Figure 3. First, the station sends an Authentication
Request to AP. AP sends back a random number known as the Challenge Text. After that,
the station encrypts the Challenge Text using the WEP key to create ciphertext. Finally, AP
verifies that the Challenge Text it sent was encrypted with the correct WEP key.
WEP’s encryption is based on the RC4 stream cipher algorithm. The cipher takes
plaintext and applies an encryption key to it, making the output randomized encrypted
ciphertext. The receiving device decrypts the ciphertext using the predetermined encryption
key. Initially, the WEP standard used 40 bit encryption keys but later on the manufacturers
increased the length of their WEP key implementations to 104 bits. To add randomness to the
encryption key, an IV was added to the fixed length encryption key. The addition of the IV
increases the number of bits from 40 and 104 bit keys to 64 bits and 128 bits, respectively.
These are the key sizes supported on all WLAN devices that are WEP compliant.
WEP includes a check field called ICV. The check value is computed from the plaintext
data before encryption. The value is appended to the plaintext, and encrypted along with
the rest of the data. The idea of ICV was to provide integrity protection. At the time of
initial release, it was believed that encrypting the ICV value would prevent tampering and
ensure integrity.
It was soon discovered that the WEP security protocol was flawed and, in 2001,
Fluhrer et al. [25] published a cryptanalysis of WEP that exploited the way the RC4
algorithm and IV were used in WEP. It was discovered that a passive attack could recover
the RC4 key after eavesdropping on the network for a few hours. Borisov, Goldberg, and
Wagner [26] showed several other attacks, including that the encrypted messages could be
modified freely as well as the fact that the user authentication protocol is trivially defeated.
According to Edney and Arbaugh [27], there are three ways to attack RC4 privacy in WEP:
IV reuse, RC4 weak keys and direct key attack. In 2006, Bittau, Handley, and Lackey [28]
showed that the 802.11 protocol itself can be used against WEP to enable earlier attacks that
were previously thought impractical. After eavesdropping a single packet, an attacker can
[Figure: AES encryption structure. Plaintext; Initial Round (KeyAddition); Standard Round (Substitution, ShiftRow, MixColumn, KeyAddition); Final Round (Substitution, ShiftRow, KeyAddition); Ciphertext]
The encryption and decryption algorithms are organized as a set of iterations called
round transformations (initial, standard, and final). Since the block and key lengths are
128 bits, the total number of rounds is ten. All round transformations are identical, apart from
the final one. Implementation of the encryption round of AES requires realization of four
component operations: Substitution, ShiftRow, MixColumn, and KeyAddition.
The Substitution transformation is performed on each byte of the state using sixteen
substitution tables (S-boxes). The inverse transformation of Substitution, InvSubstitution,
is constructed by the same number of inverse S-boxes.
In the ShiftRow transformation, the bytes in the first row of the state do not change. The
second, third, and fourth rows shift cyclically to the left one byte, two bytes, and three bytes,
respectively. InvShiftRow is the inverse transformation of ShiftRow. In this transformation,
the bytes in the first row of the state do not change; the second, third, and fourth row shift
cyclically one byte, two bytes, and three bytes to the right, respectively.
The MixColumn transformation as well as InvMixColumn can be expressed as a matrix
multiplication in the Galois Field. The InvMixColumn transformation has a longer critical
path compared to the MixColumn transformation, and therefore the entire decryption is
more time consuming than encryption.
KeyAddition is a bitwise XOR of two 128 bit words.
To decrypt the ciphertext, the procedure followed is the exact opposite of the encryption
process. That is, a standard round consists of InvSubstitution, InvShiftRow, InvMixColumn,
and KeyAddition operations while the final round consists of the same operations excluding
the InvMixColumn operation.
In early 802.11i drafts, two AES schemes were proposed: CCM [8] and OCB [6, 7].
Questions over intellectual property, however, made some members of the 802.11i task
group uncomfortable. Therefore, CCMP has been chosen within the 802.11i standard.
Although there has been some criticism [31], analysis suggests that CCM mode provides
a level of confidentiality and authenticity comparable to OCB mode. It is reasonable to
believe that, once CCMP is implemented, an adversary is not able to break the data
confidentiality and integrity without the knowledge of the key. Furthermore, an adversary
cannot obtain useful information about the key through analyzing the ciphertext even if the
corresponding plaintext is known.
[Figure: frame layout; surviving labels: Encrypted, Authenticated, Authenticated]
CCM mode [32] uses counter mode for encryption and CBC-MAC for integrity pro-
tection. Both algorithms employ only the encryption primitive at both the sender and the
receiver. CCM mode was designed to meet the following criteria:
• Use a single key to provide confidentiality and integrity. This minimizes the time spent to
compute AES key schedules.
• Allow pre-computation to reduce latency.
• Support pipelining to increase throughput.
• Provide integrity protection for the plaintext header along with integrity and
confidentiality of the packet payload.
• Small implementation size.
• Avoid patent issues.
The MPDU format after CCMP encryption is shown in Figure 6. The packet is expanded
by 16 bytes over an unencrypted frame and is identical to a TKIP frame with the exception
of the ICV. Like TKIP, CCMP uses a 48 bit IV called PN, which is used along with
other information to initialize the AES cipher for both the MIC calculation and the frame
encryption.
The CCMP encapsulation process [33] is illustrated in Figure 7. CBC-MAC provides
data integrity and, like MIC in TKIP, protects the sender and destination addresses as well
as the frame data from modification. CCMP uses PN as part of the IV. PN increments for
each frame sent, and never repeats for a single temporal key. Like the sequence number in
TKIP, PN provides protection from replay attacks and works in the same way. A frame
with an out-of-sequence PN, or a frame which has a PN equal to or smaller than the current
value of the replay counter, is discarded.
[Figure 7: CCMP encapsulation; surviving labels: MIC Calculation; Clear Text Frame (Frame Header, PN, Data in 128 bit blocks, MIC); Encryption; Ctr Preload PL(1), PL(2), PL(n), PL(0); Encrypted Frame (Frame Header, PN, Data, MIC, FCS)]
As depicted in Figure 7, the data in the frame is split into 128 bit blocks. To calculate
the MIC, an IV is created by concatenating the priority on reserved bits, the address of the
sender, the PN and other header data. The IV is fed into an AES block, and an XOR operation
is applied to the resulting key stream with specific elements in the header of the frame. The
output is then XOR-ed with the first 128 bit block of data. This continues for the entire
length of the frame, resulting in a 128 bit CBC-MAC value. The first 64 bits of this value
are used as MIC. The encryption process is initiated by the IV and a counter set to 1. The
combined IV and counter value, known as the preload value PL(n), are fed into the AES
block and an XOR operation is applied to the resulting key stream and the first 128 bits of
data. The counter is incremented, and this continues for the length of the entire frame. The
final counter value is set to 0 and fed into the AES block. An XOR operation is applied to
the resulting key stream and the 64 bit MIC value. Finally, the encrypted MIC value is
appended to the encrypted frame.
The CCMP decapsulation process is not shown but is essentially the reverse of the
encapsulation process of Figure 7, with some additional steps. One of these is PN checking.
PN is extracted and if it is not greater than the current value of the replay counter, the frame
is discarded. The last step is MIC checking. A MIC is calculated in the same way and is
compared to the MIC in the received frame. If they are identical, then the frame is passed on to
the higher levels; otherwise it is discarded.
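The AES round structure and the CCMP encapsulation and decapsulation steps described above, as an added example that is not code from the chapter. It assumes the CCM parameters of RFC 3610 [8] with an 8 byte MIC and a 2 byte length field; the nonce is priority, sender address and PN, while the header fields covered by the MIC (`aad`) are passed in as given bytes and a single replay counter is kept, both simplifications of this example.

```python
import hmac

def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    """Substitution table: inverse in GF(2^8) followed by the affine map."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p ^= _xtime(p)                       # p *= 3 (3 generates the field)
        for shift in (1, 2, 4):              # q /= 3, so q stays the inverse of p
            q ^= (q << shift) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()

def expand_key(key):
    """AES-128 key schedule: eleven round keys of 16 bytes each."""
    if len(key) != 16:
        raise ValueError("CCMP uses a 128 bit temporal key")
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes_encrypt_block(rk, block):
    """Initial round, nine standard rounds, one final round without MixColumn."""
    s = [b ^ k for b, k in zip(block, rk[0])]                               # KeyAddition
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # Substitution
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRow
        if rnd < 10:                                                        # MixColumn
            cols = [s[c:c + 4] for c in range(0, 16, 4)]
            s = [_xtime(a[i]) ^ _xtime(a[(i + 1) % 4]) ^ a[(i + 1) % 4]
                 ^ a[(i + 2) % 4] ^ a[(i + 3) % 4] for a in cols for i in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]                             # KeyAddition
    return bytes(s)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _cbc_mac(rk, nonce, aad, msg):
    """First 64 bits of the CBC-MAC over B0, the header fields and the data."""
    b0 = bytes([0x59]) + nonce + len(msg).to_bytes(2, "big")  # flags: AAD present, M=8, L=2
    hdr = len(aad).to_bytes(2, "big") + aad                   # CCMP always has header AAD
    data = b0 + hdr + bytes(-len(hdr) % 16) + msg + bytes(-len(msg) % 16)
    x = bytes(16)
    for i in range(0, len(data), 16):
        x = aes_encrypt_block(rk, _xor(x, data[i:i + 16]))
    return x[:8]

def _ctr(rk, nonce, data, first_counter):
    """XOR data with AES(preload), preload = flags || nonce || counter."""
    out = b""
    for n in range(0, len(data), 16):
        pl = b"\x01" + nonce + (first_counter + n // 16).to_bytes(2, "big")
        out += _xor(data[n:n + 16], aes_encrypt_block(rk, pl))
    return out

def ccmp_nonce(priority, a2, pn):
    """13 byte nonce: priority octet, 6 byte sender address, 48 bit PN."""
    return bytes([priority]) + a2 + pn.to_bytes(6, "big")

def ccmp_encap(tk, priority, a2, pn, aad, plaintext):
    rk, nonce = expand_key(tk), ccmp_nonce(priority, a2, pn)
    mic = _cbc_mac(rk, nonce, aad, plaintext)
    return _ctr(rk, nonce, plaintext, 1) + _ctr(rk, nonce, mic, 0)  # data, then MIC under counter 0

class CcmpReceiver:
    """Decapsulation: PN check first, then decrypt, then MIC check."""
    def __init__(self, tk):
        self.rk, self.replay_counter = expand_key(tk), 0

    def decap(self, priority, a2, pn, aad, body):
        if pn <= self.replay_counter or len(body) < 8:
            return None                                   # replayed or too short: discard
        nonce = ccmp_nonce(priority, a2, pn)
        plaintext = _ctr(self.rk, nonce, body[:-8], 1)
        mic = _ctr(self.rk, nonce, body[-8:], 0)
        if not hmac.compare_digest(mic, _cbc_mac(self.rk, nonce, aad, plaintext)):
            return None                                   # MIC mismatch: discard
        self.replay_counter = pn                          # advance only on a valid frame
        return plaintext
```

The replay counter advances only after the MIC verifies, so a forged frame carrying a high PN cannot push the counter forward and make later legitimate frames look replayed.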
[Figure: RSNA phases; surviving labels: security policy agreement, 802.1X authentication, RSNA data confidentiality and integrity]
To complete this subsection, the wireless attacks on CCMP are discussed. With
regard to traffic analysis and eavesdropping attacks, an adversary may eavesdrop on traffic,
but cannot decrypt the packets because it has no way to discover the temporal keys.
Furthermore, since the IP header of the messages is encrypted, the adversary can only obtain
limited information through traffic analysis. However, the adversary does have some ways
to discover useful information, because the MAC header is not encrypted and therefore the
packet size and frequency are observable. Fortunately, in most scenarios such information
leakage is not considered to be harmful. Masquerading attack on data frames is completely
eliminated because a strong MIC prevents an adversary from inserting a forged data
message. For message modification attack, the adversary is able to delete a packet in any case.
However, this can be handled by the retransmission mechanism or higher layer protocols.
Moreover, the adversary is also able to intercept a packet and forward it to the receiver later.
The forwarded packet could have been correctly encrypted with a valid MIC.
However, the receiver is likely to recognize it as an out of order packet and discard it
silently.
In summary, against eavesdropping, masquerading, and message modification attacks,
CCMP appears to provide satisfactory data confidentiality, integrity, and replay protection
for data packets, as intended. However, since management and control frames are neither
encrypted nor authenticated by the encryption algorithm, they are still vulnerable to these
attacks. In addition, CCMP requires hardware upgrades and might have some impacts on
performance.
The wireless network security methods explained so far are summarized in Table 1. It
should be noted that the protocols, TKIP and CCMP, address all known WEP problems.
802.11i specifies the RSN IE, which incorporates RSN security information including RSN
capabilities, authentication, and cipher key selectors. As illustrated in Figure 9, the RSN IE
contains a list of authentication and cipher selector fields for communications. Element ID
should always be 48 in decimal and Length indicates the number of octets in the information
field. Version shows the version number of the RSNA protocol. Pairwise Key Cipher
Suite Count indicates the number of Pairwise Key Cipher Suites that are contained in the
Pairwise Key Cipher Suite List field. Group Key Cipher Suite is the cipher suite which is
associated between communicating peers. Similarly, Authentication and Key Management
Suite Count indicates the number of Authentication and Key Management Suites that are
contained in the Authentication and Key Management Suite List field. RSN Capabilities is
used so that the receiver knows the security mechanisms the sender supports.
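A strict parser for the RSN IE fields just described, as an added example that is not code from the chapter. It assumes the on-air field order (Version, Group Key Cipher Suite, pairwise count and list, AKM count and list, RSN Capabilities), little-endian counts and the 00-0F-AC suite selectors of the 802.11i standard; it requires every field through RSN Capabilities, and both sample elements are constructed.

```python
import struct

RSN_ELEMENT_ID = 48
RSN_OUI = bytes.fromhex("000fac")
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_SUITES = {1: "802.1X", 2: "PSK"}

class RsnIeError(ValueError):
    """Raised for an RSN IE that is malformed or truncated."""

def _suite_name(selector, names):
    # A suite selector is a 3 byte OUI followed by a 1 byte suite type
    oui, suite_type = selector[:3], selector[3]
    if oui != RSN_OUI:
        return "vendor-%s:%d" % (oui.hex(), suite_type)
    return names.get(suite_type, "unknown-%d" % suite_type)

def parse_rsn_ie(ie):
    """Return the advertised security policy, rejecting inconsistent lengths."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise RsnIeError("Element ID must be 48")
    if ie[1] != len(ie) - 2:
        raise RsnIeError("Length does not match the octets present")
    body, pos = ie[2:], 0

    def take(n, what):
        nonlocal pos
        if pos + n > len(body):
            raise RsnIeError("truncated " + what)
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def suite_list(names, what):
        (count,) = struct.unpack("<H", take(2, what + " Count"))
        if count == 0:
            raise RsnIeError(what + " Count is zero")
        return [_suite_name(take(4, what + " List"), names) for _ in range(count)]

    (version,) = struct.unpack("<H", take(2, "Version"))
    if version != 1:
        raise RsnIeError("unsupported RSNA version %d" % version)
    policy = {"version": version}
    policy["group_cipher"] = _suite_name(take(4, "Group Key Cipher Suite"), CIPHER_SUITES)
    policy["pairwise_ciphers"] = suite_list(CIPHER_SUITES, "Pairwise Key Cipher Suite")
    policy["akm_suites"] = suite_list(AKM_SUITES, "Authentication and Key Management Suite")
    (policy["capabilities"],) = struct.unpack("<H", take(2, "RSN Capabilities"))
    policy["extra"] = body[pos:]   # anything after RSN Capabilities is kept uninterpreted
    return policy

def is_ccmp_only(policy):
    """True when unicast and multicast traffic are both protected by CCMP only."""
    return (policy["group_cipher"] == "CCMP"
            and all(c == "CCMP" for c in policy["pairwise_ciphers"]))

# Constructed samples: a CCMP/802.1X network and a mixed CCMP+TKIP/PSK network
SAMPLE_CCMP = bytes.fromhex("30140100000fac040100000fac040100000fac010000")
SAMPLE_MIXED = bytes.fromhex("30180100000fac020200000fac04000fac020100000fac020000")

if __name__ == "__main__":
    for sample in (SAMPLE_CCMP, SAMPLE_MIXED):
        parsed = parse_rsn_ie(sample)
        print(parsed, "CCMP only:", is_ccmp_only(parsed))
```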
The first phase requires the communicating parties to agree on the security policy to
use, as depicted in Figure 10. Security policies supported by AP are advertised in a Probe
Response which follows a Probe Request from the station. After that, a standard Open Sys-
tem Authentication is initiated. The station response is included in the Association Request
message validated by an Association Response from AP. The security policy information is
sent in the RSN IE field including: supported authentication methods (802.1X, PSK), se-
curity protocols for unicast traffic (CCMP, TKIP etc.) identified as Pairwise Cipher Suite,
and security protocols for multicast traffic (CCMP, TKIP etc.) identified as Group Cipher
Suite.
[Figure: 802.1X authentication exchange; surviving labels: RADIUS access, request identity, RADIUS accept, MK distribution, 802.1X/EAP success]
authentication method. There are many authentication methods which can use EAP, such
as smart cards and passwords. Common secure authentication types include EAP-TLS,
EAP-TTLS, and PEAP. 802.1X is a port based authentication framework and operates on
a concept of a controlled and uncontrolled port.
The second phase is shown in Figure 11 and represents 802.1X authentication methods
as follows: EAP-TLS with station and server certificates (requiring a public key
infrastructure), EAP-TTLS and PEAP for hybrid authentication (with certificates required only
for servers). 802.1X authentication is initiated when the AP requests station identity data. The
station’s response contains the preferred authentication method. After that, suitable messages
are exchanged between the station and the authentication server to generate a common MK.
At the end of the procedure, a RADIUS Accept message is sent from the authentication
server to the AP, containing the MK and a final EAP Success message for the station.
[Figure: key derivation and distribution; surviving labels: MK transmission, 4-way handshake, PTK and GTK derivation and distribution]
[Figure: pairwise key hierarchy. PSK or MK; PMK (256 bits); PRF; KCK (128 bits, bits 0-127), KEK (128 bits, bits 128-255), TEK (=TK) (128 bits, bits 256-383), TMK1 (64 bits, bits 384-447), TMK2 (64 bits, bits 448-511); further labels: transmission, reception, TKIP]
The group key hierarchy is summarized in Figure 15. By using PRF, GTK is generated
from a master key called GMK, a fixed string, the MAC address of AP and a random num-
ber GNonce. The length of GTK depends on the encryption protocol: 256 bits for TKIP
and 128 bits for CCMP. GTK is divided into temporal keys: GEK for data encryption
(used by TKIP or CCMP) and GIK for data authentication used only by Michael with
TKIP.
Two EAPOL-key messages are exchanged between the station and AP during the group
key handshake and this process is illustrated in Figure 16. AP initiates the first message by
using the random GNonce and calculating a new GTK. It sends the encrypted GTK using
KEK, the GTK sequence number and the MIC calculated using KCK. When the message
is received by the station, MIC is verified and GTK can be decrypted. The second message
acknowledges the completion of the group key handshake by sending the GTK sequence
number and the MIC calculated on this second message. AP installs the new GTK after
verifying the MIC value.
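The key hierarchy and the MIC checks of the group key handshake, as an added example that is not code from the chapter. It assumes the HMAC-SHA1 based PRF and the labels "Pairwise key expansion" and "Group key expansion" of the 802.11i standard, and an HMAC-SHA1 MIC truncated to 128 bits; the message framing (type octet, sequence number, key data) is a simplification invented for this example, and the KEK encryption of the GTK is left out, so the key data travels as opaque bytes.

```python
import hashlib
import hmac

def prf(key, label, data, bits):
    """PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i), truncate to bits."""
    out = b""
    for i in range((bits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:bits // 8]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, tkip=False):
    """Split the PRF output at the bit ranges of the pairwise key hierarchy."""
    # min/max ordering lets the station and the AP compute the same value
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 512 if tkip else 384)
    keys = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if tkip:                                    # bits 384-447 and 448-511
        keys["TMK1"], keys["TMK2"] = ptk[48:56], ptk[56:64]
    return keys

def derive_gtk(gmk, ap_mac, gnonce, tkip=False):
    """GTK from GMK, a fixed string, the AP MAC address and GNonce."""
    gtk = prf(gmk, b"Group key expansion", ap_mac + gnonce, 256 if tkip else 128)
    keys = {"GEK": gtk[:16]}                    # data encryption (TKIP or CCMP)
    if tkip:
        keys["GIK"] = gtk[16:32]                # data authentication, Michael only
    return keys

def _mic(kck, body):
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]

def group_msg1(kck, gtk_seq, wrapped_gtk):
    """AP side: sequence number plus KEK-encrypted GTK, protected by a MIC under KCK."""
    body = b"\x01" + gtk_seq.to_bytes(8, "big") + wrapped_gtk
    return body + _mic(kck, body)

def station_handle_msg1(kck, frame):
    """Station side: verify the MIC before touching the key data, then build message 2."""
    body, mic = frame[:-16], frame[-16:]
    if len(body) < 9 or body[0] != 1 or not hmac.compare_digest(mic, _mic(kck, body)):
        return None
    ack = b"\x02" + body[1:9]                   # acknowledge with the GTK sequence number
    return int.from_bytes(body[1:9], "big"), body[9:], ack + _mic(kck, ack)

def ap_handle_msg2(kck, frame):
    """AP side: the new GTK is installed only if the MIC of message 2 verifies."""
    body, mic = frame[:-16], frame[-16:]
    if len(body) != 9 or body[0] != 2 or not hmac.compare_digest(mic, _mic(kck, body)):
        return None
    return int.from_bytes(body[1:9], "big")

if __name__ == "__main__":
    # Constructed inputs: keys, addresses and nonces are sample values
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    ptk = derive_ptk(bytes(range(32)), ap, sta, b"\xaa" * 32, b"\x55" * 32)
    msg1 = group_msg1(ptk["KCK"], 7, b"constructed-wrapped-gtk")
    seq, key_data, msg2 = station_handle_msg1(ptk["KCK"], msg1)
    print("station accepted GTK sequence", seq, "AP accepted ack for", ap_handle_msg2(ptk["KCK"], msg2))
```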
It should be noted that a STAkey handshake also exists, but it is not discussed here.
It supports the generation of a secret transient key called STAkey by the AP for ad-hoc
connections.
[Figure: EAPOL-key message exchange; surviving labels: EAPOL-key (SNonce + MIC + Station RSN IE); EAPOL-key (MIC + GTK encrypted + Access Point RSN IE); EAPOL-key acknowledge (MIC)]
All the keys generated previously are used in protocols supporting RSNA data
confidentiality and integrity: TKIP and CCMP. Both protocols are discussed in detail at the
beginning of this section.
[44] identified two more types of DoS attacks: RSN IE poisoning and 4-way handshake
blocking. They also provide countermeasures to these attacks.
3. Conclusion
802.11i can be viewed as consisting of two layers. On the lower level are improved en-
cryption algorithms in the form of TKIP and CCMP. Both of these encryption protocols
provide enhanced data integrity over WEP, with TKIP being targeted at legacy equip-
ment and CCMP being targeted at future WLAN equipment. Above TKIP and CCMP is
802.1X, a standard for port based access control. As used in 802.11i, 802.1X provides a
framework for robust user authentication and encryption key distribution.
The 802.11i standard is written in such a way that it is extensible to support the addition of
new encryption protocols should they be required in the future. An infrastructure wireless
network can support the simultaneous use of more than one encryption protocol and the
station and AP use the highest level of security that both can mutually support. However, a
true RSN uses only the CCMP protocol for all equipment.
In addition to TKIP encryption, 802.11i defines a new encryption method based on
AES which is considered state of the art in encryption technology. Unlike TKIP, CCMP
was not designed for backward compatibility and in many cases new Wi-Fi hardware which
has processor support for AES will be required for optimal performance. In most cases,
station computers with fast microprocessor support will be upgradeable to support AES
with a software driver upgrade.
[Figure: EAPOL-key message; surviving labels: Group + MIC]
In terms of security, 802.11i provides a system for greatly enhanced security within Wi-
Fi equipment. Through the use of improved encryption protocols and the 802.1X standard
for improved authentication, 802.11i provides improved security for both legacy and future
Wi-Fi hardware.
References
[1] Carli, M., Rossetti, A., & Neri, A. (2003). Integrated Security Architecture for WLAN.
Proceedings of the IEEE ICT’2003.
[2] Shunman, W., Ran, T., Yue, W., & Ji, Z. (2003). WLAN and its Security Problems.
Proceedings of the PDCAT’2003.
[3] Arbaugh, W. A. (2003). Wireless Security is Different. IEEE Computer, 36, 99-101.
[4] National Institute of Standards and Technology (2001). Advanced Encryption
Standard (AES). FIPS Pub 197.
[5] 802.11. (1999). IEEE Standard for Information technology - Telecommunications and
information exchange between systems - Local and metropolitan area networks -
Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and
Physical Layer (PHY) specifications. IEEE Computer Society.
[6] Rogaway, P., Bellare, M., Black, J., & Krovetz, T. (2001). OCB: A Block-Cipher
Mode of Operation for Efficient Authenticated Encryption. Proceedings of the 8th
ACM Conference.
[7] Chiţu, C., & Glesner, M. (2005). An FPGA Implementation of the AES-Rijndael in
OCB/ECB Modes of Operation. Microelectronics Journal, 36 (2), Elsevier, 139-146.
[8] Whiting, D., Housley, R., & Ferguson, N. (2003). Counter with CBC-MAC (CCM).
RFC 3610.
[10] Arbaugh, W. A., Shankar, N., Wan, Y. C. J., & Zhang, K. (2002). Your 802.11 Wireless
Network has no Clothes. IEEE Wireless Communications, 44-51.
[11] Karygiannis, T., & Owens, L. (2002). Wireless Network Security 802.11, Bluetooth
and Handheld Devices Draft. National Institute of Standards and Technology Special
Publication 800-48.
[12] Lapitiotis, G., Byungsuk, K., Das, S., & Anjum, F. (2005). A policy-based approach
to wireless LAN security management. Workshop of the 1st International Conference
on Security and Privacy for Emerging Areas in Communication Networks.
[13] Zhang, L., Han, W., Zheng, D., & Chen, K. (2005). A security solution of WLAN
based on public key cryptosystem. Proceedings of the 11th International Conference
on Parallel and Distributed Systems.
[14] Prasithsangaree, P., & Krishnamurthy, P. (2004). Analysis of tradeoffs between
security strength and energy savings in security protocols for WLANs. Proceedings of the
60th IEEE Vehicular Technology Conference.
[15] Sorman, M., Kovac, T., & Maurovic, D. (2004). Implementing improved WLAN
security. Proceedings of the 46th International Symposium of Electronics in Marine.
[16] Park, J. S., & Dicoi, D. (2003). WLAN security: current and future. IEEE Internet
Computing, 7 (5), 60-65.
[17] Wang, S., Tao, R., Wang, Y., & Zhang, J. (2003). WLAN and it’s security problems.
Proceedings of the 4th International Conference on Parallel and Distributed
Computing, Applications and Technologies.
[18] Majstor, F. (2003). WLAN security threats & solutions. Proceedings of the 28th Annual
IEEE International Conference on Local Computer Networks.
[19] Potter, B. (2003). Wireless security’s future. IEEE Security & Privacy Magazine,
1 (4), 68-72.
[20] Schmoyer, T. R., Yu Xi, L., & Owen, H. L. (2004). Wireless intrusion detection and
response: a classic study using main-in-the-middle attack. Proceedings of the IEEE
Wireless Communications and Networking Conference, 2.
[21] Stallings, W. (2005). Cryptography and Network Security: Principles and Practices.
NJ, 4th edition: Prentice-Hall.
[22] Shimonski, R. (2002). Security+ Study Guide and DVD Training System. MA, 1st
edition: Syngress Publishing.
[23] Chiţu, C., Chien, D., Chien, C., Verbauwhede, I., & Chang, F. (2002). A Hardware
Implementation in FPGA of the Rijndael Algorithm. Proceedings of the 45th IEEE
International Midwest Symposium on Circuits and Systems, I.
[24] Chiţu, C., & Glesner, M. (2003). Design and Performance of an AES-Rijndael ASIC.
Proceedings of the 4th IEEE Electronic Circuits and Systems Conference.
[25] Fluhrer, R., Mantin, I., & Shamir, A. (2001). Weaknesses in the key schedule
algorithm of RC4. Proceedings of the 4th Annual Workshop on Selected Areas of
Cryptography.
[26] Borisov, N., Goldberg, I., & Wagner, D. (2001). Intercepting mobile communications:
The insecurity of 802.11. Proceedings of the International Conference on Mobile
Computing and Networking.
[27] Edney, J., & Arbaugh, W. (2003). Real 802.11 Security: Wi-Fi Protected Access and
802.11i. Boston: Addison-Wesley.
[28] Bittau, A., Handley, M., & Lackey, J. (2006). The Final Nail in WEP’s Coffin.
Proceedings of the IEEE Symposium on Security and Privacy.
[29] Housley, R., & Arbaugh, W. (2003). Security problems in 802.11-based networks.
Communications of the ACM, 46 (5), 31-34.
[30] Cam-Winget, N., Housley, R., Wagner, D., & Walker, J. (2003). Security flaws in
802.11 data link protocols. Communications of the ACM, 46 (5), 35-39.
[31] Rogaway, P., & Wagner, D. (2003). A critique of CCM. Cryptology ePrint Archive:
Report 2003/070.
[32] National Institute of Standards and Technology (2004). Recommendation for Block
Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality.
NIST Special Publication 800-38C.
[33] Jang, H. Y., Shim, J. H., Suk, J. H., Hwang, I. C., & Choi, J. R. (2004). Compatible
design of CCMP and OCB AES cipher using separated encryptor and decryptor for
IEEE 802.11i. Proceedings of the International Symposium on Circuits and Systems.
[34] Sithirasenan, E., Zafar, S., & Muthukkumarasamy, V. (2006). Formal verification of
the IEEE 802.11i WLAN security protocol. Proceedings of the 2006 Australian
Software Engineering Conference.
[35] Rigney, C., Willens, S., Rubens, A., & Simpson, W. (2000). Remote Authentication
Dial In User Service (RADIUS). RFC 2865.
[36] 802.1X. (2004). IEEE Standard for Local and metropolitan area networks. Port-based
Network Access Control. IEEE Computer Society.
[37] Aboba, P., Blunk, L., Carlson, J., Levkowetz, E., & Vollbrecht, J. (2004). Extensible
Authentication Protocol (EAP). RFC 3748.
[38] Altunbasak, H., & Owen, H. (2004). Alternative Pair-wise Key Exchange Protocols
for Robust Security Networks (IEEE 802.11i) in Wireless LANs. Proceedings of the
IEEE Southeast Conference.
[39] He, C., & Mitchell, J. C. (2004). Analysis of the 802.11i 4-Way Handshake.
Proceedings of the 3rd ACM International Workshop on Wireless Security.
[40] He, C., Sundarajan, M., Datta, A., Derek, A., & Mitchell, J. C. (2005). A Modular
Correctness Proof of IEEE 802.11i and TLS. Proceedings of the 12th ACM Conference
on Computer and Communication Security.
[41] Moskowitz, R. (2003). Weakness in Passphrase Choice in WPA interface. ICSA Labs.
[42] Wool, A. (2004). A Note on the Fragility of the “Michael” Message Integrity Code.
IEEE Transactions on Wireless Communications, 3 (5), 1459-1462.
[43] Mishra, A., & Arbaugh, W. A. (2002). An initial security analysis of the IEEE 802.1X
standard. Technical Report CS-TR-4328, UMIACS-TR-2002-10, University of
Maryland.
[44] He, C., & Mitchell, J. C. (2005). Security analysis and improvements for IEEE
802.11i. Proceedings of the 12th Annual Network and Distributed System Security
Symposium.