Lappeenranta University of Technology Faculty of Technology Management Laboratory of Communications Software CT30A8800 Secured Communications 802.11 security protocols Seminar report Marko Ihonen Anssi Salo Tuomo Timonen


ABSTRACT

Lappeenranta University of Technology
Faculty of Technology Management
Laboratory of Communications Software
CT30A8800 Secured Communications

Marko Ihonen
Anssi Salo
Tuomo Timonen

802.11 security protocols
Seminar work
2009

32 pages, 7 figures, 3 tables and 4 appendices.

Examiners: D.Sc. (Tech.) Pekka Jäppinen, M.Sc (Tech.) Were Oyomno

Keywords: WPA2, IEEE 802.11i, IEEE 802.1X, WEP, WPA, TKIP, CCMP, WLAN security

The wireless communication medium is, by its nature, vulnerable to a variety of different threats, including unauthorized access, eavesdropping of communication, modification and repetition of data, denial of service, and fabrication of data. Therefore, it’s essential that the security protocol can counter these issues. In this seminar report, we introduce three commonly used WLAN security protocols that try to provide protection against these threats: WEP, WPA and WPA2.

We start by introducing Wired Equivalent Privacy (WEP) and continue to the general authentication framework used by the IEEE 802.11i security amendment: IEEE 802.1X and the Extensible Authentication Protocol. Moreover, different key management schemes are discussed under this topic. Finally, we go through the data encryption protocols used in WPA and WPA2, which are TKIP and CCMP respectively.

Since WLANs are so widely used, we feel that it’s important to understand the functionality of different wireless security protocols. The goal is that after reading this paper, the reader gains a detailed view of the topic.


TABLE OF CONTENTS

ABBREVIATIONS
1 INTRODUCTION
2 WIRED EQUIVALENT PRIVACY
3 IEEE 802.11i
4 AUTHENTICATION AND KEY MANAGEMENT
4.1 Key generation
4.1.1 Master Session Key
4.1.2 The 4-Way Handshake
4.2 EAP (Enterprise mode)
4.2.1 EAP-Message Digest 5
4.2.2 EAP-Transport Layer Security
4.2.3 EAP-Tunneled Transport Layer Security
4.2.4 EAP-SIM
5 Wi-Fi Protected Access
6 Wi-Fi Protected Access 2
7 CONCLUSIONS
REFERENCES
APPENDICES
Appendix A: 802.11 MAC frame format
Appendix B: Payload of 802.11 frame with WEP encryption
Appendix C: TKIP MPDU
Appendix D: CCMP MPDU


ABBREVIATIONS

AES Advanced Encryption Standard

AP Access Point

CBC-MAC Cipher Block Chaining Message Authentication Code

CCMP Counter Mode with Cipher Block Chaining Message Authentication Code Protocol

CRC Cyclic Redundancy Check

CTR Counter Mode

DA Destination Address

DES Data Encryption Standard

EAP Extensible Authentication Protocol

EAP-TLS EAP-Transport Layer Security

EAP-TTLS EAP-Tunneled Transport Layer Security

EAP-SIM EAP for GSM Subscriber Identity

EAPOL EAP Over Local Area Network

FCS Frame Check Sequence

GSM Global System for Mobile Communications

GTK Group Transient Key

ICV Integrity Check Value

IEEE Institute of Electrical and Electronics Engineers

IV Initialization Vector

KCK EAPOL-Key confirmation key

KEK EAPOL-Key encryption key

MAC Medium Access Control

MD5 Message-Digest Algorithm

MIC Message Integrity Code

MPDU Media Access Control Protocol Data Unit

MSB Most Significant Bit

MSDU Media Access Control Service Data Unit


MSK Master Session Key

NIST National Institute of Standards and Technology

PAE Port Access Entity

PDU Protocol Data Unit

PKI Public Key Infrastructure

PMK Pair-wise Master Key

PN Packet Number

PRNG Pseudo-Random Number Generator

PSK Pre-Shared Key

PTK Pair-wise Transient Key

QoS Quality of Service

RADIUS Remote Authentication Dial In User Service

RC4 Rivest Cipher 4

SA Source Address

SIM Subscriber Identity Module

SSL Secure Socket Layer

SSID Service Set Identifier

TA Transmitter Address

TKIP Temporal Key Integrity Protocol

TLS Transport Layer Security

TTLS Tunneled Transport Layer Security

TSC TKIP Sequence Counter

WEP Wired Equivalent Privacy

WLAN Wireless Local Area Network

WPA Wi-Fi Protected Access

XOR Exclusive OR


1 INTRODUCTION

Over the past years, the volume of Wireless Local Area Network (WLAN, IEEE Std. 802.11) capable devices has been constantly increasing, providing connectivity to the Internet and local networks. Wireless networks can be used, for example, to reduce cabling costs by solving the last step problem between an access point (AP) and terminal device. Furthermore, a wireless network speeds up deployment and provides enhanced support for mobility. However, if this wireless communication channel is used to transmit sensitive data in business, industry or home, then the communication channel should be secure to prevent illegal activities.

The wireless communication medium is, by its nature, vulnerable to a variety of threats, including unauthorized access, eavesdropping of communication, modification and repetition of data, denial of service, and fabrication of data. Therefore, a security protocol that provides effective authentication, authorization, data encryption and means for handling modification and repetition of data is essential. Since WLANs are so widely used, we feel that it’s important to understand the functionality of different wireless security protocols. This paper discusses Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) in detail and pinpoints their main weaknesses and benefits. The following research questions were set: What security primitives or algorithms do different WLAN security protocols use? How is the wireless communication channel secured with different protocols? How is authentication handled? How is data encrypted? What are the benefits and vulnerabilities of each protocol?

Chapter 2 introduces WEP, which is the first protocol for securing WLAN communication. Chapter 3 presents a short briefing on the IEEE 802.11i standard, from which WPA and WPA2 have been developed. In chapter 4, we describe the IEEE 802.1X standard, which provides an authentication framework for 802.11i. Then, chapters 5 and 6 present the functionalities of WPA and WPA2 in detail. Finally, conclusions are drawn in chapter 7.


2 WIRED EQUIVALENT PRIVACY

WEP is an optional security mechanism for WLANs that was introduced in the IEEE 802.11-1997 standard, trying to provide a security level that is comparable to traditional wired networks [802.11-2007]. In practice, WEP provides WLAN security through simple authorization and data encryption. These are now briefly described in order to pinpoint their weaknesses.

WEP uses the Rivest Cipher 4 (RC4) stream cipher as an encryption and decryption algorithm. RC4 uses a pseudo-random number generator (PRNG) to generate a bit stream (also known as a key stream) from a WEP seed, which is a concatenation of a 24-bit initialization vector (IV) and a 40-bit key. However, it should be noted that the WEP algorithm can make use of 104-bit keys as stated in the IEEE standard [802.11-2007]. Ciphertext is created by XORing the generated key stream with the plaintext and its integrity check value (ICV), which is calculated by using the CRC-32 algorithm. The ICV is used to protect the ciphertext against unauthorized modifications and acts like a fingerprint for each message. Finally, the WEP algorithm concatenates the ciphertext with the current IV, which is needed for decrypting the message. This results in a complete WEP frame that can be sent over the communication channel in use [802.11-2007]. Refer to Appendix B for the structure of the frame payload field. The WEP encryption process is depicted in figure 1.

Figure 1: A block diagram of WEP encryption [802.11-2007]


The decryption process is done in reverse order. Firstly, the receiver separates the unencrypted IV from the WEP frame and generates the correct key stream. It is required that both participants know the encryption key. Secondly, the receiver decrypts the message by using the XOR function, calculates a new ICV value for the plaintext and compares it to the one received in order to validate data integrity [802.11-2007].

Generally speaking, WEP supports two types of legacy authentication methods: open system authentication and shared key authentication [Sarmi2008]. In open system authentication, every device can access the network. In shared key authentication, the terminal device and access point share a common key, which is verified every time a client tries to connect to the network. This is done by applying a challenge-response procedure and therefore WEP encryption must be enabled. The AP sends a challenge to the connecting client, which encrypts the message and responds accordingly. Then, the AP checks whether the message was encrypted correctly and accepts or denies the connection request [Sarmi2008].

Nowadays, WEP can be considered an obsolete protocol, because it doesn’t provide an acceptable level of security. First of all, in many of the shared key implementations, the same key is used throughout the network, which rules out unique authentication. Therefore, every malicious entity that can gain access to the shared key can connect to the network. The standard does not provide any means of distributing the keys automatically and thus forces manual distribution, which can be problematic with a large user-base. This also raises the question of how the keys need to be stored so that they won’t fall into the wrong hands.

In addition, the CRC-32 algorithm, which is used by WEP to generate the ICV, is cryptographically insecure because of its linearity. This means that the algorithm generates a similar signature for similar messages without any use of initialization values and/or keys, and thus makes it possible to modify data without breaking the checksum [Moen2004].
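The WEP encapsulation and the CRC-32 linearity described above, as an added Python example that is not part of the original report. The key, IV and message are constructed sample values, the key ID byte that follows the IV in a real frame is left out, and `patched_frame` is a hypothetical helper name.

```python
import struct
import zlib


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by `length` bytes of key stream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equally long strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """ICV = CRC-32 of the plaintext, appended in little-endian order."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || (RC4(IV || key) XOR (plaintext || ICV))."""
    assert len(iv) == 3 and len(key) in (5, 13)  # 24-bit IV, 40/104-bit key
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok) the way the receiver computes them."""
    iv, ciphertext = frame[:3], frame[3:]
    body = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    plaintext, received_icv = body[:-4], body[-4:]
    return plaintext, received_icv == icv(plaintext)


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """CRC-32(a XOR b) == CRC-32(a) XOR CRC-32(b) XOR CRC-32(zeros)."""
    assert len(a) == len(b)
    zeros = bytes(len(a))
    return zlib.crc32(xor(a, b)) == (
        zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)
    )


def patched_frame(frame: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the encrypted plaintext and adjust the encrypted ICV
    with the affine property alone: neither key nor key stream is used,
    which is why an unkeyed CRC gives no integrity protection here."""
    iv, ciphertext = frame[:3], frame[3:]
    assert len(delta) == len(ciphertext) - 4
    icv_patch = xor(icv(delta), icv(bytes(len(delta))))
    return iv + xor(ciphertext, delta + icv_patch)


# Constructed sample values, not taken from the report.
KEY = bytes.fromhex("0102030405")   # 40-bit WEP key
IV = bytes.fromhex("a1b2c3")        # 24-bit IV, sent in the clear
MESSAGE = b"seminar report payload"

if __name__ == "__main__":
    frame = wep_encrypt(KEY, IV, MESSAGE)
    print("round trip:", wep_decrypt(KEY, frame))
    delta = bytes([0x01]) + bytes(len(MESSAGE) - 1)
    print("after change:", wep_decrypt(KEY, patched_frame(frame, delta)))
```

The receiver's ICV comparison passes for the changed frame, which is the gap that the keyed MIC of TKIP and the CBC-MAC of CCMP close.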

The RC4 algorithm itself isn’t the security bottleneck of WEP, since many security protocols using it, such as Secure Socket Layer (SSL) and Transport Layer Security (TLS), can be considered secure [Sarmi2008]. The problem is the way WEP uses it [Bulbul2008]:

• The use of the shared key directly for data encryption.

• Lack of key management.

• Short keys (40 bits).

• Short IVs (24 bits): results in an inevitable reuse of keys and since they are concatenated unencrypted to the WEP frame, it’s possible to eavesdrop on the communication and deduce the shared key.

• Authentication forging: Poor implementation of the shared key authentication mechanism makes it less secure than open system authentication. An intruder can eavesdrop on a successful challenge-response procedure and forge an authentication by determining the used key stream [Bulbul2008].


3 IEEE 802.11i

In order to develop the security of 802.11 and react to the several weaknesses of WEP, the 802.11i workgroup composed an amendment [802.11i-2004] to the original 802.11 standard that specifies various security mechanisms for wireless networks. The enhancement was later accepted and incorporated into the current 802.11-2007 standard [802.11-2007]. It offers the following components to overcome the main weaknesses of WEP:

• Improved authentication with the IEEE 802.1X standard and Extensible Authentication Protocol (EAP).

• Key management: The master key is not used directly in data encryption, but rather a temporary key is used.

• Enhanced data integrity and confidentiality through the use of Temporal Key Integrity Protocol (TKIP) or Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).

• Stronger initialization vectors (48 bits) and encryption keys (128 bits).

Wi-Fi Protected Access was developed by the Wi-Fi Alliance as an intermediate solution, since it does not implement the whole security framework of 802.11i. The main design principle was to ensure backwards compatibility with older WEP capable devices and to overcome all known security flaws in WEP [Moen2004]. At best, only a firmware upgrade was required for older devices. WPA applies TKIP to provide unique frame-keys for each frame, but the encryption process itself is similar to WEP.

Wi-Fi Protected Access 2 is an enhancement to WPA and fully implements the security mechanisms of 802.11i. Both WPA and WPA2 apply the 802.1X framework to handle the authentication, but the main difference between them is within the data encryption. WPA2 introduces a new encryption protocol called CCMP, which is based on the Advanced Encryption Standard (AES).


4 AUTHENTICATION AND KEY MANAGEMENT

Authentication and authorization play an important role in WLAN security. The purpose is to identify the connecting user or device (authentication) and decide whether network access is allowed for that entity (authorization) [Dantu2007]. Throughout this document the following notation is used to describe entities involved in the authentication procedure:

• The supplicant: A device requesting access to the network. For example, a laptop computer.

• The authenticator: A device (for example, a WLAN access point) with whom the supplicant authenticates itself in order to gain access to the network.

• The authentication server: Can be either an external or internal server, which processes the authentication requests and grants authentication for the supplicant via the authenticator.

Generally speaking, IEEE 802.11i specifies two different authentication modes: one for small office and personal networks called personal mode and one for larger networks and enterprises called enterprise mode. In personal mode, there is a shared secret (Pre-Shared Key, PSK) between the authenticator and supplicants, and therefore no need for an authentication server. In enterprise mode, authentication is handled through the IEEE 802.1X standard and Extensible Authentication Protocol, which provide a general purpose authentication framework. A supplicant is authenticated to an authenticator via the use of an authentication server (trusted third party), which can be implemented, for example, as a Remote Authentication Dial-In User Service (RADIUS). However, it should be noted that 802.1X is not unique to WLANs and can be applied to any point-to-point network [Dantu2007].

Next, we introduce the authentication procedure and different keys for 802.11i at a general level. Different key management schemes (e.g. the 4-Way Handshake) that provide temporal keys for each session are discussed. Finally, we describe enterprise mode authentication in more detail by going through the EAP framework. We present requirements that are imposed by the WLAN environment and introduce some popular EAP methods with their suitability to the requirements.

4.1 Key generation

The purpose of the 802.11i authentication is to generate a unique Pair-wise Master Key (PMK), which can be used as an input for the key management protocols in order to generate a Pair-wise Transient Key (PTK). The PTK can be used to open a secured communication channel between the supplicant and authenticator. The key hierarchy during the process is depicted in figure 2.

Figure 2: Key hierarchy (diagram labels: 802.1X, Master Session Key (MSK), Pair-wise Master Key (PMK), The 4-Way Handshake, Pair-wise Transient Key (PTK), Key Confirmation Key (KCK), Key Encryption Key (KEK), Temporal Key (TK), MIC Key)

As we can see from the figure above, multiple keys are generated during the authentication and key management. This ensures that keys are not repeated and therefore security is increased. Keys are generated in the following phases [He2004][802.11-2007]:

i. The supplicant and authenticator decide on the security policy to use, which contains, for example, the desired authentication method.

ii. The 802.1X authentication is performed between the supplicant and authenticator by using the EAP method decided in the previous step, resulting in a Master Session Key (MSK).

iii. In enterprise mode, this MSK is used to derive a Pair-wise Master Key (PMK). In personal mode, a shared secret (PSK), together with the Service Set Identifier (SSID) and its length, is used to derive the PMK.

iv. The PMK is used as an input for the 802.11i key management protocols: The 4-Way Handshake and/or Group Key Handshake. This phase results in a PTK for unicast and/or a Group Transient Key (GTK) for multicast and broadcast traffic.

v. After a successful handshake, a secure communication channel is established between the supplicant and authenticator. The PTK is divided into four 128-bit keys:

• Key Confirmation Key (KCK): Used to calculate Message Integrity Code (MIC) values from the EAPOL frames.

• Key Encryption Key (KEK): Used to encrypt the EAPOL frames.

• Temporal Key (TK): Used to encrypt the 802.11 frames.

• MIC Keys: Used to provide data integrity to 802.11 frames.

4.1.1 Master Session Key

The Master Session Key is a shared secret, which is created during an EAP authentication between the supplicant and authenticator. The MSK is at least 64 octets (512 bits) and it’s generated during the following steps, which represent phase ii in the previous chapter [802.11-2007]:

i. The authenticator and supplicant open their own port access entities (PAE) and the EAP authentication is performed by using these ports.

ii. The supplicant sends an EAP start message to the authenticator to start the authentication process. The messages are sent within EAP over LAN (EAPOL) frames.

iii. The authenticator sends an EAP request to the supplicant by using the supplicant’s corresponding PAE port.

iv. The supplicant sends an EAP response to the authenticator’s PAE port.

v. The authenticator converts EAPOL messages to the correct access request format that the selected authentication server uses (e.g. RADIUS messages) and forwards those to the authentication server.

vi. EAP messages, based on the selected EAP method, are exchanged between the supplicant and authentication server.

vii. The MSK is generated after a successful EAP authentication and used to derive the PMK.

Figure 3 illustrates the 802.1X authentication procedure at a general level.

Figure 3: Simplified sequence diagram of 802.1X authentication

4.1.2 The 4-Way Handshake

The purpose of the 4-Way Handshake is to generate a PTK. The PTK is a 512-bit session based key, which is derived from the PMK, the authenticator’s address, the supplicant’s address, the authenticator’s nonce (ANonce) and the supplicant’s nonce (SNonce) [802.11-2007]. The PMK has been generated during the authentication and it should be noted that although the PMK can be derived either from the MSK or obtained directly from the PSK, the handshake is performed in the same manner. Furthermore, the latter four values are generated and exchanged during the handshake. The 4-Way Handshake algorithm is represented in figure 4.

Figure 4: A sequence diagram of the 4-Way Handshake (diagram labels, between Supplicant and Authenticator: Generate random nonces; ANonce; Derive PTK; SNonce + MIC; Derive PTK and GTK; GTK + MIC; ACK; Set temporal keys)

The handshake is initialized by the authenticator and done within four EAPOL-Key frames. This procedure represents steps iv and v of the general algorithm described in chapter 4.1. These frames and operations during the handshake are described in the IEEE standard [802.11-2007] and summarized by He et al. in “Analysis of the 802.11i 4-way handshake” [He2004]:

• Firstly, a shared PMK is verified to be correct and known by the supplicant and authenticator. In addition, the supplicant and authenticator generate their own nonce with a PRNG.

• The authenticator sends the first EAPOL-Key handshake message to the supplicant, containing its nonce.

• The supplicant derives a fresh PTK from the PMK by using a pseudo random function and sends its nonce within the second EAPOL-Key message to the authenticator. Integrity of the message is ensured by calculating a MIC from the message.

• The authenticator derives the PTK, generates a GTK if it is required, and sends the GTK to the supplicant within the third EAPOL-Key message.

• Finally, the supplicant acknowledges the handshake.

Moreover, IEEE 802.11i supports the Group Key Handshake, which is used to refresh the used GTK.
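The personal-mode PMK derivation from chapter 4.1 and the PTK derivation and MIC check of the 4-Way Handshake, as an added Python example that is not part of the original report. It follows the IEEE 802.11i definitions (PBKDF2-HMAC-SHA1 with 4096 iterations, HMAC-SHA1 based PRF with the label "Pairwise key expansion"); the MAC addresses, passphrases and message bodies are constructed stand-ins rather than real EAPOL-Key frames, and the encryption of the GTK under the KEK is left out.

```python
import hashlib
import hmac
import os


def pmk_from_psk(passphrase: str, ssid: bytes) -> bytes:
    """Personal mode: 256-bit PMK from the passphrase and the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < n_bytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """512-bit PTK from PMK, both addresses and both nonces, split in four.

    Sorting the addresses and nonces makes both sides build the same input.
    """
    data = (min(aa, spa) + max(aa, spa)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"KCK": ptk[0:16], "KEK": ptk[16:32],
            "TK": ptk[32:48], "MIC": ptk[48:64]}


def eapol_mic(kck: bytes, message: bytes) -> bytes:
    """MIC over an EAPOL-Key message: HMAC-SHA1 truncated to 128 bits
    (the WPA2 variant; WPA with TKIP uses HMAC-MD5 instead)."""
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk_supplicant: bytes, pmk_authenticator: bytes,
                       aa: bytes, spa: bytes):
    """Run the four messages; return (accepted, supplicant_keys, auth_keys)."""
    anonce, snonce = os.urandom(32), os.urandom(32)

    # Message 1, authenticator -> supplicant: ANonce (no MIC yet).
    sup = derive_ptk(pmk_supplicant, aa, spa, anonce, snonce)

    # Message 2, supplicant -> authenticator: SNonce + MIC.
    msg2 = b"constructed msg 2|" + snonce
    mic2 = eapol_mic(sup["KCK"], msg2)
    auth = derive_ptk(pmk_authenticator, aa, spa, anonce, snonce)
    if not hmac.compare_digest(mic2, eapol_mic(auth["KCK"], msg2)):
        return False, sup, auth      # PMKs differ: handshake is aborted

    # Message 3, authenticator -> supplicant: GTK + MIC.
    msg3 = b"constructed msg 3|" + os.urandom(16)  # real GTK is KEK-encrypted
    mic3 = eapol_mic(auth["KCK"], msg3)
    if not hmac.compare_digest(mic3, eapol_mic(sup["KCK"], msg3)):
        return False, sup, auth

    # Message 4, supplicant -> authenticator: acknowledgement + MIC.
    msg4 = b"constructed msg 4|ack"
    mic4 = eapol_mic(sup["KCK"], msg4)
    accepted = hmac.compare_digest(mic4, eapol_mic(auth["KCK"], msg4))
    return accepted, sup, auth


# Constructed sample values (locally administered MAC addresses).
AA = bytes.fromhex("020000000001")    # authenticator address
SPA = bytes.fromhex("020000000002")   # supplicant address

if __name__ == "__main__":
    pmk = pmk_from_psk("constructed passphrase", b"seminar-net")
    ok, sup_keys, auth_keys = four_way_handshake(pmk, pmk, AA, SPA)
    print("accepted:", ok, "same TK:", sup_keys["TK"] == auth_keys["TK"])
```

Neither the PMK nor the PTK crosses the air; only the nonces and MICs do, and a supplicant holding a different PMK fails at the MIC check of message 2.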


4.2 EAP (Enterprise mode)

The 802.1X standard defines an EAP framework, which is used for authentication in the enterprise mode. This framework was originally defined in RFC 3748 and later updated in RFC 5247. The EAP framework defines guidelines for authentication, in other words how a supplicant is authenticated to an authenticator by using an authentication server, and does not require use of a specific authentication protocol or predefined procedure. The 802.1X consists of several different EAP methods, suitable for a variety of network characteristics and security requirements [Dantu2007]. In this paper, we’ll go through some commonly used EAP methods and discuss suitable use for those. However, before going into EAP methods, their requirements should be addressed in order to understand their suitability for different wireless environments.

RFC 4017 [Stanley2005] defines some mandatory requirements for an EAP method if it’s used in a WLAN environment. These are also described by Dantu et al. in “EAP methods for wireless networks” [Dantu2007] and summarized in the following:

a) An EAP method should be able to generate symmetric keying material for use in post-authentication or data encryption.

b) An EAP method should support mutual authentication, at which time both participants (the device and network) can authenticate each other.

c) Self-protection: An EAP method should be able to protect itself from eavesdropping or other threats that might give information about the user or device.

d) An EAP method should support synchronization of state or certain attributes between communicating parties. This means sharing information about the current protocol, encryption method or keys.

e) Resistance to dictionary attacks and man-in-the-middle attacks: If an EAP method uses secret password(s) then it must ensure that dictionary/brute force attacks are handled. In addition, it must be able to protect itself from man-in-the-middle attacks, which means that a malicious entity acts in-between the device and AP. This might, for example, require support for cryptographic binding, data integrity protection and/or data replay protection.


In addition to the mandatory requirements, there are some recommended and optional requirements, which can enhance the functionality of an EAP method in a WLAN environment [Dantu2007]. These include, for example, support for message fragmentation in the authentication procedure, which is due to the limitations of the underlying physical layer. For more information about these recommended and optional requirements, refer to [Stanley2005], [Dantu2007] and [Lei2007].

4.2.1 EAP-Message Digest 5

MD5-EAP is a rather simple, legacy EAP method for exchanging password and user identifier information between the supplicant and authentication server, encrypted via the MD5 hash function. To achieve this, EAP-MD5 applies a challenge-based mechanism, combining a random challenge with the password and MD5. The method doesn’t offer any way of changing symmetric key material (requirement a) and doesn’t provide mutual authentication (requirement b). Therefore, it faces the same problem with static keys as WEP and is vulnerable to dictionary attacks [Ali2007]. However, EAP-MD5 can be useful in a situation where it’s combined with a more secure method that achieves these requirements (e.g. EAP-TTLS) [Dantu2007], but in general it’s not recommended for use in a wireless environment [Ali2007].

4.2.2 EAP-Transport Layer Security

EAP-TLS is defined in RFC 5216 and based on SSL v.3.0, which is widely used in secure web transactions. It uses a public key certificate authentication procedure to authenticate both the wireless clients and the authentication server by establishing an encrypted TLS session [Ali2007]. It requires a full public key infrastructure (PKI) within the EAP framework, in which every entity possesses a public key certificate, which has been signed by an authority. The authority can be a trusted third party or built-in to the enterprise [Dantu2007]. The advantage of this method is a strong level of security, but it might be hard to implement in practice, especially with a large user-base or when devices are mobile and frequently changing.


EAP-TLS provides symmetric key material (requirement a), mutual authentication between the authenticator and supplicant (requirement b), and synchronization (requirement d) [Dantu2007]. It meets the requirement of self-protection through the use of a secured TLS pipe (requirement c). Moreover, since passwords are not used, EAP-TLS is not vulnerable to dictionary attacks, and mutual authentication removes the threat of man-in-the-middle attacks (requirement e). Therefore, Ali et al. define it as the strongest EAP method for the wireless environment if only security is concerned [Ali2007]. However, the hard and costly implementation can be a huge obstacle for deploying EAP-TLS. There is also an issue of transmitting the certificates between all entities within the infrastructure.

4.2.3 EAP-Tunneled Transport Layer Security

EAP-TTLS was intended to overcome the difficulties of EAP-TLS and the usage of PKI in client devices. Therefore, in EAP-TTLS, only server-side certificates are required [Ali2009]. The method consists of the following steps:

i. The identity of an authentication server is verified through the use of an asymmetric, public key algorithm.

ii. A symmetric encryption tunnel is created.

iii. The identity of the supplicant (client) is verified with another authentication method (e.g. EAP-MD5) through the secure tunnel.

EAP-TTLS offers strong security during the authentication, and thus meets the requirement of self-protection (requirement c). It provides means for generating symmetric key material and mutual authentication (requirements a and b) [Ali2009]. Moreover, requirements d and e are fulfilled.

4.2.4 EAP-Subscriber Identity Module

EAP-SIM uses subscriber identity modules that provide the authentication method used by

many equipment providers in the field of cellular networking. The physical module acts as

storage for data and can contain, for example, the credentials for a certain user or device. The

clients would then use this SIM to provide the necessary credentials during the

authentication procedure [Dantu2007]. Therefore, the method of applying EAP-SIM to

WLANs has similarities with the current authentication method of Global System for

Mobile Communications (GSM).

5 Wi-Fi Protected Access

WPA applies the Temporal Key Integrity Protocol (TKIP), which provides improved data encryption

and key management by using temporary frame-keys and stronger initialization vectors.

TKIP also utilizes a non-linear Message Integrity Code (MIC) algorithm, which provides

enhanced data integrity compared to the linear CRC-32 [Moen2004]. Figure 5

illustrates the WPA (TKIP) encryption process, which is described below.

Figure 5 A block diagram of TKIP encryption.

The functionality of WEP is based on a 128-bit Temporal Key (TK). This key is obtained during

the authentication/key distribution procedure. Refer to chapter 4 for more information. TK

is used together with the transmitter address (TA, 48 bits) and IV (48 bits) in the key mixing

function. This hash function returns a unique 128-bit frame-key (also known as WEP key

or RC4KEY), which is used in encryption. This significant improvement, offered by TKIP,

ensures that the secret key is not used directly for encryption. For more information

about the functionality of this key mixing function, refer to [Housley2002]. TKIP uses the

TKIP Sequence Counter (TSC), which ensures that the frame-key is used only for one

frame. The counter increases after each packet, which also acts as a defense

against data replay attacks because the receiver ignores packets with an incorrect TSC.

TKIP provides an improved method for checking data integrity. This is achieved through

the usage of a Message Integrity Code (MIC), which is calculated with the Michael algorithm

introduced in [Ferg2002]. This algorithm takes the following components as input:

f) 64-bit MIC-key, which is derived during the authentication process. The 128-bit

MIC key is divided into two parts [Halv2009]. The first part is used in the

communication from the access point to the client and vice versa.

g) Destination Address (DA, 48 bits).

h) Source Address (SA, 48 bits).

i) Priority field (8 bits).

j) Unencrypted payload (plaintext).

TKIP encrypts the MIC, which makes MIC forgery harder. The MIC isn’t calculated over

the Medium Access Control Protocol Data Unit (MPDU) because that would decrease the

flexibility with older hardware. When the MIC is calculated, it is concatenated with the

plaintext and forwarded to encryption. The encapsulated WPA frame (appendix C) is sent to the

receiver [802.11-2007].

Decapsulation of the WEP frame is started by checking that TSC is in correct order. The

message is discarded if the TSC is out of order, otherwise the ciphered MPDU is sent to the

WEP decapsulation process [802.11-2007]. In addition, Frame Check Sequence (FCS) and

ICV are checked before calculating the MIC. Before WEP decapsulation can be done, a

WEP seed needs to be created. The receiver calculates the frame key in the same fashion

as the sender and gives the seed to WEP as an IV. If the WEP decapsulation process is

successful, the defragmented Medium Access Control Service Data Unit (MSDU) is

provided to the next step in the decapsulation process. If defragmentation fails, the packet

is discarded. After the defragmentation, TKIP checks that the received MIC inside the

packet is valid.

The WPA protocol managed to fix the main problems of WEP by providing enhanced data

encryption and authentication with key management. However, WPA was a temporary

solution and thus some compromises were made, for example, when choosing an old

cryptographic algorithm (RC4) instead of AES. In addition, the usage of hash functions

within the TKIP key mixing function can produce unnecessary threats, for example, during

a hash collision [Sarmi2008]. This problem of WPA is also pinpointed in [Moen2004].

6 Wi-Fi Protected Access 2

The WPA2 protocol is an enhancement over WPA and fully implements the IEEE 802.11i

standard. For this reason, the terms 802.11i and WPA2 are often used interchangeably

[Lash2009]. WPA2 introduces a new encryption protocol called Counter Mode with Cipher

Block Chaining Message Authentication Code (CCMP), which is based on the Advanced Encryption

Standard (AES). The protocol consists of two different modes of AES, as defined in the

name of the protocol:

• Counter-Mode (CTR), which ensures data privacy and confidentiality by handling

the encryption of the frame.

• Cipher Block Chaining-Message Authentication Code (CBC-MAC) mode,

which provides data integrity.

AES is a symmetric block cipher, which was introduced by the National Institute of

Standards and Technology (NIST) as a successor to the Data Encryption Standard (DES) in

November 2001. It is a well-documented and secure encryption algorithm, free of royalties

and patents [Lash2009]. In WPA2, the encryption key is 128 bits long, derived from 802.1X

authentication and different key management schemes discussed earlier. Therefore, in the

WPA2 implementation of AES, the message is encrypted in 128-bit blocks that are

calculated independently, rather than having an RC4 key stream acting across the input

stream. However, TKIP is also supported by WPA2, as it’s defined in IEEE 802.11i, to

ensure backwards compatibility with WPA implementations.

WPA2 uses CBC-MAC mode of AES to ensure data integrity by generating a chained

authentication component from the unencrypted frame. This differs from WPA, in which a

separate algorithm (Michael) was used for generating MIC. Moreover, WPA2 removes the

threats that might arise from the usage of hash-functions in TKIP key mixing function (e.g.

due to a hash collision) [Sarmi2008]. The algorithm for calculating CBC-MAC, and thus

ensuring data integrity for current frame, consists of the following steps:

i. An initialization block is constructed from the following components:

• Flag field (8 bits) is set to 01011001. This field contains various flags, which

define, for example, that the used MIC length is 64 bits and data length field is

16 bits.

• Priority field (8 bits), which is fixed to 0 and reserved for future usage.

• Transmitter Address (48 bits)

• Packet Number (PN, 48 bits), which is incremented for each subsequent packet

and similar to the TSC of WPA. If the PN is invalid, the packet is discarded.

• Data length field (16 bits)

The constructed block, illustrated in table 1, is fed to the AES together with data

integrity key, derived from authentication and key management. The result can be

considered as an IV for calculating MIC.

Table 1: CBC-MAC Initialization block

Bit index | 0-7      | 8-15     | 16-63               | 64-111        | 112-127
Content   | 01011001 | 00000000 | Transmitter address | Packet number | Data length

ii. XOR function is applied to the result from previous step and selected 128 bits from

the 802.11 frame header: Frame Control, Address 1, Address 2 and Hlen. Refer to

appendix A for more information about the 802.11 MAC frame or figure 6.

iii. The result from step ii is introduced into AES.

iv. XOR function is applied to the result from previous step and other selected fields

from the frame header: Address 3, Sequence Control, Address 4 and Quality of

Service (QoS) Control.

v. The result from step iv is ciphered with AES.

vi. XOR function is applied to the result from previous step and first 128 bits of the

payload.

vii. The result from step vi is ciphered with AES, producing a 128-bit block.

viii. Steps vi and vii are repeated until the whole payload has been ciphered. Packet

Number field is excluded, because it was already part of the initialization block.

If the final block is less than 16 octets (128 bits) it’s padded with zeroes to match in size.

The explained CBC-MAC results in a 128-bit block that was generated over the whole

frame, starting from the headers to the end of payload, in a chained manner. The 64 most

significant bits (msb) are taken to represent the MIC for the frame and concatenated

unencrypted to the end of payload before ciphering with AES counter mode.

Figure 6: CBC-MAC algorithm

The counter mode algorithm encrypts data and MIC of the frame in following steps:

i. An initial block is constructed from the following components:

• Flag field (8 bits) is set to 01011001, which is the same as in the MIC initial

block.

• Priority field (8 bits) is again initialized to zero.

• Transmitter Address (TA, 48 bits)

• Packet Number (PN, 48 bits)

• Counter (16 bits), which is initialized to 1 and increased for every 128-bit block

until everything has been encrypted.

The constructed IV block is ciphered with AES and data encryption key.

Table 2: 802.11i Counter-Mode initialization block

Bit index | 0-7      | 8-15     | 16-63               | 64-111        | 112-127
Content   | 01011001 | 00000000 | Transmitter address | Packet number | Counter

ii. XOR function is applied to the result from previous step and first 128 bits from the

clear text payload. This produces the first 128 ciphered bits.

iii. The counter from IV is increased, ciphered with AES, and XORed with next 128

bits of payload. This step is repeated until the payload and concatenated MIC

(CBC-MAC) has been encrypted. For MIC encryption the counter of the initial

block is not increased, but is set to 0. Only 64 most-significant bits are XORed with

the MIC.

The following figure 7 presents the functionality of AES in counter mode for 802.11.

Decapsulation of the encrypted MPDU is done in reverse order. If the PN is invalid, the

packet is discarded. Moreover, the MIC calculated on the receiver side must match the one

that was encrypted within the frame.

Figure 7: AES in Counter-Mode for 802.11
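
The CBC-MAC and counter-mode steps of this chapter, carried through for one constructed frame, as an added example (not code from this report or from any 802.11 implementation). It follows the block layouts of tables 1 and 2 as the report gives them; AES is replaced by a keyed BLAKE2b stand-in so that it runs on the Python standard library alone, which works because both modes use only the cipher's forward direction. The keys, addresses, header bytes and the rule "PN must exceed the last accepted PN" are assumptions.

```python
import hashlib
import hmac

def E(key, block):
    # Stand-in for AES-128 block encryption (an assumption of this example,
    # NOT AES): a keyed BLAKE2b PRF mapping a 16-byte block to 16 bytes.
    return hashlib.blake2b(block, key=key, digest_size=16).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def init_block(ta, pn, last16):
    # Tables 1 and 2: flag 01011001 | priority 0 | TA | PN | data length or counter
    return (bytes([0b01011001, 0]) + ta + pn.to_bytes(6, "big")
            + last16.to_bytes(2, "big"))

def cbc_mac(mic_key, ta, pn, header, payload):
    if len(header) != 32:
        raise ValueError("expects the two 128-bit header blocks of steps ii and iv")
    state = E(mic_key, init_block(ta, pn, len(payload)))   # step i
    data = header + payload + bytes(-len(payload) % 16)    # zero-pad last block
    for i in range(0, len(data), 16):                      # steps ii to viii
        state = E(mic_key, xor(state, data[i:i + 16]))
    return state[:8]                                       # 64 msb form the MIC

def ctr_crypt(enc_key, ta, pn, data):
    out = b""
    for i in range(0, len(data), 16):                      # counter starts at 1
        keystream = E(enc_key, init_block(ta, pn, 1 + i // 16))
        out += xor(data[i:i + 16], keystream)
    return out                                             # same call decrypts

def mic_crypt(enc_key, ta, pn, mic):
    # The MIC uses counter value 0; only the 64 msb of the block are XORed.
    return xor(mic, E(enc_key, init_block(ta, pn, 0)))

def encapsulate(mic_key, enc_key, ta, pn, header, payload):
    mic = cbc_mac(mic_key, ta, pn, header, payload)        # MIC over plaintext
    return ctr_crypt(enc_key, ta, pn, payload) + mic_crypt(enc_key, ta, pn, mic)

def decapsulate(mic_key, enc_key, ta, pn, header, body, last_pn):
    if pn <= last_pn:                                      # assumed validity rule
        raise ValueError("replay: PN not greater than last accepted PN")
    payload = ctr_crypt(enc_key, ta, pn, body[:-8])
    mic = mic_crypt(enc_key, ta, pn, body[-8:])
    expected = cbc_mac(mic_key, ta, pn, header, payload)
    if not hmac.compare_digest(mic, expected):             # constant-time compare
        raise ValueError("MIC mismatch: frame modified or wrong key")
    return payload

# Constructed sample values (not from the report).
MIC_KEY, ENC_KEY = bytes(range(16)), bytes(range(16, 32))
TA = bytes.fromhex("020000000001")
HEADER = bytes(range(32))

if __name__ == "__main__":
    frame = encapsulate(MIC_KEY, ENC_KEY, TA, 1, HEADER, b"hello 802.11i")
    print(decapsulate(MIC_KEY, ENC_KEY, TA, 1, HEADER, frame, last_pn=0))
```

Changing any byte of the header or of the encrypted body makes `decapsulate` raise, because the MIC is chained over both before encryption.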

7 CONCLUSIONS

In this paper, we have presented a detailed description of different protocols for securing

IEEE 802.11 communication. WEP, WPA and WPA2 are discussed together with the IEEE

802.1X authentication framework and key management schemes, in order to give an

overall understanding of the current situation in the field of WLAN security. WEP fails to

provide an adequate level of security to match modern threats and the level of raw

computing power. Its successor (WPA) suffers from its legacy background, because it was

intended to be compatible with existing WEP hardware. In addition, modern attacks against

WPA have been identified. However, the TKIP protocol applied by WPA can overcome the

main weaknesses of WEP.

WPA2, on the other hand, provides a good level of security through the use of the government-grade

encryption algorithm AES and by implementing the whole IEEE 802.11i security

standard. When these features are combined with a functional authentication mechanism,

we feel that it can provide the necessary level of security for different WLAN

environments, ranging from small offices to larger enterprises.

The following table 3 summarizes the different WLAN security protocols.

Table 3: WLAN security protocols

Description                           | WEP    | WPA                                         | WPA2
Authentication method                 | None   | 802.1X/Pre-Shared-Key                       | 802.1X/Pre-Shared-Key
Encryption protocol                   | WEP    | TKIP                                        | CCMP
Cryptographic algorithm               | RC4    | RC4                                         | AES
Key length (bits)                     | 40*    | 128                                         | 128
IV length (bits)                      | 24     | 48                                          | 48
Data integrity algorithm              | CRC-32 | Michael (MIC)                               | CBC-MAC
Protection against data replay attack | None   | Yes. The IV of WPA (TSC) acts as a counter. | Yes. The usage of packet numbering.

* = WEP also supports the usage of 104 bit keys and this is supported by many manufacturers.

REFERENCES

[802.11-2007] IEEE Std. 802.11-2007, “Wireless LAN Medium Access Control (MAC)

and Physical Layer (PHY) Specifications”, IEEE Computer Society, June 2007

[802.11i-2004] IEEE Std. 802.11i-2004, “Medium Access Control (MAC) Security

Enhancements”, IEEE Computer Society, June 2004

[Ali2007] K. Ali and T. Owens, “Selection of an EAP authentication method for a

WLAN”, International Journal of Information and Computer Security, vol. 1, issue 1, pp.

210-233, January 2007

[Bulbul2008] H. Bulbul, I. Batmaz, and M. Ozel, “Wireless network security: comparison

of WEP (Wired Equivalent Privacy) mechanism, WPA (Wi-Fi Protected Access) and RSN

(Robust Security Network) security protocols”, Proceedings of the 1st international

conference on Forensic applications and techniques in telecommunications, information,

and multimedia and workshop, no. 9, 2008

[Bulk2006] Frank Bulk, “The ABCs of WPA2 Wi-Fi Security”, Network Computing, 17, 2,

pp. 65-69, February 2, 2006

[Dantu2007] R. Dantu, G. Clothier, and A. Atri, “EAP methods for wireless networks”,

Computer Standards & Interfaces, vol. 29, issue 3, pp. 289-301, March 2007

[Ferg2002] Niels Ferguson, “Michael: an improved MIC for 802.11 WEP”,

IEEE document 802.11-02/020r0, 2002

[Halv2009] F. Halvorsen and O. Haugen, “Cryptanalysis of IEEE 802.11i TKIP”, Master’s

thesis, Norwegian University of Science and Technology, 2009

[He2004] C. He and J. Mitchell, “Analysis of the 802.11i 4-way handshake”, Proceedings

of the 3rd ACM workshop on Wireless security, pp. 43-50, 2004

[Housley2002] R. Housley, D. Whiting, and N. Ferguson, “Alternate temporal key hash”,

IEEE document 802.11-02/282r8, April 2002

[Lash2009] A. Lashkari, M. Danesh, and B. Samadi, “A Survey on Wireless Security

protocols (WEP, WPA and WPA2/802.11i)”, 2nd IEEE International Conference on

Computer Science and Information Technology, pp. 48-52, August 2009

[Lei2007] J. Lei, X. Fu, D. Hogrefe, and J. Tan, “Comparative Studies on Authentication

and Key Exchange Methods for 802.11 Wireless LAN”, Computers & Security, vol. 26,

issue 5, pp. 401-409, August 2007

[Moen2004] V. Moen, H. Raddum, and K. Hole, “Weaknesses in the temporal key hash of

WPA”, ACM SIGMOBILE Mobile Computing and Communications Review, pp. 76-83,

April 2004

[Sarmi2008] O. Sarmiento, F. Guerrero, and D. Argote, “Basic Security Measures For

IEEE 802.11 Wireless Networks”, Ingenieria e investigacio, pp. 89-96, vol. 28, issue 002,

2008

[Stanley2005] D. Stanley, J. Walker, and B. Aboba, “Extensible Authentication Protocol

(EAP) Method Requirements for Wireless LANs”, RFC 4017, March 2005

APPENDICES

Appendix A: 802.11 MAC frame format

The following figure represents the 802.11 MAC frame format [802.11-2007].

Appendix B: Payload of 802.11 frame with WEP encryption.

The following figure depicts the data field (frame body) of an 802.11 MAC frame, when

WEP encryption is enabled [802.11-2007].

Appendix C: TKIP MPDU

The following figure illustrates TKIP MPDU, in which the MAC Header part is depicted in

Appendix A [802.11-2007].

Appendix D: CCMP MPDU

The following figure illustrates CCMP MPDU, in which the MAC Header part is depicted

in appendix A [802.11-2007].