802.11i

The 802.11i architecture contains the following components: 802.1X for authentication (entailing the use of EAP and an Authentication Server ), RSN for keeping track of associations, and AES-based CCMP to provide Confidentiality , Integrity and origin Authentication . Another important element of the authentication process is the four-way handshake, explained below.

The Four-Way Handshake

The authentication process leaves two considerations; the (ANonce), STA Nonce (SNonce), AP MAC Address and STA MAC address. The product is then put through a Cryptographic Hash Function .

The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below:

# The AP sends a Nonce -value to the STA (ANonce). The client now has all the attributes to construct the PTK.
# The STA sends its own nonce-value (SNonce) to the AP together with a MIC .
# The AP sends the GTK and a sequence number together with another MIC. The sequence number is the sequence number that will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
# The STA sends a confirmation to the AP.

As soon as the PTK is obtained it is divided into three separate keys:

# EAPOL-Key Confirmation Key (KCK) - The key used to compute the MIC for EAPOL -Key packets.
# EAPOL-Key Encryption Key (KEK) - The key used to encrypt the EAPOL -Key packets.
# Temporal Key (TK) - The key used to encrypt the actual wireless traffic.

The Group Key Handshake

The GTK used in the network may need to be updated due to the expiry of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP.

To handle the updating, 802.11i defines a ''Group Key Handshake'' that consists of a two-way handshake:

# The AP sends the new GTK to each STA in the network. The GTK is encrypted using the KEK assigned to that STA and protects the data from being tampered using a MIC.
# The STA acknowledges the new GTK and replies to the AP.

SECURITY IN PRE-SHARED KEY MODE

Like WPA, 802.11i has a Pre-shared Key mode (PSK, also known as ''personal'' mode), designed for home and small office networks that cannot afford the cost and complexity of an 802.1X authentication server. Each user must enter a Passphrase to access the network. The passphrase is typically stored on the user's computer, so it need only be entered once. The weak passphrases users typically employ create a major vulnerability to Password Cracking attacks. It is recommended that passphrases be at least 8 characters and contain numbers and special characters. The IEEE 802.11i standard allows strong PSKs to be entered as 64 character hexadecimal numbers. Passphrases should be changed whenever an individual with access is no longer authorized to use the network or when a device configured to use the network is lost or compromised.

DEVICES IMPLEMENTING 802.11I

In general, the use of WPA2 needs firmware or driver support of both devices, the wireless host (router or access point) and the wireless client (adapter).

Usually, the wireless host can be enabled to support WPA2 by a firmware upgrade, available at the manufacturer's site. The client needs an update of the wireless adapter driver, and maybe part of the operating system as well.

Mac OS X

With the release of the 4.2 update to their AirPort software, Apple now supports WPA2 on all AirPort Extreme-enabled Macintoshes, the AirPort Extreme Base Station, and the AirPort Express (firmware upgrades included in AirPort 4.2).

Windows XP

Support of WPA2 needs an operating system update (KB893357, see external link below), and upgrade of wireless adapter drivers.

Linux

Support of WPA2 is dependent on a 3rd-party wrapper (such as wpa_supplicant ) and support from the wireless adapter driver.

SEE ALSO

WAPI

TKIP

IEEE standard can be retrieved at no charge through the GetIEEE802 program from http://standards.ieee.org/getieee802/download/802.11i-2004.pdf

Wpa_supplicant

EXTERNAL LINKS

Understanding the updated WPA and WPA2 standards (Zdnet)

Wi-Fi Protected Access 2 (WPA2) Overview (Microsoft)

Windows XP WPA2 Update (Microsoft)

802.11i (How we got here and where are we headed); PDF

(Meetinghouse Aegis 802.11i software)

	APPAREL
	BABY
	BEAUTY
	BOOKS
	CAR TOYS
	CELL PHONES
	DVD'S
	ELECTRONICS
	GOURMET FOOD
	GROCERIES
	HEALTH & PERSONAL
	HOME & GARDEN
	JEWELRY
	MUSIC
	MUSIC INSTRUMENTS
	OFFICE PRODUCTS
	SOFTWARE
	SPORTING GOODS
	TOOLS & HARDWARE
	TOYS
	VIDEO GAMES
	SHOPPING HOME

	MORE SHOPPING...

	CATEGORIES ABOUT IEEE 802.11I

	cryptographic protocols

	ieee 802.11

Information About

802.11i