802.11i

The 802.11i architecture contains the following components: 802.1X for authentication (entailing the use of EAP and an Authentication Server ), RSN for keeping track of associations, and AES-based CCMP to provide Confidentiality , Integrity and origin Authentication . Another important element of the authentication process is the four-way handshake, explained below.

ENCRYPTION KEY DISTRIBUTION

The Four-Way Handshake

The authentication process leaves two considerations: the (ANonce), STA nonce (SNonce), AP MAC Address and STA MAC address. The product is then put through a Cryptographic Hash Function .

The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below:

# The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
# The STA sends its own nonce-value (SNonce) to the AP together with a MIC .
# The AP sends the GTK and a sequence number together with another MIC. The sequence number is the sequence number that will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
# The STA sends a confirmation to the AP.

As soon as the PTK is obtained it is divided into five separate keys:

PTK (Pairwise Transient Key – 64 bytes)

#16 bytes of EAPOL-Key Encryption Key (KEK) - AP uses this key to encrypt additional data sent (in the 'Key Data' field) to the client (for example, the RSN IE or the GTK)
#16 bytes of EAPOL-Key Confirmation Key (KCK)– Used to compute MIC on WPA EAPOL Key message
#16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
#8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP
# 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station

The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.

The Group Key Handshake

The GTK used in the network may need to be updated due to the expiry of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP.

To handle the updating, 802.11i defines a ''Group Key Handshake'' that consists of a two-way handshake:

# The AP sends the new GTK to each STA in the network. The GTK is encrypted using the KEK assigned to that STA and protects the data from being tampered using a MIC.
# The STA acknowledges the new GTK and replies to the AP.

GTK ( Groupwise Transient Key – 32 bytes)

#16 bytes of Group Temporal Encryption Key – Used to encrypt Multicast data packets
#8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on Multicast packet transmitted by AP
#8 bytes of Michael MIC Authenticator Rx Key – This is currently not used as stations do not send multicast traffic

The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.

DEVICES IMPLEMENTING 802.11I

In general, the use of WPA2 needs firmware or driver support of both devices, the wireless host (router or access point) and the wireless client (adapter).

Usually, the wireless host can be enabled to support WPA2 by a firmware upgrade, available at the manufacturer's site. The client needs an update of the wireless adapter driver, and maybe part of the operating system as well.

Mac OS X

With the release of the 4.2 update to their AirPort software, Apple now supports WPA2 on all AirPort Extreme -enabled Macintoshes, the AirPort Extreme Base Station, and the AirPort Express (firmware upgrades included in AirPort 4.2).

Windows XP

Support of WPA2 needs an operating system update (KB917021 (Replaces KB893357), see external link below), and upgrade of wireless adapter drivers. WPA2 support for Windows XP x64 is included in Windows XP x64 SP2. Windows Server Division WebLog : Windows Server 2003 and XP x64 Editions Service Pack 2

Windows Vista

All " Release To Manufacturing " (RTM) editions of Windows Vista support WPA2 without any additional patches.

Linux

Support of WPA2 is available. Drivers are needed to support WPA as well as the userspace utility, Wpa_supplicant or Xsupplicant .

A tool called NetworkManager , with GNOME and KDE frontends can be used to configure access to protected wireless networks.

Symbian OS

Support of WPA2 is available on the S60 Platform for mobile phones that use Symbian OS v.9.1 or later. An example of such a device is the Nokia E70 .

SEE ALSO

WAPI

TKIP

CCMP

EXTERNAL LINKS

IEEE standard can be retrieved at no charge through the GetIEEE802 program from http://standards.ieee.org/getieee802/download/802.11i-2004.pdf

NIST Special Publication 800-97, ''Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i'' as a PDF or zipped PDF file

Understanding the updated WPA and WPA2 standards (Zdnet)

Wi-Fi Protected Access 2 (WPA2) Overview (Microsoft)

Windows XP WPA2 Update (Microsoft)

802.11i (How we got here and where are we headed); PDF

Gnome Network Manager

WifiRadis a free online radius server with 802.11i PEAP

WIRE1x

802.11i Security Analysis: Can We Build a Secure WLAN? on ResearchChannel (March 2005)

REFERENCES

	APPAREL
	BABY
	BEAUTY
	BOOKS
	CAR TOYS
	CELL PHONES
	DVD'S
	ELECTRONICS
	GOURMET FOOD
	GROCERIES
	HEALTH & PERSONAL
	HOME & GARDEN
	JEWELRY
	MUSIC
	MUSIC INSTRUMENTS
	OFFICE PRODUCTS
	SOFTWARE
	SPORTING GOODS
	TOOLS & HARDWARE
	TOYS
	VIDEO GAMES
	SHOPPING HOME

	MORE SHOPPING...

	CATEGORIES ABOUT IEEE 802.11I

	cryptographic protocols

	ieee 802.11

Information About

802.11i