802.11I

IEEE 802.11i (also known as WPA2) is an amendment to the 802.11 standard specifying security mechanisms for wireless networks (see Wi-Fi). The draft standard was ratified on 24 June, 2004, and supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was shown to have severe security weaknesses. Wi-Fi Protected Access (WPA) had previously been introduced by the Wi-Fi Alliance as an intermediate solution to WEP insecurities. It implemented a subset of 802.11i; the Wi-Fi Alliance also refer to the new standard as WPA2 which is their approved interoperable implementation of 802.11i. 802.11i makes use of the Advanced Encryption Standard (AES) block cipher; WEP and WPA use only the RC4 stream cipher. The 802.11i architecture contains the following components: 802.1X for authentication (entailing the use of EAP and an authentication server), RSN for keeping track of associations and CCMP to provide confidentiality, integrity and origin authentication. Another important element of the authentication process is the four-way handshake, explained below.

The Four-Way Handshake

The authentication process leaves two considerations: the AP still needs to authenticate itself to the client and keys to encrypt the traffic needs to be derived. The earlier EAP exchange has provided the shared secret key PMK (Pairwise Master Key). This key is however designed to last the entire session and should be exposed as little as possible. Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address and STA MAC address. The product is then put through a cryptographic hash function The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below:
  1. The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
  2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC.
  3. The AP sends the GTK and a sequence number together with another MIC. The sequence number is the sequence number that will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
  4. The STA sends a confirmation to the AP.
As soon as the PTK is obtained it is divided into three separate keys:
  1. EAPOL-Key Confirmation Key (KCK) - The key used to compute the MIC for EAPOL-Key packets.
  2. EAPOL-Key Encryption Key (KEK) - The key used to provide confidentiality for EAPOL-Key packets.
  3. Temporal Key (TK) - The key used to encrypt the actual wireless traffic.

The Group Key Handshake

The GTK used in the network may need to be updated due to the expiry of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP. To handle the updating, 802.11i defines a Group Key Handshake that consists of a two-way handshake:
  1. The AP sends the new GTK to each STA in the network. The GTK is encrypted using the PTK assigned to that STA and protects the data from being tampered using a MIC.
  2. The STA acknowledges the new GTK and replies to the AP.

See also

  • WAPI
  • TKIP
  • IEEE standard can be retrieved at no charge through the GetIEEE802 program from http://standards.ieee.org/getieee802/download/802.11i-2004.pdf

 

<< PreviousWord BrowserNext >>
new jersey vegetable monster
rustam kasimdzhanov
james kempt
mount arvon
festival of muharram
leonard george
thomas brown (naturalist)
khrabr
orange roughy
club atltico san lorenzo de almagro
alliance of liberals and democrats for europe
autoconfig
orpah
st mirren f.c.
muurla
mynmki
myrskyl
mntsl
mntt
nhs trust
mntyharju
naantali
nakkila
nastola
nagu
table alphabeticall
nilsi
california state highway 24
bundelkhand
nivala
noormarkku
iso automobile
nummi pusula
nurmes
the voice of firestone
the child of prague
third lanark f.c.
benjamin wadsworth
labour party (lithuania)
nurmo
mount curwood
stephen r. speed
nrpes
oravais
Copyright 2005-2009 OnPedia.com. All Rights Reserved