IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original
IEEE 802.11
IEEE 802.11 is part of the IEEE 802 set of local area network (LAN) technical standards, and specifies the set of media access control (MAC) and physical layer (PHY) protocols for implementing wireless local area network (WLAN) computer commun ...
, implemented as
Wi-Fi Protected Access II
Wi-Fi Protected Access (WPA), Wi-Fi Protected Access II (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security and security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer networks. The All ...
(WPA2). The draft standard was ratified on 24 June 2004. This standard specifies
security
Security is protection from, or resilience against, potential harm (or other unwanted coercive change) caused by others, by restraining the freedom of others to act. Beneficiaries (technically referents) of security may be of persons and social ...
mechanisms for
wireless network
A wireless network is a computer network that uses wireless data connections between network nodes.
Wireless networking is a method by which homes, telecommunications networks and business installations avoid the costly process of introducing c ...
s, replacing the short ''Authentication and privacy'' clause of the original standard with a detailed ''Security'' clause. In the process, the
amendment An amendment is a formal or official change made to a law, contract, constitution, or other legal document. It is based on the verb to amend, which means to change for better. Amendments can add, remove, or update parts of these agreements. They ...
deprecated
In several fields, especially computing, deprecation is the discouragement of use of some terminology, feature, design, or practice, typically because it has been superseded or is no longer considered efficient or safe, without completely removing ...
broken
Wired Equivalent Privacy
Wired Equivalent Privacy (WEP) was a security algorithm for 802.11 wireless networks. Introduced as part of the original IEEE 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to that of a traditional wi ...
(WEP), while it was later incorporated into the published
IEEE 802.11-2007
IEEE 802.11 is part of the IEEE 802 set of local area network (LAN) technical standards, and specifies the set of media access control (MAC) and physical layer (PHY) protocols for implementing wireless local area network (WLAN) computer commu ...
standard.
Replacement of WEP
802.11i supersedes the previous security specification,
Wired Equivalent Privacy
Wired Equivalent Privacy (WEP) was a security algorithm for 802.11 wireless networks. Introduced as part of the original IEEE 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to that of a traditional wi ...
(WEP), which was shown to have security vulnerabilities.
Wi-Fi Protected Access
Wi-Fi Protected Access (WPA), Wi-Fi Protected Access II (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security and security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer networks. The All ...
(WPA) had previously been introduced by the
Wi-Fi Alliance
The Wi-Fi Alliance is a non-profit organization that owns the Wi-Fi trademark. Manufacturers may use the trademark to brand products certified for Wi-Fi
interoperability.
History
Early 802.11 products suffered from interoperability problems be ...
as an intermediate solution to WEP insecurities. WPA implemented a subset of a draft of 802.11i. The Wi-Fi Alliance refers to their approved, interoperable implementation of the full 802.11i as WPA2, also called RSN (Robust Security). 802.11i makes use of the
Advanced Encryption Standard
The Advanced Encryption Standard (AES), also known by its original name Rijndael (), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
AES is a variant ...
(AES)
block cipher
In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called ''blocks''. Block ciphers are specified cryptographic primitive, elementary components in the design of many cryptographic protocols and ...
, whereas WEP and WPA use the
RC4
In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4, see below) is a stream cipher. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, ren ...
stream cipher
stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream ...
.
[ (Broken Link)]
Protocol operation
IEEE 802.11i enhances IEEE 802.11-1999 by providing a Robust Security Network (RSN) with two new protocols: the four-way handshake and the group key handshake. These utilize the authentication services and port access control described in
IEEE 802.1X
IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
IEEE 802.1X defines t ...
to establish and change the appropriate cryptographic keys. The RSN is a security network that only allows the creation of robust security network associations (RSNAs), which are a type of association used by a pair of stations (STAs) if the procedure to establish authentication or association between them includes the 4-Way Handshake.
The standard also provides two RSNA data confidentiality and integrity protocols,
TKIP and
CCMP, with implementation of CCMP being mandatory since the confidentiality and integrity mechanisms of TKIP are not as robust as those of CCMP. The main purpose to implement TKIP was that the algorithm should be implementable within the capabilities of most of the old devices supporting only WEP.
The initial authentication process is carried out either using a
pre-shared key In cryptography, a pre-shared key (PSK) is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used.
Key
To build a key from shared secret, the key derivation function is typically us ...
(PSK), or following an
EAP exchange through 802.1X (known as
EAPOL
IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
IEEE 802.1X defines ...
, which requires the presence of an authentication server). This process ensures that the client station (STA) is authenticated with the access point (AP). After the PSK or 802.1X authentication, a shared secret key is generated, called the
Pairwise Master Key
IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as Wi-Fi Protected Access II (WPA2). The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless netw ...
(PMK). In PSK authentication, the PMK is actually the PSK, which is typically derived from the WiFi password by putting it through a
key derivation function
In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function (which typically uses a crypto ...
that uses
SHA-1
In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographically broken but still widely used hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as 40 hexadecima ...
as the
cryptographic hash function
A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography:
* the probability of a particular n-bit output re ...
.
If an 802.1X EAP exchange was carried out, the PMK is derived from the EAP parameters provided by the authentication server.
Four-way handshake
The four-way handshake
is designed so that the access point (or authenticator) and wireless client (or supplicant) can independently prove to each other that they know the PSK/PMK, without ever disclosing the key. Instead of disclosing the key, the access point (AP) and client encrypt messages to each other—that can only be decrypted by using the PMK that they already share—and if decryption of the messages was successful, this proves knowledge of the PMK. The four-way handshake is critical for protection of the PMK from malicious access points—for example, an attacker's SSID impersonating a real access point—so that the client never has to tell the access point its PMK.
The PMK is designed to last the entire session and should be exposed as little as possible; therefore,
key
Key or The Key may refer to:
Common meanings
* Key (cryptography), a piece of information that controls the operation of a cryptography algorithm
* Key (lock), device used to control access to places or facilities restricted by a lock
* Key (map ...
s to encrypt the traffic need to be derived. A four-way handshake is used to establish another key called the Pairwise Transient Key (PTK). The PTK is generated by
concatenating
In formal language theory and computer programming, string concatenation is the operation of joining character strings end-to-end. For example, the concatenation of "snow" and "ball" is "snowball". In certain formalisations of concatenat ...
the following attributes: PMK, AP
nonce (ANonce), STA nonce (SNonce), AP
MAC address
A media access control address (MAC address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment. This use is common in most IEEE 802 networking techno ...
, and STA MAC address. The product is then put through a
pseudo-random function
In cryptography, a pseudorandom function family, abbreviated PRF, is a collection of efficiently-computable functions which emulate a random oracle in the following way: no efficient algorithm can distinguish (with significant advantage) between ...
. The handshake also yields the GTK (Group Temporal Key), used to decrypt
multicast
In computer networking, multicast is group communication where data transmission is addressed to a group of destination computers simultaneously. Multicast can be one-to-many or many-to-many distribution. Multicast should not be confused with ...
and broadcast traffic.
The actual messages exchanged during the handshake are depicted in the figure and explained below (all messages are sent as
EAPOL
IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
IEEE 802.1X defines ...
-Key frames):
# The
AP sends a nonce-value (ANonce) to the STA together with a Key Replay Counter, which is a number that is used to match each pair of messages sent, and discard replayed messages. The STA now has all the attributes to construct the PTK.
# The STA sends its own nonce-value (SNonce) to the AP together with a
Message Integrity Code
In cryptography, a message authentication code (MAC), sometimes known as a ''tag'', is a short piece of information used for authenticating a message. In other words, to confirm that the message came from the stated sender (its authenticity) and ...
(MIC), including authentication, which is really a Message Authentication and Integrity Code (MAIC), and the Key Replay Counter which will be the same as Message 1, to allow AP to match the right Message 1.
# The AP verifies Message 2, by checking MIC, RSN, ANonce and Key Replay Counter Field, and if valid constructs and sends the GTK with another MIC.
# The STA verifies Message 3, by checking MIC and Key Replay Counter Field, and if valid sends a confirmation to the AP.
The Pairwise Transient Key (64 bytes) is divided into five separate keys:
# 16 bytes of EAPOL-Key Confirmation Key (KCK) – Used to compute MIC on WPA EAPOL Key message
# 16 bytes of EAPOL-Key Encryption Key (KEK) – AP uses this key to encrypt additional data sent (in the 'Key Data' field) to the client (for example, the RSN IE or the GTK)
# 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
# 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP
# 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station
The Group Temporal Key (32 bytes) is divided into three separate keys:
# 16 bytes of Group Temporal Encryption Key used to encrypt/decrypt Multicast and Broadcast data packets
# 8 bytes of Michael MIC Authenticator Tx Key used to compute MIC on Multicast and Broadcast packets transmitted by AP
# 8 bytes of Michael MIC Authenticator Rx Key currently unused as stations do not send multicast traffic
The Michael MIC Authenticator Tx/Rx Keys in both the PTK and GTK are only used if the network is using TKIP to encrypt the data.
This four-way handshake has been shown to be vulnerable to
KRACK
KRACK ("Key Reinstallation Attack") is a replay attack (a type of exploitable flaw) on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens o ...
.
Group key handshake
The Group Temporal Key (GTK) used in the network may need to be updated due to the expiration of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP.
To handle the updating, 802.11i defines a ''Group Key Handshake'' that consists of a two-way handshake:
# The AP sends the new GTK to each STA in the network. The GTK is encrypted using the KEK assigned to that STA, and protects the data from tampering, by use of a
MIC.
# The STA acknowledges the new GTK and replies to the AP.
CCMP overview
CCMP is based on the
Counter with CBC-MAC (CCM) mode of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header.
Key hierarchy
RSNA defines two key hierarchies:
# Pairwise key hierarchy, to protect unicast traffic
# GTK, a hierarchy consisting of a single key to protect multicast and broadcast traffic
The description of the key hierarchies uses the following two functions:
* L(Str, F, L) - From Str starting from the left, extract bits F through F+L–1.
* PRF-n - Pseudo-random function producing n bits of output, there are the 128, 192, 256, 384 and 512 versions, each of these output these number of bits.
The pairwise key hierarchy utilizes PRF-384 or PRF-512 to derive session-specific keys from a PMK, generating a PTK, which gets partitioned into a KCK and a KEK plus all the temporal keys used by the MAC to protect unicast communication.
The GTK shall be a random number which also gets generated by using PRF-n, usually PRF-128 or PRF-256, in this model, the group key hierarchy takes a GMK (Group Master Key) and generates a GTK.
MAC frame formats
Frame Control field
Protected Frame field
"The Protected Frame field is 1 bit in length. The Protected Frame field is set to 1 if the Frame Body field contains information that has been processed by a cryptographic encapsulation algorithm. The Protected Frame field is set to 1 only within data frames of type Data and within management frames of type Management, subtype Authentication. The Protected Frame field is set to 0 in all other frames. When the bit Protected Frame field is set to 1 in a data frame, the Frame Body field is protected utilizing the cryptographic encapsulation algorithm and expanded as defined in Clause 8. Only WEP is allowed as the cryptographic encapsulation algorithm for management frames of subtype Authentication."
See also
*
WLAN Authentication and Privacy Infrastructure
WLAN Authentication and Privacy Infrastructure (WAPI) is a Chinese National Standard for Wireless LANs (GB 15629.11-2003).
Although it was allegedly designed to operate on top of Wi-Fi, compatibility with the security protocol used by the 802.11 w ...
(WAPI), China's centralized wireless security method
*
IEEE 802.1AE
IEEE 802.1AE (also known as MACsec) is a network security standard that operates at the medium access control layer and defines connectionless data confidentiality and integrity for media access independent protocols. It is standardized by the I ...
MACsec
References
;General
*
*
External links
*Vulnerability in the WPA2 protocol, hole19
{{IEEE standards
Cryptographic protocols
I